Code42 cloud 2024 release notes

Overview

This page lists features, updates, and bug fixes released to the Code42 cloud in 2024.

For the most recent updates, see Incydr cloud release notes.

December 2024

Features

Introducing content inspection: Detect sensitive data in exfiltrated files

December 9, 2024

Incydr now includes robust content inspection capabilities, providing an additional level of protection for your organization's most sensitive data. Incydr's content inspection works by inspecting exfiltrated files for PII, PCI, and other sensitive content types, then showing you how this data is leaving your organization and where it's going.

In addition, Incydr's content inspection:

  • Supports compliance controls to protect regulated data with minimal configuration.
  • Adds a new layer of context to PRISM scores, enabling Incydr to better detect file sensitivity.
  • Enables you to define Custom file content risk indicators to detect important keywords and patterns unique to your environment.
  • Supports real-time alerts to notify you as soon as exfiltration of sensitive content is detected.
  • Does not slow down users or endpoints. All content inspection processing is performed in the Incydr cloud.
  • Does not require writing or maintaining complex regex policies.

To learn more or to enable the content inspection add-on SKU, contact your Customer Success Manager (CSM).

Updates

December 9, 2024

  • A new Data sent to AI tools recommended rule enables you to quickly set up an alert rule to notify you when filenames that imply corporate data are uploaded to unapproved AI tools. The rule is also configured to automatically send an Instructor lesson to the user.

December 5, 2024

  • Improvements to Agent filters in the Incydr console:
    • Added new options to filter by Username and Serial number.
    • Reorganized the list of filters to group them by Org and username filters and Agent filters.

November 2024

Updates

November 20, 2024

  • The list of Saved Searches now includes two new columns to show the status of searches emailed on a set schedule.
    • Last scheduled email shows the most recent time the results were scheduled to be sent, along with the list of recipients.
    • Email delivery status shows whether the last scheduled email report delivery succeeded or failed.
  • You can now create a new custom Instructor lesson while defining rule criteria for an alert. (Previously, only existing lessons could be added to an alert.)

Create custom lesson button in Alert rule builder

November 14, 2024

  • A new Incydr Flow integration with CrowdStrike enables you to leverage the Falcon agent from the Incydr console to block access to USB ports on a user's endpoint.

November 1, 2024

  • The Code42 console now features Mimecast branding. Changes include updates to colors and logos, but there are no functional differences. All Incydr features and menu options remain the same.

October 2024

Features

Custom Instructor lessons

October 15, 2024

Instructor now supports creating custom lessons to send to users. You can provide your own message text and optionally include relevant media, such as a link to a video, a PDF, or internal documentation.

Custom lessons appear alongside pre-built lessons, and can be automatically sent to users via an alert rule.

To create a custom lesson:

  1. In the Code42 console, select Instructor.
  2. In the Custom lessons section, select Create custom lesson.
  3. Follow the on-screen instructions to complete the lesson details.
    For more details, see Instructor custom lessons.

Updates

October 29, 2024

  • Alert rule settings now include the option to exclude paste activity to AI destinations from alerts (paste activity is included by default). To change the setting:
      1. In the Code42 console, select Alerts > Manage Rules.
      2. Select a rule.
      3. In the rule settings, click to toggle Paste to AI destinations on or off.
  • Alert rule settings now automatically display all defaults. Previously, you needed to click Show default settings to view these settings.

September 2024

Updates

September 6, 2024

  • The user information section of the User Profile now lists the user's active agents, including the device hostname, agent health status, and the most recent check-in date. This additional context helps you quickly gather details about agent health and the user's devices.

    User Profile with agent details

September 5, 2024

  • OneDrive recently removed all spaces from the name of the default sync folder on Mac endpoints. To maintain expected behavior for OneDrive accounts you already trust, Code42 automatically added duplicate Account name entries without spaces to your list of trusted activity.
    • For example, if you previously trusted the account name “OneDrive - Acme Co,” Code42 added a new trusted account name entry for “OneDrive-AcmeCo.”

August 2024

Updates

August 19, 2024

  • Trusted domain settings now include the option to choose whether to trust files uploaded via file transfer tools, such as cURL, SCP, and FTP. Previously, uploads via file transfer tools were always categorized as untrusted activity.

August 13, 2024

  • Added point limits of 4 or 5 for each risk category to ensure all aspects of risk are effectively weighted and represented in the PRISM score. This helps prevent a single risk indicator from having a disproportionate effect on an event's severity.

July 2024

Features

AI Tools risk indicators now also apply to pasted data

July 31, 2024

AI Tools risk indicators are now also applied when users paste data to common artificial intelligence (AI) tools. Previously, these risk indicators were only applied to file upload activity. This update makes it easier to identify when corporate data is exfiltrated to an AI tool.

