Code42

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

Configure Code42 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Code42.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| console_url | Code42 Console URL for your Code42 environment | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| alert_severity | Alert severities to fetch when fetching incidents | False |
| fetch_time | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
| fetch_limit | Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once | False |
| include_files | Include the list of files in returned incidents. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

code42-securitydata-search


Searches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed to the command. If a JSON argument is passed, it is used to the exclusion of the other parameters; otherwise the parameters are combined with an AND clause.

Base Command

code42-securitydata-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| json | JSON query payload using Code42 query syntax. | Optional |
| hash | MD5 or SHA256 hash of the file to search for. | Optional |
| username | Username to search for. | Optional |
| hostname | Hostname to search for. | Optional |
| exposure | Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain". | Optional |
| results | The number of results to return. The default is 100. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityData.EventTimestamp | date | Timestamp for the event. |
| Code42.SecurityData.FileCreated | date | File creation date. |
| Code42.SecurityData.EndpointID | string | Code42 device ID. |
| Code42.SecurityData.DeviceUsername | string | The username that the device is associated with in Code42. |
| Code42.SecurityData.EmailFrom | string | The sender email address for email exfiltration events. |
| Code42.SecurityData.EmailTo | string | The recipient email address for email exfiltration events. |
| Code42.SecurityData.EmailSubject | string | The email subject line for email exfiltration events. |
| Code42.SecurityData.EventID | string | The Security Data event ID. |
| Code42.SecurityData.EventType | string | The type of Security Data event. |
| Code42.SecurityData.FileCategory | string | The file type, as determined by the Code42 engine. |
| Code42.SecurityData.FileOwner | string | The owner of the file. |
| Code42.SecurityData.FileName | string | The file name. |
| Code42.SecurityData.FilePath | string | The path to the file. |
| Code42.SecurityData.FileSize | number | The size of the file (in bytes). |
| Code42.SecurityData.FileModified | date | The date the file was last modified. |
| Code42.SecurityData.FileMD5 | string | MD5 hash of the file. |
| Code42.SecurityData.FileHostname | string | Hostname where the file event was captured. |
| Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of the device where the event was captured. |
| Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of the device where the event was captured. |
| Code42.SecurityData.RemovableMediaType | string | Type of removable media. |
| Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media (in bytes). |
| Code42.SecurityData.RemovableMediaMediaName | string | The full name of the removable media. |
| Code42.SecurityData.RemovableMediaName | string | The name of the removable media. |
| Code42.SecurityData.RemovableMediaSerialNumber | string | The serial number of the removable media device. |
| Code42.SecurityData.RemovableMediaVendor | string | The vendor name of the removable device. |
| Code42.SecurityData.FileSHA256 | string | The SHA256 hash of the file. |
| Code42.SecurityData.FileShared | boolean | Whether the file is shared using a cloud file service. |
| Code42.SecurityData.FileSharedWith | string | Accounts that the file is shared with on a cloud file service. |
| Code42.SecurityData.Source | string | The source of the file event. Can be "Cloud" or "Endpoint". |
| Code42.SecurityData.ApplicationTabURL | string | The URL associated with the application read event. |
| Code42.SecurityData.ProcessName | string | The process name for the application read event. |
| Code42.SecurityData.ProcessOwner | string | The process owner for the application read event. |
| Code42.SecurityData.WindowTitle | string | The process name for the application read event. |
| Code42.SecurityData.FileURL | string | The URL of the file on a cloud file service. |
| Code42.SecurityData.Exposure | string | The event exposure type. |
| Code42.SecurityData.SharingTypeAdded | string | The type of sharing added to the file. |
| File.Name | string | The file name. |
| File.Path | string | The file path. |
| File.Size | number | The file size (in bytes). |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Hostname | string | The hostname where the file event was captured. |

Command Example

!code42-securitydata-search hash=eef8b12d2ed0d6a69fe77699d5640c7b exposure=CloudStorage,ApplicationRead

Human Readable Output

| EventType | FileName | FileSize | FileHostname | FileOwner | FileCategory |
| --- | --- | --- | --- | --- | --- |
| READ_BY_APP | ProductPhoto.jpg | 333114 | DESKTOP-001 | john.user | IMAGE |
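The argument rules above (at least one argument, a JSON query used to the exclusion of the rest, otherwise AND of the simple filters, a default of 100 results) and the mapping into the Code42.SecurityData and File context paths are easy to misread when building a playbook. The following Python model is an added example, not code from the Code42 integration or the py42 SDK: it runs the documented rules over a constructed set of events. The raw event field names (eventId, md5Checksum, osHostName, ...), the treatment of a comma-separated exposure list as "any of these", and the mini JSON query format are assumptions made for the example, not the real Code42 API schema or query syntax.

```python
"""Added example, not part of the Code42 integration: a local model of how
code42-securitydata-search combines its arguments and shapes its context output.
Raw event field names and the mini JSON query format are assumptions."""
import json
from typing import Any, Dict, List

# Constructed sample events (assumed field names; values loosely mirror the
# human-readable output shown on the page).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventId": "evt-1", "eventType": "READ_BY_APP", "fileName": "ProductPhoto.jpg",
     "fileSize": 333114, "osHostName": "DESKTOP-001", "deviceUserName": "john.user",
     "md5Checksum": "eef8b12d2ed0d6a69fe77699d5640c7b", "sha256Checksum": "a" * 64,
     "exposure": ["ApplicationRead"], "source": "Endpoint"},
    {"eventId": "evt-2", "eventType": "CREATED", "fileName": "notes.txt",
     "fileSize": 120, "osHostName": "DESKTOP-002", "deviceUserName": "jane.user",
     "md5Checksum": "0" * 32, "sha256Checksum": "b" * 64,
     "exposure": ["RemovableMedia"], "source": "Endpoint"},
    {"eventId": "evt-3", "eventType": "MODIFIED", "fileName": "ProductPhoto.jpg",
     "fileSize": 333114, "osHostName": "DESKTOP-003", "deviceUserName": "john.user",
     "md5Checksum": "eef8b12d2ed0d6a69fe77699d5640c7b", "sha256Checksum": "a" * 64,
     "exposure": ["CloudStorage", "IsPublic"], "source": "Cloud"},
]

# Exposure types the command documents.
VALID_EXPOSURES = {"RemovableMedia", "ApplicationRead", "CloudStorage",
                   "IsPublic", "SharedViaLink", "SharedViaDomain"}


def _matches_simple(event, file_hash, username, hostname, exposures) -> bool:
    """AND semantics: every supplied argument must match; a missing argument
    imposes no constraint."""
    if file_hash and file_hash.lower() not in (
            event["md5Checksum"].lower(), event["sha256Checksum"].lower()):
        return False
    if username and event["deviceUserName"] != username:
        return False
    if hostname and event["osHostName"] != hostname:
        return False
    # A comma-separated exposure list matches if the event carries any of them
    # (assumption for this model).
    if exposures and not exposures.intersection(event["exposure"]):
        return False
    return True


def _matches_json(event, query) -> bool:
    """Simplified stand-in for the Code42 query syntax: a list of equality
    clauses {"term": <raw field>, "value": <expected>}, all of which must hold."""
    for clause in query.get("filters", []):
        if str(event.get(clause["term"])) != str(clause["value"]):
            return False
    return True


def to_context(event: Dict[str, Any]):
    """Map one raw event onto a subset of the Code42.SecurityData and File
    context paths documented above."""
    security_data = {
        "EventID": event["eventId"], "EventType": event["eventType"],
        "FileName": event["fileName"], "FileSize": event["fileSize"],
        "FileHostname": event["osHostName"], "DeviceUsername": event["deviceUserName"],
        "FileMD5": event["md5Checksum"], "FileSHA256": event["sha256Checksum"],
        "Exposure": event["exposure"], "Source": event["source"],
    }
    file_ctx = {
        "Name": event["fileName"], "Size": event["fileSize"],
        "MD5": event["md5Checksum"], "SHA256": event["sha256Checksum"],
        "Hostname": event["osHostName"],
    }
    return security_data, file_ctx


def securitydata_search(events, json_query=None, file_hash=None, username=None,
                        hostname=None, exposure=None, results=100):
    """Apply the documented argument rules and return the context outputs."""
    if not any([json_query, file_hash, username, hostname, exposure]):
        raise ValueError("At least one search argument must be passed")
    if json_query:
        # The JSON query is used to the exclusion of the other parameters.
        matched = [e for e in events if _matches_json(e, json.loads(json_query))]
    else:
        exposures = {x.strip() for x in (exposure or "").split(",") if x.strip()}
        unknown = exposures - VALID_EXPOSURES
        if unknown:
            raise ValueError(f"Unknown exposure type(s): {sorted(unknown)}")
        matched = [e for e in events
                   if _matches_simple(e, file_hash, username, hostname, exposures)]
    pairs = [to_context(e) for e in matched[:results]]
    return {"Code42.SecurityData": [sd for sd, _ in pairs],
            "File": [f for _, f in pairs]}


if __name__ == "__main__":
    # Same arguments as the command example above.
    print(json.dumps(securitydata_search(
        SAMPLE_EVENTS, file_hash="eef8b12d2ed0d6a69fe77699d5640c7b",
        exposure="CloudStorage,ApplicationRead"), indent=2))
```

Running the module reproduces the command example: both events with the given MD5 are returned because each carries one of the two requested exposure types, while the removable-media event is excluded. Supplying a JSON query drops the hash filter entirely, which is the behaviour to keep in mind when a playbook passes both.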

code42-alert-get


Retrieves alert details by alert ID.

Base Command

code42-alert-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.Username | string | The username associated with the alert. |
| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. |
| Code42.SecurityAlert.Description | string | The description of the alert. |
| Code42.SecurityAlert.ID | string | The alert ID. |
| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. |
| Code42.SecurityAlert.State | string | The alert state. |
| Code42.SecurityAlert.Type | string | The alert type. |
| Code42.SecurityAlert.Severity | string | The severity of the alert. |

Command Example

!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"

Human Readable Output

| Type | Occurred | Username | Name | Description | State | ID |
| --- | --- | --- | --- | --- | --- | --- |
| FED_CLOUD_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 |

code42-alert-resolve


Resolves a Code42 Security alert.

Base Command

code42-alert-resolve

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.ID | string | The alert ID of the resolved alert. |

Command Example

!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"

Human Readable Output

| ID |
| --- |
| eb272d18-bc82-4680-b570-ac5d61c6cca6 |

code42-departingemployee-add


Adds a user to the Departing Employee List.

Base Command

code42-departingemployee-add

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to add to the Departing Employee List. | Required |
| departuredate | The departure date for the employee, in the format YYYY-MM-DD. | Optional |
| note | Note to attach to the Departing Employee. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"

Human Readable Output

| UserID | DepartureDate | Note | Username |
| --- | --- | --- | --- |
| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com |

code42-departingemployee-remove


Removes a user from the Departing Employee List.

Base Command

code42-departingemployee-remove

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to remove from the Departing Employee List. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |

Command Example

!code42-departingemployee-remove username="john.user@example.com"

Human Readable Output

| UserID | Username |
| --- | --- |
| 123 | john.user@example.com |

code42-departingemployee-get


Retrieves departing employee details.

Base Command

code42-departingemployee-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email ID of the departing employee. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-get username="partner.demisto@example.com"

Context Example

{
    "Code42": {
        "DepartingEmployee": {
            "DepartureDate": null,
            "Note": "Risky activity",
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Retrieve departing employee

| DepartureDate | Note | UserID | Username |
| --- | --- | --- | --- |
|  | Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-departingemployee-get-all


Gets all employees on the Departing Employee List.

Base Command

code42-departingemployee-get-all

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| results | The number of items to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.DepartingEmployee.Username | string | The username of the Departing Employee. |
| Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. |
| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. |

Command Example

!code42-departingemployee-get-all

Context Example

{
    "Code42": {
        "DepartingEmployee": [
            {
                "DepartureDate": null,
                "Note": "test",
                "UserID": "921333907298179098",
                "Username": "user1@example.com"
            },
            {
                "DepartureDate": "2020-07-20",
                "Note": "This is added using csv file to test bulk adding of users to high risk employee list",
                "UserID": "948333588694228306",
                "Username": "user2@example.com"
            },
            {
                "DepartureDate": null,
                "Note": "",
                "UserID": "912211111144144039",
                "Username": "user3@example.com"
            }
        ]
    }
}

Human Readable Output

All Departing Employees

| DepartureDate | Note | UserID | Username |
| --- | --- | --- | --- |
|  | test | 921286907298179098 | user1@example.com |
| 2020-07-20 | This is added using csv file to test bulk adding of users to high risk employee list | 948938588694228306 | user1@example.com |
|  |  | 912249223544144039 | unicode@example.com |
|  |  | 894165832411107815 | testuser@example.com |
|  | L3 security risk | 949093399968329042 | user2@example.com |
|  | tests and more tests | 942897397520286581 | user3@example.com |
|  |  | 906619740182876328 | user4@example.com |
|  |  | 906619632003387560 | user5@example.com |
|  |  | 912338501981077099 | user6@example.com |
|  | leaving for competition | 951984198921509692 | user7@example.com.com |
|  | Leaving for competitor | 895005723650937319 | user8@example.com |

code42-highriskemployee-add


Adds a user to the High Risk Employee List.

Base Command

code42-highriskemployee-add

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to add to the High Risk Employee List. | Required |
| note | Note to attach to the High Risk Employee. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"

Context Example

{
    "Code42": {
        "HighRiskEmployee": {
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Code42 High Risk Employee List User Added

| UserID | Username |
| --- | --- |
| 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-remove


Removes a user from the High Risk Employee List.

Base Command

code42-highriskemployee-remove

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to remove from the High Risk Employee List. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. |

Command Example

!code42-highriskemployee-remove username="partner.demisto@example.com"

Context Example

{
    "Code42": {
        "HighRiskEmployee": {
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Code42 High Risk Employee List User Removed

| UserID | Username |
| --- | --- |
| 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get


Retrieves high risk employee details.

Base Command

code42-highriskemployee-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Email ID of the user. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-get username="partner.demisto@example.com"

Context Example

{
    "Code42": {
        "HighRiskEmployee": {
            "Note": "Risky activity",
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Retrieve high risk employee

| Note | UserID | Username |
| --- | --- | --- |
| Risky activity | 942876157732602741 | partner.demisto@example.com |

code42-highriskemployee-get-all


Gets all employees on the High Risk Employee List.

Base Command

code42-highriskemployee-get-all

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| risktags | Filter results to employees who have these risk tags. Space-delimited. | Optional |
| results | The number of items to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the High Risk Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.Note | string | Note associated with the High Risk Employee. |

Command Example

!code42-highriskemployee-get-all

Context Example

{
    "Code42": {
        "HighRiskEmployee": [
            {
                "Note": "tests and more tests",
                "UserID": "111117397520286581",
                "Username": "user1@example.com"
            },
            {
                "Note": "Leaving for competitor",
                "UserID": "822222723650937319",
                "Username": "user2@example.com"
            },
            {
                "Note": "Test user addition from XSOAR",
                "UserID": "913333363086307495",
                "Username": "user3@example.com"
            }
        ]
    }
}

Human Readable Output

Retrieved All High Risk Employees

| Note | UserID | Username |
| --- | --- | --- |
| tests and more tests | 942897397520286581 | user1@example.com |
| Leaving for competitor | 895005723650937319 | user2@example.com |
| Test user addition from XSOAR | 912098363086307495 | user3@example.com |
| test | 921286907298179098 | user4@example.com |
| Risky activity | 942876157732602741 | user5@example.com |

code42-highriskemployee-add-risk-tags


Associates risk tags with a High Risk Employee.

Base Command

code42-highriskemployee-add-risk-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. |

Command Example

!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Human Readable Output

Code42 Risk Tags Added

| RiskTags | UserID | Username |
| --- | --- | --- |
| PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |

code42-highriskemployee-remove-risk-tags


Disassociates risk tags from a High Risk Employee.

Base Command

code42-highriskemployee-remove-risk-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the High Risk Employee. | Required |
| risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. |
| Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. |
| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. |

Command Example

!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"

Context Example

{
    "Code42": {
        "HighRiskEmployee": [
            {
                "RiskTags": "PERFORMANCE_CONCERNS",
                "UserID": "942876157732602741",
                "Username": "partner.demisto@example.com"
            }
        ]
    }
}

Human Readable Output

Code42 Risk Tags Removed

| RiskTags | UserID | Username |
| --- | --- | --- |
| PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |

code42-user-create


Creates a Code42 user.

Base Command

code42-user-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| orgname | The name of the Code42 organization from which to add the user. | Required |
| username | The username to give to the user. | Required |
| email |  | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.Username | String | A username for a Code42 user. |
| Code42.User.Email | String | An email for a Code42 user. |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command Example

!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"

Human Readable Output

Code42 User Created

| Email | UserID | Username |
| --- | --- | --- |
| created.in.cortex.xsoar@example.com | 1111158111459014270 | created.in.cortex.xsoar@example.com |

code42-user-block


Blocks a user in Code42. A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.

Base Command

code42-user-block

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to block. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command Example

!code42-user-block username="partner.demisto@example.com"

Human Readable Output

Code42 User Blocked

| UserID |
| --- |
| C2345 |

code42-user-unblock


Removes a block, if one exists, on the user with the given username. Unblocked users are allowed to log in and restore files.

Base Command

code42-user-unblock

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to unblock. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | An ID for a Code42 user. |

Command Example

!code42-user-unblock username="partner.demisto@example.com"

Human Readable Output

Code42 User Blocked

| UserID |
| --- |
| C2345 |

code42-user-deactivate


Deactivates a user in Code42, signing them out of their devices. Backups are discontinued for a deactivated user, and their archives go to cold storage.

Base Command

code42-user-deactivate

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to deactivate. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | The ID of a Code42 User. |

Command Example

!code42-user-deactivate username="partner.demisto@example.com"

Human Readable Output

Code42 User Deactivated

| UserID |
| --- |
| 123456790 |

code42-user-reactivate


Reactivates the user with the given username.

Base Command

code42-user-reactivate

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to reactivate. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.User.UserID | String | The ID of a Code42 User. |

Command Example

!code42-user-reactivate username="partner.demisto@example.com"

Human Readable Output

Code42 User Reactivated

| UserID |
| --- |
| 123456790 |

code42-legalhold-add-user


Adds a Code42 user to a legal hold matter.

Base Command

code42-legalhold-add-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to add to the given legal hold matter. | Required |
| mattername | The name of the legal hold matter to which the user will be added. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command Example

!code42-legalhold-add-user username="partner.demisto@example.com" mattername="test"

Context Example

{
    "Code42": {
        "LegalHold": {
            "MatterID": "932880202064992021",
            "MatterName": "test",
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Code42 User Added to Legal Hold Matter

| MatterID | MatterName | UserID | Username |
| --- | --- | --- | --- |
| 932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |

code42-legalhold-remove-user


Removes a Code42 user from a legal hold matter.

Base Command

code42-legalhold-remove-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to release from the given legal hold matter. | Required |
| mattername | The name of the legal hold matter from which the user will be released. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.LegalHold.UserID | Unknown | The ID of a Code42 user. |
| Code42.LegalHold.MatterID | String | The ID of a Code42 legal hold matter. |
| Code42.LegalHold.Username | String | A username for a Code42 user. |
| Code42.LegalHold.MatterName | String | A name for a Code42 legal hold matter. |

Command Example

!code42-legalhold-remove-user username="partner.demisto@example.com" mattername="test"

Context Example

{
    "Code42": {
        "LegalHold": {
            "MatterID": "932880202064992021",
            "MatterName": "test",
            "UserID": "942876157732602741",
            "Username": "partner.demisto@example.com"
        }
    }
}

Human Readable Output

Code42 User Removed from Legal Hold Matter

| MatterID | MatterName | UserID | Username |
| --- | --- | --- | --- |
| 932880202064992021 | test | 942876157732602741 | partner.demisto@example.com |

code42-download-file


Downloads a file from Code42.

Base Command

code42-download-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Either the SHA256 or MD5 hash of the file. | Required |

Command Example

!code42-download-file hash="bf6b326107d4d85eb485eed84b28133a"

Human Readable Output

Code42 User Deactivated

| Type | Size | Info | MD5 | SHA1 | SHA256 | SHA512 | SSDeep |
| --- | --- | --- | --- | --- | --- | --- | --- |
| application/vnd.ms-excel | 41,472 bytes | Composite Document File V2 Document, Little Endian, Os: MacOS, Version 14.10, Code page: 10000, Last Saved By: John Doe, Name of Creating Application: Microsoft Macintosh Excel, Create Time/Date: Fri Feb 21 17:35:19 2020, Last Saved Time/Date: Mon Apr 13 11:54:08 2020, Security: 0 | 2e45562437ec4f41387f2e14c3850dd6 | 59e552e637bfe5254b163bb4e426a2322d10f50d | d3f8566d04df5dc34bf2607ac803a585ac81e06f28afe81f35cc2e5fe63d2ab5 | 776bd9626761cd567a4b498bafe4f5f896c3f4bc9f3c60513ccacd14251a2568fa3ba44060000affa8b57fb768c417cf271500086e4e49272f26b26a90627abb | 768:pudkQzl3ZpWh+QO3uMdS9dSttRJwyE/KtxA1almvy6mhk+GlESOwWoqSY7bTKCUv:siQzl3ZpWh+QO3uMdS9dSttRJwyE/KtF |