Overview
The Action Items dashboard displays items requiring attention, including open alerts, top users by critical activity, users departing this week, unwatched Instructor lessons, and open cases.
Considerations
- Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
- To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
- Visibility of Incydr data is not limited by your Code42 organization hierarchy. Users with roles that allow access to Incydr features can view insider risk data for users in all organizations.
The Action Items dashboard
To view the Action Items dashboard:
- Sign in to the Code42 console.
- Click the Incydr logo in the upper-left or select Dashboards > Action Items.
Click any of the links below for more information about the corresponding area:
- Risk settings: Displays all risk indicators and associated scores. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings but cannot make changes.
- Selected time frame: Click to select a date range for data on the dashboard.
- Open alerts: Summary data for all open alerts.
- Export: Click the export icon to save an image of any tile.
- Top users by critical activity: List of users with the most critical file activity.
- Risks not covered by alerts (not pictured): Displays up to 5 potential risks not included in your existing alert rules, which helps you identify exfiltration activity that may otherwise go unnoticed. Select any item to view more details and to choose how to respond.
- Trust recommendations: Displays a summary of activities that frequently generate untrusted events. You can quickly add items as trusted activity (which removes file activity in these locations from alerts, dashboards, and user profiles), or decline the recommendation.
- Departing users: Summary data for all departing users.
- Cases: Summary of open cases and cases scheduled to be archived in the next 30 days.
- Instructor (not pictured): List of users with unwatched Instructor lessons expiring in the next 7 days. Requires a product plan that includes Code42 Instructor.
Differences in file event counts
File events may appear in Forensic Search before they appear in dashboards, alerts, watchlists, the All Users list, and User Profiles. As a result, you may see that the file event counts in Forensic Search differ from the event counts elsewhere. For more details, see Expected time ranges for events to appear.