Code42 cloud 2023 release notes

Updated July 08, 2025 19:13

Overview

This page lists new features and bug fixes released to the Code42 cloud in 2023.

For the most recent updates, see Code42 cloud release notes.

December 2023

Updates

December 15, 2023

To improve device performance, individual files over 10 GB will soon be automatically excluded from backups. This update will be rolled out to all devices in the coming weeks. If you have questions about this change, click the Sign in to create ticket button above to contact our technical support engineers.
The Watchlist section of the User profile now includes more details about the user's watchlist membership. In addition to listing the watchlist names, the section now also includes the risk score for each watchlist, which preventative controls are enabled, and any alerts that explicitly include or exclude the watchlist.

December 7, 2023

In Forensic Search, the Web browser name search filter now includes options for Island and Talon. (Forensic Search already includes file events from these browsers for devices with the Incydr browser extension; this update enables you to filter results to only return Island or Talon events.)

December 5, 2023

In the Alert rule settings, the option to View activity that matches this rule criteria now previews the matching file events in the current alert settings window. Previously, the events appeared in a separate Forensic Search window.

Bug fixes

December 12, 2023

Fixed an issue where downloading a Salesforce report to a monitored endpoint could generate a false positive exfiltration event in some circumstances.

November 2023

Updates

November 16, 2023

On October 25, 2023, risk indicators were updated to better specify files shared and emailed to personal domains. For a small number of alert rules with both external sharing and destination risk indicators, this update caused existing alert rules to stop generating alert notifications. If any of your rules were affected, we have already emailed you directly.

In these rare cases, it now takes two separate rules to monitor activity that was previously covered by a single rule. To fix this issue, Code42 duplicated the affected rules, resulting in two alert rules for each affected rule. The combination of these two rules restores previous alert functionality:

The original rule, which was modified to remove all External sharing risk indicators, but retains the Destination risk indicators.
A copy of the original rule, which includes the External sharing risk indicators, but does not include the Destination risk indicators. This copy uses the same name as the original and adds “- External sharing” to the end of the rule name.

For more details and for instructions about how to review file activity that did not generate an alert, see Updates to alert rules with external sharing risk indicators.

November 9, 2023

Alert rule settings now include an option to View activity that matches this rule criteria. Use this preview while creating or editing a rule to help determine if your selected rule criteria returns the results you expect.

Bug fixes

November 20, 2023

Fixed an issue on the User Activity > All Users page where searching for a user could return suggestions for users who do not have a user profile to display, such as deactivated or out-of-scope users.

November 16, 2023

Fixed an issue where some users could not be added to watchlists by processes that use the Code42 API (including Incydr Flows, first and third-party integrations, and custom API scripts).

October 2023

Features

Custom source and destination risk indicators

October 20, 2023

Custom source and destination risk indicators enable you to assign risk scores to files acquired from or sent to a location you define, including domains, source code repositories, and network storage. This improves your ability to apply higher risk severity to:

Files acquired from key locations that represent your most critical intellectual property
Files sent to locations you don't control

Once you've created a custom risk indicator, you have the option to create an alert for activity at that location. You can also automatically send a Code42 Instructor video lesson to the user.

To add a custom risk indicator:

Sign in to the Code42 console.
Select Risk settings.
Scroll down and click Destination risk indicators > Custom destination risk indicators or Source risk indicators > Custom source risk indicators.
Click Add custom risk indicator to create a new risk indicator, or click the edit icon to update an existing one.

Preventative controls are now generally available

October 4, 2023

Incydr preventative controls—which were released broadly in June for early access—are now generally available. Preventative controls complement Incydr's other response controls by enabling you to restrict users from performing specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.

These optional controls give you another tool to help prevent unauthorized data movement and ensure your sensitive data remains within approved corporate destinations.

Key features of Incydr preventative controls include:

Block browser uploads: Restricts uploads to domains and URL paths not on your trusted activity list. You can choose to block untrusted uploads or temporarily allow untrusted uploads with user confirmation.
Block pasting to the browser: Restricts pasting from the clipboard to domains and URL paths not on your trusted activity list. Similar to browser uploads, you can block untrusted pasting or temporarily allow untrusted pasting with user confirmation.
Block unsupported browsers: Prevents users from bypassing preventative controls by launching common web browsers not supported by the Code42 Incydr extension.
Block private browsing: Prevents users from bypassing preventative controls by opening a private/incognito window.
Block removable media mounting: Prevents the mounting of removable media volumes (USB Mass Storage) on user endpoints.
Block cloud sharing: Blocks sharing directly with users outside your organization and making files accessible to anyone with the link.

