User Profile reference

Overview

From the User Profile, you can review the file activity of an employee, helping you to:

  • Quickly identify suspicious file movement
  • Review endpoint and cloud services activity
  • See previous file activity

This article describes the information and options in the User Profile.

Considerations

  • Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
  • To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.
Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

User Profile

To see a user profile from various places in the Code42 console, do the following:

  • Click View profile
  • Click a hyperlinked username

User profile details and activity

 

Item Description
a Risk settings

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

b Selected time frame Shows the time frame the file activity occurred in. Click to change the time frame.
c Actions

Click the Actions menu and do one of the following:

  • Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships.
  • In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it.
  • Select Send user an Instructor lesson to send a lesson to the user.
  • Select a custom action.
    • Incydr Flows connect other systems or workflows to Code42. These integrations can add contextual information about users and orchestrate response controls.
    • Custom actions are only available if your organization has worked with Code42 Professional Services to set up Incydr Flows and if you have the correct role.
Visibility of actions
You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example:
d User information

Shows details about the user, including name, notes, start and end dates, watchlist membership, and active agents. See User information below for more details.

e Activity overview

For the selected time frame, displays the number of:

  • Alerts generated by the user
  • Instructor lessons sent to the user
  • Cases where the user is the subject

Click View for more details about each item.

f File activity by severity

Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low

For more information about risk indicators, see Risk settings reference.

g Source risk indicator activity Shows all of the user's file events where the file came from a source likely to contain company data.
h Destination risk indicator activity

Shows all of the user's file events by where the file was moved to, shared, or sent (destination risk indicator).

i File risk indicator activity

Shows all of the user's file events by file risk indicator.

 

User information

Item Description
a User information

Displays a summary of the employee's information, including:

  • First and last name
  • Watchlist memberships
  • Code42 username

If you use Code42 User Directory Sync or SCIM provisioning, additional information appears here, including the user's Department, Title, Location, and Manager.

b Start date

Click Add or Edit to add or update a start date for the user. The start date is used with the New hire watchlist.

Start date filtering
The start date can be used to filter and find all employees that have started at your company in the past 30-90 days. Use this filter to determine if new employees are aware of and following your company's data practices.
c Departure date

Click Add or Edit to add or update a departure date for the user. The departure date is used with the Departing watchlist.

Departure date filtering
The departure date is used to filter and find all employees that are leaving your company soon. This date drives the filters shown on the Departing watchlist summary of the Exfiltration dashboard as well as the Departing employee risk report.
d Notes

Click Add notes or Edit to add or update the notes on the User Profile. Notes are limited to 1000 characters.

e Watchlist details

Lists the user's current watchlist membership, the risk score for each watchlist, which preventative controls are enabled, and any alerts that explicitly include or exclude the watchlist. 

Click Edit for options to:

  • Remove the user from this watchlist
  • Add the user to a different watchlist
  • Create a new watchlist

If the user is not on a watchlist, click Add to watchlist to add one.

 

Agents

(not pictured)

Lists active insider risk agents for the user (backup agents are not included).

Details include:

  • The device's hostname
  • Last check-in date
  • Device health
    • Green checkmark icon: No agent issues
    • Orange exclamation point icon: Hover to see known issues with the agent

The Agents section displays the message No active agents when an agent has not been deployed, all agents are deactivated, or the user is out-of-scope.

Source risk indicator activity

Source indicator activity graph

 

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. 

b Filter

Click to filter the graph and events in the table by:

c Filtered by Shows the filters currently applied to the data shown in the graph as well as the data available in the source indicators. Click the "x" on a filter to remove it. 
d Showing

Lists the source risk indicator you are viewing.

e

Select source risk indicator

Select a source risk indicator to see where the file was sent and its associated risk. 
 

Source risk indicators are applied to file events where the file came from a source likely to contain company data.

f Events Number of file events associated with the risk indicator for the selected time frame.
g Size Total size of files involved with the file activity.
h Activity preview Shows a visual representation of file activity for the selected time frame.
i View event details Click to view more information about the file events.

Destination risk indicator activity

Destination risk indicators are dynamic
The list of destination risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box corporate data connector is not listed.

Item Description
a Selected time frame

Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. 

b Filter

Click to filter the graph and events in the table by:

c Filtered by Shows the filters currently applied to the data shown in the graph as well as the data available in the destination indicators. Click the "x" on a filter to remove it. 
d Showing

Lists the destination risk indicator you are viewing.

e

Select destination risk indicator

Select a destination risk indicator to see where the file was sent and its associated risk. 
 

Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded. See the list of destination risk indicators for more details on what types of destinations you may have in your Code42 environment.

f Events Number of file events associated with the destination for the selected time frame.
g Size Total size of files involved with the file activity.
h Activity preview Shows a visual representation of file activity for the selected time frame.
i View event details Click to view more information about the file events.

File risk indicator activity

File risk indicators are dynamic
The list of file risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.

For example, if there is no untrusted file activity involving source code, that indicator is not listed.
 
Item Description
a Selected time frame Shows the time frame in which the file activity occurred. Change the time frame in the upper-right corner of the page. 
b Filter

Click to filter the graph and events in the table by:

c Selected file risk indicator

Shows the summary of file activity for the following file risk indicators:

  • Audio
  • Document
  • Executable
  • Image
  • PDF
  • Presentation
  • Script
  • Source Code
  • Spreadsheet
  • Video
  • Virtual Disk Image
  • Zip

For more information about file risk indicators, see Risk settings reference.

d File risk indicators Select a file risk indicator to see its graph.
e Events

Displays the count of total file events for a file risk indicator and a visual representation of the number of file events. File events include when files are:

  • Moved to removable media or cloud sync folders
  • Uploaded via a browser or other app
  • Shared publicly or directly from your corporate cloud storage*
  • Sent from your corporate email provider*

*Requires that Code42 have access to monitor your cloud storage environment and email services.

The default sort order is from the highest number of events to the lowest. 

f Size Displays the total file size of file events for a file risk indicator. 
g Activity preview Shows a visual representation of file activity for the selected time frame.
h View details Click to view the details of file events for a file risk indicator.