Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.
Not an Incydr customer? For CrashPlan articles, search or browse.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

Create and manage alert rules

Overview

This article explains how to configure alert rules using the Manage Rules screen. Alert rules monitor the activity that your organization has identified as risky and define the users to notify when that activity occurs. In a rule, you can also define thresholds and severity to help identify when important data may be leaving your company.

When an alert is created, it appears on the Alerts > Review Alerts screen. 

Considerations

Create a rule

You can create a new rule in several ways: from a template, from scratch, from a watchlist, or by copying and modifying an existing rule.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, URL paths, or Slack workspaces you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events.

Use a template

To get you up and running, Code42 includes a number of pre-configured rule templates that contain recommended settings. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Under Recommended rules, select the template to use as a starting point.
    • If the recommended rule you want to use already appears in the list, click its name.
    • Otherwise, click View all recommendations to view all recommended rules, and then click the rule name.
    After you select the recommended rule to use, the Step 1 of 3 panel opens and displays the pre-configured settings used in that template.
  4. Review the alert rule settings and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  5. Enter the rule name and description.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Click Next.
  6. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.
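
A conceptual model of the alerting behavior described above (trusted activity never alerts, the settings you add act as filters, email recipients are optional), as an added example that is not Code42 code. The field names, setting names, sample trust list, and the assumption that every configured setting must match are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data; every field and setting name here is hypothetical.
TRUSTED_DOMAINS = {"corp.example.com"}

@dataclass
class Rule:
    name: str
    settings: dict                      # setting name -> set of accepted values
    recipients: list = field(default_factory=list)   # optional email recipients
    enabled: bool = True

    def __post_init__(self):
        if not self.settings:           # each rule must contain at least one setting
            raise ValueError("a rule must contain at least one setting")

def add_rule(rules, rule):
    if any(r.name == rule.name for r in rules):       # rule names must be unique
        raise ValueError(f"rule name already in use: {rule.name}")
    rules.append(rule)

def evaluate(rules, event):
    """Return [(rule name, recipients emailed)] for the alerts one file event raises."""
    # Trusted activity is still recorded elsewhere, but it never raises an alert.
    if event.get("destination_domain") in TRUSTED_DOMAINS:
        return []
    alerts = []
    for rule in rules:
        if not rule.enabled:            # a disabled rule stays listed but is silent
            continue
        # A setting left at its default is absent from rule.settings and so matches
        # everything; each configured setting narrows the match (assumed: all must match).
        if all(event.get(k) in allowed for k, allowed in rule.settings.items()):
            alerts.append((rule.name, list(rule.recipients)))
    return alerts

def demo():
    rules = []
    add_rule(rules, Rule("Source code to cloud",
                         {"file_category": {"SourceCode"}, "exposure": {"CloudUpload"}},
                         ["soc@example.com"]))
    add_rule(rules, Rule("Removable media", {"exposure": {"RemovableMedia"}}))
    events = [
        {"file_category": "SourceCode", "exposure": "CloudUpload", "destination_domain": "files.example.net"},
        {"file_category": "SourceCode", "exposure": "CloudUpload", "destination_domain": "corp.example.com"},
        {"file_category": "Document", "exposure": "RemovableMedia"},   # alert, but no email
        {"file_category": "Document", "exposure": "CloudUpload", "destination_domain": "files.example.net"},
    ]
    return [evaluate(rules, e) for e in events]
```

Calling `demo()` returns one result list per sample event: the second event raises nothing because its destination is trusted, and the third raises an alert with an empty recipient list, which corresponds to an alert that appears only in the Review Alerts table.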

Create a rule from scratch

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Click Create Rule.
  4. When the Create rule panel opens, click an alert rule setting to add it to the rule.
  5. Select the options that you want to use for that setting in the rule and then click Save.
    The Step 1 of 3 panel opens and summarizes the criteria for the new rule.
  6. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  7. Enter the rule name and description.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Click Next.
  8. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Create a rule for a watchlist

  1. Sign in to the Code42 console.
  2. Go to User Activity > Watchlists.
  3. Click the expand button to see all watchlists and then select an existing watchlist. You can also add a new one, if needed.
    The watchlist opens.
  4. In the upper-right, click one of the following:
    • If no alerts have yet been added to the watchlist, click Add alerts.
    • If alerts have been added to the watchlist, click Edit alerts.
  5. Do one of the following:
    • Click View to create a rule that contains this watchlist from one of the recommended watchlist alert templates.
    • Click Create new alert to create a rule that uses the other alert rule settings.
    The Create rule: Step 1 of 3 panel opens and summarizes the settings used in the new rule.
  6. Review the alert rule settings and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  7. Enter the rule name and description.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Click Next.
  8. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Copy and modify an existing rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
    The Step 1 of 3 panel opens and summarizes the criteria for the copied rule.
  5. Review the criteria for the new rule and add more settings as needed. Click Next when you finish.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  6. Enter the rule name and description.
    1. Enter the Rule name.
      Rule names must be unique. Two (or more) rules cannot share the same name.
    2. (Optional) Enter a Description for the rule.
    3. Click Next.
  7. Enter the email addresses to use for alert notifications created from this rule.
    1. (Optional) Enter the email addresses of the recipients to notify, separated by commas.
      When the alert is triggered, Code42 emails these recipients about the file activity. If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.
    2. Click Save.
      The new rule is added to the Manage Rules table.

Edit a rule

  1. Sign in to the Code42 console.
  2. Select the rule you want to edit.
    • To edit a rule from an alert notification:
      1. Go to Alerts > Review Alerts.
      2. In the list of alerts, select the alert notification to view.
      3. In Alert details, click the View rule link under the rule name.
    • To edit a rule in the Manage Rules table:
      1. Go to Alerts > Manage Rules.
      2. In the list of rules, locate the rule and click View.
    • To edit a rule from a watchlist:
      1. Go to User Activity > Watchlists.
      2. Click the expand button to see all watchlists and then select an existing watchlist. You can also add a new one, if needed.
        The watchlist opens.
      3. In the upper-right, click Edit alerts.
      4. Click Edit next to the assigned alert you want to edit.
        You can also add a rule from another recommended watchlist alert template or create a new alert rule, if needed.
  3. Update the rule's details and settings.
    1. To add a new setting to the rule, click Add setting. Click a rule setting name to add it to the rule, then select the options to use for that setting and click Save.
    2. To adjust the existing settings, click Edit and then edit the settings as needed. Click Save to save your changes to the rule.

      To remove a setting from the rule, click Edit. When the settings panel opens, click Restore defaults to remove that setting from the rule.
      Each rule must contain at least one setting. If you remove the last setting from the rule, the Create rule panel opens so that you can select a setting to add to the rule.

    3. By default, Code42 automatically monitors for all file activity, and uses the options you select as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default settings.
      You can edit these settings to add them to the rule with specific options as filters, if needed.
  4. To change the name or description, click Actions and select Edit name & description, then make your changes and click Save.
  5. Close the View rule panel to return to either the Review Alerts or the Manage Rules tables.

Disable a rule

Disabling a rule prevents it from alerting you about the suspicious file activity it monitors.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules and locate the rule that you want to disable.
  3. Click the Enable column for that rule to disable it. Click it again to enable that rule.
    The Enable column indicates whether a rule is disabled or enabled.

Delete a rule

Deleting a rule stops those alerts
Deleting a rule stops all alerts for that rule for all users. Any previous alert notifications for the rule remain in the Review Alerts table.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that alert are stopped. 