Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Manage watchlists

Overview

This article explains why you may want to use watchlists to monitor high-risk employees more closely to mitigate insider risk, how to create and delete watchlists, and how to add and remove users from watchlists.

Watchlists are a tool that you can use to more closely monitor the file activity of higher-risk users. They provide you with special views that help cut through the noise of all the file activity across your organization by focusing on the users you are the most concerned about. For any watchlist, you can build alerts that notify you when any users on your watchlist require your attention based on alert rules.

For example, employees are sometimes allowed to use removable media to do their jobs. Instead of being alerted when any user in your environment uses a thumb drive, you can add the users whose USB device use would concern you most to the Poor security practices watchlist and define when you want to be alerted about those users' USB usage.

There are several types of watchlists you can create: 

  • Departing: Add employees that are about to leave (or have left) the company to this watchlist. Departing employees often take data with them when they leave and sometimes take data after they have left if their access is not properly removed. Any new file events that occur while a user is on this list are given the Departing risk indicator and its associated risk score, raising the severity of their file events. 
  • Contractor: Add any contractors or temporary employees to this watchlist for closer monitoring.
  • New hire: Add brand new employees that have just joined the company and may not be aware of your security practices to this watchlist. Review the file activity of these new employees in their first 30-90 days. This gives you enough data to verify that they understand and are following your company's safe data practices. 
  • High impact: Place employees on this watchlist that have special roles that require broad access to high-value data (such as intellectual property or other confidential files).
  • Elevated access: Add employees that have access to highly sensitive data and systems to this watchlist for closer monitoring. 
  • Flight risk: Employees sometimes reach a point in their tenure at which people commonly leave, express job dissatisfaction, get turned down for a promotion, or have teammate conflicts that can lead to touchy situations for all involved. In those situations, add the employee to this watchlist to monitor for harmful data activity while they may be looking for another job.
  • Suspicious system activity: For employees that have tried to access sensitive systems or have raised alerts in other security systems, add them to this watchlist to make sure their behaviors don't continue to be problematic. 
  • Performance concerns: Sometimes employees have a poor performance review, get a demotion, or are on a performance improvement plan. These employees may not be the most satisfied employees and may be at higher risk of causing data loss to the company. Add these employees to this watchlist to make sure your data remains safe. 
  • Poor security practices: To make sure their behaviors don't lead to data loss, place employees on this watchlist who use unsanctioned tools to get their jobs done or have poor security awareness as shown by consistently falling for phishing tests or failing security training.

For more information about watchlists, see Watchlists reference.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Customer Champions.

  • If you delete a watchlist, all users are removed from the list and any associated alerts. If the assigned alerts are not being used elsewhere in Incydr, the alert rule is also deleted from alerts.
  • To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.

Create a watchlist

  1. Go to User Activity > Watchlists.
  2. Add a watchlist.
    1. If this is your first watchlist, click any of the tiles shown to create that watchlist. 
    2. If you already have some watchlists created but would like to make another, click the expand button to see all of your watchlists and then click Add.
  3. Add users to the watchlist.
    1. In the panel that appears, enter the Code42 username of the user to add to your watchlist and select their username from the list provided, then click Add. If the username you were expecting doesn't appear, verify that the user exists in your Code42 environment.
    2. (Optional): Search for and find additional users to add and select their usernames to add them to the pending list. 
    3. (Optional): If available, add the following dates to the user's profile. These dates are helpful with filtering your watchlists.
      • Departure date: The date the employee is planning to leave your company. (Departing watchlist only)
      • Start date: The date the employee began working at your company. (New hire watchlist only)
    4. Click Save.
      Users are added to the watchlist.
  4. (Optional): Click Add alerts to be notified of file activity you're concerned about with users on this watchlist. 
    1. From the list of recommended alerts, click View.
      The Manage rules page appears with the recommended alert started so that you can finish setting up the new alert.
    2. To create an alert that isn't listed, click Create new alert.
      The Manage rules page appears with the Create rule drawer open. 

Add users to a watchlist

To add users to an existing watchlist: 

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you would like to add users to.
    The watchlist opens.
  3. From the upper-right, click Add users.
  4. In the panel that appears, enter the Code42 username of the user to add to your watchlist and select their username from the list provided, then click Add. If the username you were expecting doesn't appear, verify that the user exists in your Code42 environment.
    The user is added to the pending list and is added to the watchlist when you click Save.
  5. (Optional): Search for and find additional users to add and select their usernames to add them to the pending list.
  6. (Optional): If available, add the following dates to the user's profile. These dates are helpful with filtering your watchlists.
    • Departure date: The date the employee is planning to leave your company. (Departing watchlist only)
    • Start date: The date the employee began working at your company. (New hire watchlist only)
  7. Click Save.
    Users are added to the watchlist.

Automatically add users to a watchlist

Use integrations to automatically add users to a watchlist based on the user's status in your company's systems.

Remove users from a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you would like to remove users from.
    The watchlist opens.
  3. At the top of the page, search for a user on the watchlist. If the user is not on the watchlist, a "No users found" message appears.
  4. Select the user's name. 
    The list of users on the watchlist filters to show that user.
  5. Click Actions in the user's entry and select Remove user.
    A confirmation message appears.
  6. Click Remove user.
    The user is removed from the watchlist and any alerts associated with that watchlist.

Automatically remove users from a watchlist

Use integrations to automatically remove users from a watchlist based on the user's status in your company's systems.

Modify alerts for a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist for which you would like to adjust alerts.
    The watchlist opens.
  3. In the upper-right, click one of the following:
    1. Add alerts (shown if no alerts have yet been added to the watchlist)
      Add alerts slides in from the right.
    2. Edit alerts (shown if alerts have been added)
      Edit alerts slides in from the right.
  4. There are several ways to edit rules:
    1. Click Manage rules page to create or edit all of your alert rules.
    2. Click Edit to adjust the specific settings for that alert.
    3. Click View to add that rule to the watchlist.
    4. Click Create new alert to add a brand new alert to the watchlist.
  5. Adjust the alert rule settings as necessary and click Save.

Delete a watchlist

  1. Go to User Activity > Watchlists.
  2. Click the expand button to see all of your watchlists and then select the watchlist you want to delete.
    The watchlist opens.
  3. In the upper-right, click Actions and select Delete watchlist.
    A confirmation message slides in from the right. 
  4. Click Delete watchlist.
    • All users are removed from that watchlist. Their User profiles are still available.
    • Cases remain intact for any users on the watchlist. 
    • Associated alerts are removed from the watchlist. If those alerts are not being used elsewhere in Incydr, the alert rule is deleted from Alerts.
    • The watchlist is removed from your current list of watchlists and can be recreated at another time.

Manage watchlists with integrations

You can use Code42 integrations to automatically manage user information in watchlists using data from other systems, such as identity access management (IAM), privileged access management (PAM), or human capital management (HCM) systems. The following Code42 integrations are available to automate watchlist management.

Incydr Flows 

Incydr Flows connect other systems to Code42, allowing you to use information in those systems to update your Code42 environment. For example, you can ingest user attributes, such as employment milestones, departure date, or elevated access credentials, for use in watchlists.

Incydr Flows requires assistance and setup from Code42 Professional Services. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team. For a general overview of how to start configuring Incydr Flows, see Configure Incydr Flows.

For more information about Incydr Flows, see Introduction to Incydr Flows.

CLI

The Code42 command-line interface (CLI) tool is a command-driven framework to interact with your Code42 environment. To use the CLI to manage watchlists, see the following articles:

For more information about the CLI, see Introduction to the Code42 command-line interface.

py42

py42 is a Python SDK wrapper around the Code42 API that lets you develop your own tools for working with Code42 data. To use py42 to manage watchlists, see the following articles:

For more information about py42, see Introduction to py42, the Code42 Python SDK.

APIs

Code42's API can be used to interact with your Code42 environment using RESTful tools and standards. To use the Code42 API to manage watchlists, integrate the following APIs with external systems:

For more information about the Code42 API, see Code42 API resources.
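
Whichever integration applies the changes, it first has to decide who belongs on each watchlist. The following added example (not Code42 code, and making no Code42 calls) derives Departing and New hire membership from a constructed HR export and diffs it against current membership. The CSV column names, sample users and function names are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export (not real data); column names are assumptions.
HR_EXPORT = """username,start_date,departure_date
alice@example.com,2021-03-01,2024-06-28
bob@example.com,2024-05-20,
carol@example.com,2024-01-08,
dave@example.com,2019-11-04,2024-05-31
"""

NEW_HIRE_WINDOW = timedelta(days=90)  # upper end of the 30-90 day review period


def desired_membership(hr_csv, today):
    """Return {watchlist: {username: date}} derived from the HR export."""
    wanted = {"Departing": {}, "New hire": {}}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        user = row["username"].strip().lower()
        if row["departure_date"]:
            # Listed both before and after the departure date has passed.
            wanted["Departing"][user] = date.fromisoformat(row["departure_date"])
        start = date.fromisoformat(row["start_date"])
        # A start date in the future gives a negative age and is skipped.
        if timedelta(0) <= today - start <= NEW_HIRE_WINDOW:
            wanted["New hire"][user] = start
    return wanted


def plan_changes(wanted, current):
    """Diff desired membership against current membership, per watchlist."""
    plan = {}
    for name, users in wanted.items():
        have = {u.lower() for u in current.get(name, ())}
        plan[name] = {
            # The date travels with the add so it can be stored on the profile.
            "add": sorted((u, d.isoformat()) for u, d in users.items() if u not in have),
            # Only safe if the list is managed solely from the HR feed.
            "remove": sorted(have - set(users)),
        }
    return plan


if __name__ == "__main__":
    # Constructed current membership, as it might be exported from the console.
    current = {"Departing": ["dave@example.com", "erin@example.com"],
               "New hire": ["carol@example.com"]}
    print(plan_changes(desired_membership(HR_EXPORT, date(2024, 6, 10)), current))
```

Review the "remove" list before applying it if analysts also add users to these watchlists by hand, because the diff treats anyone absent from the HR feed as a removal.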