Incydr’s AI Tools risk indicators cover 14 common AI tools, including ChatGPT, Claude, and Gemini. For a complete list of risk indicators and associated risk scores, sign in to the Code42 console and select Risk Settings > Destination risk indicators > AI Tools.

New Proactive Risk Identification and Severity Model (PRISM) to better prioritize risk

July 18, 2024

Introducing Incydr's new Proactive Risk Identification and Severity Model (PRISM) for identifying and responding to data risks in your environment. PRISM is a redesigned prioritization model that analyzes 250+ risk indicators to provide weighted severity scores and better identify critical risks.

Highlights include:

  • PRISM uses three-dimensional context analysis across data, user, and destination to automatically identify both known and unknown risks without predefined rules.
  • The PRISM score (formerly "risk score") for each event is now capped at 10.
  • To help prevent a single risk indicator from having a disproportionate effect on an event's severity, there are now limits to how much each risk indicator type (File, Source, Destination, and User) contributes to the PRISM score.

These changes reduce critical event volume, which means you’ll spend less time investigating critical events.

Learn more about PRISM scores.

PRISM illustration of data activity and prioritized risk

Expanded app-blocking options 

July 15, 2024

Preventative controls now allow you to define a custom list of applications to block on user endpoints. In addition, you can now also individually select which common web browsers to block or allow (previously, blocking browsers not supported by the Incydr browser extension used a single setting that applied to all browsers).

These updates offer you greater control over how to manage and respond to data exfiltration risks across applications in your environment.

To define blocking settings for browsers and apps:

  1. Go to User Activity > Watchlists.
  2. Select a watchlist.
  3. In the Watchlist settings section, go to Preventative controls and click the pencil-shaped edit icon or Add (if no preventative controls are enabled yet).
  4. Toggle the Block unsupported browsers and apps control to On.
  5. Click Edit browsers and apps to specify which apps to block.

Updates

July 29, 2024

  • Git fetch activity is now visible in Forensic Search, in addition to the existing Git pull, push, and clone activity. To search for Git fetch events, select the filter Event action, then choose the value Git fetch.

July 15, 2024

  • Added a new Unapproved AI Tool Instructor lesson to educate users about the risks of supplying sensitive data to AI tools that are not approved for company use. Like all lessons, it can be sent manually to users, or sent automatically in response to behavior that triggers an alert.

July 11, 2024

  • In the Source Code dashboard, it's now easier to investigate all activity for a specific item in Forensic Search. Previously, in some cases, the search icon contained separate links for browser upload events and Git push events. Now, Forensic Search displays all events with a single link.

July 8, 2024

  • The list of Instructor lessons sent to users now includes two new filterable view statuses:
    • Untrackable: Identifies lessons not hosted on Vimeo.
    • Unwatchable: Identifies lessons that were not sent. This includes lessons that were skipped because the user already received this lesson recently, as well as lessons that failed to send due to an error with the Message Services configuration. 

June 2024

Features

Send weekly trust recommendation emails

June 25, 2024

Trusted activity settings now include the option to send a weekly email report of trust recommendations. This enables you to easily review activities that frequently generate untrusted events, and optionally add them as trusted activity. Adding trusted activity reduces noise by removing file activity in these locations from alerts, dashboards, and user profiles.

To set up trust recommendation emails:

  1. Go to Administration > Environment > Trusted activity.
  2. Select Settings.
  3. In the Notifications section, enter up to 10 email addresses.

Improved visibility into agent status and device health

June 20, 2024

A redesigned Agents page in the Code42 console makes it easier to track the status of agents in your environment. Changes include:

  • The Devices page has been renamed Agents.
  • Summary data for agents with known issues appears at the top of the page.
  • A new Issues column lists known problems with an agent, such as connection issues or errors sending file events. The agent details view also includes status indicators to highlight known issues.
  • A new serial number field in the agent details view helps uniquely identify each endpoint.
  • Updated filtering options enable you to easily find all agents with known issues.

To view the updated Agents page, go to Administration > Environment > Agents.

Updated agents list view

Send automated email reports for saved searches

June 12, 2024

Forensic Search now includes the option to email saved search results on a set schedule. For any saved search, you can choose to send a daily, weekly, or monthly report of the search results. This enables you to receive notifications about activity you want to monitor without generating an alert. 

To email results of a saved search:

  1. Go to Forensic Search > Saved Searches.
  2. For any search, click the 3-dot options menu icon and select Edit name, notes, and email.
  3. Select Email search results on a set schedule, then specify an email address and the report frequency.