For details about how to enable preventative controls, see Manage preventative control settings.

Enhancements and updates

October 26, 2023

In Forensic Search > Charts, column charts now include the option to group the Date observed field by hour, day, week, or month. (Previously, results were always grouped by day.)

October 25, 2023

Numerous updates to improve the visibility of files shared or emailed to personal destinations from corporate cloud and email sources.
- Added over 20 new email destination risk indicators.
- Moved the External sharing risk indicators from the Destination category to the Source category. This better reflects the source of the risk. For example, Public link from corporate Google Drive is now a source risk indicator, not a destination risk indicator.
- Updated some risk indicator labels to better indicate file activity may also include sharing with an email address in addition to uploading an attachment:
  - The Email uploads category is now Email domains.
  - Email domain risk indicator labels now specify "to" instead of "upload." For example, Yahoo upload is now To Yahoo.
- The risk score for the Sent from corporate Gmail and Sent from corporate Microsoft O365 risk indicators reduced from 2 to 0.

October 20, 2023

The Administration > Environment > Users page now includes an Elevated Users Report, which enables you to generate a list of users based on the roles you select. This makes it easier to audit access privileges. Requires Customer Cloud Admin permissions.

October 18, 2023

On the Risk Exposure dashboard, the Source, Destination, and File risk indicator activity tables now include a link in each row to Investigate in Forensic Search . Previously, the link to investigate in Forensic Search was only available after opening the details for a specific row.
Added a new Resume movement risk indicator to monitor when a file that matches specific resume naming conventions is moved to an untrusted location. This may indicate the user is a flight risk.

October 5, 2023

Added the option to filter the list of users in the Code42 console by their user role.
You can now add to your list of trusted activity directly from the event details of an untrusted event, eliminating the need to navigate away from your investigative workflow.
- Adding trusted values prevents file activity in those locations from appearing on dashboards, user profiles, and alerts, which reduces the number of events and false positives to review. (However, trusted file activity is still captured and searchable in Forensic Search.)
- From the Risk section of the event details, click the add trust icon next to any untrusted value to add it to your list of trusted activity for future events.

October 3, 2023

As part of our effort to continually refine and improve Incydr’s risk scoring model, the default scores changed for some risk indicators in the Destination > Source code repository uploads category.
- The default score for files sent to Azure Repos, Bitbucket, GitHub, GitLab, and Stash lowered from 5 to 4.
- Changes only affect events starting October 3, 2023. Older events retain the previous score.
- If you manually changed the score for any of these risk indicators, your custom score will not be changed. Changes were only applied to risk indicators still using the default score of 5.

Bug fixes

October 23, 2023

Fixed a rare issue in Forensic Search where performing a search for Events observed in the range, then changing the dates and searching again did not load results for the new dates as expected.

September 2023

Features

Expanded user information for cloud activity

September 29, 2023

File activity captured by Incydr cloud storage data connections is now more consistent, visible, and actionable. Highlights include:

Better attribution of cloud events to a specific user
Cloud users can now be added to Watchlists and Cases
Ability to leverage Incydr's response controls for cloud user activity, including cloud-sharing preventative controls, Instructor lessons, and custom actions from 3rd-party integrations

Prevent users from removing the agent with new uninstall secrets

September 27, 2023

Uninstall secrets prevent unauthorized users from removing the insider risk agent by requiring a code to uninstall. Maintaining better control over who can uninstall the agent helps keep your data more secure by ensuring the insider risk agent continues running on user devices.

For more details about uninstall secrets and how to enable them, see the Deployment reference.

Requires insider risk agent version 1.10.0 or later.

Incydr alerts group related activity into a single notification

September 13, 2023

Incydr's enhanced alerting framework now consolidates related events into a single alert. Grouping events reduces the number of alerts to be triaged, and makes it easier to identify the activity that poses the greatest risk to your organization.

