You must enable endpoint monitoring before you can use watchlists and alerts.
Code42 Professional Services can help you use watchlists and alerts for Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.
Best practices for watchlists
High-level watchlists workflow
- Receive notice that an employee needs to be monitored. The trigger can come from a number of places, such as your HR department, an endpoint detection and response (EDR) system, a directory service, and so on. The criteria that determine when an employee is added to a watchlist are defined by your insider risk program.
- Add employees to a watchlist.
- Monitor high-risk exposure activity in the Risk Exposure dashboard, in alerts, or through integrations.
- Open a case if suspicious file activity is uncovered.
- After investigation is complete and legal and HR have cleared the individual, close the case and remove the employee from the watchlist.
Automatically add users to a watchlist
Install and configure the Code42 command-line interface (CLI) to automate placing employees on a watchlist. You can also use the Code42 API, fed with data pulled from an external application such as a human resources information system (HRIS) or a directory service, so that watchlist membership follows the HR record rather than a manual ticket.
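The following is an added example of the reconciliation logic behind such an automation; it is not Code42's own code and does not call the Code42 CLI or API itself. It reads a constructed HRIS export, applies a hypothetical program rule (watch departing employees from 30 days before their last day until 14 days after it), diffs the result against the current watchlist membership, and produces an idempotent add/remove plan. The actual add and remove calls are left to caller-supplied functions, because the exact CLI command or API method is an assumption; only users that appear in the HR feed are ever removed, so employees added to the watchlist by hand for other reasons are left alone.

```python
"""Plan watchlist changes from an HRIS export (added example, not Code42 code).

The real add/remove operation (Code42 CLI or API) is injected via callables in
apply_plan(); the wrapper around that call is an assumption left to the reader.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample HRIS export: one row per employee of interest.
HRIS_EXPORT_CSV = """\
email,last_day,status
alice@example.com,2024-06-28,departing
Bob.Smith@Example.com,2024-07-12,departing
carol@example.com,2024-05-01,departed
dave@example.com,,active
"""

# Constructed snapshot of current watchlist membership. 'erin' is not in the
# HR feed (added manually by security), so the sync must not remove her.
CURRENT_WATCHLIST = {"carol@example.com", "erin@example.com"}

# Assumed program rule: watch from LEAD_TIME before the last day until
# GRACE_AFTER after it. Adjust to your own insider risk program.
LEAD_TIME = timedelta(days=30)
GRACE_AFTER = timedelta(days=14)


def normalize(username):
    """HR and Code42 rarely agree on case or whitespace; compare canonically."""
    return username.strip().lower()


def should_watch(row, today):
    """Apply the program rule to one HRIS row; active staff (no last day) are not watched."""
    if not row.get("last_day"):
        return False
    last_day = date.fromisoformat(row["last_day"])
    return last_day - LEAD_TIME <= today <= last_day + GRACE_AFTER


def load_hris(hris_csv, today):
    """Return (desired, known): who should be watched today, and every user the feed knows."""
    desired, known = set(), set()
    for row in csv.DictReader(io.StringIO(hris_csv)):
        user = normalize(row["email"])
        known.add(user)
        if should_watch(row, today):
            desired.add(user)
    return desired, known


def plan_changes(desired, known, current):
    """Diff desired vs. current membership.

    Only users present in the HR feed ('known') are candidates for removal, so
    manual additions survive. Running the plan twice yields an empty second
    plan, which makes the job safe to schedule.
    """
    current = {normalize(u) for u in current}
    return {
        "add": sorted(desired - current),
        "remove": sorted((current & known) - desired),
    }


def apply_plan(plan, add_user, remove_user):
    """Drive the real client. add_user/remove_user wrap the Code42 CLI or API (assumption)."""
    for user in plan["add"]:
        add_user(user)
    for user in plan["remove"]:
        remove_user(user)
    return len(plan["add"]) + len(plan["remove"])


def run_example(today_iso="2024-06-20"):
    """Compute the plan for the constructed data on a given date (ISO string)."""
    desired, known = load_hris(HRIS_EXPORT_CSV, date.fromisoformat(today_iso))
    return plan_changes(desired, known, CURRENT_WATCHLIST)


if __name__ == "__main__":
    plan = run_example()
    print(plan)
    # Dry run: print the intended actions instead of calling the API.
    apply_plan(plan, lambda u: print("would add", u), lambda u: print("would remove", u))
```

Schedule this after the nightly HRIS export lands, and keep the dry-run path for the first few runs so the planned removals can be checked against open cases before anything is removed automatically.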
Review activity from watchlisted employees daily, and respond to incidents as appropriate based on their frequency and severity. Review the Unauthorized Data Transfer and Deletion Attestation Template with your HR and legal teams.
Best practices for alerts
Create rules to automatically send you alerts when suspicious data exfiltration happens. You can either use templates to create rules or create rules from scratch. You can view alerts in the Code42 console or use an integration such as the CLI or APIs to send alerts to a SIEM or SOAR system. Because context and detail are critical, create rules for alerts on specific, non-acceptable uses such as USB device use or non-sanctioned cloud services.
Use alert emails judiciously
All alert notifications appear in the Code42 console and can be reviewed whenever needed. You can also send alert emails, but sending too many of them causes recipient fatigue, so use email judiciously. Email alerting is best reserved for specific, high-value objectives, for example:
- Identify PST file exfiltration
- Identify USB device use that is outside of sanctioned usage
- Identify database dumps
Send alerts to SIEM, SOAR, user behavior analytics (UBA), and ticketing systems
- Aggregate and normalize event data and associated exposure data.
- Correlate with directory services for a more contextual view of user, system, device, and access activity.
- Correlate with other security tools: email security gateway, endpoint detection and response (EDR), URL filtering.
- Correlate user behavioral data with a human resources information system.
Code42 University: Investigating Insider Risk