Create and manage alert rules

Overview

This article explains how to configure alert rules using the Manage Rules screen. Alert rules:

  • Enable you to define the file activity that poses the greatest file exfiltration risk for your organization
  • Notify you when risky activity occurs
  • Integrate with Code42 Instructor, enabling you to automatically send targeted, timely educational content to users in response to risky activity

When an alert is created, it appears on the Alerts > Review Alerts screen. 

Considerations

Before you begin

Carefully identify the behavior that represents real risks to your organization before creating alert rules. For example, while it may be tempting to create a rule that monitors every file category for all risk severities, overly broad rules can result in notification overload and too much information to sort through to find the real exfiltration risks.

To craft meaningful and focused rules:

  • Identify what information poses the most risk to your organization. For example, if source code files are your organization's most valuable intellectual property, you may want to be alerted any time source code is moved to an untrusted location. Review the use cases and examples in Alert rule settings reference and Recommended rules reference for ideas on how to identify your organization's most valuable business data.
  • Use risk settings and severities to identify how important that data is to you. For example, if your business runs on spreadsheets and it's vitally important to know whenever they're shared publicly, you might set up a rule for all spreadsheet files with risk severities of moderate and above.
  • Review your trusted activity settings to ensure they include the locations you trust and the activity that is a normal part of user collaboration. Alerts only notify you about activity not included in your list of trusted activity, as it is more likely to represent real risk to your organization.

Create a rule

You can create a new rule in several ways: from a template, from scratch, from a watchlist, or by copying and modifying an existing rule.

Use a template

To get you up and running, Code42 includes a number of pre-configured rule templates that contain recommended settings. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Under Recommended rules, select a template to use as a starting point. Click View all recommendations for more options.
  4. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Create a rule from scratch

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Click Create Rule.
  4. Select an alert rule setting.
  5. Choose the specific criteria for the rule.
  6. Click Save.
  7. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Create a rule for a watchlist

  1. Sign in to the Code42 console.
  2. Go to User Activity > Watchlists.
  3. Click an existing watchlist. You can also add a new one, if needed.
    The watchlist opens.
  4. In the upper-right, click Edit alerts. (If there are no alerts for this watchlist, click Add alerts.)
  5. Do one of the following: 
    • Click View to create a rule that contains this watchlist from one of the recommended watchlist alert templates.
    • Click Create new alert to create a rule that uses the other alert rule settings.
  6. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Copy and modify an existing rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
  5. Follow the on-screen instructions to complete the rule creation. For more details, see Define rule criteria.

Define rule criteria

  1. Go to Alerts > Manage Rules.
    1. To create a new rule, click Create rule, then select a rule type and the initial criteria.
    2. For an existing rule, locate the rule and click View.
  2. Review the Rule settings. Update criteria as needed, then click Next.
    • Click Edit to update the existing criteria.
    • Click Add setting to include additional criteria. See Alert rule settings for more details about each option.
      • Code42 automatically monitors activity on all destinations and exfiltration vectors. Add Destination settings to a rule when you only want to be alerted about activity on specific destinations.
    • To remove a setting, click Edit, then select Restore defaults.
    • (Optional) Click Show default settings to further refine which activity generates an alert. For example, by default, any user who performs the defined file activity generates an alert, but you can choose to restrict the alert to specific users.
    • (Optional) Click View activity that matches this rule criteria to view file events from the past 30 days that match these rule settings. Review the results to confirm that the rule identifies the activity you want to generate an alert.
      • If a very large number of results appear, consider further refining the criteria.
      • If few or no results appear, confirm that the criteria are defined correctly.
  3. If your product plan includes Code42 Instructor, select the lesson to send to users when they trigger this alert rule.
    Click View Instructor lessons for more details about each lesson.
    1. Choose how to send the lesson (email, Microsoft Teams, or Slack).
    2. (Optional) Update the send frequency for users who repeat the same activity.
    3. (Optional) Select Dismiss the alert once the lesson is sent to automatically dismiss the alert.
    4. Click Next.
  4. (Optional) Enter a comma-separated list of email addresses to receive alert notifications. Click Next to continue.
    • To ensure you receive alerts, add code42.com to your email server's allowlist.
    • When the alert is triggered, these recipients are emailed about the file activity. If you do not enter any email addresses, no email is sent, but the file activity is visible on the Alerts > Review Alerts screen.
  5. Enter a unique Rule name and an optional description. Click Save to continue.
  6. Review the rule's details. To make changes, click the edit icon. If the details are correct, close the View rule panel.

Include and exclude criteria

Most rule types give you the option to either include or exclude specific criteria.

  • Use an exclude setting to refine existing criteria included in a rule. For example, you might create a rule to alert on the first use of a destination but exclude users on the new hire watchlist from that alert.
  • Rules with only exclude criteria may generate an undesirable and very large number of alerts. For example, an alert rule set to only exclude users on the new hire watchlist, with no other criteria defined, would generate alerts for all activity for all users not on that watchlist.
  • If a rule has conflicting Individual users and Watchlists settings, the individual user criteria take precedence over the watchlist criteria. For example, if you include a specific user in the rule settings but exclude a watchlist containing that user as a member, alerts are still generated for that user.
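The scoping behavior described above, modeled as a small Python script. This is an added example written for this article, not Code42's own implementation; the rule names, users, watchlists and file events are constructed for illustration. It shows why an exclude-only rule fires for nearly every user, how adding file criteria narrows the same exclusion to the activity that matters, and how an individual-user include overrides a watchlist exclude.

```python
"""Model of how include/exclude criteria scope an alert rule.

Added illustration of the precedence described in this article, not Code42's
implementation. Rule names, users, watchlists and events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class AlertRule:
    name: str
    # Non-user criteria (file category, destination, ...) collapsed into one
    # predicate on the event. Default: match every file event.
    file_criteria: Callable[[dict], bool] = lambda event: True
    include_users: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)
    include_watchlists: Set[str] = field(default_factory=set)
    exclude_watchlists: Set[str] = field(default_factory=set)


def user_in_scope(rule: AlertRule, user: str, memberships: Dict[str, Set[str]]) -> bool:
    """Return True if activity by `user` can raise an alert for `rule`.

    Individual-user settings take precedence over watchlist settings, so a
    user explicitly included stays in scope even when an excluded watchlist
    lists them as a member.
    """
    if user in rule.include_users:
        return True
    if user in rule.exclude_users:
        return False
    lists = memberships.get(user, set())
    if lists & rule.exclude_watchlists:
        return False
    if rule.include_users or rule.include_watchlists:
        # The rule was narrowed to specific users or watchlists.
        return bool(lists & rule.include_watchlists)
    # No include criteria: every user who is not excluded is in scope.
    return True


def evaluate(rule: AlertRule, events: List[dict], memberships: Dict[str, Set[str]]) -> List[dict]:
    """Return the events that would generate an alert for `rule`.

    Activity to trusted destinations never alerts, matching the article's
    note that only untrusted activity is evaluated.
    """
    return [
        e for e in events
        if not e["trusted"]
        and rule.file_criteria(e)
        and user_in_scope(rule, e["user"], memberships)
    ]


# Constructed sample data (not real Code42 output).
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"New hires"},
    "bob": set(),
    "carol": {"Departing employees"},
    "dave": set(),
}
EVENTS: List[dict] = [
    {"user": "alice", "category": "SourceCode", "destination": "USB drive", "trusted": False},
    {"user": "bob", "category": "Spreadsheet", "destination": "Corporate Google Drive", "trusted": True},
    {"user": "bob", "category": "SourceCode", "destination": "Personal Gmail", "trusted": False},
    {"user": "carol", "category": "Document", "destination": "Dropbox", "trusted": False},
    {"user": "dave", "category": "Document", "destination": "Box", "trusted": False},
]

# Exclude-only rule: no file criteria, so it alerts on all untrusted activity
# by every user who is not a new hire.
EXCLUDE_ONLY = AlertRule(name="Exclude new hires only", exclude_watchlists={"New hires"})

# Focused rule: same exclusion, narrowed to source code leaving to untrusted destinations.
FOCUSED = AlertRule(
    name="Source code to untrusted destination",
    file_criteria=lambda e: e["category"] == "SourceCode",
    exclude_watchlists={"New hires"},
)

# Conflicting settings: alice is individually included and on an excluded watchlist.
OVERRIDE = AlertRule(name="Include alice, exclude new hires",
                     include_users={"alice"}, exclude_watchlists={"New hires"})


def alert_counts() -> Dict[str, int]:
    """Alerts each rule would generate over the sample events."""
    return {r.name: len(evaluate(r, EVENTS, MEMBERSHIPS)) for r in (EXCLUDE_ONLY, FOCUSED, OVERRIDE)}


if __name__ == "__main__":
    for name, n in alert_counts().items():
        print(f"{n} alert(s): {name}")
```

Over the five sample events the exclude-only rule raises three alerts (every untrusted action by anyone who is not a new hire), the focused rule raises one (bob's source code to personal Gmail), and the override rule raises one for alice even though she is on the excluded watchlist.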

Edit a rule

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule and click View. Alternatively:
    • To edit a rule from an alert notification:
      • Go to Alerts > Review Alerts.
      • Select an alert.
        The Alert details appear.
      • From the Rule name, click View rule.
    • To edit a rule from a watchlist:
      1. Go to User Activity > Watchlists.
      2. Select a watchlist.
      3. In the upper-right, click Edit alerts.
      4. From the list of Assigned alerts, click Edit.
  4. Follow the on-screen instructions to edit the rule. For more details, see Define rule criteria.

Disable a rule

Disabling a rule stops new alerts from being created, but the rule remains available for you to re-enable later.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules and locate the rule that you want to disable.
  3. In the Enable column, click the toggle to disable or enable the rule.
    • A toggle in the off position indicates the rule is disabled.
    • A toggle in the on position indicates the rule is enabled.

Delete a rule

Deleting a rule stops all alerts for that rule for all users. Any previous alert notifications for the rule remain in the Review Alerts table.

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that alert are stopped.