Code42
Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
Configure Code42 on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Code42.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| console_url | Code42 Console URL for your Code42 environment | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| alert_severity | Alert severities to fetch when fetching incidents | False |
| fetch_time | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
| fetch_limit | Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
| include_files | Include the list of files in returned incidents. | False |
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
code42-securitydata-search#
Searches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
Base Command#
code42-securitydata-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| json | JSON query payload using Code42 query syntax. | Optional |
| hash | MD5 or SHA256 hash of the file to search for. | Optional |
| username | Username to search for. | Optional |
| hostname | Hostname to search for. | Optional |
| exposure | Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain". | Optional |
| results | The number of results to return. The default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.SecurityData.EventTimestamp | date | Timestamp for the event. |
| Code42.SecurityData.FileCreated | date | File creation date. |
| Code42.SecurityData.EndpointID | string | Code42 device ID. |
| Code42.SecurityData.DeviceUsername | string | The username that the device is associated with in Code42. |
| Code42.SecurityData.EmailFrom | string | The sender email address for email exfiltration events. |
| Code42.SecurityData.EmailTo | string | The recipient email address for email exfiltration events. |
| Code42.SecurityData.EmailSubject | string | The email subject line for email exfiltration events. |
| Code42.SecurityData.EventID | string | The Security Data event ID. |
| Code42.SecurityData.EventType | string | The type of Security Data event. |
| Code42.SecurityData.FileCategory | string | The file type, as determined by Code42 engine. |
| Code42.SecurityData.FileOwner | string | The owner of the file. |
| Code42.SecurityData.FileName | string | The file name. |
| Code42.SecurityData.FilePath | string | The path to file. |
| Code42.SecurityData.FileSize | number | The size of the file (in bytes). |
| Code42.SecurityData.FileModified | date | The date the file was last modified. |
| Code42.SecurityData.FileMD5 | string | MD5 hash of the file. |
| Code42.SecurityData.FileHostname | string | Hostname where the file event was captured. |
| Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of the device where the event was captured. |
| Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of the device where the event was captured. |
| Code42.SecurityData.RemovableMediaType | string | Type of removable media. |
| Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media (in bytes). |
| Code42.SecurityData.RemovableMediaMediaName | string | The full name of the removable media. |
| Code42.SecurityData.RemovableMediaName | string | The name of the removable media. |
| Code42.SecurityData.RemovableMediaSerialNumber | string | The serial number for the removable medial device. |
| Code42.SecurityData.RemovableMediaVendor | string | The vendor name for removable device. |
| Code42.SecurityData.FileSHA256 | string | The SHA256 hash of the file. |
| Code42.SecurityData.FileShared | boolean | Whether the file is shared using a cloud file service. |
| Code42.SecurityData.FileSharedWith | string | Accounts that the file is shared with on a cloud file service. |
| Code42.SecurityData.Source | string | The source of the file event. Can be "Cloud" or "Endpoint". |
| Code42.SecurityData.ApplicationTabURL | string | The URL associated with the application read event. |
| Code42.SecurityData.ProcessName | string | The process name for the application read event. |
| Code42.SecurityData.ProcessOwner | string | The process owner for the application read event. |
| Code42.SecurityData.WindowTitle | string | The process name for the application read event. |
| Code42.SecurityData.FileURL | string | The URL of the file on a cloud file service. |
| Code42.SecurityData.Exposure | string | The event exposure type. |
| Code42.SecurityData.SharingTypeAdded | string | The type of sharing added to the file. |
| File.Name | string | The file name. |
| File.Path | string | The file path. |
| File.Size | number | The file size (in bytes). |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Hostname | string | The hostname where the file event was captured. |
Command Example#
!code42-securitydata-search hash=eef8b12d2ed0d6a69fe77699d5640c7b exposure=CloudStorage,ApplicationRead
Human Readable Output#
| EventType | FileName | FileSize | FileHostname | FileOwner | FileCategory |
|---|---|---|---|---|---|
| READ_BY_APP | ProductPhoto.jpg | 333114 | DESKTOP-001 | john.user | IMAGE |
code42-alert-get#
Retrieve alert details by alert ID
Base Command#
code42-alert-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.SecurityAlert.Username | string | The username associated with the alert. |
| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
| Code42.SecurityAlert.Description | string | The description of the alert. |
| Code42.SecurityAlert.ID | string | The alert ID. |
| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
| Code42.SecurityAlert.State | string | The alert state. |
| Code42.SecurityAlert.Type | string | The alert type. |
| Code42.SecurityAlert.Severity | string | The severity of the alert. |
Command Example#
!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"
Human Readable Output#
| Type | Occurred | Username | Name | Description | State | ID |
|---|---|---|---|---|---|---|
| FED_CLOUD_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 |
code42-alert-resolve#
Resolves a Code42 Security alert.
