Code42
Code42 Pack.#
This Integration is part of theUse the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
#
Configure Code42 in CortexParameter | Required |
---|---|
Code42 Console URL for your Code42 environment | True |
API Client ID | True |
API Client Secret | True |
Fetch incidents | False |
Incident type | False |
Alert severities to fetch when fetching incidents | False |
First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
Include the list of files in returned incidents. | False |
Incidents Fetch Interval | False |
Use v2 file events | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
code42-file-events-searchSearch for Code42 Incydr File Events
#
Base Commandcode42-file-events-search
#
InputArgument Name | Description | Required |
---|---|---|
add-to-context | Add results to context at 'Code42.FileEvents'. If 'false', the search will only display results as a markdown table. | Optional |
json | Raw JSON file event query to be used for search. | Optional |
results | The number of file events to return. Defaults to 50. Default is 50. | Optional |
min_risk_score | Filter results by minimum risk score. Default is 1. | Optional |
hash | MD5 or SHA256 hash of the file to search for. | Optional |
username | Username to search for. | Optional |
hostname | Hostname to search for. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.FileEvents.timestamp | date | The timestamp when the event occurred. |
Code42.FileEvents.event | unknown | Summary information about the event, including date observed, event type, and event source. |
Code42.FileEvents.user | unknown | Details about the user associated with the event (if any). |
Code42.FileEvents.destination | unknown | Details about the destination target of the event (if any). |
Code42.FileEvents.process | unknown | Details about the CPU process involved in the event (if any). |
Code42.FileEvents.risk | unknown | Details overall risk severity for the event and lists all associated risk indicators. |
Code42.FileEvents.git | unknown | Details about git repository involved in event (if any). |
Code42.FileEvents.report | unknown | Details about Salesforce reports involved in the event (if any). |
Code42.FileEvents.file | unknown | Details about file metadata for file involved in the event (if any). |
Code42.FileEvents.source | unknown | Info about the origin of a file involved in the event (if any). |
#
code42-alert-getRetrieve alert details by alert ID
#
Base Commandcode42-alert-get
#
InputArgument Name | Description | Required |
---|---|---|
id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.SecurityAlert.Username | string | The username associated with the alert. |
Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
Code42.SecurityAlert.Description | string | The description of the alert. |
Code42.SecurityAlert.ID | string | The alert ID. |
Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
Code42.SecurityAlert.State | string | The alert state. |
Code42.SecurityAlert.Type | string | The alert type. |
Code42.SecurityAlert.Severity | string | The severity of the alert. |
#
code42-alert-resolveResolves a Code42 Security alert.
#
Base Commandcode42-alert-resolve
#
InputArgument Name | Description | Required |
---|---|---|
id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |
#
code42-departingemployee-addAdds a user to the Departing Employee List.
#
Base Commandcode42-departingemployee-add
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to add to the Departing Employee List. | Required |
departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
note | Note to attach to the Departing Employee. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
code42-departingemployee-removeRemoves a user from the Departing Employee List.
#
Base Commandcode42-departingemployee-remove
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to remove from the Departing Employee List. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
#
code42-departingemployee-get-allGet all employees on the Departing Employee List.
#
Base Commandcode42-departingemployee-get-all
#
InputArgument Name | Description | Required |
---|---|---|
results | The number of items to return. | Optional |
filtertype | Filters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN, LEAVING_TODAY. Default is OPEN. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
code42-highriskemployee-addAdds a user to the High Risk Employee List.
#
Base Commandcode42-highriskemployee-add
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to add to the High Risk Employee List. | Required |
note | Note to attach to the High Risk Employee. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
code42-highriskemployee-removeRemoves a user from the High Risk Employee List.
#
Base Commandcode42-highriskemployee-remove
#
InputArgument Name | Description | Required |
---|---|---|
username | The username to remove from the High Risk Employee List. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |
#
code42-highriskemployee-get-allGet all employees on the High Risk Employee List.
#
Base Commandcode42-highriskemployee-get-all
#
InputArgument Name | Description | Required |
---|---|---|
risktags | To filter results by employees who have these risk tags. Comma delimited. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Optional |
results | The number of items to return. | Optional |
filtertype | Filters the results based on specific filters. Possible values are: EXFILTRATION_30_DAYS, EXFILTRATION_24_HOURS, OPEN. Default is OPEN. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
code42-highriskemployee-add-risk-tagsAssociates risk tags with the employee with the given username.
#
Base Commandcode42-highriskemployee-add-risk-tags
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Comma-delimited risk tags to associate with the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |
#
code42-highriskemployee-remove-risk-tagsDisassociates risk tags from the user with the given username.
#
Base Commandcode42-highriskemployee-remove-risk-tags
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the High Risk Employee. | Required |
risktags | Comma-delimited risk tags to disassociate from the High Risk Employee. Possible values are: PERFORMANCE_CONCERNS, PERFORMANCE_CONCERNS, POOR_SECURITY_PRACTICES, HIGH_IMPACT_EMPLOYEE, ELEVATED_ACCESS_PRIVILEGES, FLIGHT_RISK, CONTRACT_EMPLOYEE. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |
#
code42-user-createCreates a Code42 user.
#
Base Commandcode42-user-create
#
InputArgument Name | Description | Required |
---|---|---|
orgname | The name of the Code42 organization from which to add the user. | Required |
username | The username to give to the user. | Required |
The email of the user to create. Default is The email to give to the user.. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.Username | String | A username for a Code42 user. |
Code42.User.Email | String | An email for a Code42 user. |
Code42.User.UserID | String | An ID for a Code42 user. |
#
code42-user-blockBlocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
#
Base Commandcode42-user-block
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to block. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |
#
code42-user-deactivateDeactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
#
Base Commandcode42-user-deactivate
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to deactivate. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |
#
code42-user-unblockRemoves a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
#
Base Commandcode42-user-unblock
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to unblock. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | An ID for a Code42 user. |
#
code42-user-reactivateReactivates the user with the given username.
