Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional, Enterprise, and Gov F2
Incydr Basic, Advanced, and Gov F1
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Identify file activity with increased risk severity

Overview

Risk severity is highlighted throughout Incydr to show you the file activity with the greatest exposure and exfiltration risk. Locations include:

Considerations

Risk severity only applies to untrusted file activity
File events in locations on your list of trusted activity receive a risk score of 0, even if something that would be considered a risk indicator in a different context is present. For example, uploading a source code file to a trusted location like your corporate domain is not considered an exfiltration or exposure risk.

Risk severity on the Risk Exposure dashboard

The Top users by critical activity graph on the Risk Exposure dashboard shows a prioritized view for all users of critical and high severity file events.

To view the Risk Exposure dashboard, sign in to the Code42 console. If you are already signed in, click the Incydr logo in the upper left. For complete details, see Top users by critical activity reference.

Risk severity in Forensic Search

Forensic Search provides a Risk severity filter and displays risk scores and severity in the search results. To search file activity with the greatest exposure and exfiltration risk:

  1. Sign in to the Code42 console.
  2. Select Search > Forensic Search.
  3. Choose a date range.
  4. (Optional) To return only file events with a specific risk score, select the search filter Risk severity. To limit the type of risk, select the search filter Risk indicators.
    1. Select the operator includes any.
    2. Select one or more values.
  5. (Optional) Click the plus icon to add more search criteria.
  6. Click Search.
  7. In the search results, review the Risk score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  8. From the search results, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the Risk score, and lists all applicable Risk indicators.
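
The scoring ranges above, the rule that trusted activity scores 0, and the critical-then-high prioritization of the Top users by critical activity graph can be reproduced offline when triaging exported events. This is an added example, not Code42 code: the field names `user`, `risk_score` and `trusted` and the sample events are constructed assumptions, not an Incydr export schema.

```python
from collections import Counter, defaultdict

# Scoring ranges from this page: (lowest score in range, severity label).
SEVERITY_RANGES = [
    (9, "Critical"),
    (7, "High"),
    (4, "Moderate"),
    (1, "Low"),
    (0, "No risk indicated"),
]

def severity_for(score, trusted=False):
    """Return the severity label; trusted activity always scores 0."""
    if score < 0:
        raise ValueError(f"risk score cannot be negative: {score}")
    effective = 0 if trusted else score
    return next(label for low, label in SEVERITY_RANGES if effective >= low)

def risk_summary(events):
    """Count events per severity, including severities with no events."""
    counts = Counter(severity_for(e["risk_score"], e["trusted"]) for e in events)
    return {label: counts[label] for _, label in SEVERITY_RANGES}

def top_users(events, limit=5):
    """Rank users by critical, then high, severity event counts."""
    per_user = defaultdict(Counter)
    for e in events:
        label = severity_for(e["risk_score"], e["trusted"])
        if label in ("Critical", "High"):
            per_user[e["user"]][label] += 1
    ranked = sorted(per_user.items(),
                    key=lambda kv: (-kv[1]["Critical"], -kv[1]["High"], kv[0]))
    return [(user, c["Critical"], c["High"]) for user, c in ranked[:limit]]

# Constructed sample events; field names are hypothetical, not an Incydr schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "risk_score": 9, "trusted": False},
    {"user": "alice@example.com", "risk_score": 7, "trusted": False},
    {"user": "bob@example.com", "risk_score": 8, "trusted": False},
    {"user": "bob@example.com", "risk_score": 10, "trusted": True},
    {"user": "carol@example.com", "risk_score": 4, "trusted": False},
    {"user": "carol@example.com", "risk_score": 12, "trusted": False},
    {"user": "carol@example.com", "risk_score": 9, "trusted": False},
    {"user": "dave@example.com", "risk_score": 2, "trusted": False},
]

if __name__ == "__main__":
    print(risk_summary(SAMPLE_EVENTS))
    print(top_users(SAMPLE_EVENTS))
```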

Risk severity in Cases

Cases displays risk scores and severity for each file event in the case. To view risk severity:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject.
    The case details appear.
  4. In the File activity section, review the Risk score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  5. From the File activity list, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the Risk score, and lists all applicable Risk indicators.

Risk severity in Alerts

Add the new Risk severity setting to alert rules to be notified when file events with increased risk occur. In turn, notifications and emails generated by rules with this new setting identify those file events and their risk scores.

Alert rule setting

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. From the list of alert rules, select a rule. Or, click Create rule to create a new rule.
  4. Add the Risk severity rule setting.
    • If you're editing an existing rule, click Add setting on the View rule panel, then click Risk severity.
    • If you're creating a new rule, click Risk severity on the Create rule panel.
  5. Select the severity of events that you want to be notified about and click Save.
  6. Complete the rule.
    • If you're editing an existing rule, make any other changes needed and then close the View rule panel to return to the Manage Rules table.
    • If you're creating a new rule:
      1. Click Next.
      2. Enter the rule name and description, select a severity to use to filter and prioritize this rule and its notifications, and then click Next.
      3. Enter the email addresses to use for alert notifications created from this rule, and then click Save.
        The new rule is added to the Manage Rules table.

Alert notifications and emails

When file activity matching an alert rule that contains the new Risk severity setting is detected, the files associated with increased risk are identified in the alert notification and email.

  • Risk severity in the Review Alerts table and in the Overview of the alert notification or email identifies a file event's overall risk severity, which is based on the following ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  • Risk summary in the Overview of the alert notification or email quickly summarizes the number of file events associated with each severity and the type of activity that generated those events.
  • Filename/Details and Risk score in the Endpoint events and Cloud sharing events sections of the notification or email identify the filename involved in the event and type of activity that contributed to its risk score. Additional details list the date the file event activity was observed, and other information captured about the event (such as the URL a file was uploaded to or the browser tab that was active during the event).