
Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2: yes.
Incydr Basic, Advanced, and Gov F1: yes.
Instructor: no.

Find your product plan in the Code42 console on the Account menu.


Implement Incydr: Use watchlists and alerts


This article provides best practices for using watchlists to monitor user file activity and alerts to notify you when possible risky file activity occurs. 

Enable endpoint monitoring
You must enable endpoint monitoring before you can use watchlists and alerts.


Code42 Professional Services can help you use watchlists and alerts for Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.

Best practices for watchlists

High-level watchlist workflow

  1. Receive information that employees need to be monitored. The information can come from a number of places, such as your HR department, an endpoint detection and response (EDR) system, a directory service, and so on. The factors that determine when an employee should be added to a watchlist are defined by your insider risk program.
  2. Add employees to a watchlist.
  3. Monitor high risk exposure activity in the Risk Exposure dashboard, alerts, or integrations.
  4. Open a case if suspicious file activity is uncovered.
  5. After investigation is complete and legal and HR have cleared the individual, close the case and remove the employee from the watchlist.

Automatically add users to a watchlist

Install and configure the Code42 command-line interface (CLI) to automate placing employees on a watchlist. You can also use the Code42 API to pull data from an external application, such as a human resources information system (HRIS) or a directory service, and add users based on that data.
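The workflow above (add on an HR signal, remove only after the case is closed) and the automation it calls for can be expressed as a small reconciliation job. The following is an added example, not Code42's CLI or API code: `WatchlistClient` is a hypothetical in-memory stand-in for whatever performs the real add and remove calls, and the HRIS export and open-case list are constructed. The point it demonstrates beyond the text is that the sync must be idempotent and must never auto-remove a user who still has an open case.

```python
"""Reconcile watchlist membership against an HRIS export (added example).

WatchlistClient is a hypothetical stand-in for the Code42 CLI/API (assumption);
swap its add/remove methods for the real calls in your environment.
"""
import csv
import io

# Constructed HRIS export. A status in WATCH_STATUSES places the user on the list.
HRIS_CSV = """employee_id,email,status
1001,Alice@Example.com,departing
1002,bob@example.com,active
1003,carol@example.com ,departing
1004,dave@example.com,terminated
"""
WATCH_STATUSES = {"departing", "terminated"}


class WatchlistClient:
    """Hypothetical in-memory watchlist (assumption, not the real SDK).
    It records every call so the sync logic can be exercised offline."""

    def __init__(self, members):
        self.members = {normalize(m) for m in members}
        self.calls = []

    def list_members(self):
        return set(self.members)

    def add(self, email):
        self.calls.append(("add", email))
        self.members.add(email)

    def remove(self, email):
        self.calls.append(("remove", email))
        self.members.discard(email)


def normalize(email):
    """Identity keys from HR, directory and console rarely agree on case/whitespace."""
    return email.strip().lower()


def desired_members(hris_csv, statuses=WATCH_STATUSES):
    """Users who should be on the watchlist according to the HR feed."""
    rows = csv.DictReader(io.StringIO(hris_csv))
    return {normalize(r["email"]) for r in rows if r["status"].strip().lower() in statuses}


def plan_sync(current, desired, open_cases):
    """Return (to_add, to_remove, held).

    Removals are held back while the user has an open case: the workflow removes
    a user only after the case is closed and HR/legal have cleared them.
    """
    to_add = desired - current
    candidates = current - desired
    held = candidates & open_cases
    return to_add, candidates - held, held


def run_sync(client, hris_csv, open_cases):
    """One idempotent pass: compute the diff, apply it, report what happened."""
    desired = desired_members(hris_csv)
    current = client.list_members()
    to_add, to_remove, held = plan_sync(current, desired, {normalize(c) for c in open_cases})
    for email in sorted(to_add):
        client.add(email)
    for email in sorted(to_remove):
        client.remove(email)
    return {"added": sorted(to_add), "removed": sorted(to_remove), "held": sorted(held)}


def demo():
    """Run two passes over the constructed data; the second must be a no-op."""
    client = WatchlistClient({"bob@example.com", "dave@example.com", "erin@example.com"})
    first = run_sync(client, HRIS_CSV, open_cases={"erin@example.com"})
    second = run_sync(client, HRIS_CSV, open_cases={"erin@example.com"})
    return first, second, client


if __name__ == "__main__":
    first, second, client = demo()
    print("first pass:", first)
    print("second pass:", second)
    print("members:", sorted(client.list_members()))
```

Schedule the job after the HRIS export lands; because it only applies the diff, rerunning it is harmless, and the `held` list is the queue of users whose removal is waiting on case closure.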

Monitor activity

Review incidents uncovered by watchlists daily, and respond as appropriate to their frequency and severity. Review the Unauthorized Data Transfer and Deletion Attestation Template with your HR and legal teams.

Ingest SCIM source data to populate additional information about a user

Ingest SCIM data from a provisioning provider (such as Azure AD, Okta, or PingOne), or implement a Code42 User Directory Sync script, to populate additional information about each user.

Best practices for alerts

Create rules that alert you automatically when suspicious data exfiltration occurs. You can create rules from templates or from scratch. You can view alerts in the Code42 console, or use an integration such as the CLI or the API to send alerts to a SIEM or SOAR system. Because context and detail are critical, write rules that alert on specific, non-acceptable uses, such as USB device use or non-sanctioned cloud services, rather than on broad categories of activity.

Use alert emails judiciously

All alert notifications appear in the Code42 console and can be reviewed whenever needed. You can also send alert emails, but sending too many of them causes alert fatigue in the recipients, so use email judiciously. Email alerting is best reserved for specific objectives, for example:

  • Identify PST file exfiltration
  • Identify USB device use that is outside of sanctioned usage
  • Identify database dumps

Send alerts to SIEM, SOAR, UBA, and ticketing

Get alert data into your primary security incident response platform in CEF or JSON format, using the Code42 CLI or the Code42 API for the integration.

  • Aggregate and normalize event data and associated exposure data.
  • Correlate with directory services for a more contextual view of user, system, device, and access activity.
  • Correlate with other security tools: email security gateway, endpoint detection and response (EDR), URL filtering.
  • Correlate user behavioral data with a human resources information system. 
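The integration points above (emit CEF, correlate with directory data, keep the rule specific) can be shown end to end with a small encoder. This is an added example and not Code42's own integration code: `SAMPLE_ALERT` is a constructed stand-in for an alert record, not the real Incydr alert schema; `DIRECTORY` is a constructed directory-service extract; and the mapping of alert fields onto CEF header and extension keys is our own choice (assumption). What it adds to the text is the CEF escaping rules, which differ between the header (`|` and `\`) and the extension (`=`, `\` and line breaks), and the need to keep emitting an event when the actor is missing from the directory.

```python
"""Emit an alert as a CEF line enriched with directory context (added example).

Field names in SAMPLE_ALERT and the CEF key mapping are assumptions made for
illustration; adapt them to the alert JSON you actually receive.
"""
from datetime import datetime, timezone

CEF_VERSION = "CEF:0"
VENDOR, PRODUCT, PRODUCT_VERSION = "Code42", "Incydr", "1"  # header labels (assumption)
SEVERITY_MAP = {"LOW": 3, "MODERATE": 5, "HIGH": 8, "CRITICAL": 10}  # CEF severity is 0-10

# Constructed directory-service extract keyed by normalized e-mail address.
DIRECTORY = {
    "alice@example.com": {"department": "Finance", "manager": "frank@example.com", "title": "Analyst"},
}

# Constructed alert record from a USB-specific rule (shape is illustrative only).
SAMPLE_ALERT = {
    "id": "alert-0001",
    "ruleId": "rule-usb-001",
    "ruleName": "USB device use outside sanctioned usage",
    "severity": "HIGH",
    "actor": "Alice@Example.com",
    "createdAt": "2024-06-28T14:03:11Z",
    "files": [{"name": "q2_forecast=final.xlsx", "destination": "USB|SanDisk Ultra"}],
}


def cef_escape_header(value):
    """Header fields: escape backslash and pipe (pipe is the header delimiter)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """Extension values: escape backslash, equals sign and line breaks; pipe is legal here."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def iso_to_epoch_ms(ts):
    """CEF 'rt' takes milliseconds since the epoch; naive timestamps are treated as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def enrich(alert, directory):
    """Correlate the actor with directory data; an unknown actor still yields an event."""
    actor = alert.get("actor", "").strip().lower()
    ctx = directory.get(actor, {})
    return {
        "actor": actor,
        "department": ctx.get("department", "unknown"),
        "manager": ctx.get("manager", "unknown"),
        "title": ctx.get("title", "unknown"),
    }


def to_cef(alert, directory=DIRECTORY):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    ctx = enrich(alert, directory)
    files = alert.get("files", [])
    header = [
        CEF_VERSION, VENDOR, PRODUCT, PRODUCT_VERSION,
        alert.get("ruleId", alert["id"]),  # signature id identifies the rule, not the instance
        alert["ruleName"],
        str(SEVERITY_MAP.get(alert.get("severity", "").upper(), 5)),
    ]
    ext = {
        "rt": iso_to_epoch_ms(alert["createdAt"]),
        "externalId": alert["id"],
        "suser": ctx["actor"],
        "cnt": len(files),
        "fname": files[0]["name"] if files else "",
        "cs1Label": "department", "cs1": ctx["department"],
        "cs2Label": "manager", "cs2": ctx["manager"],
        "cs3Label": "destination", "cs3": files[0]["destination"] if files else "",
    }
    header_text = "|".join(cef_escape_header(h) for h in header)
    ext_text = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return header_text + "|" + ext_text


if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
```

The custom-string pairs (`cs1`/`cs1Label` and so on) are where the directory and HRIS context rides along, so the SIEM can pivot on department or manager without a second lookup; a SOAR playbook can use `suser` and `externalId` to open the ticket and to link back to the alert.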


Code42 University: Investigating Insider Risk
