This article explains what risk indicators (also known as “insider risk indicators”) are and how to use them to aid your investigations.
- To use risk indicators, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for investigating suspicious file activity.
What are risk indicators?
When Code42 monitors file activity, some file events are identified by the system as more anomalous than others, such as files that have different content than the file extension typically contains, or file events that occur at odd times of day for a particular employee's typical pattern of activity. These file activities have an added risk and may be something you want to review before other file events.
To help you quickly find these events, Code42 automatically flags them in graphs on the User profile and in Forensic Search with a yellow icon, as shown in the example below. Hover over the icon in the Code42 console to see the type of risk it indicates.
File mismatch risk indicator
The file mismatch risk indicator highlights files with extensions that do not match the file contents, particularly when a high-value file is given a low-value extension. Code42 detection focuses on high-risk file mismatches that may indicate a file was renamed, downloaded, or shared with an unexpected extension. For example:
- A ZIP file with a JPG extension is considered a file mismatch.
- A TXT file with a DOC extension is NOT considered a file mismatch because these are both high-value file extensions.
- A PNG file with a JPG extension is NOT considered a file mismatch because these are closely related file types.
Code42 analyzes files for mismatches when it detects activity involving the file, such as when it is moved to removable media or cloud sync folders, read by a browser or app, or shared publicly via direct link or with specific users outside your trusted domains. Code42 does not actively scan or monitor files for mismatches outside of those actions.
The following types of mismatches do not trigger File extension mismatch alerts or get a file mismatch risk indicator:
- Files where Code42 cannot read the file header and determine the true file type. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
- Files that have two high-value file extensions such as a TXT file renamed to have a DOC extension.
- Files with closely related file types and file extensions. For example, the file’s contents indicate that it is a PNG file, but the file has a GIF extension.
- Mismatches generated by software applications to control which application is used to open the file. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
- Files that generally don’t have extensions, such as application or system files.
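The exclusion rules above can be expressed as a small classifier. The following is an added example, not Code42's detection code: the magic-number table, the high-value extension set and the related-type group are constructed assumptions chosen to reproduce the page's ZIP/JPG, TXT/DOC and PNG/JPG examples.

```python
from pathlib import Path

# Constructed magic-number table (assumption: a small illustrative subset).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}
ALIASES = {"jpeg": "jpg"}
# Assumption: extensions treated as "high value"; swapping two of these is not flagged.
HIGH_VALUE = {"txt", "doc", "docx", "pdf", "csv"}
# Assumption: closely related image types; swapping within a group is not flagged.
RELATED = [{"png", "jpg", "gif"}]


def detect_type(data: bytes):
    """Return the true type from the file header, or None if it is not recognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Plain text has no magic number: treat printable ASCII as "txt".
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "txt"
    return None


def is_mismatch(filename: str, data: bytes) -> bool:
    """Apply the page's rules: flag only high-risk extension/content disagreements."""
    ext = Path(filename).suffix.lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    if not ext:
        return False  # application/system files without extensions are not checked
    actual = detect_type(data)
    if actual is None:
        return False  # header unreadable: true type unknown, so no indicator
    if actual == ext:
        return False
    if any({actual, ext} <= group for group in RELATED):
        return False  # closely related types (PNG content, JPG/GIF extension)
    if actual in HIGH_VALUE and ext in HIGH_VALUE:
        return False  # two high-value extensions (TXT content, DOC extension)
    return True  # e.g. ZIP content hiding behind a JPG extension
```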
File extension mismatch alert rule
In addition to the file mismatch risk indicator, you can create an alert to notify you whenever a file mismatch occurs on exfiltrated files. For more information about how to create an alert to notify you when a file mismatch occurs, see Create and manage alerts.
Watch the video below to learn how to identify if files have been renamed to hide their original file type. For more videos, visit the Code42 University.
Off hours risk indicator
The off hours risk indicator identifies file activity that occurred outside the hours an employee is typically active. When File Metadata Collection is enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours).
The off hours risk indicator does not:
- Use a static or pre-populated schedule of “working” hours (for example, 9am-5pm). It is based on dynamic observation of file activity on each user’s endpoint.
- Measure keyboard and mouse activity or window focus.
- Track user “clock-ins” or “clock-outs” or otherwise measure or report on user productivity, focus, or attention.
It takes several weeks of data to start identifying patterns, so the off hours indicator does not appear right away for new users.
Because employees aren’t active at the exact same times every day, Code42 continually adjusts what is considered “off hours activity” based on the observed file activity patterns each day. However, in some cases, if the user’s activity is too variable (for example, consistently changing from overnight activity to daytime activity on back-to-back weeks), we may not be able to observe a strong enough pattern of activity to determine typical active or off hours. In these cases, the off hours risk indicator is not applied.
Because off hours file activity is determined based on an employee's activity on their endpoint, off hours risk indicators are only shown on the Endpoint activity graphs and tiles. Off hours risk indicators do not appear on any of the Cloud sharing graphs or tiles, while file mismatch risk indicators do.
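To make the behaviour described above concrete (a learned baseline rather than a fixed schedule, several weeks of data before the indicator appears, and no indicator when the pattern is too variable), here is an added example that is not Code42's algorithm. The thresholds MIN_WEEKS, ACTIVE_SHARE and MIN_STABILITY and the synthetic event generator are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_WEEKS = 3        # assumption: weeks of data needed before a pattern is used
ACTIVE_SHARE = 0.02  # assumption: an hour holding >= 2% of a week's events is "active"
MIN_STABILITY = 0.5  # assumption: minimum overlap of active hours between consecutive weeks


def weekly_active_hours(events):
    """Group timestamps by ISO week and return {week: set(active hours of day)}."""
    by_week = defaultdict(Counter)
    for ts in events:
        by_week[ts.isocalendar()[:2]][ts.hour] += 1
    active = {}
    for week, hours in by_week.items():
        total = sum(hours.values())
        active[week] = {h for h, n in hours.items() if n / total >= ACTIVE_SHARE}
    return active


def learn_profile(events):
    """Return the user's typically active hours, or None when no stable pattern exists."""
    weeks = weekly_active_hours(events)
    if len(weeks) < MIN_WEEKS:
        return None  # not enough history yet: indicator is not applied to new users
    ordered = [weeks[w] for w in sorted(weeks)]
    for a, b in zip(ordered, ordered[1:]):
        if len(a & b) / len(a | b) < MIN_STABILITY:
            return None  # activity too variable week to week: no pattern
    counts = Counter(h for s in ordered for h in s)
    return {h for h, n in counts.items() if n * 2 > len(ordered)}  # majority of weeks


def is_off_hours(profile, ts):
    """An event is off hours only when a profile exists and its hour is not typical."""
    return profile is not None and ts.hour not in profile


def synthetic_events(start, week_patterns):
    """Constructed sample data: one event per listed hour on each weekday of each week."""
    events = []
    for w, hours in enumerate(week_patterns):
        for d in range(7):
            day = start + timedelta(days=7 * w + d)
            if day.weekday() < 5:
                events += [day.replace(hour=h, minute=15) for h in hours]
    return events
```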
How do risk indicators get applied?
When you have File Metadata Collection enabled, risk indicators automatically appear and require no further configuration.
If you only have endpoint monitoring for file exfiltration detection, you can still see the file mismatch risk indicator without any further configuration. However, the off hours risk indicator is not available.
Use risk indicators in the Code42 console
You may see risk indicators while reviewing an employee's profile from an ad-hoc search, or a profile from the Departing Employees and High Risk Employees lists. You may also see risk indicators in Forensic Search while investigating file activity.
When you see risk indicators in the Code42 console, you may want to investigate those file events first because they are identified as being more anomalous and risky than the other file events for that employee.
To investigate an event with a risk indicator, do the following:
- From a graph on a User Profile:
  - Click the point on the graph that has a risk indicator.
  - For any or all events for which you would like to see more details, click Investigate in Forensic Search.
- From within Forensic Search:
  - For any event listed in your search results with a risk indicator, click the event to see more details.
  - Search for file events with risk indicators:
    - In Filter, select Risk Indicator.
    - In Operator, select Includes any.
    - In Value, select one or both risk indicators.
For more details on how to use Forensic Search, see Forensic Search use cases.