Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Create and manage alert rules

Overview

This article explains how to configure alert rules using the Manage Rules screen. Alert rules:

  • Enable you to define the file activity that poses the greatest file exfiltration risk for your organization
  • Notify you when risky activity occurs
  • Integrate with Code42 Instructor, enabling you to automatically send targeted, timely educational content to users in response to risky activity

When an alert is created, it appears on the Alerts > Review Alerts screen. 

Considerations

Before you begin

Carefully identify the behavior that represents real risks to your organization before creating alert rules. For example, while it may be tempting to create a rule that monitors every file category for all risk severities, overly broad rules can result in notification overload and too much information to sort through to find the real exfiltration risks.

To craft meaningful and focused rules:

  • Identify what information poses the most risk to your organization. For example, if source code files are your organization's most valuable intellectual property, you may want to be alerted any time source code is moved to an untrusted location. Review the use cases and examples in Alert rule settings reference and Recommended rules reference for ideas on how to identify your organization's most valuable business data.
  • Use risk settings and severities to identify how important that data is to you. For example, if your business runs on spreadsheets and it's vitally important to know whenever they're shared publicly, you might set up a rule for all spreadsheet files with risk severities of moderate and above.
  • Review your trusted activity settings to ensure they include the locations you trust and the activity that is a normal part of user collaboration. Alerts only notify you about activity not included in your list of trusted activity, as it is more likely to represent real risk to your organization.

Create a rule

You can create a new rule in several ways: from a template, from scratch, from a watchlist, or by copying and modifying an existing rule.

Use a template

To get you up and running, Code42 includes a number of pre-configured rule templates that contain recommended settings. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Under Recommended rules, select a template to use as a starting point. Click View all recommendations for more options.
  4. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Create a rule from scratch

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Click Create Rule.
  4. Select an alert rule setting.
  5. Choose the specific criteria for the rule.
  6. Click Save.
  7. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Create a rule for a watchlist

  1. Sign in to the Code42 console.
  2. Go to User Activity > Watchlists.
  3. Click an existing watchlist. You can also add a new one, if needed.
    The watchlist opens.
  4. In the upper-right, click Edit alerts. (If there are no alerts for this watchlist, click Add alerts.)
  5. Do one of the following: 
    • Click View to create a rule that contains this watchlist from one of the recommended watchlist alert templates.
    • Click Create new alert to create a rule that uses the other alert rule settings.
  6. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Copy and modify an existing rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
  5. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Define rule criteria

  1. In the Create rule panel, review the default Rule settings. Update criteria as needed, then click Next.
    • Click Edit (the pencil-shaped icon) to update the existing criteria.
    • Click Add setting to include additional criteria. See Alert rule settings for more details about each option.
      • Code42 automatically monitors activity on all destinations and exfiltration vectors. Add Destination settings to a rule when you only want to be alerted about activity on specific destinations.
    • To remove a setting, click Edit (the pencil-shaped icon), then select Restore defaults.
    • (Optional) Click Show default settings to further refine which activity generates an alert. For example, by default, any user who performs the defined file activity generates an alert, but you can choose to restrict the alert to specific users.
  2. If your product plan includes Code42 Instructor, select the lesson to send to users when they trigger this alert rule.
    Click View Instructor lessons for more details about each lesson.
    1. Choose how to send the lesson (email, Microsoft Teams, or Slack).
    2. (Optional) Update the send frequency for users who repeat the same activity.
    3. (Optional) Select Dismiss the alert once the lesson is sent to automatically dismiss the alert.
    4. Click Next.
  3. (Optional) Enter a comma-separated list of email addresses to receive alert notifications. Click Next to continue.
    • To ensure you receive alerts, add code42.com to your email server's allowlist.
    • When the alert is triggered, these recipients are emailed about the file activity. If you do not enter any email addresses, no email is sent, but the file activity is visible on the Alerts > Review Alerts screen.
  4. Enter a unique Rule name and an optional description. Click Save to continue.
  5. Review the rule's details. To make changes, click the edit icon. If the details are correct, close the View rule panel.

Edit a rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule and click View. Alternatively:
    • To edit a rule from an alert notification:
      • Go to Alerts > Review Alerts.
      • Select an alert.
        The Alert details appear.
      • From the Rule name, click View rule (the pencil-shaped icon).
    • To edit a rule from a watchlist:
      1. Go to User Activity > Watchlists.
      2. Select a watchlist.
      3. In the upper-right, click Edit alerts.
      4. From the list of Assigned alerts, click Edit (the pencil-shaped icon).
  4. Follow the on-screen instructions to edit the rule. For more details, see Define rule criteria.

Disable a rule

Disabling a rule stops new alerts from being created, but the rule remains available for you to re-enable later.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules and locate the rule that you want to disable.
  3. In the Enable column, click the toggle to disable or enable the rule.
    •   indicates the rule is disabled
    •   indicates the rule is enabled

Delete a rule

Deleting a rule stops all alerts for that rule for all users. Any previous alert notifications for the rule remain in the Review Alerts table.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that alert are stopped. 