Introduction to Incydr


Code42 Incydr brings together three dimensions to quickly and accurately detect and help you respond to insider risks and potential threats:

  • Data: What intellectual property (IP) is most valuable to the business?
  • Vector: When, where, and how is your IP moving?
  • User: Who is moving it?

Incydr monitors data movement to provide details and context for file events that occur on endpoints as well as in corporate cloud and email services. Incydr:

  • Monitors all files for file activity, not just those that have been labeled sensitive. 
  • Detects exposure and exfiltration by web browser, cloud sync, file sharing, and the use of removable media.
  • Adds highly-visible flags to file events that have elevated risk, such as those that occur during off-hours for a particular employee or file mismatches where a file extension may have been changed to conceal exfiltration.


To use Incydr, you must: 

Incydr's features

To protect your data and help detect, investigate, and respond to insider risks, Incydr provides the following features and abilities:

Risk Exposure dashboard

The Risk Exposure dashboard gives you a visible representation of where and how your data is moving so that you can quickly grasp file events that need your attention. Use the risk indicators to further help you focus your initial investigations on more risky file activity. 

Insider Risk Trends dashboard

The Insider Risk Trends dashboard shows how risk in your organization changes over time. The dashboard shows fluctuations in the number of users causing risky file events, the departments that cause the most untrusted events, the types of files involved in exfiltration events, and the vectors by which that untrusted activity occurs.

You can use these trends to identify where to focus controls, training, and engagement to improve your organization's risk profile. For more information, see View Insider Risk Trends for your organization.


Alerts give you visibility into when important data may be leaving your company. Alerts automatically notify you about file activity occurring along a number of exposure vectors. You can create multiple alert rules to alert you for different exposure types, severities, and users causing the file activity. 

All Users list

The All Users list shows all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity. For more information, see All Users reference.


Adding an employee to a watchlist allows you to more closely monitor their file events. Each watchlist can have its own set of alerts to notify you of any risky behavior. For more information, see Secure data throughout employee tenure.  


Cases allow you to compile, document, and share details about insider risks. This helps you assemble evidence to make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.

Recover and view file contents

Incydr can also recover files, including deleted files and previous file versions. During an investigation you can restore a single file, multiple files, or even an entire device, allowing you to inspect the contents of the files involved.

Additionally, you can download the file from Forensic Search while conducting an investigation into an event to immediately view its contents and better assess risk. 

Legal hold 

Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.

How Incydr works

Incydr monitors file activity via a light-weight agent on endpoints and integrations with corporate cloud and email services, mitigating file exposure and exfiltration risks without disrupting legitimate collaboration. Incydr can identify the difference between everyday collaboration and the events that represent real risk. It filters out the noise of harmless activity, like sharing files between trusted domains, to reveal only the risks that could harm your business.

Watch the video below for an overview of how Incydr monitors file activity. For more videos about Incydr, visit the Code42 University.

Endpoint file event detection

The agent, running on either Windows, Mac or Linux endpoints, logs all file events (like file creation, deletion, and modification) and captures critical metadata including file name, owner, size, category and MD5 hash. The agent monitors:

  • Files moved to removable media (such as flash drives, hard drives, and cards that connect via USB, eSata, or Thunderbolt), collecting the vendor, name, and serial number of the devices used.
  • Files in cloud sync folders for Dropbox, iCloud, OneDrive, and Box.
  • Files that have been read or uploaded by browsers such as Internet Explorer, Chrome, Firefox, Safari, Edge, Chromium, and Opera. For such activity, the agent logs the browser name, the tab title, and the URL used to upload the file.
  • Files that have been read by web applications such as FileZilla, Windows Secure Copy, Slack, SFTP, FTP, cURL, and Secure Copy.

Cloud and email file event detection

Incydr integrates with corporate cloud services such as Box, Google Drive, and OneDrive to detect when files saved in corporate cloud drives are shared publicly or with external users by employees.

Likewise, Incydr integrates with corporate email services like Gmail and Office 365 to detect potential data exfiltration of file attachments sent to untrusted recipients.

Expected time ranges for events to appear

File events appear in Forensic Search within 1 hour. Events typically appear on the Risk Exposure dashboard, Watchlists, and Alerts within 75-90 minutes, but may take up to 2 hours.

Metadata collected

Incydr collects the following categories of metadata for file events. For detailed descriptions of all metadata, see File event metadata reference.

  • Risk: The event's overall risk severity and all associated risk indicators.
  • Event: Summary information including date observed, event action, and sharing details.
  • User: Details about the user associated with the event.
  • File: Provides a link to download the file, along with details such as the file's name, path, owner, hash, and other metadata.
  • Source: Provides details about the origin of the file.
  • Destination: Provides details about the where the file was sent or moved.

The metadata applicable to each event varies based on the specifics of the file activity. For example, an event for a file moved to removable media has different details than an event for a file shared via a cloud service.

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.

Response controls

Incydr leverages broad and deep visibility into ALL data activity and user behavior to better understand true risk. Incydr does not rely on classification of data to identify exfiltration events, but instead correlates data, vector, and user information to improve visibility and provide context.

For the times when you need to respond to insider risk, use Incydr to respond appropriately. For example, you can use identity and access management to put users in groups to restrict access based on the alerts and information Incydr provides. For more information about response options, see Introduction to Incydr Flows

For more information about how Incydr prevents data loss without blocking productivity, download our guide.

Get started

To set up Incydr, see Detect and respond to insider risks.

Want to learn more? See a demo of Incydr