Code42
This Integration is part of the Code42 Pack.#
Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
Configure Code42 on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Code42.
Click Add instance to create and configure a new integration instance.
Parameter Required Code42 Console URL for your Code42 environment True API Client ID True API Client Secret True Fetch incidents False Incident type False Alert severities to fetch when fetching incidents False First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) False Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once False Include the list of files in returned incidents. False Incidents Fetch Interval False Use v2 file events False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
code42-file-events-search#
Search for Code42 Incydr File Events
Base Command#
code42-file-events-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| add-to-context | Add results to context at 'Code42.FileEvents'. If 'false', the search will only display results as a markdown table. | Optional |
| json | Raw JSON file event query to be used for search. | Optional |
| results | The number of file events to return. Defaults to 50. Default is 50. | Optional |
| min_risk_score | Filter results by minimum risk score. Default is 1. | Optional |
| hash | MD5 or SHA256 hash of the file to search for. | Optional |
| username | Username to search for. | Optional |
| hostname | Hostname to search for. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.FileEvents.timestamp | date | The timestamp when the event occurred. |
| Code42.FileEvents.event | unknown | Summary information about the event, including date observed, event type, and event source. |
| Code42.FileEvents.user | unknown | Details about the user associated with the event (if any). |
| Code42.FileEvents.destination | unknown | Details about the destination target of the event (if any). |
| Code42.FileEvents.process | unknown | Details about the CPU process involved in the event (if any). |
| Code42.FileEvents.risk | unknown | Details overall risk severity for the event and lists all associated risk indicators. |
| Code42.FileEvents.git | unknown | Details about git repository involved in event (if any). |
| Code42.FileEvents.report | unknown | Details about Salesforce reports involved in the event (if any). |
| Code42.FileEvents.file | unknown | Details about file metadata for file involved in the event (if any). |
| Code42.FileEvents.source | unknown | Info about the origin of a file involved in the event (if any). |
code42-alert-get#
Retrieve alert details by alert ID
Base Command#
code42-alert-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.SecurityAlert.Username | string | The username associated with the alert. |
| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
| Code42.SecurityAlert.Description | string | The description of the alert. |
| Code42.SecurityAlert.ID | string | The alert ID. |
| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
| Code42.SecurityAlert.State | string | The alert state. |
| Code42.SecurityAlert.Type | string | The alert type. |
| Code42.SecurityAlert.Severity | string | The severity of the alert. |
code42-alert-resolve#
Resolves a Code42 Security alert.
Base Command#
code42-alert-resolve
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |
code42-departingemployee-add#
Adds a user to the Departing Employee List.
Base Command#
code42-departingemployee-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to add to the Departing Employee List. | Required |
| departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
| note | Note to attach to the Departing Employee. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
code42-departingemployee-remove#
Removes a user from the Departing Employee List.
Base Command#
code42-departingemployee-remove
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to remove from the Departing Employee List. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
code42-departingemployee-get-all#
Get all employees on the Departing Employee List.
Base Command#
code42-departingemployee-get-all
Input#
| Argument Name | Description | Required |
|---|---|---|
| results | The number of items to return. | Optional |
| filtertype | Filters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN, LEAVING_TODAY. Default is OPEN. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
code42-highriskemployee-add#
Adds a user to the High Risk Employee List.
Base Command#
code42-highriskemployee-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to add to the High Risk Employee List. | Required |
| note | Note to attach to the High Risk Employee. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
code42-highriskemployee-remove#
Removes a user from the High Risk Employee List.
Base Command#
code42-highriskemployee-remove
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username to remove from the High Risk Employee List. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |
code42-highriskemployee-get-all#
Get all employees on the High Risk Employee List.
Base Command#
code42-highriskemployee-get-all
Input#
| Argument Name | Description | Required |
|---|---|---|
| risktags | To filter results by employees who have these risk tags. Comma delimited. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Optional |
| results | The number of items to return. | Optional |
| filtertype | Filters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN. Default is OPEN. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
code42-highriskemployee-add-risk-tags#
Associates risk tags with the employee with the given username.
Base Command#
code42-highriskemployee-add-risk-tags
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the High Risk Employee. | Required |
| risktags | Comma-delimited risk tags to associate with the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |
code42-highriskemployee-remove-risk-tags#
Disassociates risk tags from the user with the given username.
Base Command#
code42-highriskemployee-remove-risk-tags
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the High Risk Employee. | Required |
| risktags | Comma-delimited risk tags to disassociate from the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |
code42-user-create#
Creates a Code42 user.
Base Command#
code42-user-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| orgname | The name of the Code42 organization from which to add the user. | Required |
| username | The username to give to the user. | Required |
| The email of the user to create. Default is The email to give to the user.. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.Username | String | A username for a Code42 user. |
| Code42.User.Email | String | An email for a Code42 user. |
| Code42.User.UserID | String | An ID for a Code42 user. |
code42-user-block#
Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
Base Command#
code42-user-block
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to block. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | An ID for a Code42 user. |
code42-user-deactivate#
Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
Base Command#
code42-user-deactivate
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to deactivate. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | The ID of a Code42 User. |
code42-user-unblock#
Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
Base Command#
code42-user-unblock
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to unblock. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | An ID for a Code42 user. |
code42-user-reactivate#
Reactivates the user with the given username.
