Introduction to Incydr Flows


Incydr Flows connect other systems or workflows to Code42, speeding the process for detecting, investigating, and responding to insider risks. These integrations can add contextual information about users and orchestrate response controls. This article provides a brief introduction to Incydr Flows.

For information about configuring Incydr Flows connections in the Code42 console, see Configure Incydr Flows


  • Incydr Flows can be configured to run automatically or manually:
    • Automatically: The workflow runs when specific criteria are met.
    • Manually: The workflow is available to run manually from the Code42 console. It appears as an option under Custom Actions in the Actions menu. This Actions menu is available from the User Profile and when you investigate a user's activity.  
      Actions button

Incydr Flows:

  • Are a paid service on some product plans.
  • Are not available in the Code42 federal environment.
  • Require assistance and setup from Code42 Professional Services. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Use cases

Use Incydr Flows to take custom actions to meet a variety of use cases. Work with the Code42 Professional Services team to determine what systems and workflows to integrate to meet your goals in mitigating insider risk.

Context Flows

Incydr Context Flows are a category of automated integrations in which user information is ingested into Code42 from other systems. For example:

  • Ingest user context such as departure date or employment status from human capital management (HCM) systems, such as BambooHR or Workday, or from ticket-based systems like Atlassian Jira.
  • Automatically add users to the Departing watchlist based on updates to information in your HCM system or the creation of new offboarding tickets.

Response Flows

Incydr Response Flows are a category of automated integrations used to contain or resolve a situation, or to educate a user. For example:

  • When an alert is triggered in Code42, a notification is automatically generated and sent to members of your security team in Slack or Microsoft Teams. Those team members can then review and respond to the alert by: 
    • Clicking links in the notification to the Code42 console to start investigating 
    • Generating a direct message template to send to the actor involved in the alert
    • Closing the alert in Incydr
  • When an alert is triggered in Code42, members of your security team can review the alert, access the user's profile, and then use the Actions menu to take steps to prevent data loss, such as:
    • Containing their devices to prevent them from connecting to other devices
    • Adding them to a group with restricted access and permissions
    • Disabling their elevated credentials
    • Creating an ticket in your incident management system for prioritization, investigation, and resolution

Next steps 

  • Once you determine what systems and workflows to integrate, collaborate with others in your organization who manage those systems. In the setup process, those stakeholders provide input and help manage access to those systems. 
  • Create a Code42 user service account to use to configure Incydr Flows. This account must be a local (non-SSO) user to which you assign roles that provide the necessary permissions. We recommend you assign the roles in our use case for managing a security application integrated with Code42
  • Configure your vendor systems in preparation for use with Incydr Flows.
  • Consider whether to use a separate test environment to test and validate your workflows first. 
  • Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team and get started.