Code42
Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
#
Configure Code42 on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for Code42.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
console_url | Code42 Console URL for your Code42 environment | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
alert_severity | Alert severities to fetch when fetching incidents | False |
fetch_time | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
fetch_limit | Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
include_files | Include the list of files in returned incidents. | False |
- Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
code42-securitydata-searchSearches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
#
Base Commandcode42-securitydata-search
#
InputArgument Name | Description | Required |
---|---|---|
json | JSON query payload using Code42 query syntax. | Optional |
hash | MD5 or SHA256 hash of the file to search for. | Optional |
username | Username to search for. | Optional |
hostname | Hostname to search for. | Optional |
exposure | Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain". | Optional |
results | The number of results to return. The default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.SecurityData.EventTimestamp | date | Timestamp for the event. |
Code42.SecurityData.FileCreated | date | File creation date. |
Code42.SecurityData.EndpointID | string | Code42 device ID. |
Code42.SecurityData.DeviceUsername | string | The username that the device is associated with in Code42. |
Code42.SecurityData.EmailFrom | string | The sender email address for email exfiltration events. |
Code42.SecurityData.EmailTo | string | The recipient email address for email exfiltration events. |
Code42.SecurityData.EmailSubject | string | The email subject line for email exfiltration events. |
Code42.SecurityData.EventID | string | The Security Data event ID. |
Code42.SecurityData.EventType | string | The type of Security Data event. |
Code42.SecurityData.FileCategory | string | The file type, as determined by Code42 engine. |
Code42.SecurityData.FileOwner | string | The owner of the file. |
Code42.SecurityData.FileName | string | The file name. |
Code42.SecurityData.FilePath | string | The path to file. |
Code42.SecurityData.FileSize | number | The size of the file (in bytes). |
Code42.SecurityData.FileModified | date | The date the file was last modified. |
Code42.SecurityData.FileMD5 | string | MD5 hash of the file. |
Code42.SecurityData.FileHostname | string | Hostname where the file event was captured. |
Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of the device where the event was captured. |
Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of the device where the event was captured. |
Code42.SecurityData.RemovableMediaType | string | Type of removable media. |
Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media (in bytes). |
Code42.SecurityData.RemovableMediaMediaName | string | The full name of the removable media. |
Code42.SecurityData.RemovableMediaName | string | The name of the removable media. |
Code42.SecurityData.RemovableMediaSerialNumber | string | The serial number for the removable medial device. |
Code42.SecurityData.RemovableMediaVendor | string | The vendor name for removable device. |
Code42.SecurityData.FileSHA256 | string | The SHA256 hash of the file. |
Code42.SecurityData.FileShared | boolean | Whether the file is shared using a cloud file service. |
Code42.SecurityData.FileSharedWith | string | Accounts that the file is shared with on a cloud file service. |
Code42.SecurityData.Source | string | The source of the file event. Can be "Cloud" or "Endpoint". |
Code42.SecurityData.ApplicationTabURL | string | The URL associated with the application read event. |
Code42.SecurityData.ProcessName | string | The process name for the application read event. |
Code42.SecurityData.ProcessOwner | string | The process owner for the application read event. |
Code42.SecurityData.WindowTitle | string | The process name for the application read event. |
Code42.SecurityData.FileURL | string | The URL of the file on a cloud file service. |
Code42.SecurityData.Exposure | string | The event exposure type. |
Code42.SecurityData.SharingTypeAdded | string | The type of sharing added to the file. |
File.Name | string | The file name. |
File.Path | string | The file path. |
File.Size | number | The file size (in bytes). |
File.MD5 | string | The MD5 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Hostname | string | The hostname where the file event was captured. |
#
Command Example!code42-securitydata-search hash=eef8b12d2ed0d6a69fe77699d5640c7b exposure=CloudStorage,ApplicationRead
#
Human Readable OutputEventType | FileName | FileSize | FileHostname | FileOwner | FileCategory |
---|---|---|---|---|---|
READ_BY_APP | ProductPhoto.jpg | 333114 | DESKTOP-001 | john.user | IMAGE |
#
code42-alert-getRetrieve alert details by alert ID
#
Base Commandcode42-alert-get
#
InputArgument Name | Description | Required |
---|---|---|
id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.SecurityAlert.Username | string | The username associated with the alert. |
Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
Code42.SecurityAlert.Description | string | The description of the alert. |
Code42.SecurityAlert.ID | string | The alert ID. |
Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
Code42.SecurityAlert.State | string | The alert state. |
Code42.SecurityAlert.Type | string | The alert type. |
Code42.SecurityAlert.Severity | string | The severity of the alert. |
#
Command Example!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"
#
Human Readable OutputType | Occurred | Username | Name | Description | State | ID |
---|---|---|---|---|---|---|
FED_CLOUD_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 |
#
code42-alert-resolveResolves a Code42 Security alert.
