Skip to main content
Contact Support

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Code42 for IBM Resilient customization settings

  1. Last updated
  2. Save as PDF

Overview

Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment. This article describes those Code42-specific functions, rules, and workflows available in Resilient's Customization Settings. 

For instructions on how to install and uninstall Code42 for Resilient, as well as common use cases, see Code42 for IBM Resilient.

Code42 rules

Code42 for Resilient includes Code42 rules, which trigger Code42 workflows.  

Rules

Code42: Add user to legal hold

The Code42: Add user to legal hold rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Add user to legal hold appears. This action menu option prompts you for the Code42: Legal Hold UID and runs the Code42: Add user to legal hold workflow

Code42: Block device

The Code42: Block device rule dictates that when you have an artifact with the type System Name, the action menu option Code42: Block device appears. This action menu option runs the Code42: Block device workflow

Code42: Block user

The Code42: Block user rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Block user appears. This action menu option runs the Code42: Block user workflow

Code42: Deactivate device

The Code42: Deactivate device rule dictates that when you have an artifact with the type System Name, the action menu option Code42: Deactivate device appears. This action menu option runs the Code42: Deactivate device workflow

Code42: Deactivate user

The Code42: Deactivate user rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Deactivate user appears. This action menu option runs the Code42: Deactivate user workflow

Code42: Deauthorize device

The Code42: Deauthorize device rule dictates that when you have an artifact with the type System Name, the action menu option Code42: Deauthorize device appears. This action menu option runs the Code42: Deauthorize device workflow

Code42: Download file from backup

The Code42: Download file from backup rule dictates that in the Code42 File Events data table, the action menu option Code42: Download file from backup appears when hostname, file name, and/or file path has a value. This action menu option runs the Code42: Download file from backup workflow.

Code42: Reactivate device

The Code42: Reactivate device rule dictates that when you have an artifact with the type System Name, the action menu option Code42: Reactivate device appears. This action menu option runs the Code42: Reactivate device workflow

Code42: Reactivate user

The Code42: Reactivate user rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Reactivate user appears. This action menu option runs the Code42: Reactivate user workflow

Code42: Search file events by MD5

The Code42: Search file events by MD5 rule dictates that when you have an artifact with the type Malware MD5 Hash, the action menu option Code42: Search file events by MD5 appears. This action menu option runs the Code42: Search file events by MD5 workflow.

Code42: Search for file exposure events 

The Code42: Search for file exposure events rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Search for file exposure events appears. This action menu option prompts you to enter an On or After Date and runs the Code42: Search for file exposure events workflow

Code42: Unblock device 

The Code42: Unblock device rule dictates that when you have an artifact with the type System Name, the action menu option Code42: Unblock device appears. This action menu option runs the Code42: Unblock device workflow

Code42: Unblock user

The Code42: Unblock user rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Unblock user appears. This action menu option runs the Code42: Unblock user workflow

Code42 workflows

Code42 for Resilient includes Code42 workflows, triggered by the Code42 rules. These workflows execute Code42 custom functions.   

Workflows

Code42: Add user to legal hold

The Code42: Add user to legal hold workflow adds a user as a custodian to a legal hold and adds a note to the incident. This workflow uses the Code42: Get user by username and Code42: Add user to legal hold functions. 

Code42: Block device

The Code42: Block device workflow blocks the device and adds a note to the incident. This workflow uses the Code42: Search devices and Code42: Block device functions. 

Code42: Block user

The Code42: Block user workflow blocks the user and adds a note to the incident. This workflow uses the Code42: Get user by username and Code42: Block user functions.

Code42: Deactivate device

The Code42: Deactivate device workflow signs the user out of the Code42 agent, stops backups, and moves the user's backup archives to cold storage. This workflow uses the Code42: Search devices and Code42: Deactivate device functions. 

Code42: Deactivate user

The Code42: Deactivate user workflow blocks the user's access to Code42, stops backups, and moves the user's backup archives to cold storage. This workflow uses the Code42: Get user by username and Code42: Deactivate user functions. 

Code42: Deauthorize device

The Code42: Deauthorize device workflow signs the user out of the Code42 agent and stops backups. This workflow uses the Code42: Search devices and Code42: Deauthorize device functions. 

