Monitor and improve Incydr environment health

Overview

A healthy Incydr environment is one that actively collects file activity from endpoints and data connections and reports it in the Incydr console for review and investigation, including in dashboards, alerts, Forensic Search, and more. There are several tools available to help you identify devices that may need attention. This article describes how you can use these tools to identify and resolve issues to maintain and improve your environment health.

This article applies to the insider risk agent. For the backup agent, see Identify and resolve device issues in the Incydr console.

Environment monitoring tools

User data sources

The Data Sources tab on the user details screen shows the devices associated with a user along with the date and time those devices last reported any activity to the Incydr cloud. Use this information to identify specific devices that may not have reported any activity within a given timeframe or that may need to be upgraded.

Device details

Clicking a device listed in the Devices table or on the user details Data Sources tab opens the details for that device. Two fields on the device details screen can help you identify devices that may have issues:

Agent version lists the version of the agent installed on the device to help you identify devices that may need to be upgraded.
Last check-in shows the date and time the device last connected to the Incydr cloud. This can help you identify devices that haven't connected in some time and thus may not be reporting file activity or may need to be upgraded.

Data Connections status

Data Connections allow you to monitor file movement and sharing in your corporate cloud storage environments (like Box, Google Drive, or Microsoft OneDrive) as well as monitor files emailed as attachments in your corporate email service (such as Gmail or Microsoft Office 365 email).

If you have authorized an Incydr data connection, you can quickly view its status in the Data Connections table. A connection in an Error state indicates that the connection may not be collecting file activity, which means you might have a blind spot. See one of these articles for more information on troubleshooting data connection errors:

Cloud storage
Email services
- Connect Incydr to Gmail
- Connect Incydr to Microsoft Office 365 email

Incydr API

The APIs available in the Developer Portal give you comprehensive access to information about your environment. You can use them to query for details about users and devices, to integrate with other systems and monitoring tools you use, or to automate tasks or responses. Pay special attention to the following APIs:

Device: List all devices in your environment sorted by the date and time they last connected to the Incydr cloud.
User: Identify the users in your environment who are active, inactive, or blocked, and can list all of the devices owned by specific users.
File Events: Determine whether devices are reporting file activity to Incydr and when that activity was recorded.
Cases: Identify the users who are associated with active investigations and gather information about the file events involved in the case. From this information, you can identify devices that may need to be preserved until the investigation completes.

Code42 CLI

Code42 CLI end-of-life
The Code42 CLI is now deprecated. It has been replaced by the Incydr CLI.

The Code42 CLI will reach end-of-support on January 1, 2026, and end-of-life on January 1, 2027.
To ensure uninterrupted functionality and access to the latest features, migrate your integrations to the Incydr CLI as soon as possible.

For more details, see our FAQ.

The Code42 command-line interface tool gives the same access to data as the API, but lets you interact with your environment without using the Incydr console or making API calls directly. For example, you can use it to extract data for use in a security information and event management (SIEM) tool to visualize and automate environment monitoring. Lists generated from CLI commands can also be saved to CSV or JSON formats for use with other applications.

These APIs in the Code42 CLI are the most useful for identifying environment health issues:

Devices: List the devices in your organization to help identify those that have not connected to the Incydr cloud by a specific date. You can also deactivate specific devices or a number of devices in bulk.
Users: List active and inactive users in your environment and deactivate individual users or a number of users in bulk.
Cases: Identify the users who are associated with active investigations and gather information about the file events involved in the case. From this information, you can identify devices that may need to be preserved until the investigation completes.

Code42 Insider Threat app for Splunk

Actions to improve environment health

Ensure devices are up-to-date

When a device is running an outdated version of the agent, it may not be reporting all file activity efficiently (or may not be reporting activity for new exfiltration vectors and destinations at all), which may represent a weakness in your insider risk management strategy. Use the tools in the Incydr console, API, or CLI to identify devices that aren't running the current version of the agent.

