User Profile reference

Overview

From the User Profile, you can review the file activity of employees, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See previous file activity

This article describes the information and options in the User Profile.

Considerations

Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings reduces noise by only showing untrusted file events in Incydr security event dashboards, user profiles, and alerts. All file activity is still visible in Forensic Search.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

User Activity functionality varies based on your product plan
The User Profile is only available if your product plan supports it. Depending on your product plan, you may instead see the User Activity page. For more information about User Activity, see User Activity and Activity Notifications reference.

User Profile

To see a user profile from various places in the Code42 console, do the following:

Click View profile
Click a hyperlinked username

User Profile versus Departing Employees or High Risk Employees
If you search for a user that has been added to the Departing Employees or High Risk Employees list, their Departing Employees or High Risk Employees User Profile appears. The Departing Employees list and High Risk Employees list profiles have a blue indicator by the employee name at the top of the page and include additional information such as the employee's departure date, risk factors, and user profile notes.

User profile

Item		Description
a	Risk settings	Click to open the Risk settings where you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information about Risk settings, see the Risk settings reference. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
b	Selected time frame	Shows the time frame the file activity occurred in. Click to change the time frame.
c	Trust settings	Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings. Code42 excludes trusted file activity from appearing on dashboards, detection lists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.
d	User information	Shows various information about the user.
e	File activity by severity	Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges: 9+: Critical 7-8: High 4-6: Moderate 1-3: Low For more information about risk indicators, see Risk settings reference.
f	Destination activity over time	Shows all of the user's file events by where the file was moved to, shared, or sent (destination).
g	File categories	Shows all of the user's file events by groups of file categories.

User information

Displays a summary of the employee's information, including:

Name
Department*
Title*
Location*
Manager*
Employee's Code42 username
Employee's cloud aliases
Departure Date (Departing Employees list only)
Risk Factors (High Risk Employees list only)
User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning. ) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Provision user attributes to Code42.

From User information, you can do the following:

Click Edit to add or remove the user's cloud aliases and profile notes (if available).
- A cloud alias is the username an employee uses to access cloud services such as Google Drive or Box. Adding a cloud alias allows Code42 to link cloud activity with a user's Code42 username, providing you with a more complete view of the user's activity. Limited to one alias.
- Profile notes are limited to 1000 characters.
Click Add to list to add the user to a risk detection list such as the Departing Employees list or High Risk Employees list. You can also click the "x" on a risk detection list badge to remove the user from that list.

File activity by severity

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
b	Severity	Shows the severity of file events. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges: 9+: Critical 7-8: High 4-6: Moderate 1-3: Low For more information about risk indicators, see Risk settings reference.
c	Events	Shows the number of file events and their size.
d	Visual representation of events	Shows a visual representation of the number of critical, high, moderate, and low events.
e	Risk indicators	Lists the risk indicators associated with a file event. Risk indicators are used to calculate the risk score of an event, which determines severity. Risk scores are defined for individual risk indicators in Risk settings.
f	View details	Click to view more information about the file events.

Destination activity over time

Destinations are dynamic
The list of destinations shown is dynamic. Only destinations with file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box corporate data connector is not listed.

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
b	Selected destination	Lists the destination you are viewing.
c	Choose destination	Select a destination to see where the file was sent. Destinations include: AirDrop: Files were sent to a device via AirDrop. The destination category for AirDrop events is listed as "Device" in the Exposure section of Forensic Search. Cloud destinations: The file exists in a folder on the user's device that is used for syncing with a cloud service. Cloud folder sync activity includes activity for: Apple iCloud Box Box Drive Dropbox Google Drive for Desktop (Incydr Professional, Enterprise, and Horizon only, with Code42 app version 1.4.0 or later) Google Backup and Sync (discontinued by Google on Oct. 1, 2021) Microsoft OneDrive Cloud data detectors: The file was shared from your corporate cloud storage with either a direct share or with a public link. Cloud sharing activity includes shares from your corporate Box, Google Drive, and OneDrive and details how the file was shared (for example, public link from corporate Box). You must connect at least one cloud storage environment to Code42 to see cloud destination file activity. Email services: The file was uploaded from an endpoint to email provider via a web browser. Email data detectors: The file was sent from one of the following corporate email services: Gmail Microsoft Office 365 Messaging services: The file was sent via a messaging service. Removable media: The file was moved to an external device such as a USB drive or hard drive. Click View event details to see file activity broken out by removable media device vendor. Salesforce corporate data detector: A report was downloaded from your corporate Salesforce account. You must have connected the Salesforce corporate exfiltration detector to Code42 to see downloads. Social media: The file was uploaded to social media. This does not necessarily mean it's posted publicly. For example, the file could have been sent in a direct message on LinkedIn. Source code repository: The file was uploaded to a location typically used for storing code files. Other: File activity where the destination does not match any of the above destinations, or in the following special cases: Files were opened in an app that is commonly used for uploading files such as FTP client or curl. We cannot determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details. Multiple possibilities appears if the user accessed more than one tab while uploads were in progress. Review the Active tab titles and URLs to identify all possible destinations. Other destination The Other destination does not show the Events bar graph and is shown at the bottom of the list of destinations regardless of sort order.
d	Events	Number of file events associated with the destination for the selected timeframe.
e	Size	Total size of files involved with the file activity.
f	Activity preview	Shows a visual representation of file activity for the selected timeframe.
g	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
h	View event details	Click to view the file events broken down by file category group.

File categories

Item		Description
a	Endpoint activity	Shows file activity that occurred on your employee's devices.
b	Cloud sharing	Shows files shared from your corporate cloud storage with either a direct share or a public link.
c	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Incydr file categories.
d	Events	Displays the count of total file events for a file category group and a visual representation of the number of file events. File events include when files are: Moved to removable media or cloud sync folders Uploaded via a browser or other app Shared publicly or directly from your corporate cloud storage* Sent from your corporate email provider* *Requires Code42 have access to monitor your cloud storage environment and email services. The default sort order is from the highest number of events to the lowest.
e	Size	Displays the total file size of file events for a file category group.
f	Activity preview	Shows a visual representation of file activity for the selected time frame.
g	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
h	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
i	View details	Click to view the details of file events for a file category group.