Skip to main content

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Install and manage the Code42 app for Cortex XSOAR

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

This article describes how to integrate Code42 with Cortex XSOAR (previously Demisto). Cortex XSOAR is a security orchestration, automation, and response (SOAR) solution. Using the Code42 content packs for Cortrex XSOAR, you can view and search Code42 data in Cortex XSOAR, manage employees on the Departing Employees list or High Risk Employees list, and accomplish other tasks from Cortex XSOAR. 

Use cases

Depending on your use case, the free Code42 content pack may meet your needs. The Code42 Insider Threat Remediation paid content pack offers additional preset triggers to help streamline certain insider threat incident response processes.

Code42 

Use the commands included in the free Code42 content pack to: 

  • Ingest security alerts from Code42
  • View and manage employees on the Departing Employees list or High Risk Employees list
  • Search file events and metadata
  • Download files from Code42 
  • Manage Code42 legal hold custodians
  • Manage Code42 users
    • Create users
    • Block or unblock users
    • Deactivate or reactivate users 

For full information, see the Code42 integration documentation within Cortex XSOAR.

Code42 Insider Threat Remediation 

Use the Code42 Insider Threat Remediation paid content pack to to scale, standardize and automate certain insider threat incident response processes based on preset triggers within Cortex XSOAR: 

  • Search activity and automatically send to the data owner for review
  • Automate generating departing employees from ticketing systems
  • Automate attaching files from exposure-activity to ticketing systems
  • Take actions on employees when activity is reported as suspicious, for example, block the user or add them to legal hold

The Code42 free content pack is required to use this paid content pack. 

Considerations

  • To use the Code42 app for Cortex XSOAR, you must enable endpoint monitoring in the Code42 console.
  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial​​​. If you don't know who your CSM is, email csmsupport@code42.com

Create a user in Code42

Prepare a user account in your Code42 environment for configuring the Code42 app for Cortex XSOAR. This user account is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 app for Cortex XSOAR returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. We recommend you assign the roles in our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the right data.   
  • Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure the Code42 app for Cortex XSOAR. Users without a Code42 app archive do not consume a license. 
  • Authentication: Your Code42 credentials must rely on local authentication. SSO or authentication through any third-party provider do not work.

Configure the Code42 app for Cortex XSOAR 

  1. Sign in to your Cortex XSOAR environment. 
  2. Select Settings
  3. Select Integrations > Servers & Services.
  4. Search for Code42. 
    Demisto app
  5. From the Code42 row, click Add instance to create and configure a new integration instance. In the Code42 window: 
    1. Enter a name for your integration instance.
    2. Select Fetches incidents.  
    3. Enter the URL of your Code42 environment
    4. Enter the credentials for the user you created.
    5. Select the Incident type to which you'd like to map Code42 alerts. 
      (Optional) Select the Code42 Security Alert incident type. 
    6. (Optional) Select one or more alert severity levels to limit the Code42 alerts you'd like to ingest.
    7. Enter the First fetch time range to determine how far back to go to retrieve alerts. 
    8. Enter the number of alerts to fetch and process per run. 
    9. Check Include the list of files in returned incidents to include the file events associated with the alert.
    10. Select Test to validate the connection.  
    11. Click Done
  • Was this article helpful?