
Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Departing employee risk report reference


The departing employee risk report summarizes the risky activity of an employee on the Departing watchlist over the last 90 days. In the report, you can see a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many of their events correspond to the most common exfiltration scenarios for departing employees. Use the report to make your offboarding triage tasks more streamlined and consistent.


  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Technical Support Engineers.

Departing employee risk report

To open the report:

  1. Go to User Activity > Watchlists.
  2. Select the Departing watchlist.
  3. Find the user and click Risk report.
    The risk report slides in from the right.



Item Description
a Export events

Click to send all of the employee's critical events for the past 90 days to a CSV file.

b User

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Watchlists the employee has been added to

*Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42.

c View profile

Click to see the employee's User profile.

d Notes

Do one of the following:

  • Click Add to add more details to the user's profile.
  • Click Edit to modify existing notes.

Notes are limited to 1000 characters.

e Risk breakdown

Shows how many cases exist for the user, the number of alerts they've triggered, and how many critical events they've had in the past 90 days.


Note: The case and alert counts are not visible if you do not have the appropriate permissions.

f Risk indicators

Shows the user's top risk indicators sorted by the number of the user's critical events.

g View critical events

Click to see the user's critical events in Forensic Search.

h Common risk scenarios in the last 90 days

Shows the top risk scenarios for departing employees and the user's file event counts for each scenario.

  • External devices: Applies to file events on external devices, including file activity on removable media and files sent to other Apple devices via AirDrop.
  • Cloud storage uploads: Applies to files uploaded to cloud services via a web browser and, for some cloud services, via the installed desktop app (such as Box, Dropbox, and Google Drive).
  • Email uploads: Applies to files uploaded via a browser to web-based email services such as Gmail, Outlook, and Yahoo! mail.

The same risk scenarios are always shown, and do not change based on the user's file activity. To see the user's most active file activity by risk indicator, see the Risk indicators section of the report.
