Who is this article for?

  • Incydr, yes.
  • Code42 for Enterprise, yes.
  • CrashPlan for Enterprise, no.
  • CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Create and manage alert rules

Overview

This article explains how to configure alert rules using the Manage Rules screen. Alert rules monitor the activity that your organization has identified as risky and define the users to notify when that activity occurs. In a rule, you can also define thresholds and severity to help identify when important data may be leaving your company.

When an alert is created, it appears on the Alerts > Review Alerts screen. 

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

  • You must connect at least one cloud service to Code42 to see cloud-related file activity. 

Create a rule

You can create a new rule in several ways: from a template, from scratch, or by copying and modifying an existing rule.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.

Use a template

To get you up and running, Code42 includes a number of pre-configured rule templates that contain recommended settings. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Under Recommended rules, select the template to use as a starting point.
    • If the recommended rule you want to use is already listed in the "ribbon," click its name.
    • Otherwise, click View all recommendations to view all recommended rules, and then click the rule name.
    The Step 1 of 3 panel opens and displays the pre-configured settings used in the template.
  4. Review the alert rule settings and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  5. Enter the rule name, description, and severity.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Select the rule Severity: High, Medium, or Low.
      You can use the severity later to filter alerts.
    4. Click Next.
  6. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Create a rule from scratch

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Click Create Rule.
  4. When the Create rule panel opens, click an alert rule setting to add it to the rule.
  5. Select the options that you want to use for that setting in the rule and then click Save.
    The Step 1 of 3 panel opens and summarizes the criteria for the new rule.
  6. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  7. Enter the rule name, description, and severity.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Select the rule Severity: High, Medium, or Low.
      You can use the severity later to filter alerts.
    4. Click Next.
  8. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Copy and modify an existing rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
    The Step 1 of 3 panel opens and summarizes the criteria for the copied rule.
  5. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  6. Enter the rule name, description, and severity.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Select the rule Severity: High, Medium, or Low.
      You can use the severity later to filter alerts.
    4. Click Next.
  7. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Edit a rule

  1. Sign in to the Code42 console.
  2. Go to Alerts and select the rule you want to edit.
    • To edit a rule from an alert notification:
      1. Go to Alerts > Review Alerts.
      2. In the list of alerts, select the alert notification to view.
      3. In Alert details, click the View rule link under the rule name.
    • To edit a rule in the Manage Rules table:
      1. Go to Alerts > Manage Rules.
      2. In the list of rules, locate the rule and click View.
  3. Update the rule's details and settings.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
    4. To change the name, description, or severity, click Actions and select Edit name & description, then make your changes and click Save.
  4. Close the View rule panel to return to either the Review Alerts or the Manage Rules tables.

Delete a rule

Deleting a rule stops those alerts
Deleting a rule stops all alerts for that rule for all users. Any previous alerts for the rule remain in the Review Alerts table.
  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete. Note that you cannot delete a default alert rule from the Departing Employees list or the High Risk Employees list.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that alert are stopped. 

Default alert rules and notifications

If you add an employee to the Departing Employees list or the High Risk Employees list, you may see "Departing Employees" or "High Risk Employees" alerts and rules. Code42 automatically creates these rules to alert you of suspicious activity from employees that are actively monitored in those applications. 

The default Departing Employees and High Risk Employees rules:

Enable or disable default rules

  1. Select User Activity > Departing Employees or User Activity > High Risk Employees.
    You cannot enable or disable a default alert rule on the Manage Rules screen. You can only enable or disable these rules from the corresponding lists.
  2. Click Alert Settings.
    The Alert Settings for that list opens.
  3. Click the slider to enable or disable alerts. When enabled, the alert is turned on for all employees listed in that application.

Edit default alert rule settings

From one of the lists

  1. Select User Activity > Departing Employees or User Activity > High Risk Employees.
  2. Click Alert Settings.
    The Alert Settings for that list opens.
  3. Ensure that the alerts are enabled. 
  4. Click View Rule for the corresponding alert rule. 
    The details and criteria for that rule open in Alerts.
  5. Update the rule's details and settings.
    1. To change the severity of a default rule, click Actions and select Edit name & description, then make your changes and click Save.
    2. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    3. To change a rule's settings or notifications, click Edit and then make your changes. Click Save when you finish.
      To add or remove users from the rule, you must add or remove them from the corresponding list. Likewise, default rules can only be enabled or disabled in Departing Employees or High Risk Employees.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting and return to the Step 1 of 3 panel.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    4. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default options that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  6. Close the View rule panel to return to the Manage Rules table.

From Alerts

  1. Go to Alerts > Manage Rules.
  2. In the list of rules, locate the default rule and click View.
  3. Update the rule's details and settings:
    1. To change the severity of a default rule, click Actions and select Edit name & description, then make your changes and click Save.
    2. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    3. To change a rule's settings or notifications, click Edit and then make your changes. Click Save when you finish.
      To add or remove users from the rule, you must add or remove them from the corresponding list. Likewise, default rules can only be enabled or disabled in Departing Employees or High Risk Employees.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting and return to the Step 1 of 3 panel.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    4. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default options that Code42 automatically uses for the rule, click Show default criteria.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  4. Close the View rule panel to return to the Manage Rules table.