#
Base Commandcode42-user-reactivate
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to reactivate. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.User.UserID | String | The ID of a Code42 User. |
#
code42-legalhold-add-userAdds a Code42 user to a legal hold matter.
#
Base Commandcode42-legalhold-add-user
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to add to the given legal hold matter. | Required |
mattername | The name of the legal hold matter to which the user will be added. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
#
code42-legalhold-remove-userRemoves a Code42 user from a legal hold matter.
#
Base Commandcode42-legalhold-remove-user
#
InputArgument Name | Description | Required |
---|---|---|
username | The username of the user to release from the given legal hold matter. | Required |
mattername | The name of the legal hold matter from which the user will be released. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
Code42.LegalHold.Username | String | A username for a Code42 user. |
Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |
#
code42-download-fileDownloads a file from Code42.
#
Base Commandcode42-download-file
#
InputArgument Name | Description | Required |
---|---|---|
hash | Either the SHA256 or MD5 hash of the file. | Required |
filename | The filename to save the file as. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | File information. |
File.Type | String | The file type. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The file extension. |
#
code42-highriskemployee-getRetrieve high risk employee details.
#
Base Commandcode42-highriskemployee-get
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the user. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |
#
code42-departingemployee-getRetrieve departing employee details.
#
Base Commandcode42-departingemployee-get
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the departing employee. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |
#
code42-watchlists-listList all existing watchlists in your environment.
#
Base Commandcode42-watchlists-list
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
Code42.Watchlists.ListType | string | The Type of Watchlist. |
Code42.Watchlists.Id | string | The ID of the Watchlist. |
Code42.Watchlists.IncludedUserCount | integer | The count of included users on the Watchlist. |
#
code42-watchlists-add-userAdd a user to a watchlist.
#
Base Commandcode42-watchlists-add-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the user to add to Watchlist. | Required |
watchlist | WatchlistID or WatchlistType to add user to. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.UsersAddedToWatchlists.Watchlist | string | The ID/Type of the watchlist user was added to. |
Code42.UsersAddedToWatchlists.Username | string | The username added to watchlist. |
Code42.UsersAddedToWatchlists.Success | boolean | If the user was added successfully. |
#
code42-watchlists-remove-userRemove a user from a watchlist.
#
Base Commandcode42-watchlists-remove-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Email id of the user to add to Watchlist. | Required |
watchlist | WatchlistID or WatchlistType to remove user from. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.UsersRemovedFromWatchlists.Watchlist | string | The ID/Type of the watchlist user was removed from. |
Code42.UsersRemovedFromWatchlists.Username | string | The username removed from watchlist. |
Code42.UsersRemovedFromWatchlists.Success | boolean | If the user was removed successfully. |
#
code42-watchlists-list-included-usersList all users who have been explicitly added to a given watchlist.
#
Base Commandcode42-watchlists-list-included-users
#
InputArgument Name | Description | Required |
---|---|---|
watchlist | The WatchlistID or WatchlistType to get a list of included users for. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.WatchlistUsers.WatchlistID | string | The ID of the Watchlist. |
Code42.WatchlistUsers.Username | string | The username on the watchlist. |
Code42.WatchlistUsers.AddedTime | datetime | The datetime the user was added to the watchlist. |
#
code42-get-user-risk-profileGet the risk profile details for a given user.
#
Base Commandcode42-user-get-risk-profile
#
InputArgument Name | Description | Required |
---|---|---|
username | The user to get risk profile for. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.UserRiskProfiles.Username | string | The username. |
Code42.UserRiskProfiles.StartDate | date | The startDate value of the UserRiskProfile. |
Code42.UserRiskProfiles.EndDate | date | The startDate value of the UserRiskProfile. |
Code42.UserRiskProfiles.Notes | string | The notes value of the UserRiskProfile. |
#
code42-user-update-risk-profileUpdate a user's risk profile.
#
Base Commandcode42-user-update-risk-profile
#
InputArgument Name | Description | Required |
---|---|---|
username | The user to update. | Required |
start_date | The user's start date (useful for New Employee Watchlist). | Optional |
end_date | The user's end date (useful for Departing Employee Watchlist). | Optional |
notes | Risk profile notes. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Code42.UpdatedUserRiskProfiles.Username | string | The user that was updated. |
Code42.UpdatedUserRiskProfiles.StartDate | date | The startDate value of the UserRiskProfile after the update. |
Code42.UpdatedUserRiskProfiles.EndDate | date | The startDate value of the UserRiskProfile after the update. |
Code42.UpdatedUserRiskProfiles.Notes | string | The notes value of the UserRiskProfile after the update. |
Code42.UpdatedUserRiskProfiles.Success | boolean | If the risk profile update was successful. |
#
code42-file-events-tableRender Code42 file events from the context as a markdown table
#
Base Commandcode42-file-events-table
#
InputArgument Name | Description | Required |
---|---|---|
include | Select which events to include in the table. - 'incident' only displays the events that originally triggered the Code42 Alert. - 'searches' only displays events that have been added to the context from 'code42-file-events-search' commands. - 'all' will include all events in the table. . Possible values are: all, incident, searches. Default is all. | Optional |
#
Context OutputThere is no context output for this command.