Updates

June 13, 2024

  • Adding a GitHub account or repository to your list of trusted activity now includes recommended values based on recent activity observed in your environment. Click the search icon to view the events in Forensic Search, or click the plus icon to add the recommendation to the Account/repository name field.

Add git repo as trusted activity

June 3, 2024

May 2024

Features

Risk recommendations

May 28, 2024

New risk recommendations help you identify exfiltration activity that may otherwise go unnoticed. Using Incydr's prioritization model, potential risks not included in your existing alert rules are surfaced for your review. These recommendations enable you to more effectively identify and respond to risks in your environment by providing:

  • Better risk prioritization: Risks are identified based on activity in your environment, ensuring you're always aware of the most pressing issues.
  • Flexible response options: You can choose from various response actions, including sending an Instructor lesson to the user, adding the user to a watchlist, creating an alert, creating a saved search, or adding events to a case.
  • Continuous improvement: The more you interact with these recommendations, the better they get. Recommendations improve based on your feedback, becoming more tailored to your specific needs over time.

To view risk recommendations:

  1. Go to Dashboards > Action Items or Alerts > Review Alerts.
  2. Review the Risks not covered by alerts section.
  3. Select any item to view more details and to choose how to respond.

Risks not covered by alerts dashboard tile

New risk indicators highlight uploads to AI destinations

May 2, 2024

File uploads to common artificial intelligence (AI) tools now have dedicated risk indicators, making it easier to identify when corporate data is exfiltrated to an AI tool.

The new risk indicators cover 14 common AI tools, including ChatGPT, Claude, and Gemini. For a complete list of the new risk indicators and associated risk scores, sign in to the Code42 console and select Risk Settings > Destination risk indicators > AI Tools.

Updates

May 28, 2024

When adding a cloud data connection, the initial inventory of in-scope drives is now optional and no longer runs automatically. You can choose to enable or disable the Inventory monitored drives setting during the initial data connection authorization process.

May 20, 2024

Trusted activity settings now include a new Top recommendations section. Recommendations are based on your current trust settings. They highlight items where adding trusted activity has the potential to reduce noise by removing file activity in these locations from alerts, dashboards, and user profiles.

Trusted activity top recommendations

May 13, 2024

A summary of Trust recommendations now appears on the Action Items dashboard. This makes it easier to review activities that frequently generate untrusted events and quickly add them as trusted activity. Adding trusted activity reduces noise by removing file activity in these locations from alerts, dashboards, and user profiles.

Trust recommendations summary on the Action Items dashboard

May 1, 2024

  • Trust recommendations now enable you to quickly trust or decline multiple recommendations at once. Click the checkbox next to multiple items, then choose to add or decline all selected recommendations. 

Select multiple trust recommendations to accept or decline

 

April 2024

Features

Source code dashboard

April 22, 2024

Incydr's new Source Code dashboard shows you in-depth details about GitHub activity in your environment, including:

  • Source code files pushed from trusted corporate repositories to unmonitored and potentially risky destinations
  • Patterns of source code movement
  • Top users with risky Git activity
  • Activity for all destination repositories, categorized by ownership type (personal, organization) and privacy settings (public, private)
  • Untrusted repositories with the most activity

The Source Code dashboard also enables you to easily investigate specific Git activity in Forensic Search, as well as add Git repositories and accounts to your list of Trusted activity.

Source code dashboard

GitHub trust improvements

April 22, 2024

It's now easier and simpler to trust GitHub activity. A new dedicated GitHub use case guides you through trusting an entire account or a single repository. After you enter the account or repository name, three distinct trust entry variations are added automatically to cover different URL and URI formats. (Previously, you needed to manually add separate Specific URL path and Git repository URI entries to ensure all activity was trusted.)

To add trust, go to Administration > Environment > Trusted Activity. Click Add trusted activity and select Top use cases > GitHub.

Trust recommendations based on your company name

April 22, 2024

To improve the quality and relevance of trust recommendations, a new setting provides the option to specify one or more company names. Adding your company name results in better recommendations by prioritizing locations that include your name. This may indicate the location is acceptable to trust. To add a name, go to Administration > Environment > Trusted activity, then click Settings.

After adding a name, you can also filter all recommendations for that name. This makes it easier to identify activity you're more inclined to trust among the list of all recommendations.

Incydr Flows improvements

April 15, 2024

Incydr Flows have been rebuilt to be simpler to set up and manage. Setting up a new Flow can now be done in minutes, and Flows can be automatically scheduled at any time you choose.