To troubleshoot device updates:

Verify that those devices are still in use and can connect to the Incydr cloud. Deactivate devices that are no longer used to connect to Incydr.
Verify that devices are using current deployment policy properties, scripts, and secrets. If the agent is deployed to a device with incorrect properties, initial installation may not have completed successfully (and thus, subsequent upgrades cannot complete either). Reactivate expired secrets or extend those that are about to expire as needed.
If needed, uninstall and reinstall the agent to resolve issues with upgrading.

Troubleshoot connection issues

If a device is unable to connect, Incydr cannot accurately report security events or file activity occurring on that endpoint. Devices that are not connecting properly are also at risk of missing upgrades and may thus be running outdated versions of the agent.

Causes

The most common reasons that a device cannot connect to the Incydr cloud include:

The user is on extended leave, and his or her endpoint is powered off or is not actively in use.
The user has left the organization but has not been deactivated.
The user has received a new device and no longer needs to use the previous endpoint.
Other applications installed on the device are interfering with connectivity.
Communication between the agent installed on the device and the Incydr cloud is blocked.
An administrator is using deep packet inspection to examine traffic from devices to the Incydr cloud.
Mac devices don't have full disk access, or the .mobileconfig file deployed to the device isn't set up correctly.

Solutions

To resolve device connectivity issues, take the following actions:

Use the Incydr console, API, or CLI to verify that endpoints are connecting to the Incydr cloud and reporting file events as they should.
Verify employee status with managers or your organization's Human Resources department.
Deactivate users that are no longer with your organization.
Deactivate devices that are no longer used to connect to Incydr.
Verify that you have created exceptions for Incydr in any antivirus, security, or endpoint detection and response (EDR) applications your organization uses, and that those exception are valid and working correctly.
Verify that the IP addresses and ports used by Incydr are open and that there is no deep packet inspection on traffic on port 4287. Verify that network traffic settings are optimized for where your employees work.
Use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create and deploy a .mobileconfig file to the Mac devices in your environment to grant these devices full disk access. When creating this file, verify that the settings are correct for your organization:
- In Properties, all areas you want to monitor are selected.
- In Apple Events, all web browsers you want to monitor for uploads are selected.
- In System Extensions, the agent team identifier and system extension are correct.

Deactivate unneeded users and unused devices

An unmanaged environment can include any number of users who are no longer with the organization or devices that are no longer used to connect to Incydr. These unneeded users and unused devices pose risks to your organization's insider risk strategy:

Unnecessary data may violate your organization's data retention policies.
They delay investigations by making it difficult to understand which questions need to be answered.
It's difficult to diagnose which users or devices are involved in risky activity, resulting in unfocused investigations and unclear outcomes.
They cause processing delays and inefficiencies.

An accurate user and device inventory allows you to act with intention and clarity to secure your valuable business data. To identify users and devices that are no longer needed in Incydr:

Work with your Human Resources department to list users that are no longer with your organization. You can also use the Incydr API to develop a list of users who do not have any associated devices, but keep in mind that some of these users may be administrators, security analysts, or other valid users of Incydr that may not have an associated device that's being monitored.
Work with your Legal department to identify users or devices that are currently under investigation and should not be deactivated in Incydr. You can also use the API to list legal holds or cases under investigation in your organization that are associated with users and devices. Remember that users and devices involved in legal holds cannot be deactivated and still contribute to active user and device totals.
Secure your environment by deactivating unneeded users and devices in Incydr.
- Users
  - Deactivate users in the Incydr console.
  - Use the CLI to deactivate specific users or to deactivate a number of users in bulk.
- Devices
  - Deactivate devices in the Incydr console.
  - Use the CLI to deactivate a number of devices in bulk.

Additional resources

Incydr has a number of additional resources available to help you get the most value from your environment while securing your organization's vital data.

Use the tools in our customer toolkit to get up and running quickly and discover how to optimize Incydr to elevate your security and insider risk programs.
Consult with our Professional Services team for help with deploying Incydr across your organization and integrating with tools you already use.
Engage one of our Technical Account Managers (TAMs) to gain extensive insights about the health of your environment and fully leverage all Incydr features, customized for your organization. (TAM services may already be included in your support plan.)

Contact your Customer Success Manager (CSM) for more information about how to access these resources. If you do not know your CSM, please contact our Technical Support Engineers.

Search