Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2: yes
Incydr Basic, Advanced, and Gov F1: yes
Instructor: no

Find your product plan in the Code42 console on the Account menu.

Incydr Labs

Overview

Incydr Labs is a testing ground for experimental features. Labs includes reporting options for visualizing file event data.

Considerations  

Share your feedback on Labs 
Due to the experimental nature of Incydr Labs, features may change or disappear at any time. If you have feedback on Labs, contact your Customer Success Manager (CSM).   

Access Labs 

To access Incydr Labs: 

  1. Sign in to the Code42 console.
  2. Click the Labs icon in the top navigation menu.
     The available labs appear.
  3. Click View for one of the labs options.

Screenshot: Labs landing page

Chart builder

Use Chart builder to create a custom chart for a variety of use cases. For example, you can visualize risk over time or track exfiltrated files by file classification data. 

Screenshot: Chart builder by destination name and file category

Item  Description

a  Date selector
   Select a time range for the chart data. Times are evaluated as Coordinated Universal Time (UTC).
   Select Include trusted activity to also include activity that occurred in a location on your list of trusted activity or that was observed in a corporate cloud data service monitored by Incydr.

b  Chart type
   Select one of the available chart types:
     • Column: A stacked column chart with the primary field on the X axis and event count on the Y axis. Each column is broken down by the secondary field.
     • Heatmap: Shows the frequency of events using color, with the primary field on the X axis and the secondary field on the Y axis. Each cell includes the event count.
     • Histogram: A frequency distribution chart that shows the unique count of primary field values over time.
     • Pie: Shows the number of events for each primary field value in pie chart format.

c  Primary field
   Defines the primary search criteria. Options are listed as Code42 API field names.

   Secondary field (not shown)
   Defines the secondary search criteria, used by the Column and Heatmap chart types to break the data down (Histogram and Pie charts use only the primary field). Options are listed as Code42 API field names.

d  Filter field
   The field to filter events on. Options are listed as Code42 API field names.

e  Filter operator
   Choose IS or IS NOT.

f  Filter value
   Enter the value you want to filter on.

g  Delete
   Click to remove the filter.

h  Add filter
   Click to add another filter.

i  Search
   Click to run a search based on the current criteria.

j  Export
   Downloads the current search results to a CSV file.
     • Only includes the fields applicable to your product plan.
     • The CSV file is UTF-8 encoded.
     • Some CSV column headers have different names than the corresponding field labels in Forensic Search. See Field name mapping and definitions for complete details.
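The following is an added example, not Code42's own code or API: it re-creates offline what Chart builder does with the controls above (restrict events to a UTC time range, honor the Include trusted activity toggle, apply IS / IS NOT filter rows, then count events by a primary and optional secondary field, or count distinct primary values per day for a Histogram) and writes the result as a UTF-8 CSV the way Export does. The dotted field names follow the Code42 API naming the console lists, but the exact names, the `trusted` flag standing in for trusted activity, and the sample events are all assumptions constructed for this example.

```python
"""Offline re-creation of the Chart builder aggregation (added example)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real Incydr data. Timestamps are UTC, as
# Chart builder evaluates them. `trusted` marks activity in a trusted
# location or a monitored corporate cloud service (assumed representation).
EVENTS = [
    {"@timestamp": "2024-03-01T09:15:00Z", "user.email": "ana@example.com",
     "destination.name": "Dropbox", "file.category": "Document", "trusted": False},
    {"@timestamp": "2024-03-01T10:00:00Z", "user.email": "ana@example.com",
     "destination.name": "Dropbox", "file.category": "Source Code", "trusted": False},
    {"@timestamp": "2024-03-02T08:00:00Z", "user.email": "cy@example.com",
     "destination.name": "Dropbox", "file.category": "Document", "trusted": False},
    {"@timestamp": "2024-03-02T14:30:00Z", "user.email": "bo@example.com",
     "destination.name": "USB", "file.category": "Document", "trusted": False},
    {"@timestamp": "2024-03-02T23:59:00Z", "user.email": "bo@example.com",
     "destination.name": "Google Drive", "file.category": "Document", "trusted": True},
    {"@timestamp": "2024-03-03T00:00:00Z", "user.email": "cy@example.com",
     "destination.name": "USB", "file.category": "Image", "trusted": False},
]

# Date selector: a half-open UTC range [START, END).
START = datetime(2024, 3, 1, tzinfo=timezone.utc)
END = datetime(2024, 3, 3, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches(event, filters):
    """Apply the filter rows: every (field, 'IS' | 'IS NOT', value) must hold."""
    for field, op, value in filters:
        actual = event.get(field, "")
        if op == "IS" and actual != value:
            return False
        if op == "IS NOT" and actual == value:
            return False
    return True


def select(events, start, end, filters=(), include_trusted=False):
    """Yield events in [start, end) that pass the filters and the trusted toggle."""
    for ev in events:
        ts = parse_ts(ev["@timestamp"])
        if not (start <= ts < end):
            continue
        if ev["trusted"] and not include_trusted:
            continue
        if matches(ev, filters):
            yield ev


def build_chart(events, start, end, primary, secondary=None,
                filters=(), include_trusted=False):
    """Column/Heatmap data: {primary: {secondary: count}}; Pie data: {primary: count}."""
    selected = list(select(events, start, end, filters, include_trusted))
    if secondary is None:
        return dict(Counter(ev.get(primary, "") for ev in selected))
    counts = defaultdict(Counter)
    for ev in selected:
        counts[ev.get(primary, "")][ev.get(secondary, "")] += 1
    return {k: dict(v) for k, v in counts.items()}


def histogram(events, start, end, primary, filters=(), include_trusted=False):
    """Histogram data: number of distinct primary-field values per UTC day."""
    per_day = defaultdict(set)
    for ev in select(events, start, end, filters, include_trusted):
        day = parse_ts(ev["@timestamp"]).date().isoformat()
        per_day[day].add(ev.get(primary, ""))
    return {day: len(values) for day, values in sorted(per_day.items())}


def to_csv_bytes(chart, primary, secondary):
    """Flatten a two-field chart into UTF-8 encoded CSV, as Export does."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([primary, secondary, "count"])
    for p, inner in sorted(chart.items()):
        for s, n in sorted(inner.items()):
            writer.writerow([p, s, n])
    return buf.getvalue().encode("utf-8")


if __name__ == "__main__":
    chart = build_chart(EVENTS, START, END, "destination.name", "file.category")
    print(chart)
    print(histogram(EVENTS, START, END, "destination.name"))
    print(to_csv_bytes(chart, "destination.name", "file.category").decode("utf-8"))
```

The trusted Google Drive event only appears when `include_trusted=True`, and the event stamped exactly at the end of the range is excluded because the range is half-open; both are worth confirming against your own exports before reading a chart as a complete count.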

Review grouped alerts

Grouped alerts consist of multiple file events for one user that occur within a brief period of time. Review grouped alerts for a consolidated view of those alerts that includes context around the user activity.

Screenshot: Review grouped alerts with annotations

Item  Description

a  Open
   Click to view grouped alerts currently in an Open state.

b  In progress
   Click to view grouped alerts currently in an In progress state.¹

c  Dismissed
   Grouped alerts that were closed from within Labs or dismissed from Review alerts.¹

d  Risk severity
   The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:
     • 9+: Critical
     • 7-8: High
     • 4-6: Moderate
     • 1-3: Low
     • 0: No risk indicated
   For more information about risk indicators, see Risk settings reference.

e  Description
   May include the type of file, type of movement, what triggered the alert, and additional context, such as off-hours file activity.

f  Date observed
   The date and time of the first file event within the grouped alert.

g  Duration
   The length of time between the first and last file events in the grouped alert.

h  Events
   The number of file events in the grouped alert.

i  User
   The user whose file activity was observed.

j  Last modified by
   The user who last made a change from the grouped alert details screen, such as closing the grouped alert or selecting an option from the Actions menu.

k  Last action taken
   The date and time of that last change.

l  View detail
   Click to view the details of the grouped alert and take action on it.¹

m  Provide feedback
   Click to open a Google Form from which you can submit feedback on grouped alerts.

n  Rows per page
   Select the number of grouped alerts to display per page.

o  Pagination
   Click the left and right arrows to move through pages of grouped alerts.

¹ Use the Status list in the Labs details view to change a grouped alert's status. Changing the grouped alert status automatically updates the status of the corresponding notifications listed in Alerts > Review Alerts.
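The following is an added example, not Code42's own code: the article does not state how Incydr decides which events belong to one grouped alert, so this example assumes a rule (alerts for the same user no more than a fixed gap apart join the same group) and then derives the Date observed, Duration, Events and Risk severity columns from each group as the table describes. The severity ranges are the article's; the gap, the per-event risk scores, the alert IDs and the sample alerts are constructed for the example. `set_status` mirrors the footnote: changing a group's status updates every notification in the group.

```python
"""Building grouped-alert rows from per-user alert notifications (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GAP = timedelta(minutes=15)  # assumed "brief period"; not a documented value


def severity(score):
    """Map a risk score to the severity label using the ranges listed above."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Moderate"
    if score >= 1:
        return "Low"
    return "No risk indicated"


def ts(hour, minute):
    """Constructed UTC timestamp on a fixed day, for the sample alerts."""
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed alert notifications (one per file event), not real Incydr data.
ALERTS = [
    {"id": "a1", "user": "ana@example.com", "ts": ts(9, 0), "score": 3, "status": "Open"},
    {"id": "a2", "user": "ana@example.com", "ts": ts(9, 10), "score": 8, "status": "Open"},
    {"id": "a3", "user": "ana@example.com", "ts": ts(9, 20), "score": 5, "status": "Open"},
    {"id": "a4", "user": "bo@example.com", "ts": ts(11, 0), "score": 2, "status": "Open"},
    {"id": "a5", "user": "bo@example.com", "ts": ts(11, 30), "score": 0, "status": "Open"},
    {"id": "a6", "user": "ana@example.com", "ts": ts(14, 0), "score": 9, "status": "Open"},
]


def make_group(user, members):
    """One row of the grouped alerts table, derived from its member alerts."""
    first, last = members[0]["ts"], members[-1]["ts"]
    top = max(m["score"] for m in members)  # assumed: group severity = highest member
    return {
        "user": user,
        "date_observed": first,        # first file event in the group
        "duration": last - first,      # first event to last event
        "events": len(members),        # number of file events
        "severity": severity(top),
        "alert_ids": [m["id"] for m in members],
        "status": "Open",
    }


def group_alerts(alerts, gap=GAP):
    """Split each user's chronologically sorted alerts wherever the gap is exceeded."""
    by_user = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_user[a["user"]].append(a)
    groups = []
    for user, members in by_user.items():
        run = [members[0]]
        for a in members[1:]:
            if a["ts"] - run[-1]["ts"] <= gap:
                run.append(a)
            else:
                groups.append(make_group(user, run))
                run = [a]
        groups.append(make_group(user, run))
    return sorted(groups, key=lambda g: g["date_observed"])


def set_status(group, alerts, status):
    """Change a grouped alert's status and propagate it to its notifications."""
    group["status"] = status
    for a in alerts:
        if a["id"] in group["alert_ids"]:
            a["status"] = status
    return group


if __name__ == "__main__":
    for g in group_alerts(ALERTS):
        print(g["user"], g["date_observed"].time(), g["duration"], g["events"], g["severity"])
```

With these inputs the three morning events for one user collapse into a single High group, while the two events 30 minutes apart for the other user stay separate; tuning the gap changes how much context each group carries, which is the trade-off the consolidated view is making for you.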

Risk combinations

Use Risk combinations to view the most common combinations of risk indicators. Risk combinations can help you investigate high-risk file types, destinations, and user behavior together.

Screenshot: Risk combinations with annotations

Item  Description

a  Date selector
   Select a time range for the chart data. Times are evaluated as Coordinated Universal Time (UTC).

b  Search risk indicator
   Select an item from the menu or type the name of a risk indicator to filter by. To learn more about risk indicators, see the Risk settings reference.

c  Circle graph
   Shows the risk indicators related to the selected risk indicator. Hover over a point on the graph to view the details of that related risk indicator. Click a point to view the file event details in Forensic Search.

d  Column graph
   Shows the frequency of related risk indicators by severity. Hover over a section of the graph to view the details of that related risk indicator. Click a section to view the file event details in Forensic Search.
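The following is an added example, not Code42's own code: it computes over constructed file events the three things the Risk combinations lab displays, namely the most common sets of risk indicators that fire together on one event, the indicators related to a selected indicator (the circle graph), and those related indicators broken down by severity (the column graph). The indicator names, severities and events are sample data constructed for this example.

```python
"""Counting risk indicator co-occurrence (added example)."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed file events: the risk indicators each one triggered and the
# resulting severity. Not real Incydr data.
EVENTS = [
    {"indicators": {"Source code", "Public cloud storage", "Off hours"}, "severity": "High"},
    {"indicators": {"Source code", "Public cloud storage"}, "severity": "Moderate"},
    {"indicators": {"Removable media", "Source code"}, "severity": "Critical"},
    {"indicators": {"Removable media", "Off hours", "Departing"}, "severity": "Critical"},
    {"indicators": {"Public cloud storage", "Departing"}, "severity": "High"},
]


def top_combinations(events, size=2, n=5):
    """Most common sets of `size` indicators that fire together on one event."""
    counts = Counter()
    for ev in events:
        # sort so the same set always yields the same tuple key
        for combo in combinations(sorted(ev["indicators"]), size):
            counts[combo] += 1
    return counts.most_common(n)


def related(events, indicator):
    """Circle graph data: other indicators seen on events carrying `indicator`."""
    counts = Counter()
    for ev in events:
        if indicator in ev["indicators"]:
            counts.update(ev["indicators"] - {indicator})
    return counts


def related_by_severity(events, indicator):
    """Column graph data: related indicators, each split by event severity."""
    by_sev = defaultdict(Counter)
    for ev in events:
        if indicator in ev["indicators"]:
            for other in ev["indicators"] - {indicator}:
                by_sev[other][ev["severity"]] += 1
    return {k: dict(v) for k, v in by_sev.items()}


if __name__ == "__main__":
    print(top_combinations(EVENTS))
    print(related(EVENTS, "Source code"))
    print(related_by_severity(EVENTS, "Source code"))
```

Raising `size` to 3 answers the question the pair view cannot: which full combinations (for example source code, public cloud storage and off hours together) actually recur, which is usually the more useful starting point for a hunt.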

Unmatched cloud usernames

Use Unmatched cloud usernames to export a list of cloud storage usernames that are not associated with a Code42 user. Use this information to match corporate cloud storage usernames with Code42 users, so that a user's cloud and endpoint file events are attributed to the same Code42 user in Incydr.

The lab lists the options for resolving unmatched cloud usernames:

  • Update your SCIM integration to pull in all possible users from your directory.
    For directions specific to supported provisioning providers, see our articles for Azure AD, Okta, and PingOne.
  • Update the scope of the data connection to pull in only events for users that exist in Code42.
    Use the exported CSV to identify the unmatched users when you reconfigure the scoping.
  • Manually create the missing users in Code42. If the Code42 email address differs from the cloud username, add the cloud alias to the user.
    Compare the cloud alias emails in the exported CSV to your list of Code42 users. If the CSV shows users not in Code42, add the missing users manually and then add the cloud aliases to those users.
  • If the corresponding user already exists in Code42, add the cloud alias to the user.
    Compare the cloud alias emails in the exported CSV to your list of Code42 users. If you find corresponding users in Code42, add the cloud alias emails to those users.

Screenshot: Unmatched cloud usernames

Item  Description

a  All connectors
   Select the cloud storage data connection to show data for.

b  Date selector
   Select a time range for the data. Times are evaluated as Coordinated Universal Time (UTC).

c  Export
   Downloads the current search results to a UTF-8 encoded CSV file.

d  User email
   The cloud alias for which no corresponding Code42 username could be found.

e  Source
   The corporate cloud storage environment where the file events originated.

f  Events
   The number of file events associated with the cloud alias.
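The following is an added example, not Code42's own code or API: it reads the CSV the lab exports (the header names are assumed to match the column labels in the table above) together with a list of Code42 users and their existing cloud aliases, and decides for each cloud username which of the options above applies: add a cloud alias to an existing user, or create the user and then add the alias. Matching is case-insensitive on the full address and, as a heuristic, on the local part across domains; an ambiguous local part is flagged for manual review. The matching rule, the export contents and the user list are all constructed assumptions for this example, so treat the output as a worklist to review, not as changes to apply blindly. A per-source total is included to show where re-scoping a data connection would remove the most unattributed events.

```python
"""Reconciling an Unmatched cloud usernames export against Code42 users (added example)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed export, shaped like the lab's UTF-8 CSV. Header names assumed.
EXPORT_CSV = """User email,Source,Events
ana.lopez@corp.example.com,Google Drive,42
contractor1@partner.example,Box,7
bo@example.org,Google Drive,3
Dan.W@other.example,Box,11
"""

# Constructed Code42 user list: username plus any cloud aliases already set.
CODE42_USERS = [
    {"username": "ana.lopez@example.com", "cloud_aliases": []},
    {"username": "bo@example.com", "cloud_aliases": []},
    {"username": "dan@example.com", "cloud_aliases": ["dan.w@example.com"]},
    {"username": "dan.w@legacy.example.com", "cloud_aliases": []},
]


def parse_export(text):
    """Rows of the export with the Events column converted to an integer."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Events"] = int(row["Events"])
    return rows


def index_users(users):
    """Map lower-cased addresses (usernames and aliases) and local parts to usernames."""
    by_address, by_local = {}, defaultdict(set)
    for u in users:
        for addr in [u["username"], *u["cloud_aliases"]]:
            addr = addr.lower()
            by_address[addr] = u["username"]
            by_local[addr.split("@", 1)[0]].add(u["username"])
    return by_address, by_local


def classify(email, by_address, by_local):
    """Pick the resolution for one cloud username; returns (action, target user)."""
    addr = email.lower()
    if addr in by_address:                      # alias exists; export may predate it
        return ("already_mapped", by_address[addr])
    candidates = by_local.get(addr.split("@", 1)[0], set())
    if len(candidates) == 1:                    # same person, different domain/casing
        return ("add_alias", next(iter(candidates)))
    if candidates:                              # local part is not unique
        return ("review_manually", ",".join(sorted(candidates)))
    return ("create_user_then_add_alias", None)


def reconcile(export_text, users):
    """Worklist, highest event count first, so the noisiest gaps are fixed first."""
    by_address, by_local = index_users(users)
    plan = []
    for row in parse_export(export_text):
        action, target = classify(row["User email"], by_address, by_local)
        plan.append({
            "cloud_alias": row["User email"],
            "source": row["Source"],
            "events": row["Events"],
            "action": action,
            "code42_user": target,
        })
    return sorted(plan, key=lambda p: -p["events"])


def events_by_source(plan):
    """Unattributed events per data connection, to guide re-scoping decisions."""
    totals = Counter()
    for p in plan:
        totals[p["source"]] += p["events"]
    return dict(totals)


if __name__ == "__main__":
    plan = reconcile(EXPORT_CSV, CODE42_USERS)
    for p in plan:
        print(f'{p["events"]:>5}  {p["cloud_alias"]:<32} {p["action"]:<28} {p["code42_user"] or ""}')
    print(events_by_source(plan))
```

The local-part heuristic is deliberately conservative: when two Code42 users share a local part it refuses to guess, because attaching a cloud alias to the wrong user silently merges one person's cloud activity into another's investigation record.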