Code42: Download file from backup

The Code42: Download file from backup workflow downloads the most recently backed-up version of the file related to the file event in the Code42 File Events data table, then attaches the file to the incident. This workflow uses the Code42: Get user by username, Code42: Search devices, and Code42: Download file from backup functions.

Code42: Reactivate device

The Code42: Reactivate device workflow restores a user's access to Code42 and makes the user's backup archives available again. This workflow uses the Code42: Search devices and Code42: Reactivate device functions. 

Code42: Reactivate user

The Code42: Reactivate user workflow restores a user's access to Code42 and makes the user's backup archives available again. This workflow uses the Code42: Get user by username and Code42: Reactivate user functions. 

Code42: Search file events by MD5 

The Code42: Search file events by MD5 workflow searches Code42 file events for those matching the MD5 hash provided in the Malware MD5 Hash artifact and adds the results to the Code42 File Events data table, using the Code42: Search file events function. 

Code42: Search for file exposure events

The Code42: Search for file exposure events workflow searches Code42 for file exposure events from the devices of the user provided in the User Account artifact. This workflow then adds the file exposure events to the Code42 File Events data table, using the Code42: Search file events function.  

Code42: Unblock device

The Code42: Unblock device workflow unblocks the device and adds a note to the incident. This workflow uses the Code42: Search devices and Code42: Unblock device functions. 

Code42: Unblock user

The Code42: Unblock user workflow unblocks the user and adds a note to the incident. This workflow uses the Code42: Get user by username and Code42: Unblock user functions.

Code42 functions

A function in IBM Resilient is an object that performs an action. Code42 custom workflows call these functions. You can also call these functions in workflows you build yourself. Code42 functions perform actions in the Code42 environment you defined in your resilient-circuits configuration file. The available Code42 custom functions appear below, including input parameters and example outputs. Input parameters are required unless noted. 

Functions

This function adds a user as a custodian to a Code42 legal hold. The legal hold matter must already exist in Code42.

Input parameters 
  • code42_user_uid (Text): The user's unique ID. See the user_uid of the user details returned by the Get user by username function. 
  • code42_legal_hold_uid (Text): the unique identifier of the Code42 legal hold matter. Get the legal_hold_uid from the Code42 console as follows: 
    1. Sign in to the Code42 console.
    2. Choose Legal Hold > Matters from the navigation menu.
    3. From the list of all matters, click on the name of the matter. 
    4. Copy the string of numbers at the end of the web browser URL. 
      For example, the code42_legal_hold_uid for the following URL would be 645576513911664484:
https://console.us.code42.com/app/#/legal-hold/legal-matters/645576513911664484
Output
  • result (dict): Legal hold membership. See the Example Response Body in the API Documentation for output syntax.
  • error (str): If result is None, information on the cause. 
Raises

Exception if the function cannot connect to Code42

Code42: Block device

This function signs the user out of the Code42 app on that device and prevents them from being able to sign in again on that device. Backup continues. Learn more about blocking devices.

Input parameters 

  • code42_device_id (Text): Identification number for the device. See the computerId property of the device details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise.
  • error (str): Information on the failure, or None
Raises

Exception if the function cannot connect to Code42.

Code42: Block user

This function blocks a user so they cannot access Code42, but backup continues. Learn more about blocking users.

Input parameters

user_id (Text): Identification number for the user. See the userId property of the user details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise.
  • error (str): Information on the failure, or None
Raises 

Exception if the function cannot connect to Code42.

Code42: Deactivate device

With this function, the user cannot access Code42 and backup archives are moved to cold storage.  Learn more about deactivating devices.

Input parameters

code42_device_id (Text): Identification number for the device. See the computerId property of the device details returned by the following functions: 

Output
  • result  (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises 

 Exception if the function cannot connect to Code42.

Code42: Deactivate user

User cannot access Code42 and backup archives are moved to cold storage. Learn more about deactivating users.

Input parameters 

code42_user_id (Text): Identification number for the user. See the userId property of the user details returned by the following functions: 

Output
  • result  (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises 

 Exception if the function cannot connect to Code42. 

Code42: Deauthorize device

Signs the user out of the Code42 agent. The user can sign in again. Data is not removed or deleted. Learn more about deauthorizing devices.

