Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

API access


This article explains the differences between base access and full access to the Code42 API. Your access depends on your Incydr product plan

  Base access Full access
Incydr Basic  Checkmark  
Incydr Advanced   Checkmark 
Incydr Gov F1   Checkmark
Incydr Professional Checkmark  
Incydr Enterprise   Checkmark
Incydr Gov F2   Checkmark
Incydr Horizon   Checkmark

For more information about the level of Code42 API access provided by product plans, see "Integrations" in the following articles:


  • Not sure which level of API access is right for you? Contact your Customer Success Manager (CSM) to engage a Code42 Systems Engineer.
  • See the Code42 Developer Portal for complete documentation of the Code42 APIs.

Base access

Base access to the Code42 API provides you with metadata that’s included in an Incydr alert. Base access is ideal to perform workflow automation and alert triage. It provides what is needed to close an alert or prompt further investigation within Incydr. With base access you receive metadata for the first 10 files involved in an exposure event. You do not have access to download the content of exposed files.

Following are examples of metadata collected:

  • Username
  • Time range of events
  • Number of files
  • Filenames of first 10 exposed files
  • File paths for first 10 exposed
  • Total file size
  • File categories involved
  • Exposure type
  • IP address

For complete details on the alert metadata collected, see Alert details.

Full access

Full access to the Code42 API provides you with all metadata collected by Incydr, whether it’s associated with an alert or not. This includes metadata for create, modify, delete, and exposure events as well as the content of exposed files. Full access is ideal when you need to conduct API-based investigation workflows or want to use Incydr file metadata to correlate and corroborate alerts triggered by other security technologies, such as in compromised user scenarios.

Following are examples of metadata collected:

  • All metadata available with the base API
  • File metadata for all files involved in an alert
  • MD5/SHA256 file hash
  • File created and modified dates
  • File owner
  • Process user
  • Device hostname
  • Fully qualified domain name (FQDN)
  • Removable Media: Bus type, capacity, vendor name, partition ID, serial number

For complete details on all the metadata collected, see File event metadata reference.

Example use cases

Base or full API access

Automate workflows

  • Ingest employment end dates from a human capital management (HCM) application to automatically add users to the Departing watchlist.

  • Ingest employment information from an identity and access management (IAM) solution to automatically add contract employees to the Contractor watchlist.

  • Send Incydr alerts to Slack to support right-sized response workflows.

Triage alerts

  • Send Incydr alerts for routing and triage into a ticketing tool, a security information and event management (SIEM) application, or a security orchestration, automation, and response (SOAR) solution.

Full API access

Investigate file movement

  • Query Incydr with your SOAR solution to correlate if any files were exfiltrated when an an identity and access management (IAM) solution detects a user has logged on from another country’s IP address.

  • Query Incydr with your SOAR solution to correlate if any files left an endpoint when an endpoint detection and response (EDR) application determined a system was compromised.

Investigate high volume events

  • Get full access to the metadata of all the files during an investigation if an employee moves hundreds of files onto a flash drive.

Integrate with a user and entity behavior analytic (UEBA) system

  • Send full file metadata collected by Incydr to your UEBA system to perform deep analysis of user behavior
  • Was this article helpful?