Code42 Insider Threat Remediation

Use the Code42InsiderThreatRemediation Pack to detect and respond to security alerts from suspicious insider activity.

The Code42 Insider Threat Remediation content pack is an integrated offering that enables security teams to scale, standardize and automate certain insider threat incident response processes based on preset triggers within Cortex XSOAR.
A common trigger includes an email sent from a human capital management (HCM) system, indicating an employee has resigned or is leaving the organization.
The content pack provides security teams with a configurable lookback of an employee’s historic file movements, including browser uploads and cloud sync activity, and then automatically generates an alert to a recipient, such as the employee's manager, for review.
This detailed information can be used to easily determine sanctioned or unsanctioned activity, speed investigations and enable security teams to take a right-sized approach to incident response.

Try Code42 Incydr at no cost for 30 days

What does this pack do?

The playbooks included in this pack handle the following use-cases:

Investigating a departing employee for suspicious activity.
Automate generating departing employees from ticketing systems.
Automate attaching files from exposure-activity to ticketing systems.
Take actions on employees with when activity is reported as suspicious, such as blocking the user or adding them to legal hold.

Name	Description
Code42 Suspicious Activity Action	Take corrective actions against a Code42 user found to be exposing file data.
Code42 Add Departing Employee From Ticketing System	Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command `jira-get-issue` to be `zendesk-ticket-details` and use the `id` parameter for `issueId`. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk.
Code42 Copy File To Ticketing System	Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command `jira-issue-upload-file` to be `servicenow-upload-file` and use the `id` parameter for `issueId` and `file_id` for `entryId`.
Code42 Suspicious Activity Review	Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.

Name	Description
Code42 High Risk Employees
Code42 Departing Employees

Name	Description
Code42GetHighRiskEmployees	Gets all high risk employees.
Code42UsernameSearch	Searches exposure events for the given username.
Code42GetDepartingEmployees	Gets all departing employees.
Code42DownloadFile	Gets all departing employees and alerts for each.
Code42FileSearch	Gets all departing employees and alerts for each.

Certification	Certified	Read more
Supported By	Partner
Created	January 11, 2021
Last Release	February 24, 2021

Code42 Insider Threat Remediation

What does this pack do?

Scripts

Code42GetHighRiskEmployees

Code42DownloadFile

Code42GetDepartingEmployees

Code42UsernameSearch

Code42FileSearch

PUBLISHER

PLATFORMS

INFO

DISCLAIMER