Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.
Not an Incydr customer? For CrashPlan articles, search or browse.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

Code42 Support

Watchlists reference


Employees whose roles, behaviors, and access increase risk to the company can be monitored more closely for concerning file activity with watchlists. Protect data by monitoring high-risk employees such as those who: 

  • Are about to leave the company or have just joined the company and may not be aware of your security practices.
  • Have privileged system access or access to intellectual property and other confidential data.
  • Seem dissatisfied with their jobs (for example, were turned down for a promotion or have teammate conflicts) or have raised concerns about their performance (from a negative review, demotion, or a performance improvement plan).
  • Work remotely, travel frequently and work on a variety of networks, or are temporary contractors.
  • Have poor security awareness as shown by consistently falling for phishing tests, failing security training, or using unsanctioned tools in their jobs.

For more information about how to create or edit a watchlist and how to use them to monitor risky activity in your Code42 environment, see Manage watchlists.


  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Customer Champions.



Item Description
a Navigation pane

Click the expand Click to expand the navigation pane or collapse button Click to collapse the navigation pane to show and hide the watchlists that have been created.

b Actions Shows summary information about the watchlist and provides options to modify it.
c List of users Shows all of the users on the currently selected watchlist, sorted by the highest number of critical-severity file events, then by high-severity file events.

Navigation pane

Navigating watchlists

Item Description
a Expand Click to expand watchlists panel / Collapse Click to collapse watchlists panel

Click the expand or collapse button to show and hide the watchlists that have been created. 

b Add new Click to create a new watchlist.

If you have created all the recommended watchlists and reached the limit of 25 custom watchlists, the Add new button is not visible.
c Watchlists Lists the existing watchlists. Click a watchlist name to see the users on that list and their file activity. 
d Users with critical file activity Shows how many users on that watchlist have critical file activity. Click a watchlist name to see the users on that list and those with critical file activity


Top portion of watchlists

Item Description
a Risk indicator

For the Departing watchlist only, identifies the risk indicator and point value that is added to the file events of any user on this watchlist.


For more information about risk indicators and how they work, see Risk settings reference.

b Trust settings Click to see trust settings

Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings.

Code42 excludes trusted file activity from appearing on dashboards, watchlists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.

c Search Enter a Code42 username to find file activity for a specific employee on the current watchlist. This searches across your entire Code42 environment and includes deactivated users.
d Selected time frame Shows the time frame in which the file activity occurred. Click to change the time frame.
e Add alerts / Edit alerts / View alerts

Click to add or remove alerts from the watchlist:

  • Add alerts (shown if no alerts have yet been added to the watchlist)
  • Edit alerts (shown if alerts have been added)

Click View alerts to see the alerts set up for that watchlist. (If you see View alerts, you do not have the necessary permissions to edit alerts.)

f Add users / Edit users

Click to add users or remove users from the watchlist:

  • Add users (shown if no users have yet been added to the watchlist)
  • Edit users (shown if users have been added)
g Actions Action menu

Delete watchlist: Any users and alerts assigned to the watchlist are removed from the watchlist.

  • Users are removed from the watchlist, but their User profiles still exist in Incydr and they can be added to other watchlists. 
  • If the assigned alerts are not being used elsewhere in Incydr, the alert rule is also deleted from alerts.
  • Any integrations for the watchlist will no longer function.

Edit title and description (custom watchlists only): Click to change the watchlist name or its description. 

h Quick filters Click View users on any of the filters to only see employees in the list with file events of that severity.

List of users

List of all users

Item Description
a User

Shows the name of employee that initiated the file activity, their department*, and title*. 


*Department and title are only shown if your Code42 environment uses provisioning.

b Event severities 

Displays file events with the following ranges of risk scores: 

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event.

c Destination indicators

Risk indicator based on where a file is moved or uploaded.

d File indicators

Risk indicator based on the type of file, as determined by the file extension and file contents.

e User indicators

Risk indicator based on user behavior automatically detected by Incydr and inclusion in high risk user groups, such as departing employees.

—  Departure date / Start date

Lists the dates added when the user was placed on a watchlist. 

  • Departure date: Date the employee is leaving the company (Departing watchlist only)
  • Start date: Date the employee started working at the company (New hire watchlist only)
f Notes Displays any notes added to the User Profile
g Filter

Click to filter the list by:

  • Event severity
  • Departure date or start date (Departing and New hire watchlists only)
  • Risk indicators
  • Username
  • Department (requires provisioning)
  • Watchlists such as contract employees or flight risks. 
h View details View file event details Click to see more details about the user's file activity such as the filename and risk score of their critical and high file events.
i Action menu Action menu

Click to select:

  • View profile: Opens the employee's User Profile where you can view their past file events.
  • View events in search: Opens the employee's file events in Forensic Search where you can see greater detail about the file events.
  • Remove user (available when viewing watchlists): Removes the employee from the watchlist and any associated alerts.

View details

From the list of users, click View event details View details to see more information about a user's file activity. 

View details about a user's file activity

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the screen. 

b Actions

Do one of the following:

  • Click and select Add to watchlists to add the user to one or more watchlists for closer monitoring.
  • Click and select a custom action.
    • Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls.
    • Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role.
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example: 

To add users to watchlists, you must have the Insider Risk Admin role, the Departing Employee Manager role (for the Departing watchlist), or the High Risk Manager role (for all other watchlists). For more information about adding users to watchlists see Manage watchlists.

To access Incydr Flows you must have the Insider Risk Respond role. For more information about Flows, see Introduction to Incydr Flows
c User

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Watchlists the employee has been added to

*Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42.


View profile View user profile

Opens the User Profile for the employee.
e Cases Displays the number of current and past cases for which the user has been added as the subject of the case. Click View to see the user's cases.
f Notes

Do one of the following:

  • Click Add Click to add notes to add more details to the user's profile.
  • Click Edit Edit user profile notes to modify existing notes.

Notes are limited to 1000 characters.

g Risk indicator events

Displays counts of each file event severity with associated risk indicators.


For more information about risk indicators, see Risk settings reference.

h Investigate in Forensic Search Investigate in Forensic Search Click to see more details about the file events in Forensic Search. Learn more about using Forensic Search.
i Filter Click to show filters that allow you to see events based on risk indicator or watchlist. To remove a selected filter, click it again. 
j By risk score Click to show file events by risk score in descending order.
k By date observed Click to show file events by the date the event occurred with latest events on top.
l View details Click to view details Click to view details about the file event. For detailed descriptions of each field, see File event metadata.
m Filename/Details

Shows filename, risk indicators, risk score, and other details pertaining to the file event.


If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search.

To view all file events with more detail, click Investigate in Forensic Search Investigate in Forensic Search.

  • Was this article helpful?