Skip to main content

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Detect and respond to insider risks


Code42 helps you identify insider risks and secures your data from threats by:

  • Continuously monitoring endpoint and cloud file activity to detect risk
  • Highlighting suspicious and anomalous behavior
  • Capturing comprehensive file metadata as well as the file contents

This visibility into endpoint and cloud file activity helps you quickly detect and respond to both malicious and unintentional activity that threatens your intellectual property, sensitive data, and overall security.  

This article provides best practices for detecting and responding to insider risks.


  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Technical Support Engineers.

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

Part 1: Capture file activity

Step 1: Confirm endpoint data collection settings 

To ensure you capture file activity for all detection types, review your endpoint data collection settings:

  1. Sign in to the Code42 console
  2. Select Administration > Environment > Organizations.
  3. View details of the parent organization at the top of the hierarchy:
    1. Click View organization details View details.
    2. Select Endpoint Data Collection.
      (Labeled as Insider Risk for Incydr Basic, Advanced, and Gov F1) 
  4. Verify the organization does not inherit settings from the parent organization. If necessary, click Edit Edit settings and deselect Inherit settings from parent organization.
  5. Verify all detection types (Removable media, Cloud sync applications, Browser and other application activityPrinters, and All file activity) are selected.
  6. Click Save.

Step 2: Set up alerts to notify you about suspicious file activity

Alerts enable you to define specific file activity behaviors and thresholds that trigger an alert. Alerts can be sent as emails, appear on dashboards, or both. For example, you could create an alert that emails you every time a user transfers a certain number of files to removable media or to a cloud sync folder.

To customize alert criteria for your Code42 environment:

  1. Sign in to the Code42 console
  2. Select Alerts > Manage Rules.
  3. Select Create rule.
  4. Define the rule criteria. For a detailed explanation of all options, see Create and manage alert rules.

Step 3: Monitor higher-risk employees

Watchlists provide comprehensive insight into file activity of employees you identify as a risk (for example, departing employees, users with elevated permissions, access to sensitive data, on a performance improvement plan, etc.). The User Activity > Watchlists section of the Code42 console enables you to:

  • Quickly identify suspicious file activity of high-risk employees
  • Assign employees to one or more watchlists to provide more context for investigations
  • Assign customized alerts to each watchlist to be notified of activity you define as critical
  • Easily review both endpoint and cloud sync file activity

To start monitoring higher-risk employees:

  1. Sign in to the Code42 console
  2. Select User Activity > Watchlists.
  3. If no watchlists exist, create a watchlist. For more information about how to create a watchlist, see Manage watchlists.
  4. Click Add users to place users on an existing watchlist.
  5. Enter any pertinent information about the user such as departure or start dates.
  6. Click Save.

Step 4: Define trusted activity to reduce file event volume

Data Preferences settings enable you to define domains, Slack workspaces, and IP addresses you trust, which helps focus your investigations on file activity that may be a higher risk. Trusted activity is excluded from dashboards, user profiles, and alerts, but is still searchable in Forensic Search.

To add trusted activity:

  1. Sign in to the Code42 console
  2. Select Administration > Environment > Data Preferences.
  3. On the Trusted activity tab, click Add trusted activity to define domains, URLs, Slack workspaces, cloud accounts, and Git repositories you trust.
  4. On the IP addresses tab, click Add IP address to define your in-network IP addresses.

See Data Connections reference for more details.

Step 5: Add cloud data connections to reduce file event volume

Adding data connections authorizes Code42 to collect information from cloud services (for example, Google Drive, Microsoft OneDrive, or Box). Additionally, Incydr uses these connections to identify file activity that occurs in any untrusted cloud destinations.

Once connected, all file activity in these sources is searchable in Forensic Search. However, only untrusted activity is shown on Incydr dashboards, user profiles, and alerts.

See Introduction to adding data connections for specific instructions for each data source.

Step 6: Define file backup policies

(Does not apply to Incydr Professional, Enterprise, Horizon, and Gov F2)

File backup is an important part of insider risk detection and response because it enables you to easily review the actual file contents during investigations of suspicious activity. As long as a file is backed up, it's available for download any time, even if the device that backed up the file is offline. For detailed instructions on what to back up, see Considerations for defining your backup policies.

Step 7: Configure third-party integrations (optional)

Code42 offers a variety of tools to leverage our insider risk features and data in other systems, including:

  • The Code42 API, Python SDK, and command-line interface (CLI)
  • Third-party integrations with SOAR and SIEM security analytics tools, including Cortex XSOAR, IBM Resilient, LogRhythm, Sumo Logic, and Splunk.

For more details, see Code42 integrations resources.

Part 2: Review suspicious file activity

The Code42 console offers a wide variety of options to help you quickly identify suspicious or unexpected file activity. Not all options below apply in all situations, so pick the sections below applicable to your specific circumstances.

