Overview
Watchlists enable you to create groups of users you want to monitor more closely for risky file activity. Watchlists also enable you to implement preventative controls, such as restricting browser uploads, removable media, and cloud sharing.
Watchlist membership can be based on a wide range of attributes, including departing employees, new hires, contractors, users with elevated access to critical systems or confidential data, department or directory group membership, or any other custom criteria you define.
This reference guide describes the capabilities of the User Activity > Watchlists screen in the Code42 console. For more information about creating and editing watchlists, see Manage watchlists.
Considerations
Watchlists
To access watchlists:
- Sign in to the Code42 console.
- Go to User Activity > Watchlists.
Item | Description | |
---|---|---|
a | Trust settings | |
b | Selected time frame | Shows the time frame in which the file activity occurred. Click to change the time frame. |
c | Create watchlist |
Click to create a new watchlist. |
d | Departing watchlist |
Shows a summary of users on the Departing watchlist. |
e | Watchlist recommendations |
Shows the options for recommended watchlists you have not created yet. |
f | List name |
The name of the watchlist and the risk score applied to events for users on the list. |
g | Total users |
The number of users on the watchlist. |
h | Users with critical events |
The number of users on the watchlist with critical events. |
i | User assignments |
Indicates the criteria for defining the users on this watchlist:
|
j | Alert rules |
Lists the alert rules that include this watchlist as a rule setting. |
k | Preventative controls |
Indicates which preventative controls are applied to users on this watchlist. |
l | Actions |
Clicks Actions for options to:
|
m | View details |
Click View details to open the watchlist details (see below). |
Watchlist details
Item | Description | |
---|---|---|
a |
Identifies the risk indicator and risk score added to file events for all users on this watchlist. For more information about risk indicators and how they work, see Risk settings reference. |
|
b | Trust settings | |
c | Search | Enter a username to find file activity for a specific user on the this watchlist. This searches across your entire Code42 environment and includes deactivated users. |
d | Selected time frame | Shows the time frame in which the file activity occurred. Click to change the time frame. |
e | Edit alerts | Click to see and modify the alerts that include this watchlist. |
f | Edit users |
Click to add users or remove users from the watchlist. If no users have been added yet, the button is labeled Add users. |
g | Action menu |
Edit title and description: Click to change the watchlist name or its description. Delete watchlist: Any users and alerts assigned to the watchlist are removed from the watchlist.
|
h | Watchlist settings |
Shows the following:
Click Edit to change the settings. |
i |
Departing users Departing watchlist only |
Shows a summary of users on the Departing watchlist, including the number of users departing today, as well as in the next 7 and 30 days. |
j | User activity by severity | Shows the number of users with file events for each severity. Click a severity to filter the list of users to include only file events of that severity. |
k | Filter |
Click to filter the list by:
|
l | List of users | Shows all users on the watchlist, sorted by the highest number of critical-severity file events, then by high-severity file events. See below for detailed descriptions of each column. |
m |
Risk report Departing watchlist only |
Click to view a risk report for the departing user, summarizing activity from the past 90 days. The report includes a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many events they have that correspond to the most common exfiltration scenarios for departing employees. |
n | Actions |
Click Actions for options to:
|
o | View details | Click to see more details about the user's file activity, including open alerts, cases, and file events with risk indicators applied. |
List of users
View details
From the list of users, click View event details to see more information about a user's file activity.