API access
Overview
This article explains the differences between base access and full access to the Code42 API. Your access depends on your Incydr product plan:
| Product plan | Base access | Full access |
|---|---|---|
| Incydr Basic | ✓ | |
| Incydr Advanced | ✓ | |
| Incydr Gov F1 | ✓ | |
| Incydr Professional | | ✓ |
| Incydr Enterprise | | ✓ |
| Incydr Gov F2 | | ✓ |
| Incydr Horizon | | ✓ |
For more information about the level of Code42 API access provided by each product plan, see the "Integrations" section of the article for that plan.
Considerations
- Not sure which level of API access is right for you? Contact your Customer Success Manager (CSM) to engage a Code42 Systems Engineer.
- See the Code42 Developer Portal for complete documentation of the Code42 APIs.
Base access
Base access to the Code42 API returns the metadata that is included in an Incydr alert. It is intended for workflow automation and alert triage: enough to close an alert or to prompt further investigation within Incydr. With base access you receive metadata for only the first 10 files involved in an exposure event, and you cannot download the content of exposed files.
Following are examples of metadata collected:
- Username
- Time range of events
- Number of files
- Filenames of the first 10 exposed files
- File paths of the first 10 exposed files
- Total file size
- File categories involved
- Exposure type
- IP address
For complete details on the alert metadata collected, see Alert details.
Full access
Full access to the Code42 API returns all metadata collected by Incydr, whether or not it is associated with an alert. This includes metadata for create, modify, delete, and exposure events, as well as the content of exposed files. Full access is intended for API-based investigation workflows, and for using Incydr file metadata to correlate and corroborate alerts raised by other security tools (for example, in a compromised-user scenario).
Following are examples of metadata collected:
- All metadata available with the base API
- File metadata for all files involved in an alert
- MD5/SHA256 file hash
- File created and modified dates
- File owner
- Process user
- Device hostname
- Fully qualified domain name (FQDN)
- Removable media: bus type, capacity, vendor name, partition ID, serial number
For complete details on all the metadata collected, see File event metadata reference.
Example use cases
Base or full API access
Automate workflows
- Ingest employment end dates from a human capital management (HCM) application to automatically add users to the Departing watchlist.
- Ingest employment information from an identity and access management (IAM) solution to automatically add contract employees to the Contractor watchlist.
- Send Incydr alerts to Slack to support right-sized response workflows.
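The HCM-driven Departing watchlist workflow above needs a small piece of logic that the page does not show: deciding, from an HCM export and the watchlist's current membership, who must be added and who can be removed. The following is an added example written for this article, not Code42 code; the CSV columns, the sample rows, and the 30-day horizon and 7-day retention values are assumptions, and it works with base access because it touches no file metadata.

```python
"""Plan a Departing-watchlist sync from an HCM export.

Added example (not Code42 code). The HCM column names and sample rows are
constructed; adjust them to your HCM export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HCM export (fictional employees). A blank end date means
# the employee is still active.
HCM_CSV = """employee_id,email,employment_end_date
1001,Alice@example.com,2024-03-15
1002,bob@example.com,
1003,carol@example.com,2024-02-01
1004,dave@example.com,2024-03-09
"""


def load_hcm_end_dates(csv_text):
    """Return {email: end_date} for rows that carry an end date.

    Emails are lower-cased so they compare cleanly with watchlist members.
    Rows without an end date are active employees and are skipped.
    """
    end_dates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["employment_end_date"].strip()
        if raw:
            end_dates[row["email"].strip().lower()] = date.fromisoformat(raw)
    return end_dates


def plan_departing_sync(end_dates, current_members, today,
                        horizon_days=30, retain_days=7):
    """Return (to_add, to_remove) for the Departing watchlist.

    A user belongs on the watchlist when their end date falls between
    `retain_days` in the past (keep watching briefly after departure so
    late-arriving events are still attributed) and `horizon_days` ahead.
    Everyone else currently on the list is a removal candidate, which
    also handles an end date that HCM later cleared or pushed out.
    """
    horizon = today + timedelta(days=horizon_days)
    cutoff = today - timedelta(days=retain_days)
    should_watch = {u for u, d in end_dates.items() if cutoff <= d <= horizon}
    current = {u.strip().lower() for u in current_members}
    return sorted(should_watch - current), sorted(current - should_watch)


def departing_sync_plan(csv_text, current_members, today_iso,
                        horizon_days=30, retain_days=7):
    """Convenience wrapper: parse the export and the date, then plan."""
    return plan_departing_sync(load_hcm_end_dates(csv_text), current_members,
                               date.fromisoformat(today_iso),
                               horizon_days, retain_days)


if __name__ == "__main__":
    # Constructed current membership: carol departed a month ago, dave is
    # already listed, alice is not yet on the list.
    members = {"Carol@example.com", "dave@example.com"}
    add, remove = departing_sync_plan(HCM_CSV, members, "2024-03-01")
    print("add:", add)        # alice (ends in two weeks)
    print("remove:", remove)  # carol (past the retention window)
```

The two returned lists are what you would feed to the watchlist add/remove calls documented on the Code42 Developer Portal; note that those calls identify people by Incydr user ID rather than email, so a lookup step sits between this plan and the request (an assumption to confirm against the current API reference).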
Triage alerts
- Send Incydr alerts for routing and triage into a ticketing tool, a security information and event management (SIEM) application, or a security orchestration, automation, and response (SOAR) solution.
Full API access
Investigate file movement
- Query Incydr from your SOAR solution to determine whether any files were exfiltrated when an identity and access management (IAM) solution detects that a user has logged on from an IP address in another country.
- Query Incydr from your SOAR solution to determine whether any files left an endpoint when an endpoint detection and response (EDR) application determines that a system was compromised.
Investigate high volume events
- Retrieve metadata for all of the files involved, not just the first 10, when, for example, an employee moves hundreds of files onto a flash drive.
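Both of the investigation use cases above (correlating an EDR compromise finding with file movement, and summarising a high-volume removable-media event) reduce to the same operation once the file events have been retrieved with full access: select the events on the affected host in a time window around the detection, keep the ones whose exposure type means the file left the endpoint, and use the file hashes to see whether the same content turned up anywhere else. The block below is an added example written for this article, not Code42 code; the field names are a simplified subset of the Incydr file event metadata, the exposure-type values and the sample events are constructed, and the 24-hour lookback is an assumption.

```python
"""Correlate an EDR compromise finding with Incydr file-event metadata.

Added example (not Code42 code). Assumes the events were already fetched
with full API access; field names are simplified and the sample data is
constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Exposure types treated as "the file left the endpoint". Assumed values
# for this example; map them to the real exposure types in your tenant.
EXFIL_EXPOSURES = {"RemovableMedia", "CloudStorage", "ApplicationRead", "SharedViaLink"}

# Constructed full-access file events (fictional hosts, users and hashes).
SAMPLE_EVENTS = [
    {"eventId": "e1", "timestamp": "2024-03-01T08:40:00Z", "user": "alice@example.com",
     "hostname": "WS-0042", "fileName": "q1-forecast.xlsx", "sha256": "aa" * 32,
     "exposure": "RemovableMedia", "sizeBytes": 1_200_000},
    {"eventId": "e2", "timestamp": "2024-03-01T08:41:00Z", "user": "alice@example.com",
     "hostname": "WS-0042", "fileName": "customers.csv", "sha256": "bb" * 32,
     "exposure": "CloudStorage", "sizeBytes": 450_000},
    {"eventId": "e3", "timestamp": "2024-03-01T08:42:00Z", "user": "alice@example.com",
     "hostname": "WS-0042", "fileName": "notes.txt", "sha256": "cc" * 32,
     "exposure": "", "sizeBytes": 2_000},            # modified in place, not exposed
    {"eventId": "e4", "timestamp": "2024-02-20T12:00:00Z", "user": "alice@example.com",
     "hostname": "WS-0042", "fileName": "old.pdf", "sha256": "dd" * 32,
     "exposure": "RemovableMedia", "sizeBytes": 90_000},  # outside the window
    {"eventId": "e5", "timestamp": "2024-03-01T08:50:00Z", "user": "bob@example.com",
     "hostname": "WS-0077", "fileName": "q1-forecast.xlsx", "sha256": "aa" * 32,
     "exposure": "CloudStorage", "sizeBytes": 1_200_000},  # same content, other host
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_with_edr(events, hostname, detected_at,
                       lookback=timedelta(hours=24), lookahead=timedelta(hours=1)):
    """Summarise file movement on `hostname` around an EDR detection time.

    Returns counts, bytes and exposure breakdown for files that left the
    endpoint, plus every other host on which the same SHA-256 was seen.
    The hash lookup is what needs full access: base access never returns
    file hashes or events outside an alert.
    """
    start, end = detected_at - lookback, detected_at + lookahead
    on_host = [e for e in events
               if e["hostname"] == hostname and start <= parse_ts(e["timestamp"]) <= end]
    left_endpoint = [e for e in on_host if e["exposure"] in EXFIL_EXPOSURES]

    exfil_hashes = {e["sha256"] for e in left_endpoint}
    seen_elsewhere = defaultdict(set)
    for e in events:
        if e["sha256"] in exfil_hashes and e["hostname"] != hostname:
            seen_elsewhere[e["sha256"]].add(e["hostname"])

    return {
        "hostname": hostname,
        "window": (start.isoformat(), end.isoformat()),
        "events_on_host": len(on_host),
        "files_left_endpoint": len(left_endpoint),
        "bytes_left_endpoint": sum(e["sizeBytes"] for e in left_endpoint),
        "by_exposure": dict(Counter(e["exposure"] for e in left_endpoint)),
        "users": sorted({e["user"] for e in left_endpoint}),
        "same_content_elsewhere": {h: sorted(hs) for h, hs in seen_elsewhere.items()},
        "verdict": "exfiltration_likely" if left_endpoint else "no_exposure_in_window",
    }


if __name__ == "__main__":
    import json
    # Constructed EDR finding: WS-0042 flagged as compromised at 09:00 UTC.
    report = correlate_with_edr(SAMPLE_EVENTS, "WS-0042", parse_ts("2024-03-01T09:00:00Z"))
    print(json.dumps(report, indent=2))
```

For a SOAR playbook the `verdict` and `same_content_elsewhere` fields are the useful outputs: the first decides whether the compromise case is escalated to a data-loss case, the second tells the responder which other endpoints to pull into scope. The same function answers the high-volume question (hundreds of files to a flash drive) because it counts and sizes every event rather than the 10 that an alert carries.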
Integrate with a user and entity behavior analytic (UEBA) system
- Send the full file metadata collected by Incydr to your UEBA system to perform deeper analysis of user behavior.