
Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Risk settings reference

Overview

This article explains how individual risk indicators contribute to the overall risk severity of a file event.

Focusing on events with higher risk severity helps you quickly identify the file activity and user behaviors that create the greatest exposure and exfiltration risk potential in your environment.

How it works

Risk scores

Incydr assigns a numerical risk score to specific aspects of a file event. Higher scores denote higher risk severity. Default scores are based on how likely the activity is to increase exfiltration or exposure risk, but you can change any score to better match your specific risk tolerance. For example, by default, Incydr assigns a risk score of 0 to video files (no risk). However, if you run a production studio where video files comprise some of your most important intellectual property, you would likely choose to increase the risk score for video files.

Risk severity

Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

Risk indicators

Risk settings are categorized into three key risk indicator types: User, Destination, and File.

Within each category, there are additional sub-categories to group individual risk indicators.

For example, if a user uploads source code to Dropbox outside their normal hours, that file activity generates an event with three risk indicators, each with its own risk score. Default scores are listed in parentheses:

  1. A User risk indicator for the off hours file activity (+1)
  2. A Destination risk indicator for the Dropbox upload (+5)
  3. A File risk indicator for the heightened risk of source code file activity (+3)

The sum of these three risk indicator scores determines the overall risk severity for this file event.

This context-driven approach of evaluating the combination of user, destination (vector), and file attributes provides a more accurate risk assessment than simply classifying all upload activity as high risk. In this example, the combination of all three risk indicators produces a risk score of 9, which indicates a critical severity event that likely requires immediate follow-up action.

Risk severity only applies to untrusted file activity
File events in locations on your list of trusted activity receive a risk score of 0, even if something that would be considered a risk indicator in a different context is present. For example, uploading a source code file to a trusted location like your corporate domain is not considered an exfiltration or exposure risk.

Risk settings

To access risk settings:

  1. Sign in to the Code42 console. If you are already signed in, click the Incydr logo in the upper left.
    The Risk Exposure dashboard appears.
  2. Select Risk settings.
    Risk settings slide in from the right.
  3. Click the arrow icon next to any risk indicator category to view all risk indicators in that category.
  4. To change a risk score, select a new value. Default values are marked with an asterisk (*).
    The Insider Risk Admin or Insider Risk Analyst roles are required to change scores. The Insider Risk Read Only role can view risk settings, but not make changes.
  5. Click Save.
    Changes may take up to 60 minutes to take effect and only apply to future file activity. File events that occurred before the score changed retain the old value.

List of risk indicator categories

Changing risk scores
  • All risk indicator scoring changes are tracked in the Audit Log.
  • Use caution when selecting a score higher than 7, because it causes every event with that risk indicator to be high or critical severity.
  • To help determine how file events may be affected by changing a score from 0 to a higher value, use Forensic Search to search for events with that risk indicator before changing the score. The results can help you understand how often the behavior occurs and how raising the score would affect the total score for events with multiple risk indicators.
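The scoring model described under How it works (indicator scores summed, mapped to a severity band, and forced to 0 for trusted activity) and the "preview before you change a score" advice above, as an added example that is not Code42's code. The indicator names, trusted domain, and sample events are constructed here; the scores are the article's defaults.

```python
"""Model of Incydr-style risk scoring and a preview of a score change (added example)."""
from collections import Counter

# Default scores taken from the article's worked example; indicator names are placeholders.
DEFAULT_SCORES = {
    "off_hours": 1,             # User indicator
    "cloud_storage_upload": 5,  # Destination indicator
    "source_code": 3,           # File indicator
    "video": 0,                 # File indicator, 0 by default (no risk)
}

TRUSTED_DOMAINS = {"corp.example.com"}  # constructed stand-in for the trusted activity list


def severity(total):
    """Map a summed risk score to the article's severity bands."""
    if total >= 9:
        return "Critical"
    if total >= 7:
        return "High"
    if total >= 4:
        return "Moderate"
    if total >= 1:
        return "Low"
    return "No risk indicated"


def score_event(event, scores=DEFAULT_SCORES, trusted=TRUSTED_DOMAINS):
    """Sum the indicator scores, unless the destination is trusted (then the score is 0)."""
    if event.get("destination") in trusted:
        return 0
    return sum(scores.get(name, 0) for name in event["indicators"])


def impact_of_change(events, indicator, new_score, scores=DEFAULT_SCORES):
    """Count severities of events carrying `indicator` before and after re-scoring it."""
    proposed = {**scores, indicator: new_score}
    before, after = Counter(), Counter()
    for event in events:
        if indicator in event["indicators"]:
            before[severity(score_event(event, scores))] += 1
            after[severity(score_event(event, proposed))] += 1
    return before, after


EVENTS = [  # constructed sample file events
    {"destination": "dropbox.com", "indicators": ["off_hours", "cloud_storage_upload", "source_code"]},
    {"destination": "corp.example.com", "indicators": ["source_code", "cloud_storage_upload"]},
    {"destination": "dropbox.com", "indicators": ["video", "cloud_storage_upload"]},
    {"destination": "box.com", "indicators": ["video"]},
]
```

Running `impact_of_change(EVENTS, "video", 4)` shows why the preview matters: the video-only event moves from no risk to Moderate, but the video upload that also carries a cloud storage indicator jumps straight to Critical.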

User risk indicators

User risk indicators apply risk scores to file events based on user behavior that Incydr detects automatically and on membership in the Departing watchlist.

User behavior
Applies to risky file activity automatically detected by Incydr, including:

  • File mismatch: Files with extensions that do not match the file contents (for example, a file with the .jpg extension that contains source code content). This may indicate an attempt to disguise and exfiltrate data. Learn more about file mismatch.
  • First use of destination: The first time this user was observed uploading to this destination since Incydr monitoring was enabled. If multiple files are uploaded to this destination around the same time, the risk indicator is applied to all related events.
  • Off hours: File activity occurring outside the user's typical active hours. The off hours determination is unique to each user and is based on the user's past patterns of behavior. Learn more about off hours.
  • Rare use of destination: The first time this user uploaded to this destination in the past 90 days. If multiple files are uploaded to this destination around the same time, the risk indicator is applied to all related events.
    This does not include the first time the user uploaded to this destination. First time use is captured by the First use of destination risk indicator.
  • Remote: File activity on IP addresses not included in your list of in-network IP addresses.

Watchlists
Applies to file events for users on the Departing watchlist.

Destination risk indicators

Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded.

Cloud storage uploads
Applies to files uploaded to cloud services via a web browser and, for some cloud services, via the installed desktop app. For example, Box, Dropbox, and Google Drive.

Email uploads
Applies to files uploaded to web-based email services via a browser. For example, Gmail, Outlook, Comcast, and many others.

External devices
Applies to file events on external devices, including file activity on removable media and files sent to other Apple devices via AirDrop.

External sharing
Applies to files shared with:

  • A public link from your corporate cloud service
  • A user outside your trusted domains via your corporate cloud service
  • An email recipient outside your trusted domains via your corporate email

Also applies to files downloaded from corporate cloud tools to endpoints not monitored by Incydr.

Requires configuration of data connections within Incydr.

File conversion tool uploads
Applies to files uploaded to web-based file conversion tools. For example, CloudConvert and TinyPNG.

Messaging uploads
Applies to files uploaded to messaging services. For example, Facebook Messenger, Microsoft Teams, and Slack.

PDF manager uploads
Applies to files uploaded to web-based tools for creating and managing PDFs. For example, Adobe Acrobat and SmallPDF.

Productivity tool uploads
Applies to files uploaded to web-based productivity tools. For example, Evernote, Google Keep, and Trello.

Social media uploads
Applies to files uploaded via a web browser to social media websites. For example, Facebook, LinkedIn, and Twitter.

Source code repository uploads
Applies to files uploaded via a web browser to code repositories. For example, Bitbucket and GitHub.

Web hosting uploads
Applies to files uploaded to web-hosting services. For example, Google Sites and WordPress.

Other uploads
Other destination applies to files where:

  • The destination does not belong to a pre-defined category, but the file event details include metadata (such as the tab title or URL) to help you identify the destination.
  • The event has multiple tab titles or URLs.
  • The event doesn't match an existing risk indicator.

Unknown destination applies to files where destination information is not available. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details.

File risk indicators

File risk indicators apply risk scores to file events based on the type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. Other file categories include Source code, Spreadsheet, and Zip files. For a complete list of file categories and examples of the specific file types in each category, see Incydr file categories.

Other considerations

  • File events with a total risk score of 0 are searchable in Forensic Search, but since no risk is identified, they do not appear on the Risk Exposure dashboard.
  • Incydr began evaluating file events for risk severity on May 13, 2021. File events that occurred before that date have a Risk score of 0 and display a risk severity of Risk undefined.