Other updates include:

  • A new dedicated page in the Code42 console (Administration > Integrations > Incydr Flows) that provides ongoing health and status updates.
  • A new Flow for Mimecast watchlist management, which enables you to sync membership between Incydr watchlists and Mimecast profile groups, apply email controls via Mimecast to watchlist members, and apply additional preventative controls via Incydr.

About Incydr Flows

Incydr Flows facilitate quick, no-code integrations with other security and IT tools. These integrations help you save time by adding actions from your other tools directly to Incydr. For example:

  • Use your HR systems to automate adding departing employees to Incydr watchlists, which can automatically enable blocking and other preventative controls.
  • Send Incydr alerts to your messaging tools like Slack and Microsoft Teams for further triage.
  • Contain a user’s access or quarantine their endpoint with Microsoft Entra or CrowdStrike directly from the Code42 console.

New dashboards better highlight action items and data movement

April 1, 2024

The Risk Exposure dashboard has a new name, and is now split into two separate dashboards: Action Items and Exfiltration.

Dashboard navigation menu

  • The Action Items dashboard is the new landing page when you sign in to the administration console. The Action Items dashboard displays all open items requiring attention, including open alerts, top users by critical activity, users departing this week, unwatched Instructor lessons, and open cases.
  • The Exfiltration dashboard includes a new interactive Data movement section that shows how data in your environment is moving to untrusted destinations. This enables you to better recognize trends and make decisions to lower overall risk. The Exfiltration dashboard also contains all of the activity reports from the previous Risk Exposure dashboard.
  • The Insider Risk Trends dashboard continues to show activity and trends over time, but is now named Trends.

Exfiltration dashboard

Updates

April 29, 2024

  • The default score for the Filename implies corporate data risk indicator increased from 0 to 1.

April 12, 2024

  • Adding a Slack workspace to your list of trusted activity now includes recommended workspace names based on recent activity observed in your environment. Click the search icon to view the events in Forensic Search, or click the plus icon to add the recommendation to the Workspace name field.

Add Slack workspace name to trust

April 11, 2024

  • In the Event details, adding trusted activity with the Add to trust icon for an untrusted value is faster and easier than before. Previously, adding trust required switching to a new tab. Now, trust settings appear in your current workflow, so you can keep investigating without interruption.

April 10, 2024

  • Paste activity is now trusted for username and password fields, and when copy/paste occurs within the same browser tab. This reduces false positives for locations not on your list of trusted activity, since these paste actions do not indicate exfiltration occurred.
    • Activity in these locations has always been allowed for users on watchlists with paste preventative controls enabled, but was previously listed as untrusted.
    • File event details for these events show Trusted activity as True and also include one of the following reasons: Pasted to password field, Pasted to username field, or Copy/pasted in same tab.

April 3, 2024

  • In the Code42 API, the v1/alerts APIs are being deprecated and replaced by the v1/sessions APIs.
    • The v1/sessions APIs use the newer alerts framework to group related activity into a single alert. This matches how alerts are displayed in the Code42 console.
    • For more details, see the API release notes or visit the Code42 Developer Portal.

March 2024

Updates

March 28, 2024

  • Printer destinations are now included in file activity reported on dashboards and in user profiles. Previously, print events were only visible in Forensic Search. (Does not apply to print events from before March 27, 2024.)

March 27, 2024

  • Trust suggestions have been renamed Recommendations, and now appear on a separate tab within Trusted activity. (Previously, these recommendations were accessed by clicking the "View trust suggestions" button.)
  • Use trust recommendations to review activity that frequently generates untrusted events. For locations you trust, you can quickly add them to your trusted list, which reduces noise by excluding that activity from alerts and dashboards.

Trusted activity recommendations tab

March 6, 2024

  • Alert email notifications now provide more contextual information in the body of the email, and include more links to relevant details in the Code42 console. This helps you review file activity details to quickly triage the alert and determine the appropriate response. Specific updates include the addition of:
    • File event summary information
    • Links to investigate further in Forensic Search
    • Links to the user's profile
    • Links to view details about the alert rules triggered 

March 4, 2024

  • Instructor responsive lessons sent via email and Slack now include an Activity summary section to show users specifically why the lesson was sent. Details include the filename, file path, action taken, date/time, and the file destination. This helps users more easily identify the risky activity that prompted the lesson.

February 2024

Updates

February 27, 2024

  • A new Corporate data moving to likely personal domains recommended rule enables you to quickly set up an alert rule to notify you when files acquired from important sources are uploaded to personal email domains.

