Skip to main content

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Implement Incydr: Start implementation


This article lists actions to start implementing Incydr at your company. It is not intended as a how-to, but rather a checklist of actions to ensure that you configure Incydr to yield the greatest value.

For a how-to article about implementing Incydr at your company, see Detect and respond to insider risks.


Code42 Professional Services can help you implement Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.

Insider risk model

As your employees and other insiders perform their jobs in your company, the technology you implement should work continuously to monitor their activities. It should anticipate problems before they happen, detect them if they occur, and help you respond to incidents in a timely way. When you implement Incydr with the actions in this article, it works more effectively at all steps in the insider flow.

Insider threat model

Image source: Carnegie Mellon Software Engineering Institute's Maturing Your Insider Threat Program into an Insider Risk Management Program.

High-level workflow using Incydr

Following is a high-level workflow using Incydr at a typical company. 

The flow starts with file events collected using Incydr. Next, examine the events to determine if they reveal a security incident. If you determine that a security incident occurred, open a case and route it for followup.

High-level Incydr workflow

Incydr top daily activities guide

Following are activities to perform daily.

Activities Incident next step
  • Review watchlists for data exfiltration. Also review incidents triggered by the employees in other systems not tracked by Incydr. 
  • Review removable media use by employees. If the files that are placed on removable media are of high value, add the employees to a watchlist.
  • Review browser/app usage for large exfiltrations. If files are of high value, add the employees to a watchlist.
  • Identify files that have public link access and let owners know they need to change the link access. If owners are repeat offenders, consider adding them to a watchlist.

Escalate to the employee's manager based on the value of the data and the frequency of data exfiltration. Escalate to HR and legal if the employee is exfiltrating valuable intellectual property or personally identifiable Information (PII) that can result in fines or other penalties for mishandling.

Use the CLI tool to generate a list of web activity that the client is observing and export a list of all browser/app usage to .xls.

Determine which applicationssites , and IP addresses are sanctioned. (For example, compare activity against your trusted domain list; Incydr will only alert you for activity outside your trusted domains.) For unsanctioned sites, review with the responsible parties what the need and justification is for using the site. 

Other high-value activities

Activities Incident next step
  • In Forensic Search, search for:
    • Keywords like "resumé" to identify departing employees. (Note: You can also use an alert to look for keywords in a file name.)
    • Names of critical internal projects and new products
    • Names of financial reports, employee data, compensation data, merger and acquisition documents, and executive/board communications
    • Keywords for customer lists, price lists, and customer contracts

Save any helpful searches for future use.

Escalate to the employee's manager based on the value of the data and the frequency of data exfiltration. Escalate to HR and legal if the employee is exfiltrating valuable intellectual property or data (like PII) that can result in fines or other penalties for mishandling.

Use the New hire watchlist to monitor new employees for file downloads during the first 30 days of employment.

Determine if unauthorized intellectual property was downloaded into your environment.

Consider using honeypot files.

If a honey pot file is copied or moved, then add the employee to a watchlist. for closer monitoring.

Identify all sanctioned external platforms for data exfiltration. Set-up searches and alerts for unsanctioned activity.

Utilize a data handling matrix to map out approved and unapproved exfiltration activity.

Top platform integration activities

Activities Guidance
  • Send file activity data recorded by Incydr to the tools you use for incident management and response, such as your Security Information and Event Management (SIEM) system, or your Security Orchestration, Automation, and Response (SOAR) system. For information about SIEM and SOAR applications that provide ready-made integrations to Incydr, see Code42 integrations resources.
  • Identify valuable data in your SIEM and SOAR implementations that is obtained from other systems than Incydr (for example, email security gateway, endpoint detection and response (EDR), URL filtering, network session monitoring). Create correlation between that data and the information obtained from Incydr to provide better incident lifecycle perspective.
  • Create playbooks for SOAR usage where available.
  • Provide data for User and Entity Behavior Analytics (UEBA) modeling and anomaly detection where available.

Contact your Customer Success Manager (CSM) to engage Advisory Services for assistance.

Automate the process of uncovering valuable data about people in watchlists.

Use the Code42 command-line interface (CLI) to ingest file event data and alerts into a SIEM tool.

Automate the process of adding people to watchlists.

Identify a source closest to the human resources information system (HRIS), if not the HRIS system itself. Use information from that system and provide it to the Code42 command-line interface (CLI) to add people a watchlist.

Ingest user information from a directory service (for example, from Azure Active Directory) to populate critical contextual data about employees, such as their job title, department, and manager.

Use Code42 User Directory Sync or Code42 provisioning (including from Azure AD, Okta, and PingOne) to populate critical contextual data about employees.

Build visualizations and alerts using your SOAR or SIEM tool, or use an existing Code42 app for your tool. For more information, see Code42 integrations resources. A Code42 Insider Risk Advisor can assist with dashboard development. Contact your Customer Success Manager (CSM) to engage Advisory Services.


  • Was this article helpful?