Skip to main content

Code42

This Integration is part of the Code42 Pack.#

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

Configure Code42 in Cortex#

ParameterRequired
Code42 Console URL for your Code42 environmentTrue
API Client IDTrue
API Client SecretTrue
Fetch incidentsFalse
Incident typeFalse
Alert severities to fetch when fetching incidentsFalse
First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)False
Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at onceFalse
Include the list of files in returned incidents.False
Incidents Fetch IntervalFalse
Use v2 file eventsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

code42-file-events-search#


Search for Code42 Incydr File Events

Base Command#

code42-file-events-search

Input#

Argument NameDescriptionRequired
add-to-contextAdd results to context at 'Code42.FileEvents'. If 'false', the search will only display results as a markdown table.Optional
jsonRaw JSON file event query to be used for search.Optional
resultsThe number of file events to return. Defaults to 50. Default is 50.Optional
min_risk_scoreFilter results by minimum risk score. Default is 1.Optional
hashMD5 or SHA256 hash of the file to search for.Optional
usernameUsername to search for.Optional
hostnameHostname to search for.Optional

Context Output#

PathTypeDescription
Code42.FileEvents.timestampdateThe timestamp when the event occurred.
Code42.FileEvents.eventunknownSummary information about the event, including date observed, event type, and event source.
Code42.FileEvents.userunknownDetails about the user associated with the event (if any).
Code42.FileEvents.destinationunknownDetails about the destination target of the event (if any).
Code42.FileEvents.processunknownDetails about the CPU process involved in the event (if any).
Code42.FileEvents.riskunknownDetails overall risk severity for the event and lists all associated risk indicators.
Code42.FileEvents.gitunknownDetails about git repository involved in event (if any).
Code42.FileEvents.reportunknownDetails about Salesforce reports involved in the event (if any).
Code42.FileEvents.fileunknownDetails about file metadata for file involved in the event (if any).
Code42.FileEvents.sourceunknownInfo about the origin of a file involved in the event (if any).

code42-alert-get#


Retrieve alert details by alert ID

Base Command#

code42-alert-get

Input#

Argument NameDescriptionRequired
idThe alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents.Required

Context Output#

PathTypeDescription
Code42.SecurityAlert.UsernamestringThe username associated with the alert.
Code42.SecurityAlert.OccurreddateThe timestamp when the alert occurred.
Code42.SecurityAlert.DescriptionstringThe description of the alert.
Code42.SecurityAlert.IDstringThe alert ID.
Code42.SecurityAlert.NamestringThe alert rule name that generated the alert.
Code42.SecurityAlert.StatestringThe alert state.
Code42.SecurityAlert.TypestringThe alert type.
Code42.SecurityAlert.SeveritystringThe severity of the alert.

code42-alert-resolve#


Resolves a Code42 Security alert.

Base Command#

code42-alert-resolve

Input#

Argument NameDescriptionRequired
idThe alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents.Required

Context Output#

PathTypeDescription
Code42.SecurityAlert.IDstringThe alert ID of the resolved alert.

code42-departingemployee-add#


Adds a user to the Departing Employee List.

Base Command#

code42-departingemployee-add

Input#

Argument NameDescriptionRequired
usernameThe username to add to the Departing Employee List.Required
departuredateThe departure date for the employee, in the format YYYY-MM-DD.Optional
noteNote to attach to the Departing Employee.Optional

Context Output#

PathTypeDescription
Code42.DepartingEmployee.CaseIDstringInternal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
Code42.DepartingEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.DepartingEmployee.UsernamestringThe username of the Departing Employee.
Code42.DepartingEmployee.NotestringNote associated with the Departing Employee.
Code42.DepartingEmployee.DepartureDateUnknownThe departure date for the Departing Employee.

code42-departingemployee-remove#


Removes a user from the Departing Employee List.

