Code42

Formats Code42 File Events as a markdown table for display in Code42 Alert Incidents.

Classifies fetched Code42 alerts as XSOAR Incidents.

Maps Code42 Alert fields to Incident

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

The default layout for alerts generated by Code42 Incydr.

Loops through open XSOAR incidents and closes incidents created from Incydr alerts that are now dismissed.

Receives usernames from a Code42 Incydr alert and queries Active Directory for employee and supervisor information, if applicable.

This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.

Loops through Departing Employee watchlist entries from Code42 Incydr and removes employees based on specified criteria.

The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.

Loops through stand-down tickets provided by the Departing Employee Auto-Add playbook and adds employees to the Departing Employee watchlist in Code42 Incydr.

Take corrective actions against a Code42 user found to be exposing file data.

Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.

This playbook downloads a file via Code42 by either MD5 or SHA256 hash.

Retrieves Incydr alert details, assigns the alert to an analyst, and gathers employee and supervisor data from Active Directory, if applicable. Note: this playbook can be used as an alternate default to "Code42 Exfiltration Playbook" when the Code42 Incydr integration is set to "Fetch Incidents".

Loops through New Hire watchlist entries from Code42 Incydr and removes employees based on specified criteria.

Loops through stand-up tickets provided by the New Hire Auto-Add playbook and adds employees to the New Hire watchlist in Code42 Incydr.

Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command jira-get-issue to be zendesk-ticket-details and use the id parameter for issueId. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk.

Queries the New Hire watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from New Hire Watchlist playbook.

Checks for open XSOAR incidents associated with Incydr alerts and passes them to the Check Incydr Status and Close XSOAR Incident playbook.

Queries stand-down tickets from a ticketing system and passes relevant employee data to the Add Employees to Departing Employee Watchlist playbook. Intended to be run as a scheduled job.

Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command jira-issue-upload-file to be servicenow-upload-file and use the id parameter for issueId and file_id for entryId.

This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.FileEvents context for use.

Queries stand-up tickets from a ticketing system and passes relevant employee data to the Add Employees to New Hire Watchlist playbook.

Queries the Departing Employee watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from Departing Employee Watchlist playbook. Intended to be run as a scheduled job.

Formats Code42 File Events as a markdown table for display in Code42 Alert Incidents.

Classifies fetched Code42 alerts as XSOAR Incidents.

Maps Code42 Alert fields to Incident

Code42 Insider Risk software solutions provide the right balance of transparency, technology and training to detect and appropriately respond to data risk. Use the Code42EventCollector integration to fetch file events and audit logs.

Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.

Take corrective actions against a Code42 user found to be exposing file data.

Checks for open XSOAR alerts associated with Incydr alerts and passes them to the Check Incydr Status and Close XSOAR Alert playbook.

Loops through New Hire watchlist entries from Code42 Incydr and removes employees based on specified criteria.

This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.

Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command jira-get-issue to be zendesk-ticket-details and use the id parameter for issueId. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk.

This playbook downloads a file via Code42 by either MD5 or SHA256 hash.

Retrieves Incydr alert details, assigns the alert to an analyst, and gathers employee and supervisor data from Active Directory, if applicable. Note: this playbook can be used as an alternate default to "Code42 Exfiltration Playbook" when the Code42 Incydr integration is set to "Fetch Alerts".

Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.

Loops through Departing Employee watchlist entries from Code42 Incydr and removes employees based on specified criteria.

Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command jira-issue-upload-file to be servicenow-upload-file and use the id parameter for issueId and file_id for entryId.

Queries stand-down tickets from a ticketing system and passes relevant employee data to the Add Employees to Departing Employee Watchlist playbook. Intended to be run as a scheduled job.

Queries the New Hire watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from New Hire Watchlist playbook.

Loops through open XSOAR alerts and closes alerts created from Incydr alerts that are now dismissed.

Loops through stand-down tickets provided by the Departing Employee Auto-Add playbook and adds employees to the Departing Employee watchlist in Code42 Incydr.

Queries the Departing Employee watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from Departing Employee Watchlist playbook. Intended to be run as a scheduled job.

Receives usernames from a Code42 Incydr alert and queries Active Directory for employee and supervisor information, if applicable.

Queries stand-up tickets from a ticketing system and passes relevant employee data to the Add Employees to New Hire Watchlist playbook.

Loops through stand-up tickets provided by the New Hire Auto-Add playbook and adds employees to the New Hire watchlist in Code42 Incydr.

This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.FileEvents context for use.

The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.