February 22, 2024

  • In the Code42 console, the Trusted activity and IP Addresses settings moved from separate tabs within Data Preferences to dedicated pages in the Administration > Environment menu. This makes it easier to find and access these settings:
    • To view trusted activity, select Administration > Environment > Trusted Activity.
    • To view IP addresses, select Administration > Environment > IP Addresses.
      Note that these changes also removed the Data Preferences menu item.

February 21, 2024

  • Added the option to remove exfiltrated file contents from file event details in the Code42 cloud.

    This enables you to prevent other users in your organization (who have permission to view file event activity) from accessing particularly sensitive files. To delete a file:

    1. Open the file event details.
    2. Go to the File > Filename section.
    3. From the option menu, select Delete file contents.

    Delete file contents from file event details

February 20, 2024

  • For environments with devices using the legacy agent, agent modernization is now automatically enabled for all organizations. As a result, you no longer have the option to enable or disable device upgrades for individual organizations.

February 13, 2024

  • Risk indicators can now be included as a column in Forensic Search results. This enables you to more quickly see the risks associated with an event. (Previously, viewing risk indicators required expanding the event details or exporting to CSV.)

February 12, 2024

  • You can now search and filter Trust suggestions for a specific value. For example, search for your company name to only display suggestions with your name in them. This enables you to easily identify locations that are good options to add as trusted activity.

February 9, 2024

  • The Review Alerts list added Watchlists to the filter options. This enables you to filter results by users currently on a specific watchlist.

February 6, 2024

  • The Departing employee risk report now enables you to export images of individual items in the report. (Previously, image exports included the entire report.) To select a section:
    1. Click the export icon.
    2. Select an image type (png, jpeg, or svg).
    3. Mouse over the section you want to export, then click. To export all content, click the top area of the report.

Export a section of the risk report

February 2, 2024

  • Added two new roles to enable more granular control over which files display a link to access the file contents in the file event details:
    • Security Center - Restore - Cloud enables temporary access to files in cloud storage data connections, but does not allow downloading files captured from a user's endpoint.
    • Security Center - Restore - Endpoint allows downloads of files captured from a user's endpoint, but does not enable temporary access to files in cloud storage data connections.
    • The existing Security Center - Restore role is unchanged and continues to allow access to both cloud and endpoint files.

February 1, 2024

Improvements to trust suggestions:

  • A new Users column displays the count of distinct users with related file activity. This provides additional context about the prevalence of the activity throughout your organization. Items with a higher number of Users may indicate they are appropriate to add as trusted activity.
  • Improved the logic for identifying suggestions, which results in showing more relevant activity, and fewer overall suggestions to review.

January 2024

Updates

January 30, 2024

Improved visibility of Incydr Labs:

  • The link to access Incydr Labs moved from an icon in the upper right of the Code42 console to a new option in the Dashboards menu. To access Incydr Labs now, select Dashboards > Labs.
  • In the file event details, the link to View file history moved from the Event ID options menu to a dedicated link below the Event ID.

Incydr Labs Menu

January 22, 2024

  • The Review Alerts list added Rule name to the filter options. This enables you to filter results by the rules that triggered the alert.

January 17, 2024

  • Added a new Source Code Risk Dashboard to Incydr Labs. This dashboard highlights Git activity in your environment, including source code files pushed from trusted repositories to potentially risky destinations.

January 9, 2024

  • Custom destination risk indicators are now also applied to files shared via cloud storage and sent via email (when configured as a Code42 data connection). Previously, custom destination risk indicators were only applied to browser upload activity.

January 5, 2024

  • A new early access version of the Insider risk trends dashboard is now available. The redesigned dashboard offers an improved view of activity and trends over time for key risk indicators. To view the new dashboard, go to Dashboards > Insider Risk Trends and click the Early Access toggle at the top of the page.

    Early access insider risk trends dashboard
  • The Departing employee risk report now includes the option to export the report as an image (png, jpeg, or svg), in addition to the existing option to export a CSV of the file event details. 
  • Updated the list of files excluded from backups. On a quarterly basis, Code42 re-evaluates and adjusts exclusions to ensure unnecessary files are excluded from backups. New exclusions include:
    • Outlook .pst files (support for Outlook backups ended April 15, 2023)
    • Log files
    • Application executables and installers
    • Access and SQLite databases
    • Temporary system files
    • OneDrive sync directories
    • Downloads directory
    • Web browser profiles
    • For the full list of file exclusions, see Files excluded from backup by default.

January 4, 2024

  • Added a new Filename implies corporate data risk indicator for events where the name of the file indicates it likely contains corporate or internal data. The default risk score is 0. To change the score, see these steps to access risk settings.

Previous release notes

For release notes prior to January 2024, see Previous version release notes.