#
Base Commandcode42-alert-resolve
#
InputArgument Name | Description | Required |
---|---|---|
id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |
#
Command Example!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"
#
Human Readable OutputID |
---|
eb272d18-bc82-4680-b570-ac5d61c6cca6 |
#
code42-departingemployee-addAdds a user to the Departing Employee List.
#
Base Commandcode42-departingemployee-add
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to add to the Departing Employee List. | Required |
departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
note | Note to attach to the Departing Employee. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
Command Example!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"
#
Human Readable OutputUserID | DepartureDate | Note | Username |
---|---|---|---|
123 | 2020-02-28 | Leaving for competitor | john.user@example.com |
#
code42-departingemployee-removeRemoves a user from the Departing Employee List.
#
Base Commandcode42-departingemployee-remove
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to remove from the Departing Employee List. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
#
Command Example!code42-departingemployee-remove username="john.user@example.com"
#
Human Readable OutputUserID | Username |
---|---|
123 | john.user@example.com |
#
code42-departingemployee-getRetrieve departing employee details.
#
Base Commandcode42-departingemployee-get
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the departing employee. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
Command Example!code42-departingemployee-get username="partner.demisto@example.com"
#
Context Example#
Human Readable Output#
Retrieve departing employeeDepartureDate | Note | UserID | Username |
---|---|---|---|
Risky activity | 942876157732602741 | partner.demisto@example.com |
#
code42-departingemployee-get-allGet all employees on the Departing Employee List.
#
Base Commandcode42-departingemployee-get-all
#
InputArgument Name | Description | Required |
---|---|---|
results | The number of items to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
Command Example!code42-departingemployee-get-all
#
Context Example#
Human Readable Output#
All Departing EmployeesDepartureDate | Note | UserID | Username |
---|---|---|---|
2020-07-19 | User added from XSOAR | 921286907298179098 | user1@example.com |
2020-07-20 | User added from Jira ticket | 948938588694228306 | user1@example.com |
2020-07-20 | No note. | 912249223544144039 | unicode@example.com |
2020-07-20 | Lots of suspicious activity | 894165832411107815 | testuser@example.com |
2020-07-20 | L3 security risk | 949093399968329042 | user2@example.com |
2020-07-21 | Problems with performance | 942897397520286581 | user3@example.com |
2020-07-21 | Problems with performance | 906619740182876328 | user4@example.com |
2020-07-21 | Was a contract employee | 906619632003387560 | user5@example.com |
2020-07-21 | Was a contract employee | 912338501981077099 | user6@example.com |
2020-07-25 | Leaving for competitor | 951984198921509692 | user7@example.com.com |
2020-07-25 | Leaving for competitor | 895005723650937319 | user8@example.com |
#
code42-highriskemployee-addAdds a user from the High Risk Employee List.
#
Base Commandcode42-highriskemployee-add
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to add to the High Risk Employee List. | Required |
note | Note to attach to the High Risk Employee. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
Command Example!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"
#
Context Example#
Human Readable Output#
Code42 High Risk Employee List User AddedUserID | Username |
---|---|
942876157732602741 | partner.demisto@example.com |
#
code42-highriskemployee-removeRemoves a user from the High Risk Employee List.
#
Base Commandcode42-highriskemployee-remove
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to remove from the High Risk Employee List. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |
#
Command Example!code42-highriskemployee-remove username="partner.demisto@example.com" note="Risky activity"
#
Context Example#
Human Readable Output#
Code42 High Risk Employee List User RemovedUserID | Username |
---|---|
942876157732602741 | partner.demisto@example.com |
#
code42-highriskemployee-getRetrieve high risk employee details.
#
Base Commandcode42-highriskemployee-get
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the user. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
Command Example!code42-highriskemployee-get username="partner.demisto@example.com"
#
Context Example#
Human Readable Output#
Retrieve high risk employeeNote | UserID | Username |
---|---|---|
Risky activity | 942876157732602741 | partner.demisto@example.com |
#
code42-highriskemployee-get-allGet all employees on the High Risk Employee List.
#
Base Commandcode42-highriskemployee-get-all
#
InputArgument Name | Description | Required |
---|---|---|
risktags | To filter results by employees who have these risk tags. Space delimited. | Optional |
results | The number of items to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
Command Example!code42-highriskemployee-get-all
#
Context Example#
Human Readable Output#
Retrieved All High Risk EmployeesNote | UserID | Username |
---|---|---|
Clicked Phishing link | 942897397520286581 | user1@example.com |
Lots of non-work-related activity | 895005723650937319 | user2@example.com |
User added using XSOAR | 912098363086307495 | user3@example.com |
User has performance concerns | 921286907298179098 | user4@example.com |
Highly demanded employee | 942876157732602741 | user5@example.com |
#
code42-highriskemployee-add-risk-tags#
Base Commandcode42-highriskemployee-add-risk-tags
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |
#
Command Example!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" note="PERFORMANCE_CONCERN"
#
Human Readable Output#
Code42 Risk Tags AddedRiskTags | UserID | Username |
---|---|---|
PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |
#
code42-highriskemployee-remove-risk-tags#
Base Commandcode42-highriskemployee-remove-risk-tags
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |
#
Command Example!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"
#
Context Example#
Human Readable Output#
Code42 Risk Tags RemovedRiskTags | UserID | Username |
---|---|---|
PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |
#
code42-user-createCreates a Code42 user.
