Overview
From the User Profile, you can review the file activity of an employee, helping you to:
- Quickly identify suspicious file movement
- Review endpoint and cloud services activity
- See previous file activity
This article describes the information and options in the User Profile.
Considerations
- Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
- To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
- To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.
Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.
User Profile
To see a user profile from various places in the Code42 console, do the following:
- Click View profile

- Click a hyperlinked username

Item | Description |
a | Risk settings | |
b | Selected time frame | Shows the time frame the file activity occurred in. Click to change the time frame. |
c | Actions |
Click the Actions menu and do one of the following:
- Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships.
- In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it.
- Select Send user an Instructor lesson to send a lesson to the user.
- Select a custom action.
  - Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls.
  - Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role.
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example:
|
d | User information | Shows various information about the user. |
e | Activity overview |
Shows the following numbers for the selected time frame:
- File events that have a critical severity score. Click to see the user's critical events.
- Cases with the Open status for which the user has been added as the subject of the case. Click to see the user's cases.
- Alerts the user has caused during the selected time frame that are in the Open, In progress, or Pending response status. Click to see the user's alerts.
|
f | File activity by severity |
Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges:
9+: Critical
7-8: High
4-6: Moderate
1-3: Low
For more information about risk indicators, see Risk settings reference.
|
g | Source risk indicator activity | Shows all of the user's file events where the file came from a source likely to contain company data. |
h | Destination risk indicator activity | Shows all of the user's file events by where the file was moved to, shared, or sent (destination risk indicator). |
i | File risk indicator activity | Shows all of the user's file events by file risk indicator. |
User information

Item | Description |
a | User information |
Displays a summary of the employee's information, including:
- Name
- Department*
- Title*
- Location*
*Displays this information if your Code42 environment uses provisioning:
|
b | Watchlists |
Lists the watchlists the user is currently on.
If the user is not yet on a watchlist, click Add to watchlist to add the user to one or more lists for closer monitoring.
If the user is already on a watchlist, click Edit to adjust their watchlist membership. Do one of the following:
- Select existing watchlists to add the user to.
- Click Remove from watchlist to take the user off a watchlist.
- To add the user to a new watchlist:
  - Click Create watchlist.
    A new tab opens.
  - Create the new watchlist.
  - Go back to the User Profile tab and refresh the page.
    The new watchlist is available for you to select.
|
c | Notes | Click Add notes or Edit to add or update the notes on the User Profile. Notes are limited to 1000 characters. |
d | Code42 username |
Lists the user's Code42 username. The Code42 username ties all of this user's endpoint activity to their user profile.
To see cloud activity for a user, see Cloud alias below.
|
e | Start date |
Click Add or Edit to add or update a start date for the user. The start date is used with the New hire watchlist.
Start date filtering
The start date can be used to filter and find all employees that have started at your company in the past 30-90 days. Use this filter to determine if new employees are aware of and following your company's data practices.
|
f | Departure date | Click Add or Edit to add or update a departure date for the user. The departure date is used with the Departing watchlist. |
g | Manager name | Shows the name of the employee's manager if you use provisioning in your Code42 environment. For more information about provisioning, see Provision user attributes to Code42. |
h | Cloud alias |
A cloud alias is the username an employee uses to access cloud services such as Google Drive or Box.
Adding a cloud alias allows Incydr to link a user's cloud activity with their Code42 username (endpoint activity), providing you with a more complete view of the user's activity. You can only add one cloud alias.
Cloud alias and Code42 username match
If a user's cloud alias is the same as their Code42 username, Incydr knows they belong to the same user and you do not need to add it as a separate cloud alias.
|
Source risk indicator activity

Item | Description |
a | Selected time frame | Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. |
b | Filter | Click to filter the graph and events in the table by: |
c | Filtered by | Shows the filters currently applied to the data shown in the graph as well as the data available in the source indicators. Click the "x" on a filter to remove it. |
d | Showing | Lists the source risk indicator you are viewing. |
e | Select source risk indicator | Select a source risk indicator to see where the file was sent and its associated risk. Source risk indicators are applied to file events where the file came from a source likely to contain company data. |
f | Events | Number of file events associated with the risk indicator for the selected time frame. |
g | Size | Total size of files involved with the file activity. |
h | Activity preview | Shows a visual representation of file activity for the selected time frame. |
i | View event details | Click to view more information about the file events. |
Destination risk indicator activity

Destination risk indicators are dynamic
The list of destination risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.
For example, if there is no Box file activity in the selected time frame, or if you have not given Code42 access to your Box environment for monitoring, the Box corporate data connector is not listed.
Item | Description |
a | Selected time frame | Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. |
b | Filter | Click to filter the graph and events in the table by: |
c | Filtered by | Shows the filters currently applied to the data shown in the graph as well as the data available in the destination indicators. Click the "x" on a filter to remove it. |
d | Showing | Lists the destination risk indicator you are viewing. |
e | Select destination risk indicator | Select a destination risk indicator to see where the file was sent and its associated risk. Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded. See the list of destination risk indicators for more details on what types of destinations you may have in your Code42 environment. |
f | Events | Number of file events associated with the destination for the selected time frame. |
g | Size | Total size of files involved with the file activity. |
h | Activity preview | Shows a visual representation of file activity for the selected time frame. |
i | View event details | Click to view more information about the file events. |
File risk indicator activity

File risk indicators are dynamic
The list of file risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.
For example, if there is no untrusted file activity involving source code, that indicator is not listed.
Item | Description |
a | Selected time frame | Shows the time frame in which the file activity occurred. Change the time frame in the upper-right corner of the page. |
b | Filter | Click to filter the graph and events in the table by: |
c | Selected file risk indicator |
Shows the summary of file activity for the following file risk indicators:
- Audio
- Document
- Executable
- Image
- PDF
- Presentation
- Script
- Source Code
- Spreadsheet
- Video
- Virtual Disk Image
- Zip
For more information about file risk indicators, see Risk settings reference.
|
d | File risk indicators | Select a file risk indicator to see its graph. |
e | Events |
Displays the count of total file events for a file risk indicator and a visual representation of the number of file events. File events include when files are:
- Moved to removable media or cloud sync folders
- Uploaded via a browser or other app
- Shared publicly or directly from your corporate cloud storage*
- Sent from your corporate email provider*
*Requires Code42 have access to monitor your cloud storage environment and email services.
The default sort order is from the highest number of events to the lowest.
|
f | Size | Displays the total file size of file events for a file risk indicator. |
g | Activity preview | Shows a visual representation of file activity for the selected time frame. |
h | View details | Click to view the details of file events for a file risk indicator. |