Additional updates include:

An improved interface for reviewing alerts.
Updated alert statuses to simplify your workflow:
- Added Closed - True positive and Closed - False positive
- Removed Pending response and Dismissed
- Open and In progress statuses remain unchanged
Alert emails are now sent from a subdomain of code42.com, for example, noreply@prod.ffs.us2.code42.com. Previously, alert emails were sent from donotreply@code42.com. You may need to update your email server's allowlist accordingly.

Enhancements and updates

September 29, 2023

Removed the option to edit or add a cloud alias to a user profile.
Added 5 new Instructor lessons to educate users about the risks of using Airdrop and external storage devices. Like all lessons, these can be sent manually to users, or sent automatically in response to behavior that triggers an alert.
- External Devices: Airdrop Not Allowed
- External Devices: Airdrop Only to Corporate Devices
- External Devices: External Devices Not Allowed
- External Devices: Only Use Approved External Devices
- External Devices: Be Careful Using External Devices

September 25, 2023

The Risk Exposure dashboard now includes details about users with unwatched Instructor lessons expiring in the next 7 days. This makes is easier to identify which users have not watched assigned videos. Additionally, the User profile and Departing Employee risk report now display the total number of Instructor lessons sent to the user.

September 13, 2023

Updates to the Risk Exposure dashboard:

Improved the Alerts, Departing users, and Cases tiles to show more at-a-glance details. For example, the Departing users tile now shows details about specific users. Previously, only the numeric count of users was visible, with more details appearing after clicking View.
Removed the Users and Watchlist activity tiles.
Minor changes to the layout and organization of other tiles.

September 6, 2023

Removed the Off hours user behavior risk indicator. Existing file events with this risk indicator are not affected, but it is no longer being applied to new events.

August 2023

Features

Customized email sender address for Instructor lessons

August 11, 2023

You can now configure Code42 Instructor lesson emails to be sent from a custom email address. With a custom address, users will see lesson emails as coming from your domain, instead of from code42.com.

To add a custom sender email address, go to Administration > Integrations > Message Services, then select Email > Settings.

Enhancements and updates

August 29, 2023

Added a new Printer destination risk indicator for events where a file is sent to a printer. The default risk score for printed events is 3. To change the score, see these steps to access risk settings. (Previously, print activity was monitored and visible in Forensic Search, but risk scores could not be applied to print events.)

July 2023

Features

Alert exclusions

July 20, 2023

Alert rules now have the option to either include or exclude most specified criteria. Previously, exclusions could only be applied to individual users. Now, you can also exclude watchlists, files, sources, destinations, and other criteria. Applying exclusions enables you to further refine your alert rules to identify only the highest risk activity in your environment.

Enhancements and updates

July 26, 2023

The device count for users on a legal hold now only includes devices with the legacy or backup agent installed, since devices with only the insider risk agent cannot perform backups.
Updated the API client token (/oauth/token) to support credentials provided in the request body. Previously, credentials were only accepted from the auth header.
Performance and stability improvements.

June 2023

Features

Instructor lesson completion reporting

June 26, 2023

Code42 Instructor now enables you to track lesson completion statistics without the need to host videos in your own learning management system (LMS). A new report on the Instructor home page shows you:

Which lessons were sent to which users
Date sent, date watched, and the expiration date for each lesson
View status (watched or unwatched)
Delivery status

This enables you to follow up with specific users who did not watch a lesson, and also makes it easier to troubleshoot issues if a lesson was not delivered.

Instructor table of lessons sent to users

Custom file risk indicators

June 7, 2023

Custom file risk indicators enable you to assign risk scores to activity matching any filename or extension pattern you define. This improves your ability to apply higher risk severity to key files that represent your most critical intellectual property.

Previously, you could create alerts to monitor specific files, but could not assign a risk score. Now, you can specify risk scores for this activity.
Existing alert rules with filename criteria have been automatically updated to use a custom risk indicator with your specified criteria.

Enhancements and updates

June 20, 2023

Devices on unsupported operating systems Windows 8.1, Windows 10 20H2, and Ubuntu 18.04 will no longer update to newer versions of the backup and legacy agents.
Performance and stability improvements.

June 6, 2023

To better identify the riskiest file activity in your environment, updated file categories. As a result, you may need to update some of your alert rules. Review the changes and determine if you need to update alert rules.

