View and manage alert notifications

Last updated
Save as PDF

Overview

This article explains how to review and manage the security notifications that are created when Code42 detects activity that matches the criteria in an alert rule.

When a rule is triggered, an alert notification appears in the Alerts > Review Alerts table. You can add a note to an alert, review and dismiss alerts, or use the filters to search for alerts that have been dismissed to reopen them.

Considerations

To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Technical Support Engineers.
You must connect Code42 to at least one corporate business, cloud storage, or email service to see this download, file sharing, or attachment activity.
To allow email from Code42, ensure that code42.com is added to your email server's allowlist. If you suspect that email is not arriving from Code42, contact our Technical Support Engineers.

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

Review alert notifications

Sign in to the Code42 console.
Go to Alerts > Review Alerts.
For any alert, click View detail to see more details.
The Alert details opens where you can view file details, add notes or statuses, and take other actions on the alert.
- Click Copy Link to copy the link to the alert notification in the Code42 console so that you can share it with others for investigation.
- Click Investigate in Forensic Search to see the files for this event in Forensic Search. If multiple event types are involved in this alert, select the type of events you want to view from the menu that opens:
  - Investigate download events
  - Investigate external device events
  - Investigate browser and app upload events
  - Investigate cloud sync events
  - Investigate cloud sharing events
  - Investigate external email sharing events
  - Investigate Git events
- Click Actions and select an action:
  - Select Send email to compose an email to the user requesting more information about this activity.
    You can customize the email as needed after it opens.
  - Select Send user an Instructor lesson and then select the lesson to send to that user.
- Click View Rule to open and update the rule settings.
- Click View Instructor lessons to open Code42 Instructor and view more information about the lesson sent.
- Select a status to identify the state of your investigation into the alert.
  If you select Dismissed, Code42 automatically dismisses the alert and removes it from the list of open alerts. Click Reopen alert to reopen the alert and change its status to Open, if needed.
- Add a note (or edit any current note) to provide more details about the alert.
- Click View profile to open the User Profile for that user.
  View profile appears only when allowed by your Code42 product plan and role permissions.
(Optional) When you're done reviewing the alert, click Dismiss alert to remove the notification.
When you dismiss an alert, Code42 automatically removes it from the list of open alerts. You can reopen alerts, if needed.

Dismiss multiple notifications at once
To dismiss multiple notifications at once, select the checkbox next to one or more notifications in the Review Alerts list and then click the Dismiss Alerts button that appears at the top-right of the list of notifications.

Add a note

Sign in to the Code42 console.
Go to Alerts > Review Alerts.
For any alert, click to see more details.
In the Notes panel, click Add note.
If the alert already includes a note, click Edit to edit the existing note.
Enter the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save.
Your note is added to the Notes panel in the Alert details. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited. Click Expand note to view long notes.

Dismiss alert notifications

Sign in to the Code42 console.
Go to Alerts > Review Alerts.
For any alert, click Dismiss alert . When the menu opens:
- Select Dismiss to dismiss the alert.
- Select Dismiss with note to add a note to the alert and then dismiss it. Enter your note (or edit the existing note) and then click Save and dismiss.
The notification is removed from the table and entered into the list of dismissed alert notifications.

Reopen dismissed alert notifications

Sign in to the Code42 console.
Go to Alerts > Review Alerts.
Click Filter and apply the Dismissed status to show alerts that have been dismissed.
1. When the Filters panel opens, under Status, clear the Open checkbox and select the Dismissed checkbox.
2. (Optional) Select any other criteria to further filter the list of alerts that are returned.
3. Click Apply.
  You are returned to the Review Alerts table and only the dismissed alerts that meet any other selected criteria are listed.
(Optional) Click Reopen Alert to reopen a notification:
- Select Reopen to reopen the alert.
- Select Reopen with note to add a note to the alert and then reopen it. Enter your note (or edit the existing note) and then click Save and reopen.
The reopened notification is removed from the table and returned to the list of open alert notifications. To view open notifications, repeat step 3 above and select the Open status.