Overview
From the User Profile, you can review the file activity of an employee, helping you to:
- Quickly identify suspicious file movement
- Review endpoint and cloud services activity
- See previous file activity
This article describes the information and options in the User Profile.
Considerations
- Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
- To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
- To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.
User Profile
To see a user profile from various places in the Code42 console, do either of the following:
- Click View profile
- Click a hyperlinked username
Item | | Description |
---|---|---|
a | Risk settings | |
b | Selected time frame | Shows the time frame the file activity occurred in. Click to change the time frame. |
c | Actions | |
d | User information | Shows details about the user, including name, notes, start and end dates, watchlist membership, and active agents. See User information below for more details. |
e | Activity overview | For the selected time frame, displays the number of: Click View for more details about each item. |
f | File activity by severity | Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges: For more information about risk indicators, see Risk settings reference. |
g | Source risk indicator activity | Shows all of the user's file events where the file came from a source likely to contain company data. |
h | Destination risk indicator activity | Shows all of the user's file events by where the file was moved to, shared, or sent (destination risk indicator). |
i | File risk indicator activity | Shows all of the user's file events by file risk indicator. |
User information
Item | | Description |
---|---|---|
a | User information | Displays a summary of the employee's information, including: If you use Code42 User Directory Sync or SCIM provisioning, additional information appears here, including the user's Department, Title, Location, and Manager. |
b | Start date | Click Add or Edit to add or update a start date for the user. The start date is used with the New hire watchlist. Start date filtering: The start date can be used to filter and find all employees that have started at your company in the past 30-90 days. Use this filter to determine if new employees are aware of and following your company's data practices. |
c | Departure date | Click Add or Edit to add or update a departure date for the user. The departure date is used with the Departing watchlist. Departure date filtering: The departure date is used to filter and find all employees that are leaving your company soon. This date drives the filters shown on the Departing watchlist summary of the Exfiltration dashboard as well as the Departing employee risk report. |
d | Notes | Click Add notes or Edit to add or update the notes on the User profile. Notes are limited to 1000 characters. |
e | Watchlist details | Lists the user's current watchlist membership, the risk score for each watchlist, which preventative controls are enabled, and any alerts that explicitly include or exclude the watchlist. Click Edit for options to: If the user is not on a watchlist, click Add to watchlist to add one. |
Agents (not pictured) | | Lists active insider risk agents for the user (backup agents are not included). Details include: The Agents section displays the message No active agents when an agent has not been deployed, all agents are deactivated, or the user is out-of-scope. |