#
Base Commandcode42-user-create
#
InputArgument Name | Description | Required |
---|---|---|
orgname | The name of the Code42 organization from which to add the user. | Required |
username | The username to give to the user. | Required |
The email of the user to create. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.Username | String | A username for a Code42 user. |
Code42.User.Email | String | An email for a Code42 user. |
Code42.User.UserID | String | An ID for a Code42 user. |
#
Command Example!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"
#
Human Readable Output#
Code42 User CreatedUserID | Username | |
---|---|---|
created.in.cortex.xsoar@example.com | 1111158111459014270 | created.in.cortex.xsoar@example.com |
#
code42-user-blockBlocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
#
Base Commandcode42-user-block
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to block. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |
#
Command Example!code42-user-block username="partner.demisto@example.com"
#
Human Readable Output#
Code42 User BlockedUserID |
---|
C2345 |
#
code42-user-unblockRemoves a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
#
Base Commandcode42-user-unblock
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to unblock. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |
#
Command Example!code42-user-unblock username="partner.demisto@example.com"
#
Human Readable Output#
Code42 User BlockedUserID |
---|
C2345 |
#
code42-user-deactivateDeactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
#
Base Commandcode42-user-deactivate
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to deactivate. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |
#
Command Example!code42-user-deactivate username="partner.demisto@example.com"
#
Human Readable Output#
Code42 User DeactivatedUserID |
---|
123456790 |
#
code42-user-reactivateReactivates the user with the given username.
#
Base Commandcode42-user-reactivate
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to reactivate. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |
#
Command Example!code42-user-reactivate username="partner.demisto@example.com"
#
Human Readable Output#
Code42 User ReactivatedUserID |
---|
123456790 |
#
code42-legalhold-add-userAdds a Code42 user to a legal hold matter.
#
Base Commandcode42-legalhold-add-user
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to add to the given legal hold matter. | Required |
mattername | The name of the legal hold matter to which the user will be added. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
#
Command Example!code42-legalhold-add-user username="partner.demisto@example.com" mattername="test"
#
Context Example#
Human Readable Output#
Code42 User Added to Legal Hold MatterMatterID | MatterName | UserID | Username |
---|---|---|---|
932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |
#
code42-legalhold-remove-userRemoves a Code42 user from a legal hold matter.
#
Base Commandcode42-legalhold-remove-user
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to release from the given legal hold matter. | Required |
mattername | The name of the legal hold matter from which the user will be released. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
#
Command Example!code42-legalhold-remove-user username="partner.demisto@example.com" mattername="test"
#
Context Example#
Human Readable Output#
Code42 User Removed from Legal Hold MatterMatterID | MatterName | UserID | Username |
---|---|---|---|
932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |
#
code42-download-fileDownloads a file from Code42.
#
Base Commandcode42-download-file
#
InputArgument Name | Description | Required |
---|---|---|
hash | Either the SHA256 or MD5 hash of the file. | Required |
#
Command Example!code42-download-file hash="bf6b326107d4d85eb485eed84b28133a"
#
Human Readable Output#
Code42 User DeactivatedType | Size | Info | MD5 | SHA1 | SHA256 | SHA512 | SSDeep |
---|---|---|---|---|---|---|---|
application/vnd.ms-excel | 41,472 bytes | Composite Document File V2 Document, Little Endian, Os: MacOS, Version 14.10, Code page: 10000, Last Saved By: John Doe, Name of Creating Application: Microsoft Macintosh Excel, Create Time/Date: Fri Feb 21 17:35:19 2020, Last Saved Time/Date: Mon Apr 13 11:54:08 2020, Security: 0 | 2e45562437ec4f41387f2e14c3850dd6 | 59e552e637bfe5254b163bb4e426a2322d10f50d | d3f8566d04df5dc34bf2607ac803a585ac81e06f28afe81f35cc2e5fe63d2ab5 | 776bd9626761cd567a4b498bafe4f5f896c3f4bc9f3c60513ccacd14251a2568fa3ba44060000affa8b57fb768c417cf271500086e4e49272f26b26a90627abb | 768:pudkQzl3ZpWh+QO3uMdS9dSttRJwyE/KtxA1almvy6mhk+GlESOwWoqSY7bTKCUv:siQzl3ZpWh+QO3uMdS9dSttRJwyE/KtF |