Create and manage alert rules

Who is this article for?

Find your product plan in the Code42 console on the Account menu.

Instructor: no.
Incydr Professional, Enterprise, Horizon, and Gov F2: yes.
Incydr Basic, Advanced, and Gov F1: yes.

Overview

This article explains how to configure alert rules using the Manage Rules screen. Alert rules monitor the activity that your organization has identified as risky and define the users to notify when that activity occurs. In a rule, you can also define thresholds and severity to help identify when important data may be leaving your company.

When an alert is created, it appears on the Alerts > Review Alerts screen.

Considerations

Before you begin

Carefully identify the behavior that represents real risks to your organization before creating alert rules. It's tempting to create a rule that monitors (for example) every single file category for all risk severities, but overly broad rules can result in notification overload and too much information to sort through to find the real exfiltration risks.

To craft meaningful and focused rules:

  • Identify what information poses the most risk to your organization. For example, perhaps source code files are your organization's most valuable intellectual property and you want to be alerted any time such files move outside your trusted boundary. Or maybe computer-aided design (CAD) or drafting files are paramount to your company. Review the use cases and examples in Alert rule settings reference and Recommended rules reference for ideas on how to identify your organization's most valuable business data.
  • Use risk settings and severities to identify how important that data is to you. For example, if your business runs on spreadsheets and it's vitally important to know whenever they're shared publicly, you might set up a rule for all spreadsheet files with risk severities of moderate and above.
  • Set up trusted activity to identify the corporate boundaries that facilitate vital collaboration between your employees and business partners. Alert rules only notify you about the activity that takes place outside of these boundaries on untrusted locations that represent real risk to your organization.
  • Remember that Code42 automatically monitors activity on all destinations and exfiltration vectors. Add Destination settings to a rule when you want to filter notifications to activity that occurs on only those selected destinations.

Create a rule

You can create a new rule in several ways: from a template, from scratch, from a watchlist, or by copying and modifying an existing rule.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, URL paths, or Slack workspaces you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events.
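To make the two points above concrete (focused rules produce far fewer notifications than a catch-all, and trusted activity never raises an alert), here is an added stand-alone model of how rule settings filter file events. It is not Code42 code or its API: the event fields, the severity ordering, the trusted-location configuration and the rule shape are assumptions chosen to mirror the behaviour this article describes.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed severity ordering, so "moderate and above" means moderate, high or critical.
SEVERITY_ORDER = ["no risk", "low", "moderate", "high", "critical"]
# Assumed trusted-activity configuration: trusted domains and Slack workspaces.
TRUSTED_DOMAINS = {"corp.example.com"}
TRUSTED_SLACK_WORKSPACES = {"acme-internal"}

@dataclass
class FileEvent:
    file_category: str                  # e.g. "Source code", "Spreadsheet", "CAD"
    severity: str                       # one of SEVERITY_ORDER
    destination: str                    # e.g. "Removable media", "Cloud storage", "Slack"
    domain: Optional[str] = None        # destination domain, where the vector has one
    slack_workspace: Optional[str] = None

@dataclass
class AlertRule:
    """A setting left as None keeps the default: monitor everything for that field."""
    name: str
    file_categories: Optional[set] = None
    min_severity: Optional[str] = None
    destinations: Optional[set] = None  # Destination settings only narrow a rule

    def __post_init__(self):
        # The console requires at least one setting per rule; model that constraint.
        if (self.file_categories, self.min_severity, self.destinations) == (None, None, None):
            raise ValueError("a rule must contain at least one setting")

def is_trusted(ev: FileEvent) -> bool:
    """Trusted activity is still recorded (Forensic Search) but never raises an alert."""
    return ev.domain in TRUSTED_DOMAINS or ev.slack_workspace in TRUSTED_SLACK_WORKSPACES

def rule_matches(rule: AlertRule, ev: FileEvent) -> bool:
    """Each configured setting is a filter; an untrusted event must pass all of them."""
    if is_trusted(ev):
        return False
    if rule.file_categories is not None and ev.file_category not in rule.file_categories:
        return False
    if rule.min_severity is not None and SEVERITY_ORDER.index(ev.severity) < SEVERITY_ORDER.index(rule.min_severity):
        return False
    return rule.destinations is None or ev.destination in rule.destinations

def alert_count(rule: AlertRule, events: list) -> int:
    return sum(rule_matches(rule, ev) for ev in events)

# Constructed sample events (not real telemetry); two of them land on trusted locations.
SAMPLE_EVENTS = [
    FileEvent("Source code", "high", "Removable media"),
    FileEvent("Source code", "low", "Cloud storage", domain="corp.example.com"),
    FileEvent("Spreadsheet", "moderate", "Slack", slack_workspace="acme-internal"),
    FileEvent("Spreadsheet", "critical", "Cloud storage", domain="drive.personal.example"),
    FileEvent("Image", "low", "Cloud storage", domain="photos.example"),
    FileEvent("CAD", "moderate", "Removable media"),
]
# A catch-all rule (noisy) versus the focused rules the article recommends.
BROAD_RULE = AlertRule("All files, any severity", min_severity="no risk")
SOURCE_RULE = AlertRule("Source code leaving trust", file_categories={"Source code"}, min_severity="moderate")
SHEET_RULE = AlertRule("Spreadsheets, moderate and above", file_categories={"Spreadsheet"}, min_severity="moderate")
```

On the six constructed events the catch-all rule fires four times, while each focused rule fires once; the source-code copy to a trusted domain and the spreadsheet shared in the trusted Slack workspace are recorded but never alert.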

Use a template

To get you up and running, Code42 includes a number of pre-configured rule templates that contain recommended settings. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Under Recommended rules, select the template to use as a starting point.
    • If the recommended rule you want to use already appears in the list, click its name.
    • Otherwise, click View all recommendations to view all recommended rules, and then click the rule name.
    After you select the recommended rule to use, the Step 1 of X panel opens and displays the pre-configured settings used in that template.
  4. Review the alert rule settings and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add settings. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. If needed, edit the existing settings to match the behavior you want to alert on.
      • To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.
      • To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
        Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.
    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  5. If you have a Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor, select the lesson to send via Slack or email to users when their risky activity triggers this alert rule. (Optional) Select Dismiss the alert once the lesson is sent, then click Next.
    Click View Instructor lessons to open Code42 Instructor and view more information about the lessons available. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days even if they repeat the risky activity within that timeframe.
  6. Enter the email addresses to use for alert notifications created from this rule, separated by commas. Click Next when you finish.
    When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
  7. Enter the rule name and description. Click Save when you finish to save the new rule.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
  8. Review the rule's settings, actions, and notifications, then close the View rule panel.

Create a rule from scratch

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Click Create Rule.
  4. When the Create rule panel opens, click an alert rule setting to add it to the rule.
  5. Select the options that you want to use for that setting in the rule and then click Save.
    The Step 1 of X panel opens and summarizes the criteria for the new rule.
  6. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add settings. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. If needed, edit the existing settings to match the behavior you want to alert on.
      • To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.
      • To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
        Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.
    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  7. If you have a Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor, select the lesson to send to users via email or Slack when their risky activity triggers this alert rule. (Optional) Select Dismiss the alert once the lesson is sent, then click Next.
    Click View Instructor lessons to open Instructor and view more information about the lessons available. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days even if they repeat the risky activity within that timeframe.
  8. Enter the email addresses to use for alert notifications created from this rule, separated by commas. Click Next when you finish.
    When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
  9. Enter the rule name and description. Click Save when you finish to save the new rule.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
  10. Review the rule's settings, actions, and notifications, then close the View rule panel.

Create a rule for a watchlist

  1. Sign in to the Code42 console.
  2. Go to User Activity > Watchlists.
  3. Click an existing watchlist. You can also add a new one, if needed.
    The watchlist opens.
  4. In the upper-right, click one of the following:
    • If no alerts have yet been added to the watchlist, click Add alerts.
    • If alerts have been added to the watchlist, click Edit alerts.
  5. Do one of the following:
    • Click View to create a rule that contains this watchlist from one of the recommended watchlist alert templates.
    • Click Create new alert to create a rule that uses the other alert rule settings.
    The Create rule: Step 1 of 3 panel opens in a new tab and summarizes the settings used in the new rule.
  6. Review the alert rule settings and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add settings. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. If needed, edit the existing settings to match the behavior you want to alert on.
      • To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.
      • To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
        Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.
    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  7. If you have a Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor, select the lesson to send to users via email or Slack when their risky activity triggers this alert rule. (Optional) Select Dismiss the alert once the lesson is sent, then click Next.
    Click View Instructor lessons to open Instructor and view more information about the lessons available. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days even if they repeat the risky activity within that timeframe.
  8. Enter the email addresses to use for alert notifications created from this rule, separated by commas. Click Next when you finish.
    When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
  9. Enter the rule name and description. Click Save when you finish to save the new rule.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
  10. Review the rule's settings, actions, and notifications, then close the View rule panel.

Copy and modify an existing rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
    The Step 1 of 3 panel opens and summarizes the criteria for the copied rule.
  5. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add settings. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. If needed, edit the existing settings to match the behavior you want to alert on.
      • To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.
      • To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
        Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.
    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  6. If you have a Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor, select the lesson to send to users via email or Slack when their risky activity triggers this alert rule. (Optional) Select Dismiss the alert once the lesson is sent, then click Next.
    Click View Instructor lessons to open Instructor and view more information about the lessons available. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days even if they repeat the risky activity within that timeframe.
  7. Enter the email addresses to use for alert notifications created from this rule, separated by commas. Click Next when you finish.
    When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
  8. Enter the rule name and description. Click Save when you finish to save the new rule.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
  9. Review the rule's settings, actions, and notifications, then close the View rule panel.

Edit a rule

  1. Sign in to the Code42 console.
  2. Select the rule you want to edit.
    • To edit a rule from an alert notification:
      1. Go to Alerts > Review Alerts.
      2. In the list of alerts, select the alert notification to view.
      3. In Alert details, click the View rule link under the rule name.
    • To edit a rule in the Manage Rules table:
      1. Go to Alerts > Manage Rules.
      2. In the list of rules, locate the rule and click View.
    • To edit a rule from a watchlist:
      1. Go to User Activity > Watchlists.
      2. Click the expand button to see all watchlists and then select an existing watchlist. You can also add a new one, if needed.
        The watchlist opens.
      3. In the upper-right, click Edit alerts.
      4. Click Edit next to the assigned alert you want to edit.
        You can also add a rule from another recommended watchlist alert template or create a new alert rule, if needed.
  3. Update the Rule settings, if needed. Click Save when you finish.
    1. To add a new setting to the rule, click Add settings. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. If needed, edit the existing settings to match the behavior you want to alert on.
      • To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.
      • To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
        Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.
    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  4. If you have a Code42 Instructor product plan or an Incydr product plan that includes Code42 Instructor, click Edit under Actions to change the lesson to send to users via email or Slack when their risky activity triggers this alert rule. (Optional) Select Dismiss the alert once the lesson is sent, then click Next.
    Click View Instructor lessons to open Instructor and view more information about the lessons available. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days even if they repeat the risky activity within that timeframe.
  5. Under Notifications, click Edit to update the email addresses for the users the alert notification is sent to, if needed. Click Save when you finish.
  6. To change the name or description, click Actions and select Edit name & description, then make your changes and click Save.
  7. Close the View rule panel.

Disable a rule

Disabling a rule prevents it from alerting you about the suspicious file activity it monitors.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules and locate the rule that you want to disable.
  3. Click the Enable column for that rule to disable it. Click it again to enable that rule.
    The Enable column indicates whether a rule is disabled or enabled.

Delete a rule

Deleting a rule stops those alerts
Deleting a rule stops all alerts for that rule for all users. Any previous alert notifications for the rule remain in the Review Alerts table.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that alert are stopped.