Base Command#
code42-user-reactivate
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to reactivate. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.User.UserID | String | The ID of a Code42 User. |
code42-legalhold-add-user#
Adds a Code42 user to a legal hold matter.
Base Command#
code42-legalhold-add-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to add to the given legal hold matter. | Required |
| mattername | The name of the legal hold matter to which the user will be added. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
code42-legalhold-remove-user#
Removes a Code42 user from a legal hold matter.
Base Command#
code42-legalhold-remove-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The username of the user to release from the given legal hold matter. | Required |
| mattername | The name of the legal hold matter from which the user will be released. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
code42-download-file#
Downloads a file from Code42.
Base Command#
code42-download-file
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash | Either the SHA256 or MD5 hash of the file. | Required |
| filename | The filename to save the file as. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |
code42-highriskemployee-get#
Retrieve high risk employee details.
Base Command#
code42-highriskemployee-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the user. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
code42-departingemployee-get#
Retrieve departing employee details.
Base Command#
code42-departingemployee-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the departing employee. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
code42-watchlists-list#
List all existing watchlists in your environment.
Base Command#
code42-watchlists-list
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.Watchlists.ListType | string | The Type of Watchlist. |
| Code42.Watchlists.Id | string | The ID of the Watchlist. |
| Code42.Watchlists.IncludedUserCount | integer | The count of included users on the Watchlist. |
code42-watchlists-add-user#
Add a user to a watchlist.
Base Command#
code42-watchlists-add-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the user to add to Watchlist. | Required |
| watchlist | WatchlistID or WatchlistType to add user to. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.UsersAddedToWatchlists.Watchlist | string | The ID/Type of the watchlist user was added to. |
| Code42.UsersAddedToWatchlists.Username | string | The username added to watchlist. |
| Code42.UsersAddedToWatchlists.Success | boolean | If the user was added successfully. |
code42-watchlists-remove-user#
Remove a user from a watchlist.
Base Command#
code42-watchlists-remove-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | Email id of the user to add to Watchlist. | Required |
| watchlist | WatchlistID or WatchlistType to remove user from. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.UsersRemovedFromWatchlists.Watchlist | string | The ID/Type of the watchlist user was removed from. |
| Code42.UsersRemovedFromWatchlists.Username | string | The username removed from watchlist. |
| Code42.UsersRemovedFromWatchlists.Success | boolean | If the user was removed successfully. |
code42-watchlists-list-included-users#
List all users who have been explicitly added to a given watchlist.
Base Command#
code42-watchlists-list-included-users
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist | The WatchlistID or WatchlistType to get a list of included users for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.WatchlistUsers.WatchlistID | string | The ID of the Watchlist. |
| Code42.WatchlistUsers.Username | string | The username on the watchlist. |
| Code42.WatchlistUsers.AddedTime | datetime | The datetime the user was added to the watchlist. |
code42-get-user-risk-profile#
Get the risk profile details for a given user.
Base Command#
code42-user-get-risk-profile
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The user to get risk profile for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.UserRiskProfiles.Username | string | The username. |
| Code42.UserRiskProfiles.StartDate | date | The startDate value of the UserRiskProfile. |
| Code42.UserRiskProfiles.EndDate | date | The startDate value of the UserRiskProfile. |
| Code42.UserRiskProfiles.Notes | string | The notes value of the UserRiskProfile. |
code42-user-update-risk-profile#
Update a user's risk profile.
Base Command#
code42-user-update-risk-profile
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The user to update. | Required |
| start_date | The user's start date (useful for New Employee Watchlist). | Optional |
| end_date | The user's end date (useful for Departing Employee Watchlist). | Optional |
| notes | Risk profile notes. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Code42.UpdatedUserRiskProfiles.Username | string | The user that was updated. |
| Code42.UpdatedUserRiskProfiles.StartDate | date | The startDate value of the UserRiskProfile after the update. |
| Code42.UpdatedUserRiskProfiles.EndDate | date | The startDate value of the UserRiskProfile after the update. |
| Code42.UpdatedUserRiskProfiles.Notes | string | The notes value of the UserRiskProfile after the update. |
| Code42.UpdatedUserRiskProfiles.Success | boolean | If the risk profile update was successful. |
code42-file-events-table#
Render Code42 file events from the context as a markdown table
Base Command#
code42-file-events-table
Input#
| Argument Name | Description | Required |
|---|---|---|
| include | Select which events to include in the table. - 'incident' only displays the events that originally triggered the Code42 Alert. - 'searches' only displays events that have been added to the context from 'code42-file-events-search' commands. - 'all' will include all events in the table. . Possible values are: all, incident, searches. Default is all. | Optional |
Context Output#
There is no context output for this command.