
Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.


Identify file activity with increased risk severity

Overview

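Risk severity is highlighted throughout Incydr to show you the file activity with the greatest exposure and exfiltration risk. Locations include the Risk Exposure dashboard, the Insider Risk Trends dashboard, Watchlists, the All Users list, Forensic Search, Cases, and Alerts.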

For more information about how severity is calculated, see Risk settings reference.

Considerations

Risk severity only applies to untrusted file activity
File events in locations on your list of trusted activity receive a risk score of 0, even if something that would be considered a risk indicator in a different context is present. For example, uploading a source code file to a trusted location like your corporate domain is not considered an exfiltration or exposure risk.

The Risk Exposure dashboard

The Top users by critical activity graph on the Risk Exposure dashboard shows a prioritized view of critical and high severity file events for all users.


The Watchlists summary on the Risk Exposure dashboard shows you the number of users with critical activity that are on a watchlist.


To see the Risk Exposure dashboard, sign in to the Code42 console. If you are already signed in, click the Incydr logo in the upper left. For complete details, see Top users by critical activity reference.

The Insider Risk Trends dashboard

The Risk in my environment graph on the Insider Risk Trends dashboard shows how the number of users causing critical and high severity events has fluctuated over time. Use this graph (along with the other graphs on the dashboard) to identify where to focus controls, training, and engagement to improve your organization's risk profile. To access the dashboard, select Dashboards > Insider Risk Trends.


Watchlists

Watchlists show you all the users on your watchlists with any file severity. Use the quick filters at the top of the page to filter the list to show a specific severity. To see watchlists, go to User Activity > Watchlists.


All Users list

The All Users list shows all of the users in your Code42 environment sorted on the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity. To access the All Users list, go to User Activity > All Users.


Forensic Search

Forensic Search provides a Risk severity filter and displays risk scores and severity in the search results. To search file activity with the greatest exposure and exfiltration risk:

  1. Sign in to the Code42 console.
  2. Go to Search > Forensic Search.
  3. Choose a date range.
  4. (Optional) To return only file events with a specific risk score, select the search filter Risk severity. To limit the type of risk, select the search filter Risk indicators.
    1. Select the operator includes any.
    2. Select one or more values.
  5. (Optional) Click the plus icon to add more search criteria.
  6. Click Search.
  7. In the search results, review the Risk score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  8. From the search results, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the Risk score, and lists all applicable Risk indicators.
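The scoring ranges above and the All Users list ordering (critical-severity count first, then high-severity count) can be applied to a list of file events when triaging outside the console. This is an added example, not Code42 code: the field names `user` and `risk_score` and the sample events are constructed, and scores are assumed to be whole numbers.

```python
from collections import Counter, defaultdict

# Score ranges as stated on this page: (lower bound, label), highest band first.
SEVERITY_BANDS = [
    (9, "Critical"),
    (7, "High"),
    (4, "Moderate"),
    (1, "Low"),
    (0, "No risk indicated"),
]

def severity(score):
    """Map a whole-number risk score to the page's severity label."""
    if isinstance(score, bool) or not isinstance(score, int) or score < 0:
        raise ValueError(f"invalid risk score: {score!r}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label

def rank_users(events):
    """Count events per user and severity, then order users by number of
    Critical events, then High events (ties broken by user name)."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev["user"]][severity(ev["risk_score"])] += 1
    return sorted(
        counts.items(),
        key=lambda kv: (-kv[1]["Critical"], -kv[1]["High"], kv[0]),
    )

# Constructed sample events; hypothetical field names, not the Incydr schema.
# A score of 0 is what an event in a trusted location receives.
SAMPLE_EVENTS = [
    {"user": "casey@example.com", "risk_score": 8},
    {"user": "casey@example.com", "risk_score": 8},
    {"user": "casey@example.com", "risk_score": 6},
    {"user": "blake@example.com", "risk_score": 10},
    {"user": "blake@example.com", "risk_score": 3},
    {"user": "avery@example.com", "risk_score": 9},
    {"user": "avery@example.com", "risk_score": 7},
    {"user": "avery@example.com", "risk_score": 0},
    {"user": "devon@example.com", "risk_score": 0},
]

if __name__ == "__main__":
    for user, by_sev in rank_users(SAMPLE_EVENTS):
        print(user, dict(by_sev))
```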


Cases

Cases displays risk scores and severity for each file event in the case. To view risk severity:

  1. Sign in to the Code42 console.
  2. Go to Cases.
  3. From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject.
    The case details appear.
  4. In the File activity section, review the Risk score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  5. From the File activity list, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the Risk score, and lists all applicable Risk indicators.

Alerts

Add the new Risk severity setting to alert rules to be notified when file events with increased risk occur. In turn, notifications and emails generated by rules with this new setting identify those file events and their risk scores.

Alert rule setting

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. From the list of alert rules, select a rule. Or, click Create rule to create a new rule.
  4. Add the Risk severity rule setting.
    • If you're editing an existing rule, click Add setting on the View rule panel, then click Risk severity.
    • If you're creating a new rule, click Risk severity on the Create rule panel.
  5. Select the severity of events that you want to be notified about and click Save.
  6. Complete the rule.
    • If you're editing an existing rule, make any other changes needed and then close the View rule panel to return to the Manage Rules table.
    • If you're creating a new rule:
      1. Click Next.
      2. Enter the rule name and description, select a severity to use to filter and prioritize this rule and its notifications, and then click Next.
      3. Enter the email addresses to use for alert notifications created from this rule, and then click Save.
        The new rule is added to the Manage Rules table.

Alert notifications and emails

When file activity matching an alert rule that contains the new Risk severity setting is detected, the files associated with increased risk are identified in the alert notification and email.

  • Risk severity in the Review Alerts table and in the Overview of the alert notification or email identifies a file event's overall risk severity, which is based on the following ranges:
    • 9+: Critical
    • 7-8: High
    • 4-6: Moderate
    • 1-3: Low
    • 0: No risk indicated
  • Risk summary in the Overview of the alert notification or email quickly summarizes the number of file events associated with each severity and the type of activity that generated those events.
  • Filename/Details and Risk score in the Endpoint events and Cloud sharing events sections of the notification or email identify the filename involved in the event and type of activity that contributed to its risk score. Additional details list the date the file event activity was observed, and other information captured about the event (such as the URL a file was uploaded to or the browser tab that was active during the event).