Watch the videos below to get an overview of how to use Code42 Incydr to review suspicious file activity. For more videos, visit the Code42 University.

Review the Risk Exposure dashboard

Review the Risk Exposure dashboard for a high-level view of all endpoint and cloud file activity in your Code42 environment that may be putting data at risk. The Risk Exposure dashboard highlights file activity:

  • On removable media
  • Synced to cloud services
  • Read by browsers and other apps (uploads and downloads)
  • In .zip files and other archive formats

From the dashboard, click any data point to drill down to specifics, or investigate further in Forensic Search. 

Review alerts

After you define the specific file activity behaviors and thresholds required to generate an alert, you can view existing alerts to quickly uncover possible insider risks. 

Review watchlists

After creating a watchlist of your higher-risk employees, navigate to User Activity > Watchlists to review those users' file activity. This view shows users on the watchlist based on their critical file activity so that you can easily find risky file activity.

See Watchlists reference for more details.

Review All users list

Use the All users list, navigate to User Activity > All users to review all users across your Code42 environment for critical file activity. This view shows all users based on their critical file activity so that you can easily find risky file activity from users you may not have been closely monitoring.

See All Users reference for more information.

Review specific users

From User Activity > All users, search for specific users to easily review their file activity. Visit their User profile for more details.

See All Users reference for more information.

Perform ad-hoc file activity searches

Forensic Search provides detailed visibility about endpoint and cloud file activity and helps you to quickly answer questions such as:

  • Does any file activity look suspicious?
  • Is there evidence of covering up suspicious file activity?
  • Does an individual have a specific file, or did the individual previously have it?

Forensic Search allows you to see a wide array of file events, including when a file is created, modified, renamed, moved, or deleted. Search results return file events for your entire Code42 environment. File event details provide extensive metadata about the file, and offer the option to download the actual file contents. 

See Forensic Search use cases for specific use cases, or watch the video below for more details.

Part 3: Respond to insider risks

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.

No single response is appropriate for all situations because risk varies greatly based on the files and users involved. Therefore, we focus on giving you the information you need to respond to insider risks quickly and appropriately, which may include automated action, corrective conversation, legal action, engaging other stakeholders in your organization, or anything in-between. 

While not a replacement for your existing response protocols, the following actions can help you respond to insider risks and mitigate threats: 

Download and review file contents

Code42 provides the ability to retrieve files involved in an investigation. Being able to definitively see what content is included in these files can help you determine an appropriate response. You can recover file contents in several ways:

  • Download files from Forensic Search: In many cases, files are available for download from the search results. Links to download it appear in the File > Filename section of an event's details.
  • Restore files from the Code42 console (does not apply to Incydr Professional, Enterprise, Horizon, and Gov F2): Administrators can restore a user's backed up files from any web browser or restore files to any device running the Code42 agent.
  • Collect files from a legal hold (does not apply to Incydr Professional, Enterprise, Horizon, and Gov F2): If the user is already a custodian on legal hold, you can use the Code42 console to collect the files.

Search related risks

With Forensic Search, you can search your entire Code42 environment for other, related risks. For example, if you're responding to a non-sanctioned file share via a cloud service, you can identify other instances of the file in your environment to determine who else might be involved by searching for the file hash (MD5 or SHA256) or the filename.

Create a case to organize the investigation

Use Cases as an efficient way to compile, document, and share details about insider risks. This helps you make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

See Manage cases for more details.

Leverage third-party integrations (optional)

If you have already configured third-party integrations, you may be able to use Code42-specific actions and workflows as part of your response. For example, you can use IBM Resilient to download files from a user's backup, use Splunk Phantom to quarantine a device, or use Cortex XSOAR to block users.

For more details, see Code42 integrations resources.

View Insider Risk Trends in your organization

The Insider Risk Trends dashboard shows how risk in your organization changes over time. The dashboard shows fluctuations in the number of users causing risky file events, the departments that cause the most untrusted events, the types of files involved in exfiltration events, and the vectors by which that untrusted activity occurs.

You can use these trends to identify where to focus controls, training, and engagement to improve your organization's risk profile. For more information, see View Insider Risk Trends for your organization.

Send the user a security training video

If you have Code42 Instructor, send users with minor security issues a training video to remedy the situation. For more information, see Introduction to Code42 Instructor.

Place users on legal hold

(Does not apply to Incydr Professional, Enterprise, Horizon, and Gov F2)

Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify in the preservation policy. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.

Additional help

Contact your Customer Success Manager (CSM) for assistance with:

  • Licensing for specific features
  • Configuring your Code42 environment to best identify insider risks

If you do not know your CSM, please contact our Technical Support Engineers. If you are a new customer, contact our sales team to get started.