Base Command#

code42-departingemployee-remove

Input#

Argument NameDescriptionRequired
usernameThe username to remove from the Departing Employee List.Optional

Context Output#

PathTypeDescription
Code42.DepartingEmployee.CaseIDstringInternal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
Code42.DepartingEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.DepartingEmployee.UsernamestringThe username of the Departing Employee.

code42-departingemployee-get-all#


Get all employees on the Departing Employee List.

Base Command#

code42-departingemployee-get-all

Input#

Argument NameDescriptionRequired
resultsThe number of items to return.Optional
filtertypeFilters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN, LEAVING_TODAY. Default is OPEN.Optional

Context Output#

PathTypeDescription
Code42.DepartingEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.DepartingEmployee.UsernamestringThe username of the Departing Employee.
Code42.DepartingEmployee.NotestringNote associated with the Departing Employee.
Code42.DepartingEmployee.DepartureDateUnknownThe departure date for the Departing Employee.

code42-highriskemployee-add#


Adds a user to the High Risk Employee List.

Base Command#

code42-highriskemployee-add

Input#

Argument NameDescriptionRequired
usernameThe username to add to the High Risk Employee List.Required
noteNote to attach to the High Risk Employee.Optional

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDstringInternal Code42 User ID for the High Risk Employee.
Code42.HighRiskEmployee.UsernamestringThe username of the High Risk Employee.
Code42.HighRiskEmployee.NotestringNote associated with the High Risk Employee.

code42-highriskemployee-remove#


Removes a user from the High Risk Employee List.

Base Command#

code42-highriskemployee-remove

Input#

Argument NameDescriptionRequired
usernameThe username to remove from the High Risk Employee List.Required

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDUnknownInternal Code42 User ID for the High Risk Employee.
Code42.HighRiskEmployee.UsernameUnknownThe username of the High Risk Employee.

code42-highriskemployee-get-all#


Get all employees on the High Risk Employee List.

Base Command#

code42-highriskemployee-get-all

Input#

Argument NameDescriptionRequired
risktagsTo filter results by employees who have these risk tags. Comma delimited. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE.Optional
resultsThe number of items to return.Optional
filtertypeFilters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN. Default is OPEN.Optional

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDstringInternal Code42 User ID for the High Risk Employee.
Code42.HighRiskEmployee.UsernamestringThe username of the High Risk Employee.
Code42.HighRiskEmployee.NotestringNote associated with the High Risk Employee.

code42-highriskemployee-add-risk-tags#


Associates risk tags with the employee with the given username.

Base Command#

code42-highriskemployee-add-risk-tags

Input#

Argument NameDescriptionRequired
usernameThe username of the High Risk Employee.Required
risktagsComma-delimited risk tags to associate with the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE.Required

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.HighRiskEmployee.UsernamestringThe username of the High Risk Employee.
Code42.HighRiskEmployee.RiskTagsUnknownRisk tags to associate with the High Risk Employee.

code42-highriskemployee-remove-risk-tags#


Disassociates risk tags from the user with the given username.

Base Command#

code42-highriskemployee-remove-risk-tags

Input#

Argument NameDescriptionRequired
usernameThe username of the High Risk Employee.Required
risktagsComma-delimited risk tags to disassociate from the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE.Required

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.HighRiskEmployee.UsernamestringThe username of the High Risk Employee.
Code42.HighRiskEmployee.RiskTagsUnknownRisk tags to disassociate from the High Risk Employee.

code42-user-create#


Creates a Code42 user.

Base Command#

code42-user-create

Input#

Argument NameDescriptionRequired
orgnameThe name of the Code42 organization from which to add the user.Required
usernameThe username to give to the user.Required
emailThe email of the user to create. Default is The email to give to the user..Required

Context Output#

PathTypeDescription
Code42.User.UsernameStringA username for a Code42 user.
Code42.User.EmailStringAn email for a Code42 user.
Code42.User.UserIDStringAn ID for a Code42 user.

code42-user-block#


Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.

