Manage watchlists

Overview

This article explains how to use watchlists to mitigate insider risk by more closely monitoring the file activity of higher-risk users. 

For any watchlist, you can build alerts to notify you when a user on the watchlist performs a specific action. Watchlists also enable you to use preventative controls to restrict a user's ability to perform specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.

For example, some users may need to use removable media to do their jobs, while others do not. Instead of being alerted when any user in your environment uses a thumb drive, you can add the users you are most concerned about to the Poor security practices watchlist. Then you can define when to be alerted about those users' USB usage, and/or to block those users from being able to mount a USB drive entirely.

Watchlist types

The following types of watchlists are available for you to use, or you can create your own. File events that occur while a user is on a watchlist receive a risk indicator and an associated risk score, raising the severity of those events. Watchlist risk indicators are applied to every event for every user on a watchlist.

Departing

Add employees that are about to leave (or have left) the company to this watchlist. Departing employees often take data with them when they leave and sometimes take data after they have left if their access is not properly revoked.

Contractor

Add any contractors or temporary employees to this watchlist for closer monitoring.

New hire

Add brand new employees that may not be aware of your security practices to this watchlist. Review the file activity of these new employees in their first 30-90 days. This gives you enough data to verify that they understand and are following your company's safe data practices. 

High impact

Place employees on this watchlist that have special roles that require broad access to high-value data (such as intellectual property or other confidential files).

Elevated access

Add employees that have access to highly sensitive data and systems to this watchlist for closer monitoring. 

Flight risk

Employees sometimes reach a point in their tenure at which people commonly leave, or they express job dissatisfaction, are turned down for a promotion, or have conflicts with teammates that lead to difficult situations for everyone involved. In those situations, add the employee to this watchlist to monitor for harmful data activity while they may be looking for another job.

Suspicious system activity

For employees that have tried to access sensitive systems or have raised alerts in other security systems, add them to this watchlist to make sure their behaviors don't continue to be problematic. 

Performance concerns

Sometimes employees have a poor performance review, get a demotion, or are on a performance improvement plan. These employees may not be the most satisfied employees and may be at higher risk of causing data loss to the company. Add these employees to this watchlist to make sure your data remains safe. 

Poor security practices

To make sure their behaviors don't lead to data loss, place employees on this watchlist who use unsanctioned tools or have poor security awareness as shown by consistently falling for phishing tests or failing security training.

Custom watchlists

If none of the above watchlists meet your needs, you can create a custom watchlist. 

  • Creating a custom watchlist automatically creates a corresponding user risk indicator with a customizable risk score.
  • The default risk score for custom watchlists is 0, but you can change the score by editing the risk settings for the watchlist.
  • Like the pre-defined watchlists above, custom watchlists are searchable risk indicators in Forensic Search.

For more information about watchlists, see Watchlists reference.

Considerations

  • To access watchlists, you must have a role with permissions to view and modify watchlist settings. For more information, see Permissions for Incydr.

Before you begin

Push groups to Code42

You can add users to watchlists using groups from an external user directory system like Azure Active Directory. For example, you can add users from a Finance directory group to the High impact watchlist, or add users from a Security department to the Elevated access watchlist.

Before you can use groups to add users to watchlists, an Identity Management Administrator must first "push" groups to Code42 from the external user directory system. After the push, the groups are available to add users to watchlists.

The push method the Identity Management Administrator uses differs depending on the type of provisioning provider set up in Identity Management:

  • SCIM provider: Push SCIM groups from SCIM providers to make members of directory groups and departments available to watchlists. For directions, see our articles for Azure and Okta (SCIM groups are not supported for PingOne). To push SCIM groups from other providers, see the provisioning provider's documentation.
  • Code42 User Directory Sync: Directory groups cannot be pushed from a Code42 User Directory Sync provisioning provider, but you can push departments to make their members available to watchlists. If the ldap.attrib.department property is configured in the config.properties file, departments are pushed to Code42 at synchronization.

Deleted or renamed groups

If a directory group or department is deleted or renamed in your identity management provider, adjust the watchlist groups accordingly:

  • Directory group deleted: An error appears in Incydr stating that the group no longer exists. Remove the deleted directory group from the watchlist.
  • Directory group renamed: A warning appears in Incydr stating that a directory group no longer exists. Work with your Identity Management Administrator to identify renamed groups. Add the newly renamed groups and remove the old groups from the watchlist.
  • Department deleted or renamed: Due to the nature of department information, a warning does NOT appear in Incydr for missing or renamed departments. Work with your Identity Management Administrator to identify deleted or renamed departments. Add the newly renamed departments and remove the old departments from the watchlist.

Create a watchlist

  1. Go to User Activity > Watchlists.
  2. Add a watchlist.
    1. If this is your first watchlist, click any of the tiles shown to create that watchlist. 
    2. If you already have some watchlists created but would like to make another, click Create watchlist.
  3. For custom watchlists only: Enter a unique name for the watchlist and, optionally, add a short description. You can also edit the name, description, and risk score later from the watchlist's Actions menu.

Add users to a watchlist

To add users to an existing watchlist: 

  1. Go to User Activity > Watchlists.
  2. Select the watchlist you would like to add users to or create a new one.
    The watchlist opens.
  3. In the watchlist settings next to Users, click Add or Edit, or click Add or Edit users in the upper-right.
  4. Add users by groups or as individuals, as described in the following sections.

To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.

Add users by groups

  1. On the By group tab, click Add for one of the following: 
    • Directory group: Use this option to add users in a directory group to a watchlist. 
    • Department: Use this option to add all the users in a department to a watchlist.
    • Excluded users: Use this option to keep users off a watchlist, regardless of their directory group or department membership.
      • For example: You want to more closely monitor your entire Engineering department for exfiltrated source code, but you also know that there are a few engineers who will cause excessive alerts due to the nature of their work. Add the entire Engineering department in the Department section, and then add the users who would cause excessive alerts to Excluded users.
  2. Enter the group or department to add to your watchlist and select the name from the list provided.
  3. Click Save.

Add individual users

  1. On the By individuals tab, click Add.
  2. Enter the Code42 username of the user to add to your watchlist and select their username from the list provided. If the username you were expecting doesn't appear, verify that the user exists in your Code42 environment.
  3. (Optional): If available, add the following dates to the user's profile. These dates are helpful when filtering your watchlists and are used to populate the summary information that tells you how many users are leaving your organization today.
    • Departure date: The date the employee is planning to leave your company. (Departing watchlist only)
    • Start date: The date the employee began working at your company. (New hire watchlist only)
  4. Click Save.
    Users are added to the watchlist.
Excluded users

If a user is added to the Excluded users list, that user does not appear on the watchlist. This is true even if they are in a directory group or department that has been added to the watchlist, or if they have been added on the By individuals tab.

Automatically add users to a watchlist

Use integrations to automatically add users to a watchlist based on the user's status in your company's systems.

Remove users from a watchlist

  1. Go to User Activity > Watchlists.
  2. Select the watchlist you would like to remove users from. 
    The watchlist opens.
  3. In the watchlist settings next to Users, click Edit.
    A panel slides in from the right.
  4. Remove users by groups or individually, as described in the following sections.

Remove users by groups

You can remove users by directory group or department: 

  • Directory group: This option allows you to remove a directory group that was used to populate the watchlist. When you remove a directory group, all the users in that group are removed from the watchlist, unless they are on the watchlist for other reasons such as by department or added individually. 
  • Department: This option allows you to remove a department that was used to populate the watchlist. When you remove a department, all the users in that department are removed from the watchlist, unless they are on the watchlist for other reasons such as by directory group or added individually.

To remove a single directory group or department:

  1. On the Groups tab, click the delete button next to the directory group or department you would like to remove from the watchlist.
  2. In the confirmation message that appears, click Remove.

To remove multiple directory groups or departments at once:

  1. On the Groups tab, select the corresponding checkbox to the left of the directory groups or departments you would like to remove from the watchlist. 
  2. Above the list of selected groups, click Remove.
  3. In the confirmation message that appears, click Remove.

Remove individual users

Use this option to remove users that were added individually to a watchlist. If the user is in a directory group or department used to populate the watchlist, the user will remain on the watchlist. 

To remove a single individually added user:

  1. On the Individuals tab, click the delete button next to the user you would like to remove.
  2. In the confirmation message that appears, click Remove.
    The user is removed from the watchlist.

To remove multiple individually added users at once:

  1. On the Individuals tab, select the corresponding checkbox to the left of the users you would like to remove from the watchlist.
  2. Above the list of selected users, click Remove.
  3. In the confirmation message that appears, click Remove.
    The users are removed from the watchlist.

I removed an individual, but they're still on the watchlist

If you removed an individual user on the Individuals tab but they are still on the watchlist, they are most likely a member of a directory group or department used to populate the watchlist.

Directory group and department membership cannot be managed within Incydr. Instead, work with your Identity Management Administrator to change the user's group or department membership.

If you cannot change the group or department membership, you can instead add the user to the list of Excluded users.
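The membership rules described above (Excluded users overriding every inclusion source, and an individually removed user staying on the watchlist through a directory group or department) are easiest to reason about as set operations. The following Python model is an added example, not Code42 or py42 code: the DirectoryUser and Watchlist classes, their method names, and the sample directory of example.com users are all constructed for illustration, and nothing here talks to Incydr. It resolves effective membership the way the sections above describe and reports why a user removed on the Individuals tab is still a member.

```python
"""Offline model of Incydr watchlist membership resolution.

Constructed example (not Code42 code). Reproduces the documented rules:
members come from directory groups, departments and individual adds;
a user on the Excluded users list is never a member, whatever else says so.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryUser:
    """One user as pushed from the identity provider (constructed shape)."""
    username: str
    groups: frozenset
    department: str


@dataclass
class Watchlist:
    """Membership sources for one watchlist, as configured in the UI."""
    name: str
    directory_groups: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    individuals: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)

    def membership_reasons(self, user):
        """Every reason the user is on the list, or [] if they are not.

        Exclusion is checked first and wins over all inclusion sources.
        """
        if user.username in self.excluded_users:
            return []
        reasons = []
        for group in sorted(user.groups & self.directory_groups):
            reasons.append(f"directory group: {group}")
        if user.department in self.departments:
            reasons.append(f"department: {user.department}")
        if user.username in self.individuals:
            reasons.append("added individually")
        return reasons

    def members(self, directory):
        """Effective member set resolved against a directory snapshot."""
        return {u.username for u in directory if self.membership_reasons(u)}

    def remove_individual(self, username):
        """Mirror the Individuals tab: only the individual entry goes away."""
        self.individuals.discard(username)

    def explain_stuck_user(self, user):
        """Why a user removed on the Individuals tab is still a member, or None."""
        reasons = [r for r in self.membership_reasons(user)
                   if r != "added individually"]
        if not reasons:
            return None
        return ("still a member via " + ", ".join(reasons)
                + "; change membership with the Identity Management "
                  "Administrator or add the user to Excluded users")


# Constructed directory snapshot (sample data, not real users).
DIRECTORY = [
    DirectoryUser("alice@example.com", frozenset({"Engineering-All"}), "Engineering"),
    DirectoryUser("bob@example.com", frozenset({"Engineering-All", "Build-Infra"}), "Engineering"),
    DirectoryUser("carol@example.com", frozenset({"Finance"}), "Finance"),
    DirectoryUser("dave@example.com", frozenset(), "Sales"),
]


def build_example_watchlist():
    """Engineering watched by department; a noisy build engineer excluded;
    one user outside Engineering added individually."""
    wl = Watchlist(name="Custom: Source code exfiltration")
    wl.departments.add("Engineering")
    wl.individuals.add("dave@example.com")
    wl.individuals.add("alice@example.com")   # also covered by her department
    wl.excluded_users.add("bob@example.com")  # excluded despite department match
    return wl


if __name__ == "__main__":
    wl = build_example_watchlist()
    print(sorted(wl.members(DIRECTORY)))
    wl.remove_individual("alice@example.com")   # she stays: department still matches
    print(wl.explain_stuck_user(DIRECTORY[0]))
```

Removing alice on the Individuals tab leaves her on the list because the Engineering department entry still covers her; removing dave, who was only added individually, takes him off. Adding a user to excluded_users removes them regardless of how many sources include them, which is the documented escape hatch when directory membership cannot be changed.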

Automatically remove users from a watchlist

Use integrations to automatically remove users from a watchlist based on the user's status in your company's systems.

Add and edit preventative controls for a watchlist

Preventative controls enable you to restrict a user's ability to perform specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.

To configure preventative controls:

  1. Go to User Activity > Watchlists.
  2. Select a watchlist.
  3. In the Watchlist settings section, go to Preventative controls and click the edit (pencil) icon, or click Add if no preventative controls are enabled yet.
  4. Toggle each preventative control On or Off. Settings apply to all users on the selected watchlist. See Manage Incydr preventative controls for details about each setting.
  5. Click Save.

Modify alerts for a watchlist

  1. Go to User Activity > Watchlists.
  2. Select the watchlist for which you would like to adjust alerts. 
    The watchlist opens.
  3. In the watchlist settings next to Alerts, click Edit, or click Edit alerts in the upper-right.
    The Edit alerts panel slides in from the right. Do one of the following:
    1. For assigned alerts: Click Edit.
      A new tab with the alert open appears.
    2. To add a new recommended alert: Click View.
      A new tab with the panel to create the recommended alert appears.
    3. To create a new alert: Click Create new alert.
      A new tab with the panel to create a new alert appears.
  4. Adjust the alert rule settings as necessary and click Save.

Delete a watchlist

  1. Go to User Activity > Watchlists.
  2. Find the watchlist you want to delete and click Actions.
  3. Click Delete watchlist.
    A confirmation message slides in from the right. 
  4. Click Delete watchlist.
    • All users are removed from that watchlist. Their User profiles are still available.
    • Cases remain intact for any users on the watchlist.
    • Associated alerts are removed from the watchlist. If those alerts are not being used elsewhere in Incydr, the alert rule is deleted from Alerts.
    • The watchlist is removed from your current list of watchlists and can be recreated at another time.

Manage watchlists with integrations

You can use Code42 integrations to automatically manage user information in watchlists using data from other systems, such as identity and access management (IAM), privileged access management (PAM), or human capital management (HCM) systems. The following Code42 integrations are available to automate watchlist management.

Incydr Flows 

Incydr Flows connect other systems to Code42, allowing you to use information in those systems to update your Code42 environment. For example, you can ingest user attributes such as employment milestones, departure dates, or elevated access credentials for use in watchlists.

Incydr Flows requires assistance and setup from Code42 Professional Services. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team. For a general overview of how to start configuring Incydr Flows, see Configure Incydr Flows.

For more information about Incydr Flows, see Introduction to Incydr Flows.

CLI

The Code42 command-line interface (CLI) tool is a command-driven framework to interact with your Code42 environment. To use the CLI to manage watchlists, see Manage watchlist members in the CLI documentation in the Code42 Developer Portal.

For more information about the CLI, see Introduction to the Code42 command-line interface.

py42

py42 is a Python SDK wrapper around the Code42 API that lets you develop your own tools for working with Code42 data. To use py42 to manage watchlists, see Watchlists in the py42 documentation in the Code42 Developer Portal.

For more information about py42, see Introduction to py42, the Code42 Python SDK.

APIs

Code42's API can be used to interact with your Code42 environment using RESTful tools and standards. To use the Code42 API to manage watchlists, integrate the following APIs with external systems:

For more information about the Code42 API, see Code42 API resources.