Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.
Not an Incydr customer? For CrashPlan articles, search or browse.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Review Alerts reference

Overview

Code42 Alerts let you know when important data may be leaving your company. Use the Review Alerts table to view or dismiss alert notifications, add notes to a notification, and select the status of any associated investigation.

This article is a reference guide with detailed descriptions of the notifications in the Review Alerts table. For more information on how to work with alerts, see View and manage alert notifications. Use the Manage Rules table to view or update the different alert rules you have in your Code42 environment that trigger these notifications. For information about alert rules and their components, see Manage Rules reference. For information on creating and configuring alert rules, see Create and manage alert rules.

Considerations

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Review Alerts

Alert notifications are listed in the Review Alerts table when activity matching the settings defined in alert rules is detected. To view the table, in the Code42 console select Alerts > Review Alerts.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, URL paths, or Slack workspaces you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events.

Review Alerts list

Item Description
a Trust settings

Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings.


Code42 excludes trusted file activity from appearing on dashboards, detection lists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.

b Risk settings

Click to open Risk settings, from which you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference.
 

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

c Filter Filters the Review Alerts list by the criteria you select. For more information, see Filter alerts below.
d Filtered by The filters that are currently applied to the Review Alerts list. Click the X to remove that filter. Remove all filters to view all alerts.
e Select all

Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once.

 

You cannot add notes when you use select all.

f Risk severity

The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

If the risk severity is unknown, appears in this column.

 

For more information about risk indicators, see Risk settings reference.

g Rule name Name entered for the rule that generated the alert.
h Alert generated Date and time the alert was generated.
i Column sort Sort column icon Click the column header to sort results by this column in ascending or descending order. 
j Username/Actor The Code42 username or the cloud alias associated with the file events that generated the alert.
k Status

The status of the alert: Open, In progress, Pending response, and Dismissed.

 

Statuses indicate the alert's current state and identify any specific stages of an investigation into that notification.

l Dismiss Dismiss notification icon or Reopen alert Reopen notification icon

Opens a menu to dismiss or reopen the current alert. You can also choose to add a note to the alert before you dismiss or reopen it.

  • Select Dismiss or Dismiss with note to remove this individual alert from the list of open alerts. This also dismisses the notification for any teammates. To stop all alerts for this specific activity, click Manage Rules and disable the alert rule.
  • Select Reopen or Reopen with note to add this alert back to the list of open alerts on the Review Alerts tab.
m View detail View detail icon Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.
n Default alert indicator Identifies alert notifications generated by default alert rules from the Departing Employees list or High Risk Employees list.
o Rows per page Select the number of alerts to display on each page.
p Pagination Click the right and left arrows to scroll through pages of alerts.

Filter alerts

To filter the alerts listed on Review Alerts, click Filter and select the criteria to use. When you click Apply, alerts that match all filters appear in the list.

Any filters that are applied are shown above the Review Alerts list. Click the X on a filter to remove that filter. 

Filter alert notifications

Item Description
a Status

Filters the list by status:

  • Open: Alerts that have not yet been investigated.
  • In progress: Alerts for which an investigation is underway.
  • Pending response: Alerts for which a response is forthcoming.
  • Dismissed: Alerts that have been closed.
  • Any: Alerts with any of these statuses.
b Date range Filters the list by the selected date range: alerts triggered in the last 24 hours, 7 days, 30 days, or select Custom and enter the start and end dates to use to filter alerts. You can also select All dates to view all alerts that have been triggered.
c Risk severity

Filters the list by risk severity: shows alerts with Critical, High, Moderate, or Low risk scores, or alerts with any risk severity. 

Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

d Username or actor

Filters the list to show only file events associated with a specific Code42 username or cloud alias (actor).

e Rule name Filters the list to show only alerts associated with a specific rule name.
f Cancel / Apply Click Apply to apply the selected filter criteria to the list and display only the alerts that match that criteria. To return to the list without applying any filters, click Cancel.

Alert details

For any alert listed on Review Alerts, click View detail View details icon to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.

The Alert details is divided into several sections:

  • Actions that you can take on the alert (such as investigating it in Forensic Search or emailing the user about the questionable activity) appear at the top.
  • The Overview lists general information about the alert, such as the rule and user that generated the alert, a summary of the activity that generated the alert, the timeframe in which the activity occurred, and the number of files involved in the endpoint or cloud activity.
  • The events and details sections at the bottom of the notification give more information about the specific events and files involved in the activity. These details describe the type of activity that generated the alert, identify the specific files involved in the activity and list the associated risk scores, and display additional information captured when the activity was detected.

Alert details

Item Description
a Alert ID The unique identifier for the alert notification. Click Copy link   to copy the link to the alert notification in the Code42 console so that you can share it with others for further investigation.
b Investigate in Forensic Search

Click to view these file events in Forensic Search.

If multiple event types are involved in the activity that generated the alert, select the type of events you want to view in Forensic Search from the menu that appears:

  • Investigate download events
  • Investigate external device events
  • Investigate browser and app upload events
  • Investigate cloud sync events
  • Investigate cloud sharing events
c Send email Click to open an email template requesting more information from the user about this activity. You can customize the template as needed before sending it to the user.
d Dismiss alert or Reopen alert

For an open alert, click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates.