Base Command#

code42-user-block

Input#

Argument NameDescriptionRequired
usernameThe username of the user to block.Required

Context Output#

PathTypeDescription
Code42.User.UserIDStringAn ID for a Code42 user.

code42-user-deactivate#


Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.

Base Command#

code42-user-deactivate

Input#

Argument NameDescriptionRequired
usernameThe username of the user to deactivate.Required

Context Output#

PathTypeDescription
Code42.User.UserIDStringThe ID of a Code42 User.

code42-user-unblock#


Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.

Base Command#

code42-user-unblock

Input#

Argument NameDescriptionRequired
usernameThe username of the user to unblock.Required

Context Output#

PathTypeDescription
Code42.User.UserIDStringAn ID for a Code42 user.

code42-user-reactivate#


Reactivates the user with the given username.

Base Command#

code42-user-reactivate

Input#

Argument NameDescriptionRequired
usernameThe username of the user to reactivate.Required

Context Output#

PathTypeDescription
Code42.User.UserIDStringThe ID of a Code42 User.

code42-legalhold-add-user#


Adds a Code42 user to a legal hold matter.

Base Command#

code42-legalhold-add-user

Input#

Argument NameDescriptionRequired
usernameThe username of the user to add to the given legal hold matter.Required
matternameThe name of the legal hold matter to which the user will be added.Required

Context Output#

PathTypeDescription
Code42.LegalHold.UserIDUnknownThe ID of a Code42 user.
Code42.LegalHold.MatterIDStringThe ID of a Code42 legal hold matter.
Code42.LegalHold.UsernameStringA username for a Code42 user.
Code42.LegalHold.MatterNameStringA name for a Code42 legal hold matter.

code42-legalhold-remove-user#


Removes a Code42 user from a legal hold matter.

Base Command#

code42-legalhold-remove-user

Input#

Argument NameDescriptionRequired
usernameThe username of the user to release from the given legal hold matter.Required
matternameThe name of the legal hold matter from which the user will be released.Required

Context Output#

PathTypeDescription
Code42.LegalHold.UserIDUnknownThe ID of a Code42 user.
Code42.LegalHold.MatterIDStringThe ID of a Code42 legal hold matter.
Code42.LegalHold.UsernameStringA username for a Code42 user.
Code42.LegalHold.MatterNameStringA name for a Code42 legal hold matter.

code42-download-file#


Downloads a file from Code42.

Base Command#

code42-download-file

Input#

Argument NameDescriptionRequired
hashEither the SHA256 or MD5 hash of the file.Required
filenameThe filename to save the file as.Optional

Context Output#

PathTypeDescription
File.SizeNumberThe size of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe SSDeep hash of the file.
File.EntryIDStringThe entry ID of the file.
File.InfoStringFile information.
File.TypeStringThe file type.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe file extension.

code42-highriskemployee-get#


Retrieve high risk employee details.

Base Command#

code42-highriskemployee-get

Input#

Argument NameDescriptionRequired
usernameEmail id of the user.Required

Context Output#

PathTypeDescription
Code42.HighRiskEmployee.UserIDstringInternal Code42 User ID for the High Risk Employee.
Code42.HighRiskEmployee.UsernamestringThe username of the High Risk Employee.
Code42.HighRiskEmployee.NotestringNote associated with the High Risk Employee.

code42-departingemployee-get#


Retrieve departing employee details.

Base Command#

code42-departingemployee-get

Input#

Argument NameDescriptionRequired
usernameEmail id of the departing employee.Required

Context Output#

PathTypeDescription
Code42.DepartingEmployee.UserIDstringInternal Code42 User ID for the Departing Employee.
Code42.DepartingEmployee.UsernamestringThe username of the Departing Employee.
Code42.DepartingEmployee.NotestringNote associated with the Departing Employee.
Code42.DepartingEmployee.DepartureDateUnknownThe departure date for the Departing Employee.

code42-watchlists-list#


List all existing watchlists in your environment.

