Code42

This Integration is part of the Code42 Pack.#

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

Configure Code42 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Code42.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Code42 Console URL for your Code42 environment | True |
    | API Client ID | True |
    | Password | True |
    | Fetch incidents | False |
    | Incident type | False |
    | Alert severities to fetch when fetching incidents | False |
    | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
    | Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
    | Include the list of files in returned incidents. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

code42-securitydata-search#


Searches for file events by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it is used to the exclusion of all other parameters; otherwise, the parameters are combined with an AND clause.

Base Command#

code42-securitydata-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| json | JSON query payload using Code42 query syntax. | Optional |
| hash | MD5 or SHA256 hash of the file to search for. | Optional |
| username | Username to search for. | Optional |
| hostname | Hostname to search for. | Optional |
| exposure | Exposure types to search for. Values can be "All", "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", "SharedViaDomain", or "OutsideTrustedDomains". When "All" is specified with other types, other types would be ignored and filter rule for all types would be applied. Possible values are: All, RemovableMedia, ApplicationRead, CloudStorage, IsPublic, SharedViaLink, SharedViaDomain, OutsideTrustedDomains. | Optional |
| results | The number of results to return. The default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityData.EventTimestamp | date | Timestamp for the event. |
| Code42.SecurityData.FileCreated | date | File creation date. |
| Code42.SecurityData.EndpointID | string | Code42 device ID. |
| Code42.SecurityData.DeviceUsername | string | The username that the device is associated with in Code42. |
| Code42.SecurityData.EmailFrom | string | The sender email address for email exfiltration events. |
| Code42.SecurityData.EmailTo | string | The recipient email address for email exfiltration events. |
| Code42.SecurityData.EmailSubject | string | The email subject line for email exfiltration events. |
| Code42.SecurityData.EventID | string | The Security Data event ID. |
| Code42.SecurityData.EventType | string | The type of Security Data event. |
| Code42.SecurityData.FileCategory | string | The file type, as determined by Code42 engine. |
| Code42.SecurityData.FileOwner | string | The owner of the file. |
| Code42.SecurityData.FileName | string | The file name. |
| Code42.SecurityData.FilePath | string | The path to file. |
| Code42.SecurityData.FileSize | number | The size of the file (in bytes). |
| Code42.SecurityData.FileModified | date | The date the file was last modified. |
| Code42.SecurityData.FileMD5 | string | MD5 hash of the file. |
| Code42.SecurityData.FileHostname | string | Hostname where the file event was captured. |
| Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of the device where the event was captured. |
| Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of the device where the event was captured. |
| Code42.SecurityData.RemovableMediaType | string | Type of removable media. |
| Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media (in bytes). |
| Code42.SecurityData.RemovableMediaMediaName | string | The full name of the removable media. |
| Code42.SecurityData.RemovableMediaName | string | The name of the removable media. |
| Code42.SecurityData.RemovableMediaSerialNumber | string | The serial number for the removable media device. |
| Code42.SecurityData.RemovableMediaVendor | string | The vendor name for removable device. |
| Code42.SecurityData.FileSHA256 | string | The SHA256 hash of the file. |
| Code42.SecurityData.FileShared | boolean | Whether the file is shared using a cloud file service. |
| Code42.SecurityData.FileSharedWith | string | Accounts that the file is shared with on a cloud file service. |
| Code42.SecurityData.Source | string | The source of the file event. Can be "Cloud" or "Endpoint". |
| Code42.SecurityData.ApplicationTabURL | string | The URL associated with the application read event. |
| Code42.SecurityData.ProcessName | string | The process name for the application read event. |
| Code42.SecurityData.ProcessOwner | string | The process owner for the application read event. |
| Code42.SecurityData.WindowTitle | string | The process name for the application read event. |
| Code42.SecurityData.FileURL | string | The URL of the file on a cloud file service. |
| Code42.SecurityData.Exposure | string | The event exposure type. |
| Code42.SecurityData.SharingTypeAdded | string | The type of sharing added to the file. |
| File.Name | string | The file name. |
| File.Path | string | The file path. |
| File.Size | number | The file size (in bytes). |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Hostname | string | The hostname where the file event was captured. |

Command example#

!code42-securitydata-search exposure=All results=3

Context Example#

{
"Code42": {
"SecurityData": [
{
"ApplicationTabURL": "https://drive.google.com/drive/folders/example",
"DevicePrivateIPAddress": [
"127.0.0.1"
],
"DeviceUsername": "user@example.com",
"EndpointID": "1047677644054752513",
"EventID": "0_1d71796f-example1",
"EventTimestamp": "2022-03-11T19:00:28.857Z",
"EventType": "READ_BY_APP",
"Exposure": [
"ApplicationRead"
],
"FileCategory": "SourceCode",
"FileCreated": "2021-08-24T15:53:00.925Z",
"FileHostname": "DESKTOP-H6V9R95",
"FileMD5": "764f90384e56597e6bba691c75d23875",
"FileModified": "2021-08-24T15:53:01.111Z",
"FileName": "revenue_algorithm.py",
"FileOwner": "user",
"FilePath": "C:/Users/example/Desktop/",
"FileSHA256": "5cf3d58f1af8ac32ae74bc75d35132f8151f9826b4e6d79131c68475a53106f9",
"FileSize": 1000000,
"ProcessName": "\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"ProcessOwner": "",
"Source": "Endpoint",
"WindowTitle": [
"Exfil - Google Drive - Profile 1 - Microsoft\u200b Edge"
]
},
{
"ApplicationTabURL": "https://drive.google.com/drive/folders/example",
"DevicePrivateIPAddress": [
"127.0.0.1"
],
"DeviceUsername": "user@example.com",
"EndpointID": "1047677644054752513",
"EventID": "0_1d71796f-example2",
"EventTimestamp": "2022-03-11T19:00:28.819Z",
"EventType": "READ_BY_APP",
"Exposure": [
"ApplicationRead"
],
"FileCategory": "SourceCode",
"FileCreated": "2021-08-24T15:53:01.262Z",
"FileHostname": "DESKTOP-H6V9R95",
"FileMD5": "953fd5bd78ed02af93f503af8a924fc6",
"FileModified": "2021-08-24T15:53:01.692Z",
"FileName": "core_IP.py",
"FileOwner": "user",
"FilePath": "C:/Users/example/Desktop/",
"FileSHA256": "c096682d62c7f4dc8b02dd55e8c595f8374c7b5a5e6f1c87883f6e541f859420",
"FileSize": 1000000,
"ProcessName": "\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"ProcessOwner": "user",
"Source": "Endpoint",
"WindowTitle": [
"Exfil - Google Drive - Profile 1 - Microsoft\u200b Edge"
]
}
]
},
"File": [
{
"Hostname": "DESKTOP-H6V9R95",
"MD5": "764f90384e56597e6bba691c75d23875",
"Name": "revenue_algorithm.py",
"Path": "C:/Users/example/Desktop/",
"SHA256": "5cf3d58f1af8ac32ae74bc75d35132f8151f9826b4e6d79131c68475a53106f9",
"Size": 1000000
},
{
"Hostname": "DESKTOP-H6V9R95",
"MD5": "953fd5bd78ed02af93f503af8a924fc6",
"Name": "core_IP.py",
"Path": "C:/Users/example/Desktop/",
"SHA256": "c096682d62c7f4dc8b02dd55e8c595f8374c7b5a5e6f1c87883f6e541f859420",
"Size": 1000000
}
]
}

Human Readable Output#

Results#

| Hostname | MD5 | Name | Path | SHA256 | Size |
| --- | --- | --- | --- | --- | --- |
| DESKTOP-H6V9R95 | 764f90384e56597e6bba691c75d23875 | revenue_algorithm.py | C:/Users/example/Desktop/ | 5cf3d58f1af8ac32ae74bc75d35132f8151f9826b4e6d79131c68475a53106f9 | 1000000 |
| DESKTOP-H6V9R95 | 953fd5bd78ed02af93f503af8a924fc6 | core_IP.py | C:/Users/example/Desktop/ | c096682d62c7f4dc8b02dd55e8c595f8374c7b5a5e6f1c87883f6e541f859420 | 1000000 |
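
An added example, not part of the Code42 integration or its documentation: Python code that takes a Code42.SecurityData context in the shape shown above, summarizes it per user while counting each file once by hash, and builds the code42-download-file commands for follow-up. The sample events are constructed, and the names summarize_by_user, download_commands, parse_ts and as_list are assumptions of this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

A_SHA256 = "a" * 64  # constructed placeholder hashes, not real files
B_MD5 = "b" * 32

# Constructed events using field names from the Context Output table above.
SAMPLE_CONTEXT = {
    "Code42": {
        "SecurityData": [
            {"DeviceUsername": "user@example.com", "EventID": "constructed-1",
             "EventTimestamp": "2022-03-11T19:00:28.857Z",
             "Exposure": ["ApplicationRead"],
             "ApplicationTabURL": "https://drive.google.com/drive/folders/example",
             "FileName": "revenue_algorithm.py", "FileSHA256": A_SHA256,
             "FileSize": 1000000},
            # Same file seen in a second event: counted once below.
            {"DeviceUsername": "user@example.com", "EventID": "constructed-2",
             "EventTimestamp": "2022-03-11T19:05:00.000Z",
             "Exposure": ["ApplicationRead"],
             "ApplicationTabURL": "https://drive.google.com/drive/folders/example",
             "FileName": "revenue_algorithm.py", "FileSHA256": A_SHA256,
             "FileSize": 1000000},
            # Removable-media event that carries only an MD5.
            {"DeviceUsername": "user@example.com", "EventID": "constructed-3",
             "EventTimestamp": "2022-03-11T18:59:00.100Z",
             "Exposure": ["RemovableMedia"],
             "RemovableMediaSerialNumber": "CONSTRUCTED-SN-1",
             "FileName": "core_IP.py", "FileMD5": B_MD5, "FileSize": 2500},
        ]
    }
}


def as_list(value):
    """Context values may be a single item or a list; normalize to a list."""
    if value is None or value == "":
        return []
    return value if isinstance(value, list) else [value]


def parse_ts(value):
    """Parse timestamps such as 2022-03-11T19:00:28.857Z (any fraction length)."""
    head, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]  # strptime accepts at most 6 fractional digits
    parsed = datetime.strptime(f"{head}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def summarize_by_user(context):
    """Return {username: summary} for the events under Code42.SecurityData."""
    raw = {}
    for event in as_list(context.get("Code42", {}).get("SecurityData")):
        user = event.get("DeviceUsername") or "(unknown)"
        entry = raw.setdefault(user, {"events": 0, "files": {}, "exposure": set(),
                                      "destinations": set(), "media": set(),
                                      "times": []})
        entry["events"] += 1
        # Prefer SHA256 as the file identity, fall back to MD5.
        file_key = event.get("FileSHA256") or event.get("FileMD5")
        if file_key:
            entry["files"].setdefault(file_key, event.get("FileSize") or 0)
        entry["exposure"].update(as_list(event.get("Exposure")))
        host = urlparse(event.get("ApplicationTabURL") or "").hostname
        if host:
            entry["destinations"].add(host)
        if event.get("RemovableMediaSerialNumber"):
            entry["media"].add(event["RemovableMediaSerialNumber"])
        if event.get("EventTimestamp"):
            entry["times"].append(parse_ts(event["EventTimestamp"]))

    summary = {}
    for user, entry in raw.items():
        times = sorted(entry["times"])
        summary[user] = {
            "event_count": entry["events"],
            "unique_files": len(entry["files"]),
            "unique_bytes": sum(entry["files"].values()),
            "exposure": sorted(entry["exposure"]),
            "destinations": sorted(entry["destinations"]),
            "removable_media": sorted(entry["media"]),
            "first_seen": times[0].isoformat() if times else None,
            "last_seen": times[-1].isoformat() if times else None,
            "hashes": sorted(entry["files"]),
        }
    return summary


def download_commands(summary, user):
    """Build one code42-download-file command per distinct file hash."""
    return [f"!code42-download-file hash={h}" for h in summary[user]["hashes"]]


if __name__ == "__main__":
    result = summarize_by_user(SAMPLE_CONTEXT)
    for name, info in result.items():
        print(name, info)
    print("\n".join(download_commands(result, "user@example.com")))
```

Counting by hash rather than by event keeps repeated reads of one file from inflating the byte total used to prioritize an investigation.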

code42-alert-get#


Retrieve alert details by alert ID

Base Command#

code42-alert-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.Username | string | The username associated with the alert. |
| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
| Code42.SecurityAlert.Description | string | The description of the alert. |
| Code42.SecurityAlert.ID | string | The alert ID. |
| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
| Code42.SecurityAlert.State | string | The alert state. |
| Code42.SecurityAlert.Type | string | The alert type. |
| Code42.SecurityAlert.Severity | string | The severity of the alert. |

Command example#

!code42-alert-get id="ec45e919-8dd1-4624-9cc8-98d7f8f84bbf"

Context Example#

{
"Code42": {
"SecurityAlert": {
"Description": "Example Alert",
"ID": "ec45e919-8dd1-4624-9cc8-98d7f8f84bbf",
"Name": "Example Alerts",
"Occurred": "2022-03-31T14:48:21.9643340Z",
"Severity": "HIGH",
"State": "RESOLVED",
"Type": "FED_COMPOSITE",
"Username": "user@example.com"
}
}
}

Human Readable Output#

Code42 Security Alert Results#

| Type | Occurred | Username | Name | Description | State | ID |
| --- | --- | --- | --- | --- | --- | --- |
| FED_COMPOSITE | 2022-03-31T14:48:21.9643340Z | user@example.com | Example Alerts | Example Alert | RESOLVED | ec45e919-8dd1-4624-9cc8-98d7f8f84bbf |

code42-alert-resolve#


Resolves a Code42 Security alert.

Base Command#

code42-alert-resolve

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |

Command example#

!code42-alert-resolve id="ec45e919-8dd1-4624-9cc8-98d7f8f84bbf"

Context Example#

{
"Code42": {
"SecurityAlert": {
"Description": "Example Alert",
"ID": "ec45e919-8dd1-4624-9cc8-98d7f8f84bbf",
"Name": "Example Alerts",
"Occurred": "2022-03-31T14:48:21.9643340Z",
"Severity": "HIGH",
"State": "RESOLVED",
"Type": "FED_COMPOSITE",
"Username": "user@example.com"
}
}
}

Human Readable Output#

Code42 Security Alert Resolved#

| Type | Occurred | Username | Name | Description | State | ID |
| --- | --- | --- | --- | --- | --- | --- |
| FED_COMPOSITE | 2022-03-31T14:48:21.9643340Z | user@example.com | Example Alerts | Example Alert | RESOLVED | ec45e919-8dd1-4624-9cc8-98d7f8f84bbf |

code42-user-create#


Creates a Code42 user.

Base Command#

code42-user-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| orgname | The name of the Code42 organization from which to add the user. | Required |
| username | The username to give to the user. | Required |
| email | The email of the user to create. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.Username | String | A username for a Code42 user. |
| Code42.User.Email | String | An email for a Code42 user. |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command example#

!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"

Context Example#

{
"Code42": {
"User": {
"Email": "new.user@example.com",
"UserID": "1061727696334321549",
"Username": "new.user@example.com"
}
}
}

Human Readable Output#

Code42 User Created#

| Email | UserID | Username |
| --- | --- | --- |
| new.user@example.com | 1061727696334321549 | new.user@example.com |

code42-user-block#


Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.

Base Command#

code42-user-block

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to block. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command example#

!code42-user-block username="user_a@example.com"

Context Example#

{
"Code42": {
"User": {
"UserID": 210019
}
}
}

Human Readable Output#

Code42 User Blocked#

UserID
210019

code42-user-deactivate#


Deactivates a user in Code42, signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.

Base Command#

code42-user-deactivate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to deactivate. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | The ID of a Code42 User. |

Command example#

!code42-user-deactivate username="user_a@example.com"

Context Example#

{
"Code42": {
"User": {
"UserID": 210019
}
}
}

Human Readable Output#

Code42 User Deactivated#

UserID
210019

code42-user-unblock#


Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.

Base Command#

code42-user-unblock

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to unblock. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command example#

!code42-user-unblock username="user_a@example.com"

Context Example#

{
"Code42": {
"User": {
"UserID": 210019
}
}
}

Human Readable Output#

Code42 User Unblocked#

UserID
210019

code42-user-reactivate#


Reactivates the user with the given username.

Base Command#

code42-user-reactivate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to reactivate. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | The ID of a Code42 User. |

Command example#

!code42-user-reactivate username="user_a@example.com"

Context Example#

{
"Code42": {
"User": {
"UserID": 210019
}
}
}

Human Readable Output#

Code42 User Reactivated#

UserID
210019

code42-user-update-risk-profile#


Updates a User's risk profile.

Base Command#

code42-user-update-risk-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to give to the user. | Required |
| start_date | The user's start date (used in the New Hire watchlist). | Optional |
| end_date | The user's end date (used in the Departing Employee watchlist). | Optional |
| notes | Notes about the user. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.UpdatedUserRiskProfiles.Username | String | A username for a Code42 user. |
| Code42.UpdatedUserRiskProfiles.StartDate | Object | The updated start_date for the user. |
| Code42.UpdatedUserRiskProfiles.EndDate | Object | The updated end_date for the user. |
| Code42.UpdatedUserRiskProfiles.Notes | String | The updated notes for the user. |

Command example#

!code42-user-update-risk-profile username="user@example.com" start_date="2022-10-10" end_date="2023-10-10" notes="test note."

Context Example#

{
"Code42": {
"UpdatedUserRiskProfile": {
"Username": "user@example.com",
"StartDate": {"year": 2022, "month": 10, "day": 10},
"EndDate": {"year": 2023, "month": 10, "day": 10},
"Notes": "test note."
}
}
}

Human Readable Output#

Code42 User Risk Profile Updated#

| Username | StartDate | EndDate | Notes |
| --- | --- | --- | --- |
| user@example.com | year: 2022\nmonth: 10\nday10 | year: 2023\nmonth: 10\nday10 | "test note." |

code42-legalhold-add-user#


Adds a Code42 user to a legal hold matter.

Base Command#

code42-legalhold-add-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to add to the given legal hold matter. | Required |
| mattername | The name of the legal hold matter to which the user will be added. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command example#

!code42-legalhold-add-user username="user_a@example.com" mattername="test"

Context Example#

{
"Code42": {
"LegalHold": {
"MatterID": "1034958750641143371",
"MatterName": "Example Matter",
"UserID": "942876157732602741",
"Username": "user_a@example.com"
}
}
}

Human Readable Output#

Code42 User Added to Legal Hold Matter#

| MatterID | MatterName | UserID | Username |
| --- | --- | --- | --- |
| 1034958750641143371 | Example Matter | 942876157732602741 | user_a@example.com |

code42-legalhold-remove-user#


Removes a Code42 user from a legal hold matter.

Base Command#

code42-legalhold-remove-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to release from the given legal hold matter. | Required |
| mattername | The name of the legal hold matter from which the user will be released. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command example#

!code42-legalhold-remove-user username="user_a@example.com" mattername="test"

Context Example#

{
"Code42": {
"LegalHold": {
"MatterID": "1034958750641143371",
"MatterName": "Example Matter",
"UserID": "942876157732602741",
"Username": "user_a@example.com"
}
}
}

Human Readable Output#

Code42 User Removed from Legal Hold Matter#

| MatterID | MatterName | UserID | Username |
| --- | --- | --- | --- |
| 1034958750641143371 | Example Matter | 942876157732602741 | user_a@example.com |

code42-download-file#


Downloads a file from Code42.

Base Command#

code42-download-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Either the SHA256 or MD5 hash of the file. | Required |
| filename | The filename to save the file as. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command example#

!code42-download-file hash=764f90384e56597e6bba691c75d23875

Context Example#

{
"File": {
"EntryID": "1804@6aa7c36e-287b-4b27-840b-7d8d67a9b26b",
"Info": "text/plain",
"MD5": "764f90384e56597e6bba691c75d23875",
"Name": "764f90384e56597e6bba691c75d23875",
"SHA1": "feadedfc92e7680890f4233432c5eef66ced0584",
"SHA256": "5cf3d58f1af8ac32ae74bc75d35132f8151f9826b4e6d79131c68475a53106f9",
"SHA512": "3d2acf4e529b72f6a52aff7dfd067b86044d9df8f7d30b6617f252cc9610828481205628607884d77f67e86b5ce2e80e349e8e048604f6239fb085917ebb75f1",
"SSDeep": "24576:f1eShVeMNVW13kNkedlsero1lwha2HKiVxIAXo:t9omLlsKKy+",
"Size": 1000000,
"Type": "ASCII text"
}
}

Human Readable Output#

code42-watchlists-list#


List all existing watchlists in your environment.

Base Command#

code42-watchlists-list

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.Watchlists.ListType | string | The Type of Watchlist. |
| Code42.Watchlists.Id | string | The ID of the Watchlist. |
| Code42.Watchlists.IncludedUserCount | integer | The count of included users on the Watchlist. |

Command example#

!code42-watchlists-list

Context Example#

{
"Code42": {
"Watchlists": [
{
"IncludedUserCount": 3,
"WatchlistID": "b55978d5-2d50-494d-bec9-678867f3830c",
"WatchlistType": "DEPARTING_EMPLOYEE"
},
{
"IncludedUserCount": 11,
"WatchlistID": "2870bd73-ce1f-4704-a7f7-a8d11b19908e",
"WatchlistType": "SUSPICIOUS_SYSTEM_ACTIVITY"
},
{
"IncludedUserCount": 4,
"WatchlistID": "d2abb9f2-8c27-4f95-b7e2-252f191a4a1d",
"WatchlistType": "FLIGHT_RISK"
},
{
"IncludedUserCount": 3,
"WatchlistID": "a21b2bbb-ed16-42eb-9983-32076ba417c0",
"WatchlistType": "PERFORMANCE_CONCERNS"
},
{
"IncludedUserCount": 2,
"WatchlistID": "c9557acf-4141-4162-b767-c129d3e668d4",
"WatchlistType": "CONTRACT_EMPLOYEE"
},
{
"IncludedUserCount": 4,
"WatchlistID": "313c388e-4c63-4071-a6fc-d6270e04c350",
"WatchlistType": "HIGH_IMPACT_EMPLOYEE"
},
{
"IncludedUserCount": 3,
"WatchlistID": "b49c938f-8f13-45e4-be17-fa88eca616ec",
"WatchlistType": "ELEVATED_ACCESS_PRIVILEGES"
},
{
"IncludedUserCount": 2,
"WatchlistID": "534fa6a4-4b4c-4712-9b37-2f81c652c140",
"WatchlistType": "POOR_SECURITY_PRACTICES"
},
{
"IncludedUserCount": 0,
"WatchlistID": "5a39abda-c672-418a-82a0-54485bd59b7b",
"WatchlistType": "NEW_EMPLOYEE"
}
]
}
}

Human Readable Output#

Watchlists#

| IncludedUserCount | WatchlistID | WatchlistType |
| --- | --- | --- |
| 3 | b55978d5-2d50-494d-bec9-678867f3830c | DEPARTING_EMPLOYEE |
| 11 | 2870bd73-ce1f-4704-a7f7-a8d11b19908e | SUSPICIOUS_SYSTEM_ACTIVITY |
| 4 | d2abb9f2-8c27-4f95-b7e2-252f191a4a1d | FLIGHT_RISK |
| 3 | a21b2bbb-ed16-42eb-9983-32076ba417c0 | PERFORMANCE_CONCERNS |
| 2 | c9557acf-4141-4162-b767-c129d3e668d4 | CONTRACT_EMPLOYEE |
| 4 | 313c388e-4c63-4071-a6fc-d6270e04c350 | HIGH_IMPACT_EMPLOYEE |
| 3 | b49c938f-8f13-45e4-be17-fa88eca616ec | ELEVATED_ACCESS_PRIVILEGES |
| 2 | 534fa6a4-4b4c-4712-9b37-2f81c652c140 | POOR_SECURITY_PRACTICES |
| 0 | 5a39abda-c672-418a-82a0-54485bd59b7b | NEW_EMPLOYEE |

code42-watchlists-add-user#


Add a user to a watchlist.

Base Command#

code42-watchlists-add-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email id of the user to add to Watchlist. | Required |
| watchlist | WatchlistID or WatchlistType to add user to. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.UsersAddedToWatchlists.Watchlist | string | The ID/Type of the watchlist user was added to. |
| Code42.UsersAddedToWatchlists.Username | string | The username added to watchlist. |
| Code42.UsersAddedToWatchlists.Success | boolean | If the user was added successfully. |

Command example#

!code42-watchlists-add-user username="user_a@example.com" watchlist="b55978d5-2d50-494d-bec9-678867f3830c"

Context Example#

{
"Code42": {
"UsersAddedToWatchlists": {
"Success": true,
"Username": "user_a@example.com",
"Watchlist": "b55978d5-2d50-494d-bec9-678867f3830c"
}
}
}

Human Readable Output#

Results#

| Success | Username | Watchlist |
| --- | --- | --- |
| true | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-watchlists-remove-user#


Remove a user from a watchlist.

Base Command#

code42-watchlists-remove-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email id of the user to add to Watchlist. | Required |
| watchlist | WatchlistID or WatchlistType to remove user from. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.UsersRemovedFromWatchlists.Watchlist | string | The ID/Type of the watchlist user was removed from. |
| Code42.UsersRemovedFromWatchlists.Username | string | The username removed from watchlist. |
| Code42.UsersRemovedFromWatchlists.Success | boolean | If the user was removed successfully. |

Command example#

!code42-watchlists-remove-user username="user_a@example.com" watchlist="b55978d5-2d50-494d-bec9-678867f3830c"

Context Example#

{
"Code42": {
"UsersRemovedFromWatchlists": {
"Success": true,
"Username": "user_a@example.com",
"Watchlist": "b55978d5-2d50-494d-bec9-678867f3830c"
}
}
}

Human Readable Output#

Results#

| Success | Username | Watchlist |
| --- | --- | --- |
| true | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-watchlists-list-included-users#


List all users who have been explicitly added to a given watchlist.

Base Command#

code42-watchlists-list-included-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist | The WatchlistID or WatchlistType to get a list of included users for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.WatchlistUsers.WatchlistID | string | The ID of the Watchlist. |
| Code42.WatchlistUsers.Username | string | The username on the watchlist. |
| Code42.WatchlistUsers.AddedTime | datetime | The datetime the user was added to the watchlist. |

Command example#

!code42-watchlists-list-included-users watchlist="DEPARTING_EMPLOYEE"

Context Example#

{
"Code42": {
"WatchlistUsers": [
{
"AddedTime": "2022-02-26T18:41:45.766005",
"Username": "user_a@example.com",
"WatchlistID": "b55978d5-2d50-494d-bec9-678867f3830c"
},
{
"AddedTime": "2022-03-31T20:41:47.2985",
"Username": "user_b@example.com",
"WatchlistID": "b55978d5-2d50-494d-bec9-678867f3830c"
},
{
"AddedTime": "2022-03-31T14:43:48.059325",
"Username": "user_c@example.com",
"WatchlistID": "b55978d5-2d50-494d-bec9-678867f3830c"
}
]
}
}

Human Readable Output#

Watchlists#

| AddedTime | Username | WatchlistID |
| --- | --- | --- |
| 2022-02-26T18:41:45.766005 | user_a@example.com | b55978d5-2d50-494d-bec9-678867f3830c |
| 2022-03-31T20:41:47.2985 | user_b@example.com | b55978d5-2d50-494d-bec9-678867f3830c |
| 2022-03-31T14:43:48.059325 | user_c@example.com | b55978d5-2d50-494d-bec9-678867f3830c |

code42-departingemployee-add#


Adds a user to the Departing Employee List.

Base Command#

code42-departingemployee-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to add to the Departing Employee List. | Required |
| departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
| note | Note to attach to the Departing Employee. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example#

!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"

Human Readable Output#

| UserID | DepartureDate | Note | Username |
| --- | --- | --- | --- |
| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com |

code42-departingemployee-remove#


Removes a user from the Departing Employee List.

Base Command#

code42-departingemployee-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to remove from the Departing Employee List. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |

Command Example#

!code42-departingemployee-remove username="john.user@example.com"

Human Readable Output#

| UserID | Username |
| --- | --- |
| 123 | john.user@example.com |

code42-departingemployee-get#


Retrieve departing employee details.

Base Command#

code42-departingemployee-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email id of the departing employee. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example#

!code42-departingemployee-get username="partner.demisto@example.com"

Context Example#

{
"Code42": {
"DepartingEmployee": {
"DepartureDate": null,
"Note": "Risky activity",
"UserID": "942876157732602741",
"Username": "partner.demisto@example.com"
}
}
}

Human Readable Output#

Retrieve departing employee#

| DepartureDate | Note | UserID | Username |
| --- | --- | --- | --- |
|  | Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-departingemployee-get-all#


Get all employees on the Departing Employee List.

Base Command#

code42-departingemployee-get-all

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| results | The number of items to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example#

!code42-departingemployee-get-all

Context Example#

{
"Code42": {
"DepartingEmployee": [
{
"DepartureDate": null,
"Note": "test",
"UserID": "921333907298179098",
"Username": "user1@example.com"
},
{
"DepartureDate": "2020-07-20",
"Note": "This is added using csv file to test bulk adding of users to high risk employee list",
"UserID": "948333588694228306",
"Username": "user2@example.com"
},
{
"DepartureDate": null,
"Note": "",
"UserID": "912211111144144039",
"Username": "user3@example.com"
}
]
}
}

Human Readable Output#

All Departing Employees#

| DepartureDate | Note | UserID | Username |
| --- | --- | --- | --- |
| 2020-07-19 | User added from XSOAR | 921286907298179098 | user1@example.com |
| 2020-07-20 | User added from Jira ticket | 948938588694228306 | user1@example.com |
| 2020-07-20 | No note. | 912249223544144039 | unicode@example.com |
| 2020-07-20 | Lots of suspicious activity | 894165832411107815 | testuser@example.com |
| 2020-07-20 | L3 security risk | 949093399968329042 | user2@example.com |
| 2020-07-21 | Problems with performance | 942897397520286581 | user3@example.com |
| 2020-07-21 | Problems with performance | 906619740182876328 | user4@example.com |
| 2020-07-21 | Was a contract employee | 906619632003387560 | user5@example.com |
| 2020-07-21 | Was a contract employee | 912338501981077099 | user6@example.com |
| 2020-07-25 | Leaving for competitor | 951984198921509692 | user7@example.com.com |
| 2020-07-25 | Leaving for competitor | 895005723650937319 | user8@example.com |

code42-highriskemployee-add#


Adds a user to the High Risk Employee List.

Base Command#

code42-highriskemployee-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to add to the High Risk Employee List. | Required |
| note | Note to attach to the High Risk Employee. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example#

!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"

Context Example#

{
"Code42": {
"HighRiskEmployee": {
"UserID": "942876157732602741",
"Username": "partner.demisto@example.com"
}
}
}

Human Readable Output#

Code42 High Risk Employee List User Added#

| UserID | Username |
| --- | --- |
| 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-remove#


Removes a user from the High Risk Employee List.

Base Command#

code42-highriskemployee-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to remove from the High Risk Employee List. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |

Command Example#

!code42-highriskemployee-remove username="partner.demisto@example.com"

Context Example#

{
"Code42": {
"HighRiskEmployee": {
"UserID": "942876157732602741",
"Username": "partner.demisto@example.com"
}
}
}

Human Readable Output#

Code42 High Risk Employee List User Removed#

| UserID | Username |
| --- | --- |
| 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get#


Retrieve high risk employee details.

Base Command#

code42-highriskemployee-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email id of the user. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example#

!code42-highriskemployee-get username="partner.demisto@example.com"

Context Example#

{
"Code42": {
"HighRiskEmployee": {
"Note": "Risky activity",
"UserID": "942876157732602741",
"Username": "partner.demisto@example.com"
}
}
}

Human Readable Output#

Retrieve high risk employee#

| Note | UserID | Username |
| --- | --- | --- |
| Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get-all#


Get all employees on the High Risk Employee List.

Base Command#

code42-highriskemployee-get-all

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| risktags | To filter results by employees who have these risk tags. Space delimited. | Optional |
| results | The number of items to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example#

!code42-highriskemployee-get-all

Context Example#

{
"Code42": {
"HighRiskEmployee": [
{
"Note": "tests and more tests",
"UserID": "111117397520286581",
"Username": "user1@example.com"
},
{
"Note": "Leaving for competitor",
"UserID": "822222723650937319",
"Username": "user2@example.com"
},
{
"Note": "Test user addition from XSOAR",
"UserID": "913333363086307495",
"Username": "user3@example.com"
}
]
}
}

Human Readable Output#

Retrieved All High Risk Employees#

| Note | UserID | Username |
| --- | --- | --- |
| Clicked Phishing link | 942897397520286581 | user1@example.com |
| Lots of non-work-related activity | 895005723650937319 | user2@example.com |
| User added using XSOAR | 912098363086307495 | user3@example.com |
| User has performance concerns | 921286907298179098 | user4@example.com |
| Highly demanded employee | 942876157732602741 | user5@example.com |

code42-highriskemployee-add-risk-tags#


Base Command#

code42-highriskemployee-add-risk-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |

Command Example#

!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Human Readable Output#

Code42 Risk Tags Added#

| RiskTags | UserID | Username |
| --- | --- | --- |
| PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |

code42-highriskemployee-remove-risk-tags#


Base Command#

code42-highriskemployee-remove-risk-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |

Command Example#

!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Context Example#

{
"Code42": {
"HighRiskEmployee": [
{
"RiskTags": "PERFORMANCE_CONCERNS",
"UserID": "942876157732602741",
"Username": "partner.demisto@example.com"
}
]
}
}

Human Readable Output#

Code42 Risk Tags Removed#

| RiskTags | UserID | Username |
| --- | --- | --- |
| PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |