To build a new alert rule, you add settings that identify the file activity that your organization has deemed the most risky, and then select options from those settings that best match what you want to monitor. You can mix and match settings as needed to build rules that best fit your organization's needs and environments.
Alert rule settings
Alert rule settings give you simple, criteria-based building blocks from which you can create a rule. These settings group similar options that define activity your organization has identified as having the most risk of loss. This flexibility helps you build powerful alerts that notify you about activity that needs investigation while filtering out normal, expected activity to reduce noise. The result is targeted, meaningful alerts that you can act on.
To view and select alert rule settings when building a rule:
- Select Alerts > Manage Rules.
- Click Create rule.
- Click a setting name to add those settings to your rule, then select the options that match the activity you want to be alerted about and click Save.
  That setting is added to the rule with the options you selected.
- Click Add setting to add another setting to the rule and select its options.
  You can mix and match settings as needed to target specific activity.
Save your new rule:
- When you finish adding settings, click Next to name the new rule, add a description, and identify the users you want to be notified about the activity this rule monitors.
- Click Save to save your completed rule.
Risk severity
Alerts you when file events that are associated with increased risk scores or severity are detected. Use this to be notified when file events occur that have risk scores that correspond to specific severities. To learn more about risk severity and risk scores, see Risk settings reference.
Select the severity of file events you want to be notified about. When an alert notification is generated, the Risk severity calculated for those events appears in the Review Alerts table, in the Overview of the alert notifications or emails, and in the Filename/Details list. This severity is based on the following ranges:
- 9+: Critical
- 7-8: High
- 4-6: Moderate
- 1-3: Low
- 0: No risk indicated
By default, file events associated with no risk (or a risk score of 0) are not included in the Filename/Details section of alert notifications and emails. However, brief details about these events are included in the Risk summary section for reference and you can see all file events, regardless of risk score, in Forensic Search.
Filename or extension
Alerts you when activity is detected for files with specific filenames or extensions.
Enter the filenames (or filename components) you want to monitor and be alerted about. To monitor several different filenames and extensions, enter each on a separate line. Code42 alerts you when exfiltration activity involving a file that matches this criteria is detected.
The following limits apply to the filename or extension criteria:
- You can enter up to 100 separate lines.
- Each line can contain a maximum of 500 characters.
You can use wildcards along with specific words or characters to define filename components:
- Use the * wildcard character to replace partial strings in the filename. For example, enter expenses* to monitor any filename beginning with the phrase "expenses," such as "expenses.xls," "expenses.doc," or "expenses to review.txt."
  You can also use the * wildcard to watch filenames ending in specific extensions. For example, enter *.cpp to monitor activity for any C++ file.
- Use the ? wildcard character to replace a single character in the filename. For example, enter Q? Financials 202?.xls to monitor filenames such as "Q3 Financials 2020.xls," or "Q1 Financials 2021.xls."
Code42 trims any leading or trailing spaces from the filenames you enter. To monitor filenames that begin or end with a space, use the ? wildcard character in place of that space. For example, enter Roadmap?.* to monitor filenames such as "Roadmap␣.ppt" or "Roadmap␣.vsd." Likewise, enter ?Roadmap.doc to monitor files named "␣Roadmap.doc."
Filename and extension criteria are matched case-insensitively: the characters must match exactly, but capitalization is ignored. Code42 does, however, display the criteria exactly as they were entered (including any capitalization) when the rule was created.
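As an added illustration (not Code42's own code), the matcher below applies the wildcard, trimming, case-insensitivity and size-limit rules described above so you can test a criteria list against observed filenames before putting it in a rule. The function names are mine; the matching semantics and the 100-line / 500-character limits come from this page.

```python
import re

MAX_LINES = 100        # limits stated on the page
MAX_LINE_CHARS = 500


def compile_criteria(text: str) -> list:
    """Turn the multi-line criteria box into one anchored, case-insensitive
    regex per line: each line is trimmed of leading/trailing spaces,
    '*' matches any run of characters, '?' matches exactly one character,
    and everything else is taken literally (so '.' is not a wildcard)."""
    lines = [line.strip(" ") for line in text.splitlines()]
    lines = [line for line in lines if line]          # skip blank lines
    if len(lines) > MAX_LINES:
        raise ValueError(f"more than {MAX_LINES} criteria lines")
    patterns = []
    for line in lines:
        if len(line) > MAX_LINE_CHARS:
            raise ValueError(f"criteria line longer than {MAX_LINE_CHARS} characters")
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in line
        )
        # Capitalization is ignored when matching; the original spelling is
        # what the console would display, so it is kept in `pattern`.
        patterns.append(re.compile(rf"^{regex}$", re.IGNORECASE))
    return patterns


def matches(filename: str, patterns: list) -> bool:
    """True when the observed filename matches any criteria line."""
    return any(p.match(filename) for p in patterns)


# Constructed criteria list using the page's own examples, including the
# "?" trick for a trailing space and an entry with stray surrounding spaces.
SAMPLE_CRITERIA = "expenses*\n*.cpp\nQ? Financials 202?.xls\n  Roadmap?.*  \n?Roadmap.doc"
```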
File categories
Similar to the Filename or extension settings, the File categories settings alert you when exfiltration activity is detected for any file matching the categories you select. A key difference: selecting a category monitors for all the file types and extensions included in that category, including others that are not listed.
File categories are managed by Code42 and cannot be edited or updated. However, the examples listed for each file category are not exhaustive. Each category contains many more file types. Keep in mind that file extensions are not the only method Code42 uses to identify a file's category.
File extension mismatch
There are no criteria to select or enter for this rule setting. Select it when you want to be alerted about files with extensions that don't appear to match their contents.
The file mismatch risk indicator highlights files with extensions that do not match the file contents, particularly when a high-value file is given a low-value extension. Detection focuses on high-risk file mismatches that may indicate a file with an unexpected extension was renamed, downloaded, or shared.
- For example, a ZIP file with a JPG extension is considered a file mismatch.
- See below for examples that are not considered a file mismatch.
Code42 analyzes files for mismatches when it detects activity involving the file, such as when it is moved to removable media or cloud sync folders, read by a browser or app, or shared publicly via direct link or with specific users outside your trusted domains. Code42 does not actively scan or monitor files for mismatches outside of those actions.
Not all mismatches are considered risky. The following types of mismatches do not trigger alerts or get a file mismatch risk indicator:
- Files where Code42 cannot read the file header and determine the true file type. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
- Files that have two high-value file extensions, such as a PPT file renamed to have a TXT extension.
- Files with closely related file types and file extensions. For example, the file’s contents indicate that it is a PNG file, but the file has a GIF extension.
- Mismatches generated by software applications to control the application used to open the file. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
- Files that generally don’t have extensions, such as application or system files.
To better highlight risky file events or possible exposure, only high-risk mismatches for files that were involved in exfiltration activity trigger the alert rule. However, you can find all known file mismatches in Forensic Search.
File volume
Alerts you when activity is detected for files totaling a cumulative count or file size. Use these settings to reduce noise so that you are alerted only after activity reaches certain thresholds of total number or size of files involved.
By default, Code42 monitors for any file activity that occurs, and alerts you when even one file of any size is involved in possible exfiltration activity.
Add this setting to a rule when you want to be notified about activity only when it exceeds the file count and size thresholds you specify. Leave it out of a rule when you want to be notified about any file activity that matches the other rule criteria.
Enter the thresholds to use when monitoring for file activity. If you enter thresholds in both options, select Or to be notified if either value is exceeded, or And to be notified only if both values are exceeded.
- File count greater than: The total number of files moved by a user.
- Total size greater than: The total aggregate size of files moved by a user, measured in bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB).
After activity matching the rule to which you add this setting is first detected, Code42 alerts you when that activity exceeds these thresholds at any point within the next 15 minutes.
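To make the threshold behaviour concrete, here is an added example (my code, not Code42's) that evaluates the File volume setting over a stream of file events: per user, it accumulates count and total size over the 15 minutes following the first matching event and reports when the Or/And condition is first exceeded. The window being anchored at the first matching event is my reading of the paragraph above; the event records and the sample activity are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # evaluation window stated on the page


@dataclass(frozen=True)
class FileEvent:
    user: str
    timestamp: datetime
    size_bytes: int


def fires_at(events, count_gt=None, size_gt_bytes=None, combine="or"):
    """Apply the File volume thresholds to one user's matching events.

    Assumption: the 15-minute window is anchored at the first matching event.
    Returns the timestamp of the first event at which the thresholds are
    exceeded ('or' = either, 'and' = both), or None if that never happens.
    """
    ordered = sorted(events, key=lambda e: e.timestamp)
    if not ordered:
        return None
    deadline = ordered[0].timestamp + WINDOW
    count = total = 0
    for ev in ordered:
        if ev.timestamp > deadline:
            break  # activity after the window would start a fresh evaluation
        count += 1
        total += ev.size_bytes
        checks = []
        if count_gt is not None:
            checks.append(count > count_gt)
        if size_gt_bytes is not None:
            checks.append(total > size_gt_bytes)
        if checks and (all if combine == "and" else any)(checks):
            return ev.timestamp
    return None


def evaluate_by_user(events, **thresholds):
    """Group events per user and report when (if ever) each user trips the rule."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev.user].append(ev)
    return {user: fires_at(evs, **thresholds) for user, evs in per_user.items()}


# Constructed sample: alice copies 60 x 1 MB files at 10-second intervals;
# bob uploads 30 x 100 MB files, one per minute (only 16 fall in the window).
BASE = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [FileEvent("alice", BASE + timedelta(seconds=10 * i), 1_000_000) for i in range(60)]
SAMPLE_EVENTS += [FileEvent("bob", BASE + timedelta(minutes=j), 100_000_000) for j in range(30)]
```

With count > 50 Or size > 1 GB, alice trips the count threshold on her 51st file and bob the size threshold on his 11th; with And, neither user fires because each exceeds only one of the two.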
Destination
By default, Code42 automatically monitors all destinations for activity for all alert rules. When activity that matches the settings in an alert rule occurs on any destination, Code42 notifies you about that risk. Because Code42 automatically monitors all destinations, there's no need to select the "All" checkbox for every category when adding the Destination setting to a rule. Instead, leave the Destination setting out of a rule entirely if you want to be notified about matching activity that occurs anywhere.
Add the Destination setting to a rule only when you want to use it as a filter. Code42 then notifies you when matching activity occurs only on those selected destinations. For example, your organization may have a problem with accidental uploads of business data to personal iCloud accounts. Selecting the iCloud cloud storage upload in a rule would then notify you only when files are uploaded to iCloud folders. Uploads to other destinations are ignored and filtered out of notifications generated by that rule.
Alerts you about possible exfiltration activity when users:
- Upload files to a variety of destinations, including:
  - Personal cloud storage folders, either through folders on their device that sync with cloud storage providers or via a web browser.
  - Web-based email services as attachments.
  - File conversion tools.
  - Corporate messaging services or social media platforms.
  - PDF managers or productivity tools.
  - Web-based source code management systems.
  - Web hosting services.
- Download files to external devices, such as downloads to removable media or reports from your organization's Salesforce environment to devices that are not monitored by Incydr.
  You must connect Incydr to your Salesforce environment using Data Connections in order to monitor for Salesforce reports downloaded to unmonitored devices.
- Share files externally, from either:
  - Your organization's cloud storage environment, as files shared publicly via a link or with users outside of your trusted domains.
  - Your organization's email service, as files sent as attachments through Gmail or Microsoft Office 365.
Selecting the "All" checkbox for a category monitors all file activity occurring in that destination category, including other destinations in that category that are not listed.
Not all exfiltration types have been categorized into common destinations. To monitor file activity occurring in one of these destinations, select Uncategorized browser and app read events under Other uploads at the bottom of the Destination list.
Individual users
Allows you to identify specific users to monitor (or exclude from monitoring) by this rule. Select whether you want this rule to include or exclude users, then enter those usernames in a comma-separated list.
For example, your company is involved in a legal proceeding against a former employee, and you want to be notified about any activity involving the brief that is not caused by a member of your legal team. (In other words, your legal team will be causing sanctioned activity as they share the brief among themselves while conducting the investigation. You do not want to be notified about this legitimate activity, but you do want to be notified should anyone else in your organization access or move the brief.) In this situation, you would exclude the members of your legal team from being monitored by the rule. Code42 would then alert you of any activity involving users not on this list.
Any individual users that you add to an alert rule take precedence over any watchlists that exist in that same rule.
- If a rule includes both an individual user and a watchlist: the user's file activity triggers the rule and generates an alert notification even if that user is not on the included watchlist.
- If a rule specifically excludes an individual user but includes a watchlist: the user's file activity does not trigger the rule or generate an alert notification, even if that user is on the included watchlist.
Watchlists
Alerts you about activity associated with users on any watchlists. Watchlists allow you to monitor employees that may be a greater risk to your company data, such as contractors, developers or IT team members with elevated access privileges, executives with access to particularly sensitive company data, or employees that may be leaving your organization. You can add one (or more) watchlists to an alert rule to be alerted about file activity associated with users on these lists.
Unlike the Individual users setting that allows you to exclude users, users on watchlists are always included in the rule by default. Any file activity associated with a user on a watchlist triggers the rule and generates an alert notification. You cannot exclude a watchlist from a rule to prevent its users' file activity from triggering the rule and generating alert notifications.
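The precedence rules for Individual users and Watchlists above are easy to get wrong when reviewing a rule, so here is an added example (mine, not Code42's) that encodes them as a single scope check. Behaviour stated on the page: individual entries win over watchlists, watchlists can only include, and a rule with no user settings monitors everyone; treating an exclude list combined with a watchlist as "watchlist members minus the excluded users" is my assumption, as are the usernames.

```python
from dataclasses import dataclass, field


@dataclass
class UserScope:
    """The Individual users and Watchlists settings of one alert rule."""
    mode: str = "include"                   # Individual users: "include" or "exclude"
    individuals: frozenset = frozenset()    # parsed comma-separated usernames
    watchlists: dict = field(default_factory=dict)  # watchlist name -> set of members


def parse_user_list(text: str) -> frozenset:
    """Parse the comma-separated username box, dropping surrounding whitespace."""
    return frozenset(u.strip() for u in text.split(",") if u.strip())


def user_in_scope(rule: UserScope, username: str) -> bool:
    """Decide whether this user's file activity can trigger the rule.

    - An individual entry takes precedence over every watchlist in the rule:
      an included user triggers it even when on no watchlist, an excluded
      user never triggers it even when on a watchlist.
    - Otherwise watchlist membership decides when watchlists are present
      (assumption for exclude-plus-watchlist: watchlist minus excluded users).
    - With no watchlist, an include list limits scope to those users, while
      an exclude list, or no user settings at all, leaves everyone else monitored.
    """
    if username in rule.individuals:
        return rule.mode == "include"
    if rule.watchlists:
        return any(username in members for members in rule.watchlists.values())
    return not (rule.mode == "include" and rule.individuals)


# Constructed rules mirroring the page's scenarios.
LEGAL_BRIEF_RULE = UserScope(
    mode="exclude",
    individuals=parse_user_list("lee@example.com, kim@example.com"),
)
MIXED_RULE = UserScope(
    mode="include",
    individuals=parse_user_list("pat@example.com"),
    watchlists={"Departing employees": {"dev@example.com"}},
)
CARVE_OUT_RULE = UserScope(
    mode="exclude",
    individuals=parse_user_list("dev@example.com"),
    watchlists={"Departing employees": {"dev@example.com", "sam@example.com"}},
)
```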
The following sections detail example use cases for alerts: these are common situations for which a rule could be created. Use them as starting points to help identify the activity that presents the most risk to your organization and to develop the alert rules that could notify you when such activity occurs.
For additional ideas about how to use recommended rules to monitor for risky activity, see Recommended rules reference.
Customer data exposure
Every organization knows it's vital to secure customer data to preserve legitimacy, partner relationships, and business reputations. You can set up rules that notify you about possible exposure of your customer information so that you can secure this data before it becomes a costly breach.
For example, your company is consulting with Acme Enterprises on a large project, code-named "DarkTunnel." All of your business documents regarding this project either use this code name or the customer's name in their filenames to draw attention and separate them from other project files. So that everyone can access them, files are exchanged using your customer's Box cloud storage. You want to set up a rule to notify you when any file about DarkTunnel is moved to any location other than the approved Box destination.
- Filename or extension: Filename includes any *DarkTunnel*, DarkTunnel*, *Acme*, Acme*, *AE*, AE*
- Destination: All Cloud storage uploads options except Box
To customize this for your organization, make a list of the project or customer names that could be used in filenames and targeted for exfiltration. Identify which destinations may be more likely for these files to be exfiltrated to, along with the users who routinely collaborate on these files for valid reasons to exclude from the rule to improve signal.
Sensitive keyword exfiltration
Like the customer data exposure use case above, many companies use file naming conventions to easily identify information when generating valuable sales or financial reports and exporting contact lists. Likewise, employees give files descriptive names when collaborating across groups so it's easy to determine which file contains what information.
Take a few minutes to think about the naming conventions in place at your organization, along with other trigger words used in filenames that could indicate a file's contents. Some possibilities include "forecast," "rollup," "roadmap," "salary," or "financial." Some trigger words may seem obvious, but they still appear in filenames, such as "confidential," "internal," "password," or "private."
- Filename or extension: Filename includes words on the list of naming conventions and trigger words you develop
- Destination: Destination options that represent the most risk to your organization
For other examples of how you can set up keywords to alert you of possible exfiltration, see Recommended rules reference.
File uploads to Slack
Slack is a powerful tool that enhances employee collaboration and productivity while improving engagement. You can secure Slack's communication channels by creating an alert to detect the movement of important business files while filtering out the image and video sharing that's an important part of your company culture.
- File categories:
  - Source code
  - Virtual disk image
- Destination: Messaging uploads > Slack
Accidental iCloud uploads
Using their AppleID, employees may be able to log into Apple iCloud on their devices to take advantage of its services, such as updating shared Notes, receiving personal iMessages, or syncing with family calendars. Unfortunately, in doing so it can be easy to automatically start syncing professional files with personal iCloud storage. Set up an alert rule to detect this sort of accidental file syncing so that you can work with employees to resolve it.
- Destination: Cloud storage uploads > iCloud
- File categories:
  - Source code
  - Virtual disk image
Movement of many files
Sometimes, the sheer number of files a user has moved can be suspicious and worth investigating. Set up a rule that alerts you when a user moves a large number of files to a destination. "Large" in this context varies from organization to organization. Depending on how an organization identifies risk, it may choose to investigate the movement of as few as 10 files.
- File volume: File count greater than 50 (for example)
- Destination:
  - External devices > Removable media
  - Cloud storage uploads (all)