Bug fixes

June 20, 2023

Fixed an issue where the User backup report could indicate an incorrect value in the On Legal Hold field.
Fixed an issue where the purge.path command did not successfully purge some files if the file path contained special characters.

May 2023

Features

Git pull detection

May 23, 2023

Incydr now detects the source repository for Git pull activity. This helps you identify files obtained from repositories identified as high-value sources of company information that are later sent to an untrusted destination. Requires insider risk agent version 1.9.1 or later and a supported product plan.

Enhancements and updates

May 23, 2023

Added new Moved and Renamed event types to make it easier to track file movement. Previously, moves and renames were categorized as separate Delete and Create events. Requires insider risk agent version 1.9.1 or later.
In Forensic Search, the File acquired from metadata now includes Git repository URI, Git repository user, and Git repository email. These are also available as search filters. Requires insider risk agent version 1.9.1 or later and a product plan that supports Git detection.

May 4, 2023

As part of our effort to continually refine and improve Incydr’s risk scoring model, default scores for some risk indicators have changed. These changes will help you better identify the riskiest file activity in your environment by reducing the number of critical and high severity alerts and dashboard events.
- Low and moderate severity events still appear on dashboards, so you may see more of them as a result of fewer critical and high events.
- Risk scores you have manually changed are not affected. Only risk indicators with default scores were updated.

Bug fixes

May 17, 2023

Fixed an issue where pausing a restore on the Code42 backup or legacy agent could incorrectly indicate the restore completed.
Performance and stability improvements.

April 2023

Features

Risk scores for custom watchlists

April 19, 2023

Custom watchlists now enable you to specify a risk score for the list.

Each custom watchlist has a corresponding user risk indicator with a customizable risk score.
The default risk score is 0, but you can change the score by editing the risk settings for the watchlist.
Custom watchlists are now searchable risk indicators in Forensic Search.
Scores are applied to every event for every user on the watchlist.
Visual updates throughout the Code42 console better highlight the watchlist’s risk score.

Forensic Search charts

April 6, 2023

Forensic Search now enables you to create custom charts based on the events returned in search results. To get started, perform a search and then click the Charts tab above the results. Use the drop down menus to select a chart type and define the chart parameters. Select Export chart to download an image of the chart.

Enhancements and updates

April 24, 2023

Updated email file activity detection so that activity unlikely to represent risk does not generate file events, also reducing corresponding alerts.

April 19, 2023

Added new Agents APIs to the Code42 Developer Portal to replace Devices and Computer APIs, which are now deprecated. For details, see the API release notes.
Released version 1.4.0 of the Code42 Insider Threat app for Splunk, which adds the option to use the latest file event details data model, providing additional new fields and enhanced data formatting.

April 18, 2023

Added new Instructor lessons to educate users about the risks of uploading files to unapproved cloud storage. Different lessons offer reminders to use specific approved cloud storage instead (including Google Drive, OneDrive, Box, and Dropbox) so you can choose the lesson and recommendation that matches your corporate environment. Like all lessons, these can be sent manually to users, or sent automatically in response to behavior that triggers an alert.

April 17, 2023

Updated global backup exclusions and version retention settings to improve agent performance and decrease network bandwidth consumption. For a complete list of changes, see Backup policy updates | April 2023.

April 11, 2023

In addition to domains, Trust suggestions now include all the types of activity to which you can apply trust. Use trust suggestions to quickly and easily add the following types of items as trusted activity and remove the file activity from dashboards, user profiles, and alerts.
- Domain
- Specific URL path
- Slack workspace
- Account name
- Git repository URI
Added support for detecting files uploaded via a web browser from network storage (NAS). File events are labeled (and searchable) with a new Network Storage source category. Requires insider risk agent version 1.9.0 or later.

April 6, 2023

Added a new file event metadata and Forensic Search filter for Destination > Remote hostname. This new field provides the domain or IP address details for files moved via file transfer tools, such as SFTP, SCP, FTP, and cURL.

April 4, 2023

Released version 3.1.5 of the Code42 app for Cortex XSOAR, which adds the option to use the latest file event details data model, which provides additional new fields and enhanced data formatting.

