Updates to alert rules with external sharing risk indicators

Overview

On October 25, 2023, risk indicators were updated to more precisely identify files shared with, or emailed to, personal domains. In some cases, this update caused existing alert rules to stop generating alert notifications because of a logic conflict in the rule builder.

File activity was still detected and logged in Forensic Search. However, you may not have received alert notifications for this activity. Follow the steps below to review the affected activity.

Affects

  • Activity that occurred between October 25 and November 16, 2023.
  • Alert rules including both:
    • At least one source risk indicator in the External sharing category.
    • At least one destination risk indicator. (Rules for files sent to "Any destination" are not affected.)

If any of your rules were affected, you were contacted directly by Code42 Technical Services.

Resolution

A side effect of the change implemented on October 25 is that, in some cases, it now takes two separate rules to monitor activity that a single rule previously covered. As a result, on November 16, 2023, Code42 fixed this issue by duplicating the affected rules so that you continue to receive alerts as expected. For each affected rule, there are now two alert rules. Together, these two rules restore the previous alert functionality:

  • The original rule, which was modified to remove all External sharing risk indicators, but retains the Destination risk indicators.
  • A copy of the original rule, which includes the External sharing risk indicators but does not include the Destination risk indicators. This copy uses the same name as the original, with " - External sharing" added to the end of the rule name.

To review activity that did not generate alerts between October 25 and November 16, follow the steps below to view details for both the original and copied rule.

Identify file activity not included in alerts

Use the steps below to identify file activity that did not generate alerts as expected:

  1. Sign in to the Code42 console.
  2. Go to Alerts > Manage Rules.
  3. Identify and select an affected rule.
    Affected rules include " - External sharing" at the end of the rule name.
  4. From the Rule settings, click View activity that matches this rule criteria.
    A new Forensic Search window opens with a pre-populated search based on the rule criteria.
  5. Update the date filter to Events observed in the range from 10/25/2023 to 11/16/2023.
  6. Click Update search.
  7. Review the search results to see activity that did not generate an alert as expected.
  8. Repeat steps 2 through 7 for the rule with the same name that does not end in " - External sharing". For example, review activity for both Example rule name and Example rule name - External sharing.
