The All Users list shows all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity.
Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All Users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.
All Users list
To access the All Users list:
- Sign in to the Code42 console.
- Select User Activity > All Users.
The All Users list appears.
Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings.
|b||Search||Enter a Code42 username to find a specific employee's file activity.|
Click to open Risk settings, from which you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information about Risk settings, see Risk settings reference.
|d||Selected time frame||Shows the time frame in which the file activity occurred. Click to change the time frame.|
|e||Quick filters||Click View users on any of the filters to only see employees in the list with file events of that severity.|
|f||List of users||Shows all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events.|
List of users
Shows the name of the employee that initiated the file activity, their department*, and title*.
*Department and title are only shown if your Code42 environment uses provisioning.
Displays file events with the following ranges of risk scores:
Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event.
Risk indicator based on where a file is moved or uploaded.
Risk indicator based on the type of file, as determined by the file extension and file contents.
Risk indicator based on user behavior automatically detected by Incydr and inclusion in high risk user groups, such as departing employees.
|—||Departure date / Start date||Lists the dates added when the user was placed on a watchlist.|
|f||Notes||Displays any notes added to the User Profile.|
Click to filter the list by:
|h||View details||Click to see more details about the user's file activity such as the filename and risk score of their critical and high file events.|
Click to select:
From the list of users, click View event details to see more information about a user's file activity.
|a||Selected time frame||Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the screen.|
Do one of the following:
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example:
To add users to watchlists, you must have the Insider Risk Admin role, the Departing Employee Manager role (for the Departing watchlist), or the High Risk Manager role (for all other watchlists). For more information about adding users to watchlists, see Manage watchlists.
To access Incydr Flows, you must have the Insider Risk Respond role. For more information about Flows, see Introduction to Incydr Flows.
Displays a summary of the employee's information, including:
*Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42.
|Opens the User Profile for the employee.|
Do one of the following:
Notes are limited to 1000 characters.
|f||Risk indicator events||Displays counts of each file event severity with associated risk indicators. For more information about risk indicators, see Risk settings reference.|
|g||Investigate in Forensic Search||Click to see more details about the file events in Forensic Search. Learn more about using Forensic Search.|
|h||Filter||Click to show filters that allow you to filter the list of events based on risk indicator or watchlist. To remove a selected filter, click it again.|
|i||By risk score||Click to show file events by risk score in descending order.|
|j||By date observed||Click to show file events by the date the event occurred, with the latest events on top.|
|k||View details||Click to view details about the file event. For detailed descriptions of each field, see File event metadata.|
Shows filename, risk indicators, risk score, and other details pertaining to the file event.
If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search.
To view all file events with more detail, click Investigate in Forensic Search.