View and manage alert notifications (legacy)

Overview

This article applies to the legacy Alerts view in the Code42 console. For the current Alerts view, see Review Alerts reference.

This article explains how to review and manage the security notifications that are created when Code42 detects activity that matches the criteria in an alert rule.

When a rule is triggered, an alert notification appears in the Alerts > Review Alerts table. You can add a note to an alert, review and dismiss alerts, or use the filters to search for alerts that have been dismissed to reopen them.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, URL paths, or Slack workspaces you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events.

Considerations

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

Review alert notifications

Alerts older than your retention period are unavailable
Alert notifications that are older than your product plan's event data retention period are removed from the Review Alerts list and are unavailable. To save any alert notifications prior to the end of the retention period, use the Code42 API to export alert notification details to an external file or your security information and event management (SIEM) tool. See the Code42 Developer's Portal for more information on the Code42 API.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. For any alert, click View detail to see more details.
    Alert details opens, where you can view file details, add notes or statuses, and take other actions on the alert.
    • Click Copy Link to copy the link to the alert notification in the Code42 console so that you can share it with others for investigation.
    • Click Investigate in Forensic Search to see the files for this event in Forensic Search. If multiple event types are involved in this alert, select the type of events you want to view from the menu that opens:
      • Investigate download events
      • Investigate external device events
      • Investigate browser and app upload events
      • Investigate cloud sync events
      • Investigate cloud sharing events
      • Investigate external email sharing events
      • Investigate Git events
    • Click Actions and select an action:
      • Select Send email to compose an email to the user requesting more information about this activity.
        You can customize the email as needed after it opens.
      • Select Send user an Instructor lesson and then select the lesson to send to that user.
    • Click View Rule to open and update the rule settings.
    • Click View Instructor lessons to open Code42 Instructor and view more information about the lesson sent.
    • Select a status to identify the state of your investigation into the alert.
      If you select Dismissed, Code42 automatically dismisses the alert and removes it from the list of open alerts. Click Reopen alert to reopen the alert and change its status to Open, if needed.
    • Add a note (or edit any current note) to provide more details about the alert.
    • Click View profile to open the User Profile for that user.
      View profile appears only when allowed by your Code42 product plan and role permissions.
  4. (Optional) When you're done reviewing the alert, click Dismiss alert to remove the notification. 
    When you dismiss an alert, Code42 automatically removes it from the list of open alerts. You can reopen alerts, if needed.

Dismiss multiple notifications at once
To dismiss multiple notifications at once, select the checkbox next to one or more notifications in the Review Alerts list and then click the Dismiss Alerts button in the upper-right of the list.

Add a note

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. For any alert, click View detail to see more details.
  4. In the Notes panel, click Add note.
    If the alert already includes a note, click Edit to edit the existing note.
  5. Enter the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save.
    Your note is added to the Notes panel in the Alert details. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited. Click Expand note to view long notes.

Dismiss alert notifications

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. To dismiss a single alert, click Dismiss alert. When the menu opens:
    • Select Dismiss to dismiss the alert.
    • Select Dismiss with note to add a note to the alert and then dismiss it. Enter your note (or edit the existing note) and then click Save and dismiss.
      The notification is removed from the table and entered into the list of dismissed alert notifications.
  4. To dismiss multiple alerts at once, select the checkbox next to specific alerts, or click the checkbox in the header row to select all alerts on the current page.
    • Select Dismiss nn alerts to dismiss only the selected alerts.
    • Select Dismiss all nnn alerts to dismiss all open alerts.

Reopen dismissed alert notifications

  1. Sign in to the Code42 console.
  2. Go to Alerts > Review Alerts.
  3. Click Filter and apply the Dismissed status to show alerts that have been dismissed.
    1. When the Filters panel opens, under Status, clear the Open checkbox and select the Dismissed checkbox.
    2. (Optional) Select any other criteria to further filter the list of alerts that are returned.
    3. Click Apply.
      You are returned to the Review Alerts table and only the dismissed alerts that meet any other selected criteria are listed.
  4. (Optional) Click Reopen Alert to reopen a notification:
    • Select Reopen to reopen the alert.
    • Select Reopen with note to add a note to the alert and then reopen it. Enter your note (or edit the existing note) and then click Save and reopen.
    The reopened notification is removed from the table and returned to the list of open alert notifications. To view open notifications, repeat step 3 above and select the Open status.