Introduction to Incydr


Code42 Incydr brings together three dimensions to quickly and accurately detect and help you respond to insider risks and potential threats:

  • Data: What intellectual property (IP) is most valuable to the business?
  • Vector: When, where, and how is your IP moving?
  • User: Who is moving it?

Incydr monitors data movement to provide details and context for file events that occur on endpoints as well as in corporate cloud and email services. Incydr:

  • Monitors all files for file activity, not just those that have been labeled sensitive. 
  • Detects exposure and exfiltration by web browser, cloud sync, file sharing, Git, and removable media.
  • Adds highly-visible flags to file events that have elevated risk, such as files moving from a trusted corporate source to an untrusted destination, or file mismatches where a file extension may have been changed to conceal exfiltration.


To use Incydr, you must: 

Incydr's features

To protect your data and help detect, investigate, and respond to insider risks, Incydr provides the following features and abilities:

Risk dashboards

Incydr provides several dashboards to help you easily identify and respond to risks:

  • The Exfiltration dashboard highlights where and how your data is moving so that you can quickly identify file events that need your attention. Use the risk indicators to further help you focus your initial investigations on more risky file activity. 
  • The Trends dashboard shows how risk in your organization changes over time. The dashboard shows fluctuations in the number of users causing risky file events, the departments that cause the most untrusted events, the types of files involved in exfiltration events, and the vectors by which that untrusted activity occurs. This data can help you identify where to focus controls, training, and engagement to improve your organization's risk profile. For more information, see View Insider Risk Trends for your organization.
  • The Action Items dashboard displays items requiring attention, including open alerts, top users by critical activity, users departing this week, unwatched Instructor lessons, and open cases.


Alerts give you visibility into when important data may be leaving your company. Alerts automatically notify you about file activity occurring along a number of exfiltration vectors. You can create multiple alert rules to alert you for different exfiltration types, severities, and users causing the file activity. 

All Users list

The All Users list shows all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity. For more information, see All Users reference.


Adding an employee to a watchlist allows you to more closely monitor their file events. Each watchlist can have its own set of alerts to notify you of any risky behavior. For more information, see Secure data throughout employee tenure.  


Cases allow you to compile, document, and share details about insider risks. This helps you assemble evidence to make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.

Recover and view file contents

Incydr can also recover files, including deleted files and previous file versions. During an investigation you can restore a single file, multiple files, or even an entire device, allowing you to inspect the contents of the files involved.

Additionally, you can download the file from Forensic Search while conducting an investigation into an event to immediately view its contents and better assess risk. 

How Incydr works

Incydr monitors file activity via a light-weight agent on endpoints and integrations with corporate cloud and email services, mitigating file exposure and exfiltration risks without disrupting legitimate collaboration. Incydr can identify the difference between everyday collaboration and the events that represent real risk. It filters out the noise of harmless activity, like sharing files between trusted domains, to reveal only the risks that could harm your business.

Watch the video below for an overview of how Incydr monitors file activity. For more videos about Incydr, visit the Code42 University.

Endpoint file event detection

The agent, running on either Windows, Mac or Linux endpoints, logs all file events (like file creation, deletion, and modification) and captures critical metadata including file name, owner, size, category and MD5 hash. The agent monitors:

  • Files moved to removable media (such as flash drives, hard drives, and cards that connect via USB, eSata, or Thunderbolt), collecting the vendor, name, and serial number of the devices used.
  • Files in cloud sync folders for Dropbox, iCloud, OneDrive, and Box.
  • Files that have been read or uploaded by browsers such as Internet Explorer, Chrome, Firefox, Safari, Edge, Chromium, and Opera. For such activity, the agent logs the browser name, the tab title, and the URL used to upload the file.
  • Files that have been read by web applications such as FileZilla, Windows Secure Copy, Slack, SFTP, FTP, cURL, and Secure Copy.

Cloud and email file event detection

Incydr integrates with corporate cloud services such as Box, Google Drive, and OneDrive to detect when files saved in corporate cloud drives are shared publicly or with external users by employees.

Likewise, Incydr integrates with corporate email services like Gmail and Office 365 to detect potential data exfiltration of file attachments sent to untrusted recipients.

Expected time ranges for events to appear

File events appear in Forensic Search within 75 minutes. Events typically appear on dashboards, Watchlists, and Alerts within 75-90 minutes, but may take up to 2 hours.

For endpoint events, the device must be online and connected to the Code42 cloud for events to appear within the expected time range. If a device is offline, file events are collected and stored locally, but events won't appear in the Code42 console until after the device reconnects to the internet.

Why don't events appear right away?
Incydr prioritizes accuracy, context, and completeness over speed because insider events differ from external threats in a few important ways:
  • Unlike external threats, insider events do not propagate and spread from one person to another. This means responding within hours instead of minutes is generally an acceptable timeframe to mitigate risk.
  • Rushing to act on an insider issue before investigating can have negative consequences for both you and the user. This differs from external threats, where a quick response is necessary to minimize risk.

Metadata collected

Incydr collects the following categories of metadata for file events. For detailed descriptions of all metadata, see File event metadata reference.

  • Risk: The event's overall risk severity and all associated risk indicators.
  • Event: Summary information including date observed, event action, and sharing details.
  • User: Details about the user associated with the event.
  • File: Provides a link to download the file, along with details such as the file's name, path, owner, hash, and other metadata.
  • Source: Provides details about the origin of the file.
  • Destination: Provides details about the where the file was sent or moved.

The metadata applicable to each event varies based on the specifics of the file activity. For example, an event for a file moved to removable media has different details than an event for a file shared via a cloud service.

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.

Response controls

Incydr provides a range of response controls, including options to:

  • Send automated Code42 Instructor lessons to educate users
  • Revoke links to externally shared files
  • Block uploads, pasting, removable media, and cloud sharing
  • Perform custom actions via an Incydr Flow integration with third-party tools such as Slack or Workday

For more details, see Incydr's response controls.

Get started

To set up Incydr, see Detect and respond to insider risks.

Want to learn more? See a demo of Incydr