 

For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.

Overview
e Rule name

The name of the rule that generated the alert.

 

Either the description entered for the rule or a brief description of the rule settings that triggered the alert is listed under the rule name for your reference.

 

Click View rule Edit icon to view and edit the rule that triggered this alert.

f Status

The status of the alert: Open, In progress, Pending response, and Dismissed.

 

Statuses provide more context about what's happening with an alert or record specific stages of an alert's investigation.

 

Code42 automatically saves and displays the user name of the last person to update the alert's status, along with the date and time the status was changed.

g Notes

Any notes that have been entered for the alert.

  • Click Add note to add a note to the alert, then enter the note and click Save.
  • To edit an existing note, click Edit Notes Edit icon, then update the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited.
  • The Notes panel displays only a few lines of the note by default. To view long notes, click Expand note. Click Collapse note when you finish to display the rest of the alert details.
h Risk severity

The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For events with an unknown risk severity, this row does not appear.

 

For more information about risk severities and indicators, see Risk settings reference.

i Risk summary

A brief summary of the risk indicators that contributed to the event's risk severity. For more information about risk severities and indicators, see Risk settings reference

 

This summary condenses detected events for a given severity. For example, the summary could indicate that there are 6 moderate events that include 6 file mismatches, 3 events from Slack, 3 remote activity events, and 3 events from Box. This means that 6 file mismatches were detected and 3 of them occurred on Slack and 3 on Box. Of those 6 file mismatches, 3 occurred on IP addresses that are not in-network. Use Forensic Search to identify the specific file events that are condensed into this summary.

 

For events with an unknown risk severity, this row does not appear.

j Username or Actor

The Code42 username or the cloud alias associated with the file events that triggered the alert. If the user is included on either the Departing Employees list or High Risk Employees list, that indicator appears for reference.

 

View profile View profile appears when either:

  • A Code42 username is associated with the event.
  • The actor's cloud alias is associated with a Code42 username in the User Profile.

Click to view the User Profile for that user.
View profile appears only when allowed by your Code42 product plan and role permissions.

k Time range of events

Displays the time period in which the file activity occurred.

  • The time frame starts when the file activity begins. 
  • An alert is sent five minutes after the activity monitored by the rule is exceeded. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, an employee starts moving files at 10:42 a.m. and exceeds the rule's settings at 10:55 a.m. An alert is sent to you five minutes later at 11:00 a.m. with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.
l File total The total number and size of files involved in the suspected exposure. 
m Endpoint IP addresses

The public IP address of the endpoint involved in the file activity. If the IP address was not collected, this row does not appear.

 

Remote activity highlights file activity by IP addresses that are not listed as an in-network IP address in Administration > Environment > Data Preferences.

 

Endpoint IP addresses are listed only for endpoint events.

--

Cloud sharing

 

(not shown in example)

The domains (such as "example.com") and email addresses (such as "first.lastname@example.com") that a file has been shared with that are outside of the domains you trust

 

Cloud sharing details are listed only for cloud events.

 

Microsoft OneDrive does not provide email addresses to Code42. Therefore, email addresses that are outside of the domains you trust cannot be listed here for files shared in OneDrive.

 

Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.

Event and file details
n Event type

The type of activity that generated the alert:

  • Download events: A file was downloaded from a corporate business service (such as Salesforce) to a device that is not monitored by Incydr.

    If a file is downloaded to an endpoint that is monitored by Incydr, this is considered trusted activity and is filtered out of this list.

  • External device events: A file was saved to an external device, such as an external drive or memory card.
  • Browser and app upload events: A file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
  • Cloud sync events: A file was saved in a folder on the endpoint that is commonly used to sync with one of these personal cloud storage services:
    • Apple iCloud
    • Box
    • Box Drive
    • Dropbox
    • Google Backup and Sync
    • Google Drive
    • Microsoft OneDrive
  • Cloud sharing events: The sharing permissions were changed for a file saved in one of your organization's corporate cloud storage drives.

Each event type detected is listed, along with details about the files involved in that event. Specific files may be listed in multiple event types when they are involved in those activities.

o

Filename/Details

The filename involved in the activity, along with details about the risk indicators that contributed to its risk severity and risk score.

Risk severities are based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

 

When available, additional details about the event (such as the URL and active tab title involved in the activity, or the email addresses the file was shared with) are listed. These details vary depending on the event type, but can include:

  • The URL and active tab title involved in the activity
  • The email addresses the file was shared with
  • The vendor of the removable media to which files were moved
  • The file location on the endpoint
  • The username signed into the device

For more information about the details displayed here, see Forensic Search reference guide.

 

Click Investigate in Forensic Search to view these files in Forensic Search.

p Investigate events in Forensic Search

Click to see these files in Forensic Search.

If a number of different event types are involved in the activity that generated the alert, this link appears at the bottom of each section to open those file events in Forensic Search.

  • Was this article helpful?