Base Command#
code42-alert-resolve
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |
Command Example#
!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"
Human Readable Output#
| ID |
|---|
| eb272d18-bc82-4680-b570-ac5d61c6cca6 |
code42-departingemployee-add#
Adds a user to the Departing Employee List.
Base Command#
code42-departingemployee-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to add to the Departing Employee List. | Required |
| departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
| note | Note to attach to the Departing Employee. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
Command Example#
!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"
Human Readable Output#
| UserID | DepartureDate | Note | Username |
|---|---|---|---|
| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com |
code42-departingemployee-remove#
Removes a user from the Departing Employee List.
Base Command#
code42-departingemployee-remove
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to remove from the Departing Employee List. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Command Example#
!code42-departingemployee-remove username="john.user@example.com"
Human Readable Output#
| UserID | Username |
|---|---|
| 123 | john.user@example.com |
code42-departingemployee-get#
Retrieve departing employee details.
Base Command#
code42-departingemployee-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the departing employee. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
Command Example#
!code42-departingemployee-get username="partner.demisto@example.com"
Context Example#
Human Readable Output#
Retrieve departing employee#
| DepartureDate | Note | UserID | Username |
|---|---|---|---|
| Risky activity | 942876157732602741 | partner.demisto@example.com |
code42-departingemployee-get-all#
Get all employees on the Departing Employee List.
Base Command#
code42-departingemployee-get-all
Input#
| Argument Name | Description | Required |
|---|---|---|
| results | The number of items to return. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
Command Example#
!code42-departingemployee-get-all
Context Example#
Human Readable Output#
All Departing Employees#
| DepartureDate | Note | UserID | Username |
|---|---|---|---|
| 2020-07-19 | User added from XSOAR | 921286907298179098 | user1@example.com |
| 2020-07-20 | User added from Jira ticket | 948938588694228306 | user1@example.com |
| 2020-07-20 | No note. | 912249223544144039 | unicode@example.com |
| 2020-07-20 | Lots of suspicious activity | 894165832411107815 | testuser@example.com |
| 2020-07-20 | L3 security risk | 949093399968329042 | user2@example.com |
| 2020-07-21 | Problems with performance | 942897397520286581 | user3@example.com |
| 2020-07-21 | Problems with performance | 906619740182876328 | user4@example.com |
| 2020-07-21 | Was a contract employee | 906619632003387560 | user5@example.com |
| 2020-07-21 | Was a contract employee | 912338501981077099 | user6@example.com |
| 2020-07-25 | Leaving for competitor | 951984198921509692 | user7@example.com.com |
| 2020-07-25 | Leaving for competitor | 895005723650937319 | user8@example.com |
code42-highriskemployee-add#
Adds a user from the High Risk Employee List.
Base Command#
code42-highriskemployee-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to add to the High Risk Employee List. | Required |
| note | Note to attach to the High Risk Employee. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
Command Example#
!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"
Context Example#
Human Readable Output#
Code42 High Risk Employee List User Added#
| UserID | Username |
|---|---|
| 942876157732602741 | partner.demisto@example.com |
code42-highriskemployee-remove#
Removes a user from the High Risk Employee List.
Base Command#
code42-highriskemployee-remove
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to remove from the High Risk Employee List. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |
Command Example#
!code42-highriskemployee-remove username="partner.demisto@example.com" note="Risky activity"
Context Example#
Human Readable Output#
Code42 High Risk Employee List User Removed#
| UserID | Username |
|---|---|
| 942876157732602741 | partner.demisto@example.com |
code42-highriskemployee-get#
Retrieve high risk employee details.
Base Command#
code42-highriskemployee-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the user. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
Command Example#
!code42-highriskemployee-get username="partner.demisto@example.com"
Context Example#
Human Readable Output#
Retrieve high risk employee#
| Note | UserID | Username |
|---|---|---|
| Risky activity | 942876157732602741 | partner.demisto@example.com |
code42-highriskemployee-get-all#
Get all employees on the High Risk Employee List.
Base Command#
code42-highriskemployee-get-all
Input#
| Argument Name | Description | Required |
|---|---|---|
| risktags | To filter results by employees who have these risk tags. Space delimited. | Optional |
| results | The number of items to return. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
Command Example#
!code42-highriskemployee-get-all
Context Example#
Human Readable Output#
Retrieved All High Risk Employees#
| Note | UserID | Username |
|---|---|---|
| Clicked Phishing link | 942897397520286581 | user1@example.com |
| Lots of non-work-related activity | 895005723650937319 | user2@example.com |
| User added using XSOAR | 912098363086307495 | user3@example.com |
| User has performance concerns | 921286907298179098 | user4@example.com |
| Highly demanded employee | 942876157732602741 | user5@example.com |
code42-highriskemployee-add-risk-tags#
Base Command#
code42-highriskemployee-add-risk-tags
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |
Command Example#
!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" note="PERFORMANCE_CONCERN"
Human Readable Output#
Code42 Risk Tags Added#
| RiskTags | UserID | Username |
|---|---|---|
| PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |
code42-highriskemployee-remove-risk-tags#
Base Command#
code42-highriskemployee-remove-risk-tags
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |
Command Example#
!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"
Context Example#
Human Readable Output#
Code42 Risk Tags Removed#
| RiskTags | UserID | Username |
|---|---|---|
| PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |
code42-user-create#
Creates a Code42 user.
