Skip to main content

Code42 Suspicious Activity Review v2

This Playbook is part of the Code42 Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Code42 Suspicious Activity Action


  • Code42


  • ConvertTableToHTML


  • code42-file-events-search

Playbook Inputs#

NameDescriptionDefault ValueRequired
UsernameThe username of the employee.${incident.code42username}Required
ReviewerEmailThe email recipient to review potential suspicious activity related to the user, such as the user's manager.Required
LegalHoldMatterIdThe legal hold matter ID to add the user to if selecting ADD-TO-LEGAL-HOLD in the Decide Remediation Action task.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Code42 Suspicious Activity Review