April 3, 2023

Added 3 new Instructor lessons to educate users about the risks of sending documents via non-corporate email. Like all lessons, these can be sent manually to users, or sent automatically in response to behavior that triggers an alert.
- Email Uploads: Use Approved Service
- Email Uploads: Use Corporate Gmail
- Email Uploads: Use Corporate Outlook
Fixed an issue where end users could not view their personal restore history in the Code42 console.
On the Agent Modernization screen, the list of devices requiring attention now includes the option to filter by legal hold status.

Bug fixes

April 21, 2023

Fixed an issue introduced on April 18, 2023 which caused a small number of users to receive an "Unable to sign in" error when attempting to sign in to the Code42 agent for the first time.

April 18, 2023

Fixed issues where:

End users could not access the Actions menu in the Code42 console to deactivate their own devices.
Devices in an organization with an agent update delay could unexpectedly upgrade to the latest Code42 agent version ahead of schedule.
In very rare cases, attempting to change an Endpoint Data Collection setting resulted in an error.
Some end users could not sign in to the Code42 console under specific circumstances.
In rare cases, the Administration > Legal Hold > Matters screen did not load properly.
The Reset Two Factor Authentication option was not available to some end users.

March 2023

Features

Improved Code42 console experience

March 14, 2023

The Administration section of the Code42 console has a new and look feel to make managing your environment easier than ever before.

Updates include:

Improved interface to clarify and streamline workflows on the Organizations, Users, Devices, Downloads, Agent Updates, and Deployment screens.
New terminology to distinguish between different agent types available in your environment. These terms now appear throughout the Code42 console and the Code42 support site:
- Insider risk agent: Monitors endpoint and cloud activity to detect risk
- Backup agent: Backs up user files
- Legacy agent: Monitors endpoint and cloud activity to detect risk, and backs up user files (previously "the Code42 app")

For a complete list of affected areas, including how to complete common tasks, see Changes to Code42 console administration.

Collage of refreshed Code42 console screens

Changes affect Incydr Basic, Advanced, and Gov F1 product plans.

Incydr Professional, Enterprise, and Gov F2 product plans were already using the updated Code42 console experience.

Enhancements and updates

March 30, 2023

Added new source and destination risk indicators for:
- Files uploaded to cloud storage, coding tools, file conversion tools, PDF managers, productivity tools, source code repositories, and web hosting.
- Files acquired from cloud storage sources, financial services, HR tools, marketing tools, and source code repositories.
Added Reference Tools as a new source and destination category for file events.

March 24, 2023

Added a new file event metadata and Forensic Search filter for Untrusted Slack workspaces. This new field highlights workspace names that do not match an entry in your list of Trusted activity.

March 21, 2023

The Agent registration issues page now only displays issues from the past 30 days. Older issues are automatically removed to reduce unwanted clutter.
Added backupSetId, planUid, and isLegalHold fields to the Device Status CSV export.
Improvements to archive maintenance.

March 16, 2023

The Risk Exposure dashboard now supports drilling into Forensic Search to view events for a specific watchlist.

March 15, 2023

In the file event details, the link to download a file is now labeled Download file. Previously, it was labeled Exact match or Most recent version.

March 2, 2023

In Forensic Search, added a new Watchlist members filter to search all events for users currently on a specific watchlist.

Bug fixes

March 21, 2023

Fixed issues where:

Some backups that had never completed showed a last completed date of "53 years ago" instead Never.
Removing a backup exclusion could cause the previously excluded files to still be removed during archive maintenance in rare circumstances.
The web restore screen did not load properly for some users on legal hold.
Issuing the purge.path CLI command did not return a response. (The command still worked, but the CLI did not display a success confirmation.)

February 2023

Features

Incydr SDK and CLI

February 16, 2023

The Incydr SDK is a wrapper around the Code42 APIs that provides several utility methods. You can use the SDK to develop your own tools for working with Code42 data while avoiding the overhead of session or authentication management. In addition to a Python client, the Incydr SDK contains a CLI tool extension. The Incydr SDK and CLI replace py42 and the Code42 command-line interface (CLI) for most use cases.

Printer activity detection for Windows

February 10, 2023

Early access

Windows devices now monitor print jobs, enabling detection of printed files as an exfiltration vector. (Print detection is already supported for Mac and Linux devices.)

Requires insider risk agent version 1.8.0 or later.

