Code42

This Integration is part of the Code42 Pack.

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

Configure Code42 on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services.
Search for Code42.
Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
Code42 Console URL for your Code42 environment | True |
API Client ID | True |
Password | True |
Fetch incidents | False |
Incident type | False |
Alert severities to fetch when fetching incidents | False |
First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
Include the list of files in returned incidents. | False |

Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

code42-securitydata-search

Searches for file events by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it is used to the exclusion of all other parameters; otherwise, the parameters are combined with an AND clause.

Base Command

code42-securitydata-search

Input

Argument Name | Description | Required |
---|---|---|
json | JSON query payload using Code42 query syntax. | Optional |
hash | MD5 or SHA256 hash of the file to search for. | Optional |
username | Username to search for. | Optional |
hostname | Hostname to search for. | Optional |
exposure | Exposure types to search for. Possible values are: All, RemovableMedia, ApplicationRead, CloudStorage, IsPublic, SharedViaLink, SharedViaDomain, OutsideTrustedDomains. When "All" is specified together with other types, the other types are ignored and the filter rule for all types is applied. | Optional |
results | The number of results to return. The default is 100. | Optional |
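
The argument precedence described for this command, modeled as an added example (not code from the integration): the function returns the effective query together with the inputs that are silently dropped, so a playbook can tell when a search is broader than the analyst intended. The query field names (`md5Checksum`, `sha256Checksum`, `deviceUserName`, `osHostName`, `exposure`, `groupClause`, `pgSize`), the comma-separated exposure list and the function names are assumptions.

```python
import json
import re

# Exposure values from the command's Input table ("All" is handled separately).
EXPOSURE_TYPES = {
    "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic",
    "SharedViaLink", "SharedViaDomain", "OutsideTrustedDomains",
}
NARROWING_ARGS = ("hash", "username", "hostname", "exposure")
MD5_RE = re.compile(r"[0-9a-f]{32}")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def _group(term, values, operator="IS"):
    # Assumed layout: one group per argument, values of one argument OR-ed.
    filters = [{"operator": operator, "term": term, "value": v} for v in values]
    return {"filterClause": "OR", "filters": filters}


def build_search(args):
    """Return (query, ignored): the effective query and the inputs it drops."""
    supplied = [name for name in NARROWING_ARGS if args.get(name)]

    if args.get("json"):
        # A JSON payload is used to the exclusion of every other parameter.
        try:
            query = json.loads(args["json"])
        except json.JSONDecodeError as exc:
            raise ValueError(f"json argument is not valid JSON: {exc}") from None
        return query, supplied

    if not supplied:
        # Assumption: "results" alone does not count as a search argument.
        raise ValueError("pass json, hash, username, hostname or exposure")

    groups, ignored = [], []
    if args.get("hash"):
        digest = args["hash"].strip().lower()
        if MD5_RE.fullmatch(digest):
            groups.append(_group("md5Checksum", [digest]))
        elif SHA256_RE.fullmatch(digest):
            groups.append(_group("sha256Checksum", [digest]))
        else:
            raise ValueError("hash must be a 32-hex MD5 or 64-hex SHA256 digest")
    if args.get("username"):
        groups.append(_group("deviceUserName", [args["username"]]))
    if args.get("hostname"):
        groups.append(_group("osHostName", [args["hostname"]]))
    if args.get("exposure"):
        # Assumption: several exposure types arrive as a comma-separated list.
        wanted = [e.strip() for e in args["exposure"].split(",") if e.strip()]
        if "All" in wanted:
            # "All" wins: match any event that has an exposure, drop the rest.
            ignored = [e for e in wanted if e != "All"]
            groups.append(_group("exposure", [None], operator="EXISTS"))
        else:
            unknown = sorted(set(wanted) - EXPOSURE_TYPES)
            if unknown or not wanted:
                raise ValueError(f"unknown or empty exposure type(s): {unknown}")
            groups.append(_group("exposure", wanted))

    query = {
        "groupClause": "AND",  # arguments are combined with AND
        "groups": groups,
        "pgSize": int(args.get("results") or 100),  # documented default
    }
    return query, ignored


if __name__ == "__main__":
    # Constructed input: the analyst expects a per-user search, but json wins.
    q, dropped = build_search({
        "json": '{"groupClause": "AND", "groups": []}',
        "username": "user_a@example.com",
    })
    print("effective query:", q, "| silently ignored:", dropped)
```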

Context Output

Path | Type | Description |
---|---|---|
Code42.SecurityData.EventTimestamp | date | Timestamp for the event. |
Code42.SecurityData.FileCreated | date | File creation date. |
Code42.SecurityData.EndpointID | string | Code42 device ID. |
Code42.SecurityData.DeviceUsername | string | The username that the device is associated with in Code42. |
Code42.SecurityData.EmailFrom | string | The sender email address for email exfiltration events. |
Code42.SecurityData.EmailTo | string | The recipient email address for email exfiltration events. |
Code42.SecurityData.EmailSubject | string | The email subject line for email exfiltration events. |
Code42.SecurityData.EventID | string | The Security Data event ID. |
Code42.SecurityData.EventType | string | The type of Security Data event. |
Code42.SecurityData.FileCategory | string | The file type, as determined by the Code42 engine. |
Code42.SecurityData.FileOwner | string | The owner of the file. |
Code42.SecurityData.FileName | string | The file name. |
Code42.SecurityData.FilePath | string | The path to the file. |
Code42.SecurityData.FileSize | number | The size of the file (in bytes). |
Code42.SecurityData.FileModified | date | The date the file was last modified. |
Code42.SecurityData.FileMD5 | string | MD5 hash of the file. |
Code42.SecurityData.FileHostname | string | Hostname where the file event was captured. |
Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of the device where the event was captured. |
Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of the device where the event was captured. |
Code42.SecurityData.RemovableMediaType | string | Type of removable media. |
Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media (in bytes). |
Code42.SecurityData.RemovableMediaMediaName | string | The full name of the removable media. |
Code42.SecurityData.RemovableMediaName | string | The name of the removable media. |
Code42.SecurityData.RemovableMediaSerialNumber | string | The serial number for the removable media device. |
Code42.SecurityData.RemovableMediaVendor | string | The vendor name for the removable device. |
Code42.SecurityData.FileSHA256 | string | The SHA256 hash of the file. |
Code42.SecurityData.FileShared | boolean | Whether the file is shared using a cloud file service. |
Code42.SecurityData.FileSharedWith | string | Accounts that the file is shared with on a cloud file service. |
Code42.SecurityData.Source | string | The source of the file event. Can be "Cloud" or "Endpoint". |
Code42.SecurityData.ApplicationTabURL | string | The URL associated with the application read event. |
Code42.SecurityData.ProcessName | string | The process name for the application read event. |
Code42.SecurityData.ProcessOwner | string | The process owner for the application read event. |
Code42.SecurityData.WindowTitle | string | The process name for the application read event. |
Code42.SecurityData.FileURL | string | The URL of the file on a cloud file service. |
Code42.SecurityData.Exposure | string | The event exposure type. |
Code42.SecurityData.SharingTypeAdded | string | The type of sharing added to the file. |
File.Name | string | The file name. |
File.Path | string | The file path. |
File.Size | number | The file size (in bytes). |
File.MD5 | string | The MD5 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Hostname | string | The hostname where the file event was captured. |

Command example

!code42-securitydata-search exposure=All results=3

Human Readable Output

Results

Hostname | MD5 | Name | Path | SHA256 | Size |
---|---|---|---|---|---|
DESKTOP-H6V9R95 | 764f90384e56597e6bba691c75d23875 | revenue_algorithm.py | C:/Users/example/Desktop/ | 5cf3d58f1af8ac32ae74bc75d35132f8151f9826b4e6d79131c68475a53106f9 | 1000000 |
DESKTOP-H6V9R95 | 953fd5bd78ed02af93f503af8a924fc6 | core_IP.py | C:/Users/example/Desktop/ | c096682d62c7f4dc8b02dd55e8c595f8374c7b5a5e6f1c87883f6e541f859420 | 1000000 |

code42-alert-get

Retrieve alert details by alert ID.

Base Command

code42-alert-get

Input

Argument Name | Description | Required |
---|---|---|
id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.SecurityAlert.Username | string | The username associated with the alert. |
Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
Code42.SecurityAlert.Description | string | The description of the alert. |
Code42.SecurityAlert.ID | string | The alert ID. |
Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
Code42.SecurityAlert.State | string | The alert state. |
Code42.SecurityAlert.Type | string | The alert type. |
Code42.SecurityAlert.Severity | string | The severity of the alert. |

Command example

!code42-alert-get id="ec45e919-8dd1-4624-9cc8-98d7f8f84bbf"

Human Readable Output

Code42 Security Alert Results

Type | Occurred | Username | Name | Description | State | ID |
---|---|---|---|---|---|---|
FED_COMPOSITE | 2022-03-31T14:48:21.9643340Z | user@example.com | Example Alerts | Example Alert | RESOLVED | ec45e919-8dd1-4624-9cc8-98d7f8f84bbf |

code42-alert-resolve

Resolves a Code42 Security alert.

Base Command

code42-alert-resolve

Input

Argument Name | Description | Required |
---|---|---|
id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |

Command example

!code42-alert-resolve id="ec45e919-8dd1-4624-9cc8-98d7f8f84bbf"

Human Readable Output

Code42 Security Alert Resolved

Type | Occurred | Username | Name | Description | State | ID |
---|---|---|---|---|---|---|
FED_COMPOSITE | 2022-03-31T14:48:21.9643340Z | user@example.com | Example Alerts | Example Alert | RESOLVED | ec45e919-8dd1-4624-9cc8-98d7f8f84bbf |

code42-user-create

Creates a Code42 user.

Base Command

code42-user-create

Input

Argument Name | Description | Required |
---|---|---|
orgname | The name of the Code42 organization from which to add the user. | Required |
username | The username to give to the user. | Required |
email | The email of the user to create. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.User.Username | String | A username for a Code42 user. |
Code42.User.Email | String | An email for a Code42 user. |
Code42.User.UserID | String | An ID for a Code42 user. |

Command example

!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"

Human Readable Output

Code42 User Created

Email | UserID | Username |
---|---|---|
new.user@example.com | 1061727696334321549 | new.user@example.com |

code42-user-block

Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.

Base Command

code42-user-block

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to block. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |

Command example

!code42-user-block username="user_a@example.com"

Human Readable Output

Code42 User Blocked

UserID |
---|
210019 |

code42-user-deactivate

Deactivates a user in Code42, signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.

Base Command

code42-user-deactivate

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to deactivate. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |

Command example

!code42-user-deactivate username="user_a@example.com"

Human Readable Output

Code42 User Deactivated

UserID |
---|
210019 |

code42-user-unblock

Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.

Base Command

code42-user-unblock

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to unblock. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |

Command example

!code42-user-unblock username="user_a@example.com"

Human Readable Output

Code42 User Unblocked

UserID |
---|
210019 |

code42-user-reactivate

Reactivates the user with the given username.

Base Command

code42-user-reactivate

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to reactivate. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |

Command example

!code42-user-reactivate username="user_a@example.com"

Human Readable Output

Code42 User Reactivated

UserID |
---|
210019 |

code42-user-update-risk-profile

Updates a user's risk profile.

Base Command

code42-user-update-risk-profile

Input

Argument Name | Description | Required |
---|---|---|
username | The username to give to the user. | Required |
start_date | The user's start date (used in the New Hire watchlist). | Optional |
end_date | The user's end date (used in the Departing Employee watchlist). | Optional |
notes | Notes about the user. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Code42.UpdatedUserRiskProfiles.Username | String | A username for a Code42 user. |
Code42.UpdatedUserRiskProfiles.StartDate | Object | The updated start_date for the user. |
Code42.UpdatedUserRiskProfiles.EndDate | Object | The updated end_date for the user. |
Code42.UpdatedUserRiskProfiles.Notes | String | The updated notes for the user. |

Command example

!code42-user-update-risk-profile username="user@example.com" start_date="2022-10-10" end_date="2023-10-10" notes="test note."

Human Readable Output

Code42 User Risk Profile Updated

Username | StartDate | EndDate | Notes |
---|---|---|---|
user@example.com | year: 2022\nmonth: 10\nday10 | year: 2023\nmonth: 10\nday10 | "test note." |

code42-legalhold-add-user

Adds a Code42 user to a legal hold matter.

Base Command

code42-legalhold-add-user

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to add to the given legal hold matter. | Required |
mattername | The name of the legal hold matter to which the user will be added. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command example

!code42-legalhold-add-user username="user_a@example.com" mattername="test"

Human Readable Output

Code42 User Added to Legal Hold Matter

MatterID | MatterName | UserID | Username |
---|---|---|---|
1034958750641143371 | Example Matter | 942876157732602741 | user_a@example.com |

code42-legalhold-remove-user

Removes a Code42 user from a legal hold matter.

Base Command

code42-legalhold-remove-user

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the user to release from the given legal hold matter. | Required |
mattername | The name of the legal hold matter from which the user will be released. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command example

!code42-legalhold-remove-user username="user_a@example.com" mattername="test"

Human Readable Output

Code42 User Removed from Legal Hold Matter

MatterID | MatterName | UserID | Username |
---|---|---|---|
1034958750641143371 | Example Matter | 942876157732602741 | user_a@example.com |

code42-download-file

Downloads a file from Code42.

Base Command

code42-download-file

Input

Argument Name | Description | Required |
---|---|---|
hash | Either the SHA256 or MD5 hash of the file. | Required |
filename | The filename to save the file as. | Optional |

Context Output

Path | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | File information. |
File.Type | String | The file type. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The file extension. |

Command example

!code42-download-file hash=764f90384e56597e6bba691c75d23875

code42-watchlists-list

List all existing watchlists in your environment.

Base Command

code42-watchlists-list

Input

There are no input arguments for this command.

Context Output

Path | Type | Description |
---|---|---|
Code42.Watchlists.ListType | string | The Type of Watchlist. |
Code42.Watchlists.Id | string | The ID of the Watchlist. |
Code42.Watchlists.IncludedUserCount | integer | The count of included users on the Watchlist. |

Command example

!code42-watchlists-list

Human Readable Output

Watchlists

IncludedUserCount | WatchlistID | WatchlistType |
---|---|---|
3 | b55978d5-2d50-494d-bec9-678867f3830c | DEPARTING_EMPLOYEE |
11 | 2870bd73-ce1f-4704-a7f7-a8d11b19908e | SUSPICIOUS_SYSTEM_ACTIVITY |
4 | d2abb9f2-8c27-4f95-b7e2-252f191a4a1d | FLIGHT_RISK |
3 | a21b2bbb-ed16-42eb-9983-32076ba417c0 | PERFORMANCE_CONCERNS |
2 | c9557acf-4141-4162-b767-c129d3e668d4 | CONTRACT_EMPLOYEE |
4 | 313c388e-4c63-4071-a6fc-d6270e04c350 | HIGH_IMPACT_EMPLOYEE |
3 | b49c938f-8f13-45e4-be17-fa88eca616ec | ELEVATED_ACCESS_PRIVILEGES |
2 | 534fa6a4-4b4c-4712-9b37-2f81c652c140 | POOR_SECURITY_PRACTICES |
0 | 5a39abda-c672-418a-82a0-54485bd59b7b | NEW_EMPLOYEE |

code42-watchlists-add-user

Add a user to a watchlist.

Base Command

code42-watchlists-add-user

Input

Argument Name | Description | Required |
---|---|---|
username | Email id of the user to add to Watchlist. | Required |
watchlist | WatchlistID or WatchlistType to add user to. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.UsersAddedToWatchlists.Watchlist | string | The ID/Type of the watchlist user was added to. |
Code42.UsersAddedToWatchlists.Username | string | The username added to watchlist. |
Code42.UsersAddedToWatchlists.Success | boolean | If the user was added successfully. |

Command example

!code42-watchlists-add-user username="user_a@example.com" watchlist="b55978d5-2d50-494d-bec9-678867f3830c"

Human Readable Output

Results

Success | Username | Watchlist |
---|---|---|
true | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-watchlists-remove-user

Remove a user from a watchlist.

Base Command

code42-watchlists-remove-user

Input

Argument Name | Description | Required |
---|---|---|
username | Email id of the user to add to Watchlist. | Required |
watchlist | WatchlistID or WatchlistType to remove user from. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.UsersRemovedFromWatchlists.Watchlist | string | The ID/Type of the watchlist user was removed from. |
Code42.UsersRemovedFromWatchlists.Username | string | The username removed from watchlist. |
Code42.UsersRemovedFromWatchlists.Success | boolean | If the user was removed successfully. |

Command example

!code42-watchlists-remove-user username="user_a@example.com" watchlist="b55978d5-2d50-494d-bec9-678867f3830c"

Human Readable Output

Results

Success | Username | Watchlist |
---|---|---|
true | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-watchlists-list-included-users

List all users who have been explicitly added to a given watchlist.

Base Command

code42-watchlists-list-included-users

Input

Argument Name | Description | Required |
---|---|---|
watchlist | The WatchlistID or WatchlistType to get a list of included users for. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.WatchlistUsers.WatchlistID | string | The ID of the Watchlist. |
Code42.WatchlistUsers.Username | string | The username on the watchlist. |
Code42.WatchlistUsers.AddedTime | datetime | The datetime the user was added to the watchlist. |

Command example

!code42-watchlists-list-included-users watchlist="DEPARTING_EMPLOYEE"

Human Readable Output

Watchlists

AddedTime | Username | WatchlistID |
---|---|---|
2022-02-26T18:41:45.766005 | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |
2022-03-31T20:41:47.2985 | user_b@example.com | b55978d5-2d50-494d-bec9-678867f3830c |
2022-03-31T14:43:48.059325 | user_c@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-departingemployee-add

Adds a user to the Departing Employee List.

Base Command

code42-departingemployee-add

Input

Argument Name | Description | Required |
---|---|---|
username | The username to add to the Departing Employee List. | Required |
departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
note | Note to attach to the Departing Employee. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"

Human Readable Output

UserID | DepartureDate | Note | Username |
---|---|---|---|
123 | 2020-02-28 | Leaving for competitor | john.user@example.com |

code42-departingemployee-remove

Removes a user from the Departing Employee List.

Base Command

code42-departingemployee-remove

Input

Argument Name | Description | Required |
---|---|---|
username | The username to remove from the Departing Employee List. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |

Command Example

!code42-departingemployee-remove username="john.user@example.com"

Human Readable Output

UserID | Username |
---|---|
123 | john.user@example.com |

code42-departingemployee-get

Retrieve departing employee details.

Base Command

code42-departingemployee-get

Input

Argument Name | Description | Required |
---|---|---|
username | Email id of the departing employee. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-get username="partner.demisto@example.com"

Human Readable Output

Retrieve departing employee

DepartureDate | Note | UserID | Username |
---|---|---|---|
| | Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-departingemployee-get-all

Get all employees on the Departing Employee List.

Base Command

code42-departingemployee-get-all

Input

Argument Name | Description | Required |
---|---|---|
results | The number of items to return. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-get-all

Human Readable Output

All Departing Employees

DepartureDate | Note | UserID | Username |
---|---|---|---|
2020-07-19 | User added from XSOAR | 921286907298179098 | user1@example.com |
2020-07-20 | User added from Jira ticket | 948938588694228306 | user1@example.com |
2020-07-20 | No note. | 912249223544144039 | unicode@example.com |
2020-07-20 | Lots of suspicious activity | 894165832411107815 | testuser@example.com |
2020-07-20 | L3 security risk | 949093399968329042 | user2@example.com |
2020-07-21 | Problems with performance | 942897397520286581 | user3@example.com |
2020-07-21 | Problems with performance | 906619740182876328 | user4@example.com |
2020-07-21 | Was a contract employee | 906619632003387560 | user5@example.com |
2020-07-21 | Was a contract employee | 912338501981077099 | user6@example.com |
2020-07-25 | Leaving for competitor | 951984198921509692 | user7@example.com.com |
2020-07-25 | Leaving for competitor | 895005723650937319 | user8@example.com |

code42-highriskemployee-add

Adds a user to the High Risk Employee List.

Base Command

code42-highriskemployee-add

Input

Argument Name | Description | Required |
---|---|---|
username | The username to add to the High Risk Employee List. | Required |
note | Note to attach to the High Risk Employee. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"

Human Readable Output

Code42 High Risk Employee List User Added

UserID | Username |
---|---|
942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-remove

Removes a user from the High Risk Employee List.

Base Command

code42-highriskemployee-remove

Input

Argument Name | Description | Required |
---|---|---|
username | The username to remove from the High Risk Employee List. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |

Command Example

!code42-highriskemployee-remove username="partner.demisto@example.com"

Human Readable Output

Code42 High Risk Employee List User Removed

UserID | Username |
---|---|
942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get

Retrieve high risk employee details.

Base Command

code42-highriskemployee-get

Input

Argument Name | Description | Required |
---|---|---|
username | Email id of the user. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-get username="partner.demisto@example.com"

Human Readable Output

Retrieve high risk employee

Note | UserID | Username |
---|---|---|
Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get-all

Get all employees on the High Risk Employee List.

Base Command

code42-highriskemployee-get-all

Input

Argument Name | Description | Required |
---|---|---|
risktags | To filter results by employees who have these risk tags. Space delimited. | Optional |
results | The number of items to return. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-get-all

Human Readable Output

Retrieved All High Risk Employees

Note | UserID | Username |
---|---|---|
Clicked Phishing link | 942897397520286581 | user1@example.com |
Lots of non-work-related activity | 895005723650937319 | user2@example.com |
User added using XSOAR | 912098363086307495 | user3@example.com |
User has performance concerns | 921286907298179098 | user4@example.com |
Highly demanded employee | 942876157732602741 | user5@example.com |

code42-highriskemployee-add-risk-tags

Base Command

code42-highriskemployee-add-risk-tags

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |

Command Example

!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Human Readable Output

Code42 Risk Tags Added

RiskTags | UserID | Username |
---|---|---|
PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |

code42-highriskemployee-remove-risk-tags

Base Command

code42-highriskemployee-remove-risk-tags

Input

Argument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required |

Context Output

Path | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |

Command Example

!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Human Readable Output

Code42 Risk Tags Removed

RiskTags | UserID | Username |
---|---|---|
PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |