Incydr Labs
Overview
Incydr Labs is a testing ground for experimental features. Labs includes reporting options for visualizing file event data.
Considerations
- You must have a role with permissions to search file event data in Forensic Search to use Labs.
- Labs preferences such as time ranges and editable lists are stored in local browser storage. These preferences are:
  - Retained if you restart your browser
  - Not shared across users
Due to the experimental nature of Incydr Labs, features may change or disappear at any time. If you have feedback on Labs, contact your Customer Success Manager (CSM).
Access Labs
To access Incydr Labs:
- Sign in to the Code42 console.
- Click the Labs icon from the top navigation menu. The available labs appear.
- Click View for one of the labs options.
Chart builder
Use Chart builder to create a custom chart for a variety of use cases. For example, you can visualize risk over time or track exfiltrated files by file classification data.
Item | Name | Description
---|---|---
a | Date selector | Select a time range for the chart data. Times are evaluated as Coordinated Universal Time (UTC). Select Include trusted activity to include activity that occurred in a location on your list of trusted activity or was observed in a corporate cloud data service monitored by Incydr.
b | Chart type | Select one of the available chart types.
c | Primary field | Defines the primary search criteria. Options are listed as Code42 API field names.
— | Secondary field (not shown) | Defines the secondary search criteria. Only available for column chart types. Options are listed as Code42 API field names.
d | Filter field | Defines the primary search criteria. Options are listed as Code42 API field names.
e | Filter operator | Choose IS or IS NOT.
f | Filter value | Enter the value you want to filter on.
g | Delete | Click to remove the filter.
h | Add filter | Click to add a filter.
i | Search | Click to run a search based on the current criteria.
j | Export | Downloads the current search results to a CSV file.
Review grouped alerts
Grouped alerts consist of multiple file events for a user occurring within a brief period of time. Review grouped alerts for a consolidated view of alerts that includes context around the user activity.
Item | Name | Description
---|---|---
a | Open | Click to view grouped alerts currently in an open state.
b | In progress | Click to view grouped alerts currently in an "In progress" state.¹
c | Dismissed | Grouped alerts that have been marked as closed from within Labs or marked as dismissed from Review alerts.¹
d | Risk severity | The risk severity associated with the event, based on its risk indicators. Risk severities are based on scoring ranges; for more information about risk indicators, see Risk settings reference.
e | Description | May include the type of file, type of movement, what triggered the alert, and additional context, such as off-hours file activity.
f | Date observed | The date and time of the first file event within the grouped alert.
g | Duration | The length of time between the first file event and the last file event in the group of alerts.
h | Events | The number of file events in the group of alerts.
i | User | The user for which the file activity was observed.
j | Last modified by | The user who last made a change from the grouped alert details screen, such as closing the grouped alert or selecting an option from the Actions menu.
k | Last action taken | The date and time a user last made a change from the grouped alert details screen, such as closing the grouped alert or selecting an option from the Actions menu.
l | View detail | Click to view the details of the grouped alert and take action on it.¹
m | Provide feedback | Click to open a Google Form from which you can submit feedback on Grouped Alerts.
n | Rows per page | Select the number of grouped alerts to display on the page.
o | Pagination | Click the left and right arrows to scroll through pages of alerts.

¹ You can use the Status list in the Labs details view to change a grouped alert's status. Changing the grouped alert status automatically updates the status of the corresponding notifications listed in Alerts > Review Alerts.
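The Date observed, Duration and Events columns above are derived from the run of file events that make up a grouped alert. The following added example (not Code42's code) shows how those three values fall out of grouping one user's events that occur close together in time. The page does not state the window Incydr uses to decide that events belong to the same group, so the five-minute gap, the event timestamps and the descriptions are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample file events (user, UTC timestamp, description); not real Incydr data.
SAMPLE_EVENTS = [
    ("alice@example.com", "2024-03-01T09:00:00Z", "Source code to removable media"),
    ("alice@example.com", "2024-03-01T09:02:30Z", "Source code to removable media"),
    ("alice@example.com", "2024-03-01T09:04:10Z", "Source code to removable media"),
    ("alice@example.com", "2024-03-01T13:30:00Z", "Document to personal cloud"),
    ("bob@example.com",   "2024-03-01T22:15:00Z", "Spreadsheet uploaded via browser, off hours"),
]

# Assumed grouping window: consecutive events for the same user that are no more than
# this far apart land in the same grouped alert. The page gives no actual threshold.
GAP = timedelta(minutes=5)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def summarize(user, run):
    """Build one grouped alert from a time-ordered run of (timestamp, description) pairs,
    exposing the same fields the Labs table shows: Date observed, Duration, Events."""
    first, last = run[0][0], run[-1][0]
    return {
        "user": user,
        "date_observed": first,          # first file event in the group
        "duration": last - first,        # time between first and last file event
        "events": len(run),              # number of file events in the group
        "descriptions": sorted({desc for _, desc in run}),
    }


def group_events(events, gap=GAP):
    """Group file events per user into grouped alerts, splitting a user's timeline
    wherever two consecutive events are more than `gap` apart."""
    by_user = {}
    for user, ts, desc in events:
        by_user.setdefault(user, []).append((parse_ts(ts), desc))

    groups = []
    for user, evs in by_user.items():
        evs.sort()                       # sort by timestamp (then description)
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] <= gap:
                current.append(ev)       # still within the window: same grouped alert
            else:
                groups.append(summarize(user, current))
                current = [ev]           # gap exceeded: start a new grouped alert
        groups.append(summarize(user, current))

    groups.sort(key=lambda g: g["date_observed"])
    return groups


if __name__ == "__main__":
    for g in group_events(SAMPLE_EVENTS):
        print(f'{g["user"]}: observed {g["date_observed"]:%Y-%m-%d %H:%M} UTC, '
              f'duration {g["duration"]}, {g["events"]} event(s), {"; ".join(g["descriptions"])}')
```

On the constructed input this yields three grouped alerts: alice's three removable-media events collapse into one group with a duration of 4 minutes 10 seconds, her afternoon cloud event stands alone, and bob's single off-hours event forms its own group.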
Risk combinations
Use Risk combinations to view the most common combinations of risk indicators. Risk combinations can help you investigate high-risk file types, destinations, and user behavior.
Item | Name | Description | Click to view
---|---|---|---
a | Date selector | Select a time range for the chart data. Times are evaluated as Coordinated Universal Time (UTC). | --
b | Search risk indicator | Select an item from the menu or type the name of a risk indicator to filter by. To learn more about risk indicators, see the Risk settings reference. | --
c | Circle graph | Circle graph showing related risk indicators for the selected risk indicator. | Hover over points on the graph to view the details of the related risk indicator. Click points on the graph to view the file event details in Forensic Search.
d | Column graph | Column graph showing the frequency of related risk indicators by severity. | Hover over sections of the graph to view the details of the related risk indicator. Click sections of the graph to view the file event details in Forensic Search.
Unmatched cloud usernames
Use Unmatched cloud usernames to export a list of cloud storage usernames that are not associated with a Code42 user. Use this information to match corporate cloud storage usernames with Code42 users. This allows you to see a user's cloud and endpoint file events attributed to the same Code42 user in Incydr.
The lab lists options to resolve the unmatched cloud usernames:
- Update your SCIM integration to pull in all possible users from your directory.
  For directions specific to supported provisioning providers, see our articles for Azure AD, Okta, and PingOne.
- Update the scope of the data connection to pull in only events for users that exist in Code42.
  Use the exported CSV to reconfigure scoping to include the unmatched users.
- Manually create the missing users in Code42. If the Code42 email address differs, add the cloud alias to the user.
  Compare the cloud alias user emails in the exported CSV to your list of Code42 users. If the CSV shows users not in Code42, add the missing users manually and then add cloud aliases for the users.
- If the corresponding user already exists in Code42, add the cloud alias to the user.
  Compare the cloud alias user emails in the exported CSV to your list of Code42 users. If you find corresponding users in Code42, add the cloud alias user emails to those users.
Item | Name | Description
---|---|---
a | All connectors | Select the cloud storage data connection to show data for.
b | Date selector | Select a time range for the data. Times are evaluated as Coordinated Universal Time (UTC).
c | Export | Downloads the current search results to a CSV file. The CSV file is UTF-8 encoded.
d | User email | The cloud alias for which a corresponding Code42 username could not be found.
e | Source | The corporate cloud storage environment where file events originated.
f | Events | The number of file events associated with the cloud alias user.
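The last two resolution options above both come down to comparing the exported cloud aliases against your Code42 user list and deciding, per alias, whether to add it to an existing user or create a missing user. The following added example (not Code42's code) performs that triage offline. It assumes the export's column headers match the table (User email, Source, Events), which the page does not confirm, and uses a constructed CSV and a constructed Code42 user list. Matching a cloud alias to a Code42 user by the local part of the address is a heuristic chosen here for illustration; review its suggestions before adding aliases, since a wrong alias merges one person's cloud activity into another user's Incydr timeline.

```python
import csv
import io

# Constructed export in the shape of the "Unmatched cloud usernames" CSV.
# Column names are assumed from the table on this page; the export is UTF-8 encoded
# (per the page), so it is held here as bytes and decoded on read.
SAMPLE_EXPORT_CSV = (
    "User email,Source,Events\n"
    "j.doe@contoso-cloud.com,Google Drive,42\n"
    "svc-backup@contoso-cloud.com,Box,7\n"
    "MARIA.LOPEZ@contoso-cloud.com,OneDrive,13\n"
).encode("utf-8")

# Constructed list of existing Code42 users: primary email -> cloud aliases already configured.
CODE42_USERS = {
    "j.doe@contoso.com": [],
    "maria.lopez@contoso.com": ["mlopez@contoso-cloud.com"],
}


def load_export(csv_bytes):
    """Decode the UTF-8 export (tolerating a BOM) and normalise each row."""
    text = csv_bytes.decode("utf-8-sig")
    rows = []
    for record in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": record["User email"].strip().lower(),  # aliases compare case-insensitively
            "source": record["Source"].strip(),
            "events": int(record["Events"]),
        })
    return rows


def local_part(email):
    """Everything before the '@', lower-cased; the heuristic match key used below."""
    return email.split("@", 1)[0].lower()


def reconcile(export_rows, code42_users):
    """Sort each unmatched cloud alias into one of the two manual resolution options:
    'add_alias' when a Code42 user (or one of their existing aliases) shares the local part,
    'create_user' when nothing in Code42 resembles the alias."""
    by_local = {}
    for primary, aliases in code42_users.items():
        by_local.setdefault(local_part(primary), primary)
        for alias in aliases:
            by_local.setdefault(local_part(alias), primary)

    plan = {"add_alias": [], "create_user": []}
    for row in export_rows:
        match = by_local.get(local_part(row["email"]))
        if match:
            # (cloud alias, Code42 user to attach it to, event count at stake)
            plan["add_alias"].append((row["email"], match, row["events"]))
        else:
            # (cloud alias, source connector, event count) for a user to create manually
            plan["create_user"].append((row["email"], row["source"], row["events"]))
    return plan


if __name__ == "__main__":
    plan = reconcile(load_export(SAMPLE_EXPORT_CSV), CODE42_USERS)
    for alias, user, events in plan["add_alias"]:
        print(f"add alias {alias} to {user} ({events} events)")
    for alias, source, events in plan["create_user"]:
        print(f"create user for {alias} seen in {source} ({events} events)")
```

Event counts are carried through so that aliases with the most unattributed activity can be handled first; an alias such as the constructed service account, which matches nobody, is the kind of entry that needs a decision about whether it belongs to a person at all before a user is created for it.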