
Applies to: Incydr Professional, Enterprise, Horizon, and Gov F2: yes. Incydr Basic, Advanced, and Gov F1: yes. Instructor: no.


Review Alerts reference

Overview

Code42 Alerts let you know when important data may be leaving your company. Use the Review Alerts table to view or dismiss alert notifications, add notes to a notification, and select the status of any associated investigation.

This article is a reference guide with detailed descriptions of the notifications in the Review Alerts table. For more information on how to work with alerts, see View and manage alert notifications. Use the Manage Rules table to view or update the different alert rules you have in your Code42 environment that trigger these notifications. For information about alert rules and their components, see Manage Rules reference. For information on creating and configuring alert rules, see Create and manage alert rules.

Considerations

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

Review Alerts

Alert notifications are listed in the Review Alerts table when activity matching the settings defined in alert rules is detected. To view the table, in the Code42 console select Alerts > Review Alerts.

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Alerts older than your retention period are unavailable
Alert notifications that are older than your product plan's event data retention period are removed from the Review Alerts list and are unavailable. To save any alert notifications prior to the end of the retention period, use the Code42 API to export alert notification details to an external file or your security information and event management (SIEM) tool. See the Code42 Developer's Portal for more information on the Code42 API.

Review Alerts list

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, URL paths, or Slack workspaces you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events.
Item Description
a Trust settings

Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings.


Code42 excludes trusted file activity from appearing on dashboards, watchlists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.

b Risk settings

Click to open Risk settings, from which you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference.

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

c Filter Filters the Review Alerts list by the criteria you select. For more information, see Filter alerts below.
d Filtered by The filters that are currently applied to the Review Alerts list. Click the X to remove that filter. Remove all filters to view all alerts.
e Select all

Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once.

You cannot add notes when you use select all.

f Risk severity

The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

If the risk severity is unknown, an unknown-severity indicator appears in this column.

For more information about risk indicators, see Risk settings reference.

g Rule name Name entered for the rule that generated the alert.
h Alert generated Date and time the alert was generated.
i Column sort Sort column icon Click the column header to sort results by this column in ascending or descending order. 
j Username/Actor The Code42 username or the cloud alias associated with the file events that generated the alert.
k Status

The status of the alert: Open, In progress, Pending response, and Dismissed.

Statuses indicate the alert's current state and identify any specific stages of an investigation into that notification.

l Dismiss Dismiss notification icon or Reopen alert Reopen notification icon

Opens a menu to dismiss or reopen the current alert. You can also choose to add a note to the alert before you dismiss or reopen it.

  • Select Dismiss or Dismiss with note to remove this individual alert from the list of open alerts. This also dismisses the notification for any teammates. To stop all alerts for this specific activity, click Manage Rules and disable the alert rule.
  • Select Reopen or Reopen with note to add this alert back to the list of open alerts on the Review Alerts tab.
m View detail View detail icon Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.
n Rows per page Select the number of alerts to display on each page.
o Pagination Click the right and left arrows to scroll through pages of alerts.

Filter alerts

To filter the alerts listed on Review Alerts, click Filter and select the criteria to use. When you click Apply, alerts that match all filters appear in the list.

Any filters that are applied are shown above the Review Alerts list. Click the X on a filter to remove that filter. 

Filter alert notifications

Item Description
a Status

Filters the list by status:

  • Open: Alerts that have not yet been investigated.
  • In progress: Alerts for which an investigation is underway.
  • Pending response: Alerts for which a response is forthcoming.
  • Dismissed: Alerts that have been closed.
  • Any: Alerts with any of these statuses.
b Date range

Filters the list by date range: alerts triggered in the last 24 hours, 7 days, or 30 days. Select Custom to enter the start and end dates to filter by, or select All dates to view all alerts that have been triggered.

The Custom and All dates filters show only the notifications that have occurred within your product plan's event data retention period (30, 90, or 180 days), even if you enter a custom date that is outside that window.  

c Risk severity

Filters the list by risk severity: shows alerts with Critical, High, Moderate, or Low risk scores, or alerts with any risk severity. 

Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

d Username or actor

Filters the list to show only file events associated with a specific Code42 username or cloud alias (actor).

e Rule name Filters the list to show only alerts associated with a specific rule name.
f Cancel / Apply Click Apply to apply the selected filter criteria to the list and display only the alerts that match those criteria. To return to the list without applying any filters, click Cancel.

Alert details

For any alert listed on Review Alerts, click View detail to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.

The Alert details view is divided into several sections:

  • Actions that you can take on the alert (such as investigating it in Forensic Search or emailing the user about the questionable activity) appear at the top.
  • The Overview lists general information about the alert, such as the rule and user that generated the alert, a summary of the activity that generated the alert, the timeframe in which the activity occurred, and the number of files involved in the endpoint or cloud activity.
  • The events and details sections at the bottom of the notification give more information about the specific events and files involved in the activity. These details describe the type of activity that generated the alert, identify the specific files involved in the activity and list the associated risk scores, and display additional information captured when the activity was detected.

Alert details with annotations

Item Description
a Alert ID The unique identifier for the alert notification. Click Copy link to copy the link to the alert notification in the Code42 console so that you can share it with others for further investigation.
b Investigate in Forensic Search

Click to view these file events in Forensic Search.

If multiple event types are involved in the activity that generated the alert, select the type of events you want to view in Forensic Search from the menu that appears:

  • Investigate download events
  • Investigate external device events
  • Investigate browser and app upload events
  • Investigate cloud sync events
  • Investigate cloud sharing events
  • Investigate external email sharing events
  • Investigate Git events
c Dismiss alert or Reopen alert For an open alert, click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates.

For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.

d Actions

Click the Actions menu and do one of the following:

  • Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships.
  • In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it.
  • Select Send user an Instructor lesson to send a lesson to the user.
  • Select a custom action.
    • Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls.
    • Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role.
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example:
Overview
e Rule name

The name of the rule that generated the alert.

Either the description entered for the rule or a brief description of the rule settings that triggered the alert is listed under the rule name for your reference.

Click View rule Edit icon to view and edit the rule that triggered this alert.

f Instructor lesson Details about the Code42 Instructor lesson automatically sent when the alert was triggered. Click View Instructor lessons to open Code42 Instructor and view lessons.
g Status

The status of the alert: Open, In progress, Pending response, and Dismissed.

Statuses provide more context about what's happening with an alert or record specific stages of an alert's investigation.

Code42 automatically saves and displays the user name of the last person to update the alert's status, along with the date and time the status was changed.

h Notes

Any notes that have been entered for the alert.

  • Click Add note to add a note to the alert, then enter the note and click Save.
  • To edit an existing note, click Edit Notes Edit icon, then update the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited.
  • The Notes panel displays only a few lines of the note by default. To view long notes, click Expand note. Click Collapse note when you finish to display the rest of the alert details.
i Risk severity

The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For events with an unknown risk severity, this row does not appear.

For more information about risk severities and indicators, see Risk settings reference.

j Risk summary

A brief summary of the risk indicators that contributed to the event's risk severity. For more information about risk severities and indicators, see Risk settings reference.

This summary condenses detected events for a given severity. For example, the summary could indicate that there are 6 moderate events that include 6 file mismatches, 3 events from Slack, 3 remote activity events, and 3 events from Box. This means that 6 file mismatches were detected and 3 of them occurred on Slack and 3 on Box. Of those 6 file mismatches, 3 occurred on IP addresses that are not in-network. Use Forensic Search to identify the specific file events that are condensed into this summary.

For events with an unknown risk severity, this row does not appear.

k Username or Actor

The Code42 username or the cloud alias associated with the file events that triggered the alert. If the user is included on any watchlists, that indicator appears for reference.

View profile appears when either:

  • A Code42 username is associated with the event.
  • The actor's cloud alias is associated with a Code42 username in the User Profile.

Click to view the User Profile for that user.
View profile appears only when allowed by your Code42 product plan and role permissions.

l Time range of events

Displays the time period in which the file activity occurred.

  • The time frame starts when the file activity begins.
  • An alert is sent five minutes after the rule's threshold is exceeded. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, an employee starts moving files at 10:42 a.m. and exceeds the rule's settings at 10:55 a.m. An alert is sent to you five minutes later at 11:00 a.m. with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.
m File total The total number and size of files involved in the suspected exposure. 
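A small model of this timing, added here as an example rather than Code42's own logic: it assumes a hypothetical rule that is exceeded once more than a set number of files have moved, and that the alert's severity is the highest file severity involved. It shows why an alert's file total can differ from the rule threshold, and why files moved after the send time are not in the totals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_DELAY = timedelta(minutes=5)  # delay described in the Time range of events row

# Severity bands listed on this page, checked from highest to lowest.
SEVERITY_BANDS = [(9, "Critical"), (7, "High"), (4, "Moderate"), (1, "Low")]


@dataclass
class FileEvent:
    timestamp: datetime
    filename: str
    size_bytes: int
    risk_score: int  # assumed to be the score derived from Risk settings


def severity(score: int) -> str:
    """Map a risk score to the severity band it falls in."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "No risk indicated"


def simulate_alert(events, file_threshold: int):
    """Model when an alert fires and what it totals.

    Hypothetical rule: exceeded once more than file_threshold files have moved.
    The alert is sent ALERT_DELAY later and combines every event from the first
    one up to the send time; files moved after that are not in its totals.
    Returns None if the threshold is never exceeded.
    """
    events = sorted(events, key=lambda e: e.timestamp)
    exceeded_at = next(
        (e.timestamp for i, e in enumerate(events, 1) if i > file_threshold), None
    )
    if exceeded_at is None:
        return None
    send_time = exceeded_at + ALERT_DELAY
    included = [e for e in events if e.timestamp <= send_time]
    return {
        "start": events[0].timestamp,
        "send_time": send_time,
        "file_count": len(included),
        "total_bytes": sum(e.size_bytes for e in included),
        # Assumption: the alert's severity is the highest file severity involved.
        "severity": severity(max(e.risk_score for e in included)),
    }


# Constructed sample: the page's 10:42 / 10:55 / 11:00 scenario, plus one file
# moved at 11:05, after the alert was already sent.
SAMPLE_EVENTS = [
    FileEvent(datetime(2024, 1, 1, 10, 42), "q3-forecast.xlsx", 2_000_000, 8),
    FileEvent(datetime(2024, 1, 1, 10, 50), "customers.csv", 5_000_000, 9),
    FileEvent(datetime(2024, 1, 1, 10, 55), "notes.txt", 1_000, 2),
    FileEvent(datetime(2024, 1, 1, 10, 58), "roadmap.pptx", 3_000_000, 7),
    FileEvent(datetime(2024, 1, 1, 11, 5), "late.pdf", 500_000, 4),
]
```

With a threshold of 2 files, the third file at 10:55 exceeds the rule, the alert is sent at 11:00 and covers four files; the 11:05 file is left for the next alert.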
-- Endpoint IP addresses (not shown in example)

The public IP address of the endpoint involved in the file activity. If the IP address was not collected, this row does not appear.

Remote activity highlights file activity by IP addresses that are not listed as an in-network IP address in Administration > Environment > Data Preferences.

Endpoint IP addresses are listed only for endpoint events.

-- Cloud sharing (not shown in example)

The domains (such as "example.com") and email addresses (such as "first.lastname@example.com") that a file has been shared with that are outside of the domains you trust.

Cloud sharing details are listed only for cloud events.

Microsoft OneDrive does not provide email addresses to Code42. Therefore, email addresses that are outside of the domains you trust cannot be listed here for files shared in OneDrive.

Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.

Event and file details
n Event type

The type of activity that generated the alert:

  • Download events: A file was downloaded from a corporate business service (such as Salesforce) to a device that is not monitored by Incydr.

    If a file is downloaded to an endpoint that is monitored by Incydr, this is considered trusted activity and is filtered out of this list.

  • External device events: A file was saved to an external device, such as an external drive or memory card.
  • Browser and app upload events: A file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
  • Cloud sync events: A file was saved in a folder on the endpoint that is commonly used to sync with one of these personal cloud storage services:
    • Apple iCloud
    • Box
    • Box Drive
    • Dropbox
    • Google for Desktop (requires Code42 agent version 1.4.0 or later)
    • Microsoft OneDrive
  • Cloud sharing events: The sharing permissions were changed for a file saved in one of your organization's corporate cloud storage drives.
  • External email sharing: A file was emailed as an attachment from your corporate email service (such as Gmail or Microsoft Office 365).
  • Git events: A file was uploaded (or "pushed") to a Git source code repository.

Each event type detected is listed, along with details about the files involved in that event. Specific files may be listed in multiple event types when they are involved in those activities.

o Filename/Details

The filename involved in the activity, along with details about the risk indicators that contributed to its risk severity and risk score.

Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

When available, additional details about the event are listed. These details vary depending on the event type, but can include:

  • The URL and active tab title involved in the activity
  • The email addresses the file was shared with
  • The email recipients that received the file as an attachment
  • The vendor of the removable media to which files were moved
  • The uniform resource identifier (URI) of the source code repository to which files were uploaded
  • The file location on the endpoint
  • The username signed into the device

For more information about the details displayed here, see File event metadata reference.

Click Investigate in Forensic Search to view these files in Forensic Search.

p Investigate events in Forensic Search

Click to see these files in Forensic Search.

If a number of different event types are involved in the activity that generated the alert, this link appears at the bottom of each section to open those file events in Forensic Search.
