Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Manage watchlists

Overview

This article explains how to use watchlists to monitor high-risk employees more closely to mitigate insider risk, how to create and delete watchlists, and how to add and remove users from watchlists.

Watchlists help you more closely monitor the file activity of users who may pose a higher risk. For any watchlist, you can build alerts that notify you, based on alert rules, when users on that watchlist require your attention.

For example, sometimes employees are allowed to use removable media to do their jobs. Instead of being alerted when any user in your environment uses a thumb drive, you can add the users whose USB device use concerns you most to the Poor security practices watchlist and define when you want to be alerted of those users' USB usage.

Watchlist types

Several types of watchlists are available: 

Departing

Add employees that are about to leave (or have left) the company to this watchlist. Departing employees often take data with them when they leave and sometimes take data after they have left if their access is not properly revoked. Any new file events that occur while a user is on this list are given the Departing risk indicator and its associated risk score, raising the severity of their file events. 

Contractor

Add any contractors or temporary employees to this watchlist for closer monitoring.

New hire

Add brand new employees that have just joined the company and may not be aware of your security practices to this watchlist. Review the file activity of these new employees in their first 30-90 days. This gives you enough data to verify that they understand and are following your company's safe data practices. 

High impact

Place employees on this watchlist that have special roles that require broad access to high-value data (such as intellectual property or other confidential files).

Elevated access

Add employees that have access to highly sensitive data and systems to this watchlist for closer monitoring. 

Flight risk

Sometimes employees reach a point in their tenure at which people often leave, or they express job dissatisfaction, are turned down for a promotion, or have teammate conflicts that create difficult situations for everyone involved. In those situations, add the employee to this watchlist to monitor for harmful data activity while they may be looking for another job.

Suspicious system activity

For employees that have tried to access sensitive systems or have raised alerts in other security systems, add them to this watchlist to make sure their behaviors don't continue to be problematic. 

Performance concerns

Sometimes employees have a poor performance review, get a demotion, or are on a performance improvement plan. These employees may not be the most satisfied employees and may be at higher risk of causing data loss to the company. Add these employees to this watchlist to make sure your data remains safe. 

Poor security practices

To make sure their behaviors don't lead to data loss, place employees on this watchlist who use unsanctioned tools or have poor security awareness as shown by consistently falling for phishing tests or failing security training.

For more information about watchlists, see Watchlists reference.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Customer Champions.

  • If you delete a watchlist, all users are removed from the list and any associated alerts are removed from the watchlist. If the associated alerts are not being used elsewhere in Incydr, the alert rule is also deleted from Alerts.
  • To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.

Before you begin

Push groups to Code42

You can add users to watchlists using groups from an external user directory system like Azure Active Directory. For example, you can add users from a Finance directory group to the High impact watchlist, or add users from a Security department to the Elevated access watchlist.

Before you can use groups to add users to watchlists, an Identity Management Administrator must first "push" groups to Code42 from the external user directory system. After the push, the groups are available to add users to watchlists.

The push method the Identity Management Administrator uses differs depending on the type of provisioning provider set up in Identity Management:

  • SCIM provider: Push SCIM groups from SCIM providers to make members of directory groups and departments available to watchlists. For directions, see our articles for Azure and Okta (SCIM groups are not supported for PingOne). To push SCIM groups from other providers, see the provisioning provider's documentation.
  • Code42 User Directory Sync: While directory groups are not available to push from a Code42 User Directory Sync provisioning provider, you can push departments to make their members available to watchlists. If the ldap.attrib.department property is configured in the config.properties file, departments are pushed to Code42 at synchronization.

Deleted or renamed groups

If a directory group or department is deleted or renamed in your identity management provider, adjust the watchlist groups accordingly:

  • Directory group deleted: An error appears in Incydr stating that the group no longer exists. Remove the deleted directory group from the watchlist.
  • Directory group renamed: A warning appears in Incydr stating that a directory group no longer exists. Work with your Identity Management Administrator to identify renamed groups. Add the newly renamed groups and remove the old groups from the watchlist.
  • Department deleted or renamed: Due to the nature of department information, a warning does NOT appear in Incydr for missing or renamed departments. Work with your Identity Management Administrator to identify deleted or renamed departments. Add the newly renamed departments and remove the old departments from the watchlist.
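
Because Incydr shows no warning for a missing or renamed department, a periodic comparison against the identity provider is one way to catch the drift. The following is an added example, not Code42 code and not part of py42 or the CLI: it assumes you have the watchlist's department names and a username-to-department snapshot from your directory, and the function name and sample data are hypothetical.

```python
from difflib import get_close_matches


def find_stale_departments(watchlist_departments, directory_users):
    """Map each watchlist department missing from the directory to likely new names.

    watchlist_departments: department names configured on a watchlist.
    directory_users: {username: department} snapshot from the identity provider.
    Assumes a department must match exactly (same spelling and case) to count
    as present; that rule is part of this example, not documented behaviour.
    """
    current = sorted({d for d in directory_users.values() if d})
    folded = {name.casefold(): name for name in current}
    stale = {}
    for dept in watchlist_departments:
        if dept in current:
            continue  # still populated, nothing to fix
        # Case-only change first, then fuzzy matches that suggest a rename.
        if dept.casefold() in folded:
            stale[dept] = [folded[dept.casefold()]]
        else:
            close = get_close_matches(dept.casefold(), list(folded), n=3, cutoff=0.6)
            stale[dept] = [folded[c] for c in close]
    return stale


if __name__ == "__main__":
    # Constructed sample data, not taken from any real environment.
    on_watchlist = ["Engineering", "Finance", "Research and Development"]
    directory = {
        "ana@example.com": "Engineering",
        "raj@example.com": "Research & Development",
        "lee@example.com": "Sales",
    }
    for old, candidates in find_stale_departments(on_watchlist, directory).items():
        action = f"likely renamed to {candidates}" if candidates else "deleted or unmatched"
        print(f"{old}: {action}; update the watchlist's Department list")
```

An empty candidate list means the department was probably deleted; a non-empty one is a rename suggestion to confirm with your Identity Management Administrator before editing the watchlist.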

Create a watchlist

  1. Go to User Activity > Watchlists.
  2. Add a watchlist.
    1. If this is your first watchlist, click any of the tiles shown to create that watchlist. 
    2. If you already have some watchlists created but would like to make another, click the expand button to see all of your watchlists and then click Add.
  3. Add users to the watchlist.
    1. In the panel that appears, enter the Code42 username of the user to add to your watchlist and select their username from the list provided.
      If the username you were expecting doesn't appear, verify that the user exists in your Code42 environment.
    2. Click Add.
  4. (Optional): Search for and find additional users to add and select their usernames. 
  5. (Optional): If available, add the following dates to the user's profile. These dates are helpful with filtering your watchlists.
    • Departure date: The date the employee is planning to leave your company. (Departing watchlist only)
    • Start date: The date the employee began working at your company. (New hire watchlist only)
  6. Click Save.
    Users are added to the watchlist.
  7. (Optional): Click Add alerts to be notified of file activity you're concerned about with users on this watchlist. 
    1. From the list of recommended alerts, click View.
      The Manage rules page appears with the recommended alert started so that you can finish setting up the new alert.
    2. To create an alert that isn't listed, click Create new alert.
      The Manage rules page appears with the Create rule drawer open. 

Add users to a watchlist

To add users to an existing watchlist: 

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you would like to add users to.
    The watchlist opens.
  3. From the upper-right:
    1. If you haven't yet added users to the watchlist, click Add users.
    2. To add more users or to adjust who appears on the watchlist, click Edit users.
  4. Add users by groups or as individuals.

Add users by groups

  1. On the Groups tab, click Add for one of the following: 
    • Directory group: Use this option to add users in a directory group to a watchlist. 
    • Department: Use this option to add all the users in a department to a watchlist.
    • Excluded users: Use this option to keep users off a watchlist, regardless of their directory group or department membership.
      • For example: You want to more closely monitor your entire Engineering department for exfiltrated source code, but you also know that there are a few engineers who will cause excessive alerts due to the nature of their work. Add the entire Engineering department to the Department section, and then add the users that will cause excessive alerts to Excluded users.
  2. Enter the group or department to add to your watchlist and select the name from the list provided.
  3. Click Save.

Add individual users

  1. On the Individuals tab, click Add.
  2. Enter the Code42 username of the user to add to your watchlist and select their username from the list provided. If the username you were expecting doesn't appear, verify that the user exists in your Code42 environment.
  3. (Optional): If available, add the following dates to the user's profile. These dates are helpful when filtering your watchlists.
    • Departure date: The date the employee is planning to leave your company. (Departing watchlist only)
    • Start date: The date the employee began working at your company. (New hire watchlist only)
  4. Click Save.
    Users are added to the watchlist.

Excluded users

If a user is added to the Excluded users list, that user will not appear on the watchlist. This is true even if they are in a directory group or department that has been added to the watchlist or if they have been added via the Individuals tab.

Automatically add users to a watchlist

Use integrations to automatically add users to a watchlist based on the user's status in your company's systems.

Remove users from a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you would like to remove users from.
    The watchlist opens.
  3. In the upper-right, click Edit users.
    A panel slides in from the right.
  4. You can remove users by groups or individually.

Remove users by groups

You can remove users by directory group or department: 

  • Directory group: This option allows you to remove a directory group that was used to populate the watchlist. When you remove a directory group, all the users in that group are removed from the watchlist, unless they are on the watchlist for other reasons such as by department or added individually. 
  • Department: This option allows you to remove a department that was used to populate the watchlist. When you remove a department, all the users in that department are removed from the watchlist, unless they are on the watchlist for other reasons such as by directory group or added individually.

To remove a single directory group or department:

  1. On the Groups tab, click the delete button next to the directory group or department you would like to remove from the watchlist.
  2. In the confirmation message that appears, click Remove.

To remove multiple directory groups or departments at once:

  1. On the Groups tab, select the corresponding checkbox to the left of the directory groups or departments you would like to remove from the watchlist. 
  2. Above the list of selected groups, click Remove.
  3. In the confirmation message that appears, click Remove.

Remove individual users

Use this option to remove users that were added individually to a watchlist. If the user is in a directory group or department used to populate the watchlist, the user will remain on the watchlist. 

To remove a single individually added user:

  1. On the Individuals tab, click the delete button next to the user you would like to remove.
  2. In the confirmation message that appears, click Remove.
    The user is removed from the watchlist.

To remove multiple individually added users at once:

  1. On the Individuals tab, select the corresponding checkbox to the left of the users you would like to remove from the watchlist.
  2. Above the list of selected users, click Remove.
  3. In the confirmation message that appears, click Remove.
    The users are removed from the watchlist.

I removed an individual, but they're still on the watchlist

If you removed an individual user via the Individuals tab, but they are still on the watchlist, it's likely that they are a member of a directory group or department used to populate the watchlist.

Directory group and department membership cannot be managed within Incydr. Instead, work with your Identity Management Administrator to change their group or department membership.

If you cannot change the group or department membership, you can also add the user to the list of Excluded users.
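
The membership rules described in the sections above (group, department, and individual sources, with Excluded users overriding all of them) can be modeled in a few lines to see why a removed individual stays listed. This is an added example that models the documented behaviour; it is not Code42 code or a py42 API, and the class names, function names, and sample users are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    directory_groups: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    individuals: set = field(default_factory=set)
    excluded: set = field(default_factory=set)


@dataclass
class DirectoryUser:
    username: str
    department: str = ""
    groups: frozenset = frozenset()


def membership_reasons(wl, user):
    """Every source that places the user on the watchlist, ignoring exclusions."""
    reasons = []
    if user.username in wl.individuals:
        reasons.append("individual")
    for group in sorted(user.groups & wl.directory_groups):
        reasons.append(f"directory group: {group}")
    if user.department in wl.departments:
        reasons.append(f"department: {user.department}")
    return reasons


def is_on_watchlist(wl, user):
    # Excluded users overrides group, department, and individual membership.
    return user.username not in wl.excluded and bool(membership_reasons(wl, user))


def remove_individual(wl, user):
    """Model 'Remove individual users'; return the reasons the user remains listed."""
    wl.individuals.discard(user.username)
    return membership_reasons(wl, user) if is_on_watchlist(wl, user) else []


if __name__ == "__main__":
    # Constructed sample data, not taken from any real environment.
    wl = Watchlist(directory_groups={"Finance"}, departments={"Engineering"},
                   individuals={"ana@example.com"})
    ana = DirectoryUser("ana@example.com", "Engineering", frozenset({"Finance"}))
    print("still listed because:", remove_individual(wl, ana))
    wl.excluded.add(ana.username)  # the fallback when membership cannot change
    print("on watchlist after exclusion:", is_on_watchlist(wl, ana))
```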

Automatically remove users from a watchlist

Use integrations to automatically remove users from a watchlist based on the user's status in your company's systems.

Modify alerts for a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist for which you would like to adjust alerts.
    The watchlist opens.
  3. In the upper-right, click one of the following:
    1. Add alerts (shown if no alerts have yet been added to the watchlist)
      Add alerts slides in from the right.
    2. Edit alerts (shown if alerts have been added)
      Edit alerts slides in from the right.
  4. There are several ways to edit rules:
    1. Click Manage rules page to create or edit all of your alert rules.
    2. Click Edit for an existing alert rule to adjust the specific settings for that alert.
    3. Click View to add that rule to the watchlist.
    4. Click Create new alert to add a brand new alert to the watchlist.
  5. Adjust the alert rule settings as necessary and click Save.

Delete a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you want to delete.
    The watchlist opens.
  3. In the upper-right, click Actions and select Delete watchlist.
    A confirmation message slides in from the right. 
  4. Click Delete watchlist.
    • All users are removed from that watchlist. Their User profiles are still available.
    • Cases remain intact for any users on the watchlist. 
    • Associated alerts are removed from the watchlist. If those alerts are not being used elsewhere in Incydr, the alert rule is deleted from Alerts.
    • The watchlist is removed from your current list of watchlists and can be recreated at another time.

Manage watchlists with integrations

You can use Code42 integrations to automatically manage user information in watchlists using data from other systems, such as identity access management (IAM), privileged access management (PAM), or human capital management (HCM) systems. The following Code42 integrations are available to automate watchlist management.

Incydr Flows 

Incydr Flows connect other systems to Code42, allowing you to use information in those systems to update your Code42 environment. For example, you can ingest user attributes, such as employment milestones, departure date, or elevated access credentials, for use in watchlists.

Incydr Flows requires assistance and setup from Code42 Professional Services. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team. For a general overview of how to start configuring Incydr Flows, see Configure Incydr Flows.

For more information about Incydr Flows, see Introduction to Incydr Flows.

CLI

The Code42 command-line interface (CLI) tool is a command-driven framework to interact with your Code42 environment. To use the CLI to manage watchlists, see Manage watchlist members in the CLI documentation in the Code42 Developer Portal.

For more information about the CLI, see Introduction to the Code42 command-line interface.

py42

py42 is a Python SDK wrapper around the Code42 API that lets you develop your own tools for working with Code42 data. To use py42 to manage watchlists, see Watchlists in the py42 documentation in the Code42 Developer Portal.

For more information about py42, see Introduction to py42, the Code42 Python SDK.

APIs

Code42's API can be used to interact with your Code42 environment using RESTful tools and standards. To use the Code42 API to manage watchlists, integrate the following APIs with external systems:

For more information about the Code42 API, see Code42 API resources.
