Overview
Alerts highlight risky file activity in your organization, such as when important data is moved to untrusted locations. This article describes the Review Alerts section of the Incydr console, where you view and act on alerts.
For details about creating and managing the criteria that generate alerts, see Create and manage alert rules and Manage Rules reference.
For legacy alerts, see Review Alerts reference (legacy).
Considerations
- The steps in this article require you to be assigned a user role with permission to view and modify alerts.
- You may choose to send alert notifications to administrators via email. To ensure alert emails are delivered, update your email server's allowlist to include the address alerts are sent from. For example: noreply@prod.ffs.us2.code42.com. If you suspect that email is not arriving from Incydr, contact our Technical Support Engineers.
- In the Incydr API, the v1/sessions APIs use the newer alerts framework to group related activity into a single alert. This matches how alerts are displayed in the Incydr console. The v1/alerts APIs are deprecated and use the legacy alert framework, which does not group related events into a single alert.
Review Alerts
The Review Alerts page shows when activity is detected that matches the settings defined in your alert rules. In addition, the Risks not covered by alerts section highlights potential risks not included in your existing alert rules, which helps you identify exfiltration activity that may otherwise go unnoticed.
To view alerts:
- Sign in to the Incydr console.
- Select Alerts > Review Alerts. The first section displays up to 5 risks not covered by existing alerts; the second section displays the alerts generated by your alert rules.
- Click View detail to see more specifics about any item.
Incydr identifies potential risks, and an alert about file activity is just one piece of information that contributes to an investigation. Use the alert details as a starting point to determine if the activity is a legitimate threat.
Alerts only apply to events outside your list of trusted activity. Trusted file activity is still captured by Incydr and is visible in Forensic Search, but it does not generate alerts.
| Item | Name | Description |
|---|---|---|
| a | Alert settings | Click to view settings to enable and disable alerts for specific activity. Click the edit icon. While editing a setting, click Preview activity that matches this criteria to view recent file events that would be affected by this setting. Review the results to confirm whether you want to stop alerts for this activity. Stopping alerts does not stop Incydr from capturing the activity; you can still search for it in Forensic Search with the Activity tier filter set to Informational. |
| b | Risk settings | Click to open Risk settings, where you can view and customize the scores for each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference. |
| c | Alerts summary | Displays a summary of open, in progress, closed, and account takeover alerts. Account takeover alerts are not pictured and require a Mimecast email security package (see Alert type under Filter alerts below). Click an alert count summary or View all to filter the list below to include only those alerts. |
| d | Risks not covered by alerts | Displays up to 5 potential risks not included in your existing alert rules, which helps you identify exfiltration activity that may otherwise go unnoticed. Select any item to view more details and to choose how to respond. Recommendations improve based on your feedback and become more customized to your needs the more you interact with them. |
| e | Activity summary | Provides a summary of the potentially risky activity. |
| f | User details | Provides context about the user who performed the activity, including department, title, and watchlist membership. |
| g | View details | Click to view more details about the activity and to choose how to respond (see Alert details below). |
| h | Filter | Click to filter alerts by alert type (Incydr or Account takeover), status, date, risk severity, rule name, user, or watchlist. For more details, see Filter alerts below. |
| i | Filtered by | Indicates which filters are applied to the list of alerts. Click the X to remove a filter. Remove all filters to view all alerts. |
| j | Select all | Selects all alerts on the page and presents a Change status button. Click the button to move multiple alerts at once to a different status. |
| k | Select individual alerts | When you select one or more alerts, the Change status button appears. Click the button to move the selected alerts to a different status. |
| - | Change status (not pictured) | When one or more alerts are selected, the Change status button replaces the Filter icon. Click to choose a different status for all selected alerts. |
| l | Severity | The risk severity of the highest-scoring individual file event in this alert, based on its risk indicators and the scoring ranges defined in the Risk settings reference. If the risk severity is unknown, — appears in this column. |
| m | Date observed | Date and time the alert data was sent to the Incydr cloud. This may not be the exact time the activity occurred. The Date observed may differ slightly from the event activity timestamp for several reasons, including related activities occurring around the same time being grouped into a single alert, or the device going offline before the activity was sent to the cloud. Click the column header to sort results by date in ascending or descending order. |
| n | Summary | Describes the activity that generated the alert. The Summary may also include related risk indicators, which can provide valuable additional context about the activity. |
| - | Content inspection (not pictured) | Lists the sensitive content types identified in the exfiltrated files included in the alert (for example, credit card or social security numbers). Requires the Content inspection add-on. |
| o | Rule name | Indicates the specific rules that triggered the alert. |
| p | User | The Incydr username or the cloud user associated with the file events that generated the alert. If the user is on a watchlist or department attributes are available, those are also displayed here. Watchlist membership and department attributes reflect the current status of the user, which may differ from when the event occurred. |
| q | Status | The status of the alert: Open, In progress, Closed - True positive, or Closed - False positive. |
| r | View detail | Click to view more details about the alert, including exfiltration activity, user attributes, the rules that triggered this alert, and Instructor lessons sent to the user. |
Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.
Alerts older than your retention period are unavailable
Alerts older than your product plan's event data retention period are removed from the Review Alerts list and are unavailable. To keep alerts beyond the retention period, use the Incydr API to export alert details to an external file or to your security information and event management (SIEM) tool before they age out. See the Developer Portal for more information on the Incydr API.
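The export recommended above, as an added example (Python, written for this page; it is not Code42's code or SDK). It pages through the v1/sessions API noted under Considerations, flattens each alerted session into one record a SIEM can index, and writes JSON Lines. Everything not stated on the page is an assumption and is marked as such in the code: the token endpoint and its Basic-auth shape, the query parameter names (has_alerts, on_or_after, page_number, page_size), the response key items, the session field names, and the environment variable names. The sample session document is constructed. A fake fetcher lets the script run offline with no tenant.

```python
"""Export Incydr alert sessions to JSON Lines before they age out of retention.

Added example; not Code42's code or SDK. Beyond what the page states, it assumes:
POST /v1/oauth takes HTTP Basic API-client credentials and returns {"access_token"};
GET /v1/sessions accepts has_alerts, on_or_after, page_number and page_size and
returns {"items": [...]}; and the session field names used in flatten_session().
Check each against the Developer Portal before pointing this at a tenant.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Iterable, TextIO

PAGE_SIZE = 100

# Constructed session document in the assumed v1/sessions shape (not real data).
SAMPLE_SESSION = {
    "sessionId": "constructed-0",
    "actorName": "m.garcia@example.com",
    "beginTime": 1714986000000,
    "endTime": 1714986900000,
    "scores": [{"score": 5, "severity": "MODERATE", "sourceTimestamp": 1714986100000},
               {"score": 9, "severity": "HIGH", "sourceTimestamp": 1714986600000}],
    "states": [{"state": "OPEN", "sourceTimestamp": 1714986900000},
               {"state": "IN_PROGRESS", "sourceTimestamp": 1715000000000}],
    "triggeredAlerts": [{"alertId": "constructed-a1", "ruleId": "rule-removable-media"},
                        {"alertId": "constructed-a2", "ruleId": "rule-removable-media"}],
    "riskIndicators": [{"name": "Removable media"}, {"name": "Departing employee"}],
}


def get_token(base_url: str, client_id: str, secret: str) -> str:
    """Exchange API client credentials for a bearer token (assumed endpoint)."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/v1/oauth", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_fetcher(base_url: str, token: str) -> Callable[[dict], dict]:
    """Return a function that GETs one page of /v1/sessions for a query dict."""
    def fetch(params: dict) -> dict:
        url = f"{base_url}/v1/sessions?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def make_fake_fetcher(total: int) -> Callable[[dict], dict]:
    """Offline stand-in for make_fetcher: serves `total` copies of SAMPLE_SESSION."""
    def fetch(params: dict) -> dict:
        start = (params["page_number"] - 1) * params["page_size"]
        ids = range(start, min(start + params["page_size"], total))
        return {"items": [dict(SAMPLE_SESSION, sessionId=f"constructed-{i}") for i in ids],
                "totalCount": total}
    return fetch


def iter_alert_sessions(fetch: Callable[[dict], dict], since_iso: str) -> Iterable[dict]:
    """Yield every session that raised an alert on or after since_iso (assumed params).

    Paging stops at the first short page, so an exact multiple of PAGE_SIZE costs
    one extra empty request rather than silently dropping the last page.
    """
    page = 1
    while True:
        body = fetch({"has_alerts": "true", "on_or_after": since_iso,
                      "page_number": page, "page_size": PAGE_SIZE})
        items = body.get("items") or []
        yield from items
        if len(items) < PAGE_SIZE:
            return
        page += 1


def flatten_session(session: dict) -> dict:
    """Reduce a session to one flat, SIEM-friendly record (assumed field names).

    Severity follows the highest score, matching the page's rule that the
    highest-scoring event sets the alert severity; state is the latest change.
    """
    top = max(session.get("scores") or [], key=lambda s: s.get("score", 0), default={})
    latest = max(session.get("states") or [], key=lambda s: s.get("sourceTimestamp", 0), default={})
    return {
        "session_id": session.get("sessionId"),
        "actor": session.get("actorName"),
        "begin_time": session.get("beginTime"),
        "end_time": session.get("endTime"),
        "score": top.get("score"),
        "severity": top.get("severity"),
        "state": latest.get("state"),
        "rule_ids": sorted({a["ruleId"] for a in session.get("triggeredAlerts") or [] if a.get("ruleId")}),
        "risk_indicators": sorted(r["name"] for r in session.get("riskIndicators") or [] if r.get("name")),
    }


def write_jsonl(sessions: Iterable[dict], out: TextIO) -> int:
    """Write one flattened JSON object per line; return the number written."""
    count = 0
    for session in sessions:
        out.write(json.dumps(flatten_session(session), sort_keys=True) + "\n")
        count += 1
    return count


if __name__ == "__main__":
    base = os.environ.get("INCYDR_BASE_URL")  # env var names are ours, not Code42's
    if base:
        token = get_token(base, os.environ["INCYDR_CLIENT_ID"], os.environ["INCYDR_SECRET"])
        fetch = make_fetcher(base, token)
    else:
        fetch = make_fake_fetcher(101)  # offline demo: 101 constructed sessions
    with open("incydr-alerts.jsonl", "w", encoding="utf-8") as fh:
        print(write_jsonl(iter_alert_sessions(fetch, "2024-05-01T00:00:00Z"), fh), "sessions written")
```

Run it on a schedule shorter than your retention period and ship the JSONL file to the SIEM; because the flattened record carries the latest state and the rule IDs, closed alerts and their disposition survive even after Incydr removes them from the Review Alerts list.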
Filter alerts
Click Filter and select criteria to refine which alerts appear in the list.
- Alert type
  - Exfiltration: Alerts for file activity detected by Incydr.
  - Account takeover: Alerts for account compromise risks detected by Mimecast Advanced Email Security and Microsoft Entra ID Protection. Requires a Mimecast Critical, Advanced, or Premium email security package.
- Status
  - Open: Alerts that have not yet been investigated.
  - In progress: Alerts for which an investigation is underway.
  - Closed - True positive: Resolved alerts that represented a valid risk.
  - Closed - False positive: Resolved alerts that did not present a valid risk.
  - Any status: Alerts with any of these statuses.
- Date range
  - Select a pre-defined date range or enter custom start and end dates. Select All dates to view all alerts.
  - Alerts only appear for dates within your product plan's event data retention period. For example, if your data retention period is 90 days, selecting the date range Last 180 days only returns alerts for the last 90 days.
- Risk severity
  - Filters the list by risk severity: shows alerts with Critical, High, Moderate, or Low severity, or alerts with any risk severity.
  - For more information about risk indicators, see Risk settings reference.
- Content inspection (requires the Content inspection add-on)
  - All activity (no content inspection filter applied): Includes both alerts where sensitive content was identified and alerts where no sensitive content was identified.
  - PII detected: Alerts where personally identifiable information was identified (for example, credit card or social security numbers).
  - Custom content pattern detected: Alerts where custom content patterns were identified, as defined in your Custom file content risk indicators.
  - Credentials and tokens: Alerts where a token or credential (for example, a SAML token or AWS session key) was identified in an exfiltrated source code file.
- Rule name
  - Filters the list by the alert rule that triggered the alert. Select up to 5 rules.
- Username
  - Filters the list to only show alerts for a specific user.
- Watchlists
  - Filters the list to only show alerts for users currently on the selected watchlist.
Click Apply to display alerts that match all filters. To return to the list without applying any filters, click Cancel.
Active filters appear above the list of alerts. Click the X to remove that filter.
Alert details
Click View detail for any alert to see more information.
Alert details vary based on the activity that triggered the alert. Alerts may display different details than those shown in the example below.
| Item | Name | Description |
|---|---|---|
| a | Alert ID | The unique identifier for the alert notification. |
| b | Date observed | Date and time the alert data was sent to the Incydr cloud. This may not be the exact time the activity occurred. The Date observed may differ slightly from the event activity timestamp for several reasons, including related activities occurring around the same time being grouped into a single alert, or the device going offline before the activity was sent to the cloud. |
| c | Copy link | Click to copy a link to this alert to your clipboard. Use the link to share the alert with others who have the required permissions to view alerts, or save the URL for your own future reference. |
| d | Previous/next | Click to view details for the previous or next alert. |
| e | Change status | Click to move this alert to a different status. |
| f | Actions | |
| g | Exfiltration activity | Provides a summary of the activity that generated the alert, including the start and end times of the file activity. The time range starts at the beginning of the observed user activity and ends when there is a 15-minute period of inactivity, or after an hour if the user activity hasn't stopped. The summary may also include related risk indicators, which can provide valuable additional context about the activity. |
| h | View details | Click View details to open the alert activity details. |
| i | User | The Incydr username associated with the file events that triggered the alert. If the user is included on any watchlists, the watchlist name appears for reference. |
| j | User profile | Click View profile to open the user's profile. User profile details are not available for out-of-scope users, including your internal users not licensed for monitoring and external cloud users acting on a file owned by an in-scope user. |
| k | Alert rules triggered | The names of the rules that generated the alert. |
| l | Instructor lessons | Details about Instructor lessons automatically sent when the alert was triggered. |
| m | Notes | Enables you to add notes to the alert. |
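The session window described under Exfiltration activity (a session begins at the first observed event and ends after 15 minutes of inactivity, or one hour after it began if activity never pauses), together with the Date observed lag described in both tables, as an added example in Python. This is a reconstruction of the rule as the page states it, written for this page; it is not Code42's grouping code, and the file events are constructed. The `observed` field models when an event reached the Incydr cloud, which is what Date observed reflects; the constructed data includes a device that went offline and an hour of steady copying so both causes of a lag or split show up.

```python
"""Group file events into alert sessions using the window the page describes.

Added example, not Code42's code: the rule (session begins at the first event,
ends after 15 idle minutes or one hour after it began) is reconstructed from the
page text, and the events are constructed. `observed` is when an event reached
the Incydr cloud, which is what the Date observed column reflects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVITY_GAP = timedelta(minutes=15)
MAX_SESSION = timedelta(hours=1)


@dataclass
class FileEvent:
    occurred: datetime  # when the activity happened on the device
    observed: datetime  # when the event was sent to the Incydr cloud
    path: str


def _new_session(ev: FileEvent) -> dict:
    return {"begin": ev.occurred, "end": ev.occurred, "observed": ev.observed, "events": [ev]}


def group_sessions(events):
    """Return sessions in time order; each is a dict with begin, end, observed, events."""
    sessions, current = [], None
    for ev in sorted(events, key=lambda e: e.occurred):
        if current is None:
            current = _new_session(ev)
            continue
        idle_too_long = ev.occurred - current["end"] >= INACTIVITY_GAP
        hit_cap = ev.occurred - current["begin"] >= MAX_SESSION
        if idle_too_long or hit_cap:
            sessions.append(current)
            current = _new_session(ev)
        else:
            current["end"] = ev.occurred
            # Date observed is when the alert's data reached the cloud: the latest upload.
            current["observed"] = max(current["observed"], ev.observed)
            current["events"].append(ev)
    if current is not None:
        sessions.append(current)
    return sessions


def summarize(sessions):
    """One row per session: begin, end, event count, and the minutes by which
    Date observed trails the last event (the lag the page warns about)."""
    rows = []
    for s in sessions:
        lag = int((s["observed"] - s["end"]).total_seconds() // 60)
        rows.append((s["begin"].strftime("%H:%M"), s["end"].strftime("%H:%M"),
                     len(s["events"]), lag))
    return rows


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 6, hour, minute, tzinfo=timezone.utc)


def constructed_events():
    """Constructed sample: a short burst, an offline device, and an hour of steady copying."""
    events = [
        FileEvent(_t(9, 0), _t(9, 1), "Q2-forecast.xlsx"),
        FileEvent(_t(9, 5), _t(9, 6), "customers.csv"),
        FileEvent(_t(9, 12), _t(9, 13), "pricing.pdf"),
        # Laptop went offline right after this copy; the event uploaded at 13:30.
        FileEvent(_t(9, 40), _t(13, 30), "roadmap.pptx"),
    ]
    for k in range(7):  # 10:00, 10:10, ..., 11:00: never a 15-minute pause
        start = _t(10, 0) + timedelta(minutes=10 * k)
        events.append(FileEvent(start, start + timedelta(minutes=1), f"src/module{k}.py"))
    return events


def demo_sessions():
    return summarize(group_sessions(constructed_events()))


if __name__ == "__main__":
    for begin, end, count, lag in demo_sessions():
        print(f"{begin}-{end}  {count} events  Date observed trails by {lag} min")
```

Two rows in the output are the ones worth understanding when reading the Review Alerts list: the 09:40 copy shows up with a Date observed almost four hours after the activity because the device was offline, and the 11:00 copy opens a new session even though only ten minutes had passed, because the one-hour cap closed the previous one.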