Base Command#
code42-user-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| orgname | The name of the Code42 organization from which to add the user. | Required |
| username | The username to give to the user. | Required |
| The email of the user to create. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.Username | String | A username for a Code42 user. |
| Code42.User.Email | String | An email for a Code42 user. |
| Code42.User.UserID | String | An ID for a Code42 user. |
Command Example#
!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"
Human Readable Output#
Code42 User Created#
| UserID | Username | |
|---|---|---|
| created.in.cortex.xsoar@example.com | 1111158111459014270 | created.in.cortex.xsoar@example.com |
code42-user-block#
Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
Base Command#
code42-user-block
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to block. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | An ID for a Code42 user. |
Command Example#
!code42-user-block username="partner.demisto@example.com"
Human Readable Output#
Code42 User Blocked#
| UserID |
|---|
| C2345 |
code42-user-unblock#
Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
Base Command#
code42-user-unblock
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to unblock. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | An ID for a Code42 user. |
Command Example#
!code42-user-unblock username="partner.demisto@example.com"
Human Readable Output#
Code42 User Blocked#
| UserID |
|---|
| C2345 |
code42-user-deactivate#
Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
Base Command#
code42-user-deactivate
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to deactivate. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | The ID of a Code42 User. |
Command Example#
!code42-user-deactivate username="partner.demisto@example.com"
Human Readable Output#
Code42 User Deactivated#
| UserID |
|---|
| 123456790 |
code42-user-reactivate#
Reactivates the user with the given username.
Base Command#
code42-user-reactivate
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to reactivate. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | The ID of a Code42 User. |
Command Example#
!code42-user-reactivate username="partner.demisto@example.com"
Human Readable Output#
Code42 User Reactivated#
| UserID |
|---|
| 123456790 |
code42-legalhold-add-user#
Adds a Code42 user to a legal hold matter.
Base Command#
code42-legalhold-add-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to add to the given legal hold matter. | Required |
| mattername | The name of the legal hold matter to which the user will be added. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
Command Example#
!code42-legalhold-add-user username="partner.demisto@example.com" mattername="test"
Context Example#
Human Readable Output#
Code42 User Added to Legal Hold Matter#
| MatterID | MatterName | UserID | Username |
|---|---|---|---|
| 932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |
code42-legalhold-remove-user#
Removes a Code42 user from a legal hold matter.
Base Command#
code42-legalhold-remove-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to release from the given legal hold matter. | Required |
| mattername | The name of the legal hold matter from which the user will be released. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
Command Example#
!code42-legalhold-remove-user username="partner.demisto@example.com" mattername="test"
Context Example#
Human Readable Output#
Code42 User Removed from Legal Hold Matter#
| MatterID | MatterName | UserID | Username |
|---|---|---|---|
| 932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |
code42-download-file#
Downloads a file from Code42.
Base Command#
code42-download-file
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash | Either the SHA256 or MD5 hash of the file. | Required |
Command Example#
!code42-download-file hash="bf6b326107d4d85eb485eed84b28133a"
Human Readable Output#
Code42 User Deactivated#
| Type | Size | Info | MD5 | SHA1 | SHA256 | SHA512 | SSDeep |
|---|---|---|---|---|---|---|---|
| application/vnd.ms-excel | 41,472 bytes | Composite Document File V2 Document, Little Endian, Os: MacOS, Version 14.10, Code page: 10000, Last Saved By: John Doe, Name of Creating Application: Microsoft Macintosh Excel, Create Time/Date: Fri Feb 21 17:35:19 2020, Last Saved Time/Date: Mon Apr 13 11:54:08 2020, Security: 0 | 2e45562437ec4f41387f2e14c3850dd6 | 59e552e637bfe5254b163bb4e426a2322d10f50d | d3f8566d04df5dc34bf2607ac803a585ac81e06f28afe81f35cc2e5fe63d2ab5 | 776bd9626761cd567a4b498bafe4f5f896c3f4bc9f3c60513ccacd14251a2568fa3ba44060000affa8b57fb768c417cf271500086e4e49272f26b26a90627abb | 768:pudkQzl3ZpWh+QO3uMdS9dSttRJwyE/KtxA1almvy6mhk+GlESOwWoqSY7bTKCUv:siQzl3ZpWh+QO3uMdS9dSttRJwyE/KtF |