Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

User Profile reference

Overview

From the User Profile, you can review the file activity of an employee, helping you to:

  • Quickly identify suspicious file movement
  • Review endpoint and cloud services activity
  • See previous file activity

This article describes the information and options in the User Profile.

Considerations

  • Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

  • To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.
Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

User Profile

To see a user profile from various places in the Code42 console, do the following:

  • Click View profile View profile
  • Click a hyperlinked username

User Profile

Item Description
a Risk settings

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

b Selected time frame Shows the time frame the file activity occurred in. Click to change the time frame.
c Actions

Click the Actions menu and do one of the following:

  • Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships.
  • In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it.
  • Select Send user an Instructor lesson to send a lesson to the user.
  • Select a custom action.
    • Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls.
    • Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role.
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example:
d Trust settings Trust settings

Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings.


Code42 excludes trusted file activity from appearing on dashboards, watchlists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.

e User information

Shows various information about the user. 

f File activity by severity

Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low

For more information about risk indicators, see Risk settings reference

g Source risk indicator activity Shows all of the user's file events where the file came from a source likely to contain company data.
h Destination risk indicator activity

Shows all of the user's file events by where the file was moved to, shared, or sent (destination risk indicator).

i File risk indicator activity

Shows all of the user's file events by file risk indicator

 

User information

Employee information on the User Profile

Item Description
a User information

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Location*

*Displays this information if your Code42 environment uses provisioning:

b Cases Displays the number of current and past cases for which the user has been added as the subject of the case. Click View to see the user's cases.
c Watchlists

Lists the watchlists the user is currently on. 

 

If the user is not yet on a watchlist, click Add to watchlist to add the user to one or more lists for closer monitoring.

If the user is already on a watchlist, click Edit Click to edit watchlists to adjust their watchlist membership. Do one of the following:

  • Select existing watchlists to add the user to. 
  • Click Remove from watchlist Remove from watchlist to take the user off a watchlist.
  • To add the user to a new watchlist: 
    1. Click Create watchlist.
      A new tab opens.
    2. Create the new watchlist
    3. Go back to the User Profile tab and refresh the page.
      The new watchlist is available for you to select.
d Notes

Click Add notes or Edit Click to edit notes to add or update the notes on the User profile. Notes are limited to 1000 characters. 

e Code42 username Lists the user's Code42 username. The Code42 username ties all of this user's endpoint activity to their user profile. 

To see cloud activity for a user, see Cloud alias below.
f Start date

Click Add or Edit to add or update a start date for the user. The start date is typically used with the New hire watchlist.

Start date filtering
The start date can be used to filter and find all employees that have started at your company in the past 30-90 days. Use this filter to determine if new employees are aware of and following your company's data practices.
g Departure date

Click Add or Edit to add or update a departure date for the user. The departure date is typically used with the Departing watchlist.

Departure date filtering
The departure date is used to filter and find all employees that are leaving your company soon. This date drives the filters shown on the Departing watchlist summary of the Risk Exposure dashboard. 
h Manager name Shows the manager's name of the employee if you use provisioning in your Code42 environment. For more information about provisioning, see Provision user attributes to Code42.
i Cloud alias

A cloud alias is the username an employee uses to access cloud services such as Google Drive or Box.

Adding a cloud alias allows Incydr to link a user's cloud activity with their Code42 username (endpoint activity), providing you with a more complete view of the user's activity. You can only add one cloud alias.

Cloud alias and Code42 username match
If a user's cloud alias is the same as their Code42 username, Incydr knows they belong to the same user and you do not need to add it as a separate cloud alias.

File activity by severity

File activity by file-event severity

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. 

b Severity

Shows the severity of file events. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low

For more information about risk indicators, see Risk settings reference

c Events Shows the number of file events and their size. 
d Visual representation of events Shows a visual representation of the number of critical, high, moderate, and low events. 
e Risk indicators

Lists the risk indicators associated with a file event. Risk indicators are used to calculate the risk score of an event, which determines severity. 

 

Risk scores are defined for individual risk indicators in Risk settings

f View details View details Click to view more information about the file events.

Source risk indicator activity

Source indicator activity graph

 

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. 

b Filter

Click to filter the graph and events in the table by:

c Filtered by Shows the filters currently applied to the data shown in the graph as well as the data available in the source indicators. Click the "x" on a filter to remove it. 
d Showing

Lists the source risk indicator you are viewing.

e

Select source risk indicator

Select a source risk indicator to see where the file was sent and its associated risk. 
 

Source risk indicators are applied to file events where the file came from a source likely to contain company data.

f Events Number of file events associated with the risk indicator for the selected time frame.
g Size Total size of files involved with the file activity.
h Activity preview Shows a visual representation of file activity for the selected time frame.
i View event details View event details Click to view more information about the file events.

Destination risk indicator activity

Destination indicator activity over time graph

Destination risk indicators are dynamic
The list of destination risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box corporate data connector is not listed.

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. 

b Filter

Click to filter the graph and events in the table by:

c Filtered by Shows the filters currently applied to the data shown in the graph as well as the data available in the destination indicators. Click the "x" on a filter to remove it. 
d Showing

Lists the destination risk indicator you are viewing.

e

Select destination risk indicator

Select a destination risk indicator to see where the file was sent and its associated risk. 
 

Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded. See the list of destination risk indicators for more details on what types of destinations you may have in your Code42 environment.

f Events Number of file events associated with the destination for the selected time frame.
g Size Total size of files involved with the file activity.
h Activity preview Shows a visual representation of file activity for the selected time frame.
i View event details View event details Click to view more information about the file events.

File risk indicator activity

File activity by file risk indicator

File risk indicators are dynamic
The list of file risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.

For example, if there is no untrusted file activity involving source code, that indicator is not listed.
 
Item Description
a Selected time frame Shows the time frame in which the file activity occurred. Change the time frame in the upper-right corner of the page. 
b Filter

Click to filter the graph and events in the table by:

c Selected file risk indicator

Shows the summary of file activity for the following file risk indicators:

  • Audio
  • Document
  • Executable
  • Image
  • PDF
  • Presentation
  • Script
  • Source Code
  • Spreadsheet
  • Video
  • Virtual Disk Image
  • Zip

For more information about file risk indicators, see Risk settings reference.

d File risk indicators Select a file risk indicator to see its graph.
e Events

Displays the count of total file events for a file risk indicator and a visual representation of the number of file events. File events include when files are:

  • Moved to removable media or cloud sync folders
  • Uploaded via a browser or other app
  • Shared publicly or directly from your corporate cloud storage*
  • Sent from your corporate email provider*

*Requires Code42 have access to monitor your cloud storage environment and email services.

 

The default sort order is from the highest number of events to the lowest. 

f Size Displays the total file size of file events for a file risk indicator. 
g Activity preview Shows a visual representation of file activity for the selected time frame.
h View details View event details Click to view the details of file events for a file risk indicator.
  • Was this article helpful?