Base Command#

code42-watchlists-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
Code42.Watchlists.ListTypestringThe Type of Watchlist.
Code42.Watchlists.IdstringThe ID of the Watchlist.
Code42.Watchlists.IncludedUserCountintegerThe count of included users on the Watchlist.

code42-watchlists-add-user#


Add a user to a watchlist.

Base Command#

code42-watchlists-add-user

Input#

Argument NameDescriptionRequired
usernameEmail id of the user to add to Watchlist.Required
watchlistWatchlistID or WatchlistType to add user to.Required

Context Output#

PathTypeDescription
Code42.UsersAddedToWatchlists.WatchliststringThe ID/Type of the watchlist user was added to.
Code42.UsersAddedToWatchlists.UsernamestringThe username added to watchlist.
Code42.UsersAddedToWatchlists.SuccessbooleanIf the user was added successfully.

code42-watchlists-remove-user#


Remove a user from a watchlist.

Base Command#

code42-watchlists-remove-user

Input#

Argument NameDescriptionRequired
usernameEmail id of the user to add to Watchlist.Required
watchlistWatchlistID or WatchlistType to remove user from.Required

Context Output#

PathTypeDescription
Code42.UsersRemovedFromWatchlists.WatchliststringThe ID/Type of the watchlist user was removed from.
Code42.UsersRemovedFromWatchlists.UsernamestringThe username removed from watchlist.
Code42.UsersRemovedFromWatchlists.SuccessbooleanIf the user was removed successfully.

code42-watchlists-list-included-users#


List all users who have been explicitly added to a given watchlist.

Base Command#

code42-watchlists-list-included-users

Input#

Argument NameDescriptionRequired
watchlistThe WatchlistID or WatchlistType to get a list of included users for.Required

Context Output#

PathTypeDescription
Code42.WatchlistUsers.WatchlistIDstringThe ID of the Watchlist.
Code42.WatchlistUsers.UsernamestringThe username on the watchlist.
Code42.WatchlistUsers.AddedTimedatetimeThe datetime the user was added to the watchlist.

code42-get-user-risk-profile#


Get the risk profile details for a given user.

Base Command#

code42-user-get-risk-profile

Input#

Argument NameDescriptionRequired
usernameThe user to get risk profile for.Required

Context Output#

PathTypeDescription
Code42.UserRiskProfiles.UsernamestringThe username.
Code42.UserRiskProfiles.StartDatedateThe startDate value of the UserRiskProfile.
Code42.UserRiskProfiles.EndDatedateThe startDate value of the UserRiskProfile.
Code42.UserRiskProfiles.NotesstringThe notes value of the UserRiskProfile.

code42-user-update-risk-profile#


Update a user's risk profile.

Base Command#

code42-user-update-risk-profile

Input#

Argument NameDescriptionRequired
usernameThe user to update.Required
start_dateThe user's start date (useful for New Employee Watchlist).Optional
end_dateThe user's end date (useful for Departing Employee Watchlist).Optional
notesRisk profile notes.Optional

Context Output#

PathTypeDescription
Code42.UpdatedUserRiskProfiles.UsernamestringThe user that was updated.
Code42.UpdatedUserRiskProfiles.StartDatedateThe startDate value of the UserRiskProfile after the update.
Code42.UpdatedUserRiskProfiles.EndDatedateThe startDate value of the UserRiskProfile after the update.
Code42.UpdatedUserRiskProfiles.NotesstringThe notes value of the UserRiskProfile after the update.
Code42.UpdatedUserRiskProfiles.SuccessbooleanIf the risk profile update was successful.

code42-file-events-table#


Render Code42 file events from the context as a markdown table

Base Command#

code42-file-events-table

Input#

Argument NameDescriptionRequired
includeSelect which events to include in the table.
- 'incident' only displays the events that originally triggered the Code42 Alert.
- 'searches' only displays events that have been added to the context from 'code42-file-events-search' commands.
- 'all' will include all events in the table.
. Possible values are: all, incident, searches. Default is all.
Optional

Context Output#

There is no context output for this command.