Introduction to Incydr Flows

Overview

Incydr Flows connect Incydr with other applications and workflows in your environment, speeding the process for detecting, investigating, and responding to insider risks. These integrations can provide watchlist and alert automations, as well as orchestrate response controls. This article provides a brief introduction to Incydr Flows.

For information about configuring Incydr Flows connections in the Code42 console, see Configure Incydr Flows.

Considerations

Incydr Flows:

  • Are a paid service.
  • Are not available in the Code42 federal environment.
  • May require assistance and setup from Code42 Professional Services. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Use cases

Incydr Flows have four main categories: Watchlist management, Alert triage, Containment (endpoint), and Containment (permissions).

  • Watchlist management Flows are automated integrations that manage user membership on Incydr watchlists based on a user's status in an external system. For example:
    • Add an employee to the Departing Employee watchlist based on their departure date in your HR system, such as BambooHR, Workday, or Jira.
    • Sync membership between Mimecast’s profile groups and Incydr watchlists to apply Mimecast email controls to members of an Incydr watchlist.
  • Alert triage Flows are automated integrations that send Incydr alerts to services like Microsoft Teams, Slack, and ServiceNow for further triage. For example, new Incydr alerts can automatically generate a message in Slack for your Security team to review. From that message, team members can choose to: open the alert in Incydr to investigate in more detail, generate a message template to send to the user, or close the alert.
  • Containment (endpoint) Flows are integrations that enable you to quarantine a user's endpoint from within Incydr via tools like SentinelOne and CrowdStrike. Containment actions are not automatic; you must take manual action to initiate a flow that quarantines a user's endpoint.
  • Containment (permissions) Flows are integrations that enable you to revoke a user's access permissions via tools like Okta and Microsoft Entra. Containment actions are not automatic; you must take manual action to initiate a flow that revokes user access.

Watchlist