Top users by critical activity reference

Overview

Top users by critical activity on the Risk Exposure dashboard shows a prioritized view of the users associated with the most critical and high severity file events. Top users by critical activity only shows events that occurred outside your trusted domains or in unapproved cloud destinations.

The severity of file activity is defined by the risk scores you have set for various risk indicators in your Code42 environment. For more information about risk scores, see Risk settings reference.

To see Top users by critical activity, sign in to the Code42 console and in the upper-left corner click Incydr. Click Incydr to return to the Risk Exposure dashboard at any time.

For more information about the Risk Exposure dashboard, see:

Risk Exposure dashboard reference

Considerations

You must connect Code42 to at least one corporate business, cloud storage, or email service to see this download, file sharing, or attachment activity.
Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
For permissions, licensing, and visibility considerations for the Risk Exposure dashboard, see Risk Exposure dashboard reference.

Top users by critical activity

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Changing the time frame updates all the data you see on the Risk Exposure dashboard and User Profiles.
b	User	Displays a summary of the employee's information, including: Name Department* Title* Watchlists the employee has been added to *Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42. Click the user's name to open their User profile.
c	Critical events	Displays file events with an overall risk score of 9+. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
d	High events	Displays file events with an overall risk score of 6-9. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
e	Risk indicators	Shows the added risks that apply to a user's file events. For more information about risk indicators and their related risk scores, see Risk settings reference. Risk indicators are listed in the following order: Destination risk indicators, alphabetically File risk indicators, alphabetically User risk indicators, alphabetically
f	View details	Click to see more details about the file activity.
g	Watchlist badge	Indicates if the employee is on a watchlist for closer monitoring and shows the name of the watchlist.
h	View all users	Click to see a list of all users in your Code42 environment.

View details

From Top users by critical activity, click View details to see more information about the user's file activity.

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the screen.
b	View profile	Opens the User Profile for the employee.
c	Actions	Click the Actions menu and do one of the following: Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships. In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it. Select Send user an Instructor lesson to send a lesson to the user. Select a custom action. Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls. Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role. Visibility of actions You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example: To add users to watchlists, you must have the Insider Risk Admin role, the Departing Employee Manager role (for the Departing watchlist), or the High Risk Manager role (for all other watchlists). For more information about adding users to watchlists see Manage watchlists. To send Code42 Instructor lessons to users, you must have an Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor and one of these roles: Insider Risk Admin, Insider Risk Analyst, Insider Risk Read Only, or Insider Risk Respond. To access Incydr Flows you must have the Insider Risk Respond role. For more information about Flows, see Introduction to Incydr Flows.
d	User	Displays a summary of the employee's information, including: Name Department* Title* Watchlists the employee has been added to *Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42.
e	Cases	Shows the number of cases with the Open status for which the user has been added as the subject of the case. Click to see the user's cases.
f	Alerts	Shows the number of alerts the user has triggered during the selected time frame that are in the Open, In progress, or Pending response status. Click to see the user's alerts.
g	Notes	Do one of the following: Click Add to add more details to the user's profile. Click Edit to modify existing notes. Notes are limited to 1000 characters.
h	Risk indicator events	Displays counts of each file event severity with associated risk indicators. For more information about risk indicators, see Risk settings reference.
i	Investigate in Forensic Search	Click to see more details about the file events in Forensic Search. Learn more about using Forensic Search.
j	Filter	Click to show filters that allow you to see events based on risk indicator or watchlist. To remove a selected filter, click it again.
k	By risk score	Click to show file events by risk score in descending order.
l	By date observed	Click to show file events by the date the event occurred with latest events on top.
m	View details	Click to view details about the file event. For detailed descriptions of each field, see File event metadata.
n	Filename/Details	Shows filename, risk indicators, risk score, and other details pertaining to the file event. If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search. To view all file events with more detail, click Investigate in Forensic Search .

Overview

Considerations

Top users by critical activity

View details

Related topics