Who is this article for?

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

View and manage alert notifications

Overview

This article explains how to review and manage the security notifications that are created when Code42 detects activity that matches the criteria in an alert rule.

When a rule is triggered, an alert notification appears in the Alerts > Review Alerts table. You can add a note to an alert, review and dismiss alerts, or use the filters to search for alerts that have been dismissed to reopen them.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

  • You must connect at least one cloud service to Code42 to see cloud-related file activity. 

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Video

Watch the video below to learn how to review alerts. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.

Review alert notifications

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. For any alert, click the View details icon to see more details.
  4. (Optional) Select a status to identify the state of your investigation into the alert.
    If you select Dismissed, Code42 automatically dismisses the alert and removes it from the list of open alerts. Click Reopen alert at the bottom of the alert details to reopen the alert and change its status to Open, if needed.
  5. (Optional) Add a note (or edit any current note) to provide more details about the alert.
  6. (Optional) Click Send email to start an email to the user requesting more information about this activity.
    You can customize this email as needed after it opens.
  7. (Optional) Click Investigate in Forensic Search to see the files for this event in Forensic Search. If both cloud sharing and endpoint exposure events are involved in this alert, select the type of events you want to view from the menu that opens:
    • Investigate cloud sharing events
    • Investigate endpoint exposure events
  8. (Optional) When you're done reviewing the alert, click Dismiss alert to remove the notification. 
    When you dismiss an alert, Code42 automatically removes it from the list of open alerts. You can reopen alerts, if needed.

Dismiss multiple notifications at once
To dismiss multiple notifications at once, from the list of alerts select the checkbox next to one or more notifications and click the Dismiss Alerts button that appears at the top-right of the list of notifications.

Add a note

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. For any alert, click the View details icon to see more details.
  4. In the Notes panel, click Add note.
    If the alert already includes a note, click the Edit icon to edit the existing note.
  5. Enter the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save.
    Your note is added to the Notes panel in the Alert details. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited. Click Expand note to view long notes.

Dismiss alert notifications

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. For any alert, click the Dismiss alert icon. When the menu opens:
    • Select Dismiss to dismiss the alert.
    • Select Dismiss with note to add a note to the alert and then dismiss it. Enter your note (or edit the existing note) and then click Save and dismiss.
    The notification is removed from the table and entered into the list of dismissed alert notifications.

Reopen dismissed alert notifications

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. Click the Filter icon and apply the Dismissed status to show alerts that have been dismissed.
    1. When the Filters panel opens, under Status, clear the Open checkbox and select the Dismissed checkbox.
    2. (Optional) Select any other criteria to further filter the list of alerts that are returned.
    3. Click Apply.
      You are returned to the Review Alerts table and only the dismissed alerts that meet any other selected criteria are listed.
  4. (Optional) Click the Reopen alert icon to reopen a notification:
    • Select Reopen to reopen the alert.
    • Select Reopen with note to add a note to the alert and then reopen it. Enter your note (or edit the existing note) and then click Save and reopen.
    The reopened notification is removed from the table and returned to the list of open alert notifications. To view open notifications, repeat step 3 above and select the Open status.