Input parameters 

code42_device_id (Text): Identification number for the device. See the computerId property of the device details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises

 Exception if the function cannot connect to Code42. 

Code42: Download file from backup

This function downloads a file stored in a backup archive and attaches it to the IBM Resilient incident.

Input parameters 
  • code42_path (Text):  File path for the file you want to download
    • Case insensitive 
    • Requires forward slashes "/" (including for Windows)
    • Enter only one path (file or directory) 
    • Windows examples: 
      • C:/Documents/Newsletters/Summer2018.pdf
      • C:/Users/cbarrett/Documents/Receipts
    • Mac examples:
      • /Users/marlena.pawlak/Documents/315Notes.docx
      • /Users/thomas.black/Desktop
  • code42_device_guid (Text): Globally unique identifier for the device from which you want to download the file
    • See the guid property of the device details returned by the Search devices function. 
    • See the deviceUid property of the device details returned by the Search file events function. 
  • incident_id (Number): Identification number of the IBM Resilient incident  
  • Optional: code42_destination_guid (Text):  Globally unique identifier of the storage destination. See the targetComputerGuid  property in the device details returned by the Search devices function. 
Output 
  • result (bool): True if the file was successfully attached to the incident, False if otherwise
  • error (str): Information on the failure, or None
​​​​​​Raises

Exception if the function cannot connect to Code42. ​

Code42: Get user by username

This function obtains the user details from a given username. 

Input parameters

code42_username  (Text): The Code42 login name for the user.

Output
  • result (dict): User details. See the Example Response Body in the API Documentation for output syntax. 
  • error (str): If result is None, information on the cause of the error.
​​​​​​Raises

Exception if the function cannot connect to Code42. ​

Code42: Reactivate device

This function activates a device that had been previously deactivated.

Input parameters

code42_device_id (Text): Identification number for the device. See the computerId property of the device details returned by the following functions: 

Output 
  • result (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises

 Exception if the function cannot connect to Code42. 

Code42: Reactivate user

This function activates a Code42 user who had been previously deactivated. The user's archives are moved out of cold storage. Learn more about reactivating users.

Input parameters

code42_user_id  (Text): Identification number for the user. See the userId property of the user details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises

Exception if the function cannot connect to Code42.

Code42: Search devices

This function searches for a device by a given user ID and/or hostname.

Input parameters
  • code42_device_user_uid  (Optional, Text): The user's unique identifier.  See the user_uid in the user details returned by the Get user by username function. 
  • code42_hostname (Optional, Text): Either the name assigned to a device by Code42, the name of the device as reported by the operating system, or the globally unique identifier of the device. 
Output
  • result  (list): List of devices. See the Example Response Body in the API Documentation for syntax. 
  • error (str): If result is None, information on the cause of the error.
​​​​​​Raises

Exception if the function cannot connect to Code42.

Code42: Search file events

This function runs a file event query using Code42 Forensic Search, for example based on filename, file hash, and/or username. This function facilitates requests with "AND" conditions.

Input parameters
Output
  • result (dict):
    • file_events (list): File events (up to 100*) matching the query. See the Example Value in the API Documentation for syntax. 
    • total_count (int): Number of file events matching the query.  
  • error (str): If result is None, information on the cause of the error.
Raises

Exception if the function cannot connect to Code42.

*If the total count is over 100, use Code42 Forensic Search to view all the results.

Code42: Unblock device

This function re-enables access to Code42 on the device. Learn more about unblocking devices.

Input parameters 

code42_device_id (Text): Identification number for the device. See the computerId property of the device details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None
Raises

Exception if the function cannot connect to Code42.

Code42: Unblock user

This function restores a user's access to Code42. Learn more about unblocking users.

Input parameters

code42_user_id (Text): Identification number for the user. See the userId  property of the user details returned by the following functions: 

Output
  • result (bool): True if the request was successful, False if otherwise
  • error (str): Information on the failure, or None 
Raises 

Exception if the function cannot connect to Code42.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Available in CrashPlan Cloud
    No
    Available in other/on-premises product plans
    No
    Available in Incydr Basic and Advanced
    Yes
    Available in Incydr Pro, Enterprise, and Horizon
    Yes
    Available in Instructor
    No
    Available in CrashPlan for Small Business
    No
  2. Tags
    1. IBM Resilient