Enhancements and updates

February 24, 2023

The Risk Exposure dashboard now displays up to 180 days of data (if your product plan includes 180 days of event retention). Previously, a maximum of 90 days of data was available on the dashboard.

February 22, 2023

The Device Status Report now includes a Backup Set Name column. Including the name of the backup set in the report can help you distinguish between multiple rows for the same device.
On the Organizations list, Users list, and Devices list pages, you can now right-click the view details icon to open those details in a new tab.
Added new fields to the User backup report: Username, Timestamp Last Connected Archive (UTC), Timestamp Last Connected Computer (UTC), Largest Archive Size, Only Cold Storage, Cold Storage Expiration, and On Legal Hold.

February 21, 2023

Devices using unsupported Windows 10 21H1 and macOS 10.15 Catalina will not upgrade to newer versions of the Code42 app.
Improvements to archive maintenance.
Other performance and stability improvements.

February 13, 2022

Alerts now include the option to bulk dismiss all open alerts. Previously, alerts could only be dismissed in bulk for a single page, which limited dismissal to 100 alerts at a time.

February 2, 2023

Updated the list of temporary and system files excluded from backups. On a quarterly basis, Code42 re-evaluates and adjusts exclusions to ensure unnecessary files are excluded from backups. New exclusions include:
- .tmp, .lock, .pid, and .dat files
- .sparsebundle and .sparseimage files
- ISOs, PKGs, RAW files, and memory dumps
- Virtual machines and machine image files
  To see the full list of file exclusions, as well as additional global exclusions you can customize, see Files excluded from backup by default.

Bug fixes

February 21, 2023

Fixed an issue where users were temporarily unable to add or access local backup destinations under certain circumstances.
Fixed a rare issue where devices could unintentionally upgrade to the latest version of the insider risk agent if multiple versions were delayed or blocked.

January 2023

Features

Send Instructor lessons via Microsoft Teams

January 30, 2023

Incydr now supports sending Instructor lessons via Teams, in addition to email and Slack. This enables you to use Teams to automatically send targeted, timely educational content in response to user activity that triggers an alert rule.

For configuration instructions, see Configure message services.

Trust suggestions

January 19, 2023

Trusted activity now includes a list of the domains associated with untrusted file events that may be good candidates for applying trust. Use Trust suggestions to quickly and easily add these domains as trusted activity and remove this file activity from dashboards, user profiles, and alerts.

Trust_suggestions

"File acquired from" details for cloud sync application sources

January 3, 2023

Incydr now captures source information for files downloaded to an endpoint via an installed cloud sync application. This additional source information preserves the context of where the user acquired the file, which helps you evaluate risk in future file events. Related updates include:

Trusted Account names can now be identified as sources with high-value data. This enables you to trust uploads to a cloud account, but still apply risk to files downloaded from that cloud account and later sent to unmonitored or untrusted locations.
Added a new File acquired from Dropbox risk indicator.
Added new source risk indicators for files downloaded to an endpoint via an installed cloud sync application.
File acquired from metadata now includes Source user, Source account name, and Source account type to provide more details about the source of files downloaded to a device via an installed cloud sync application.

Enhancements and updates

January 25, 2023

Added the option to exclude file events by process. Use process exclusions to prevent Incydr from generating file events for any activity triggered by processes that don't add value to insider risk detection or investigation. See File event exclusions for details.

January 24, 2023

The device backup status now more accurately reflects overall progress for devices with multiple backup sets.
Improvements to archive maintenance.
Performance and stability improvements.

January 10, 2023

Added new file event metadata and Forensic Search filters for Untrusted account names, Untrusted domains, Untrusted Git repository URIs, and Untrusted URL paths. These new fields highlight values that do not match an entry in your list of Trusted activity.

January 9, 2023

Improvements to archive maintenance.

January 4, 2023

Added a new User behavior Alerts setting for risky user behaviors, including first and rare use of destinations, off hours activity, remote activity, and file extension mismatches.

January 3, 2023

Added new risk indicators for:

Files uploaded to file transfer tool destinations
Files acquired from healthcare & insurance sources

These additions help you better identify risk by reducing the number of file events with the Other destination risk indicator.

Bug fixes

January 24, 2023

Fixed a very rare issue where files could not be restored for specific devices via a device restore in the Code42 console.

Previous release notes

For release notes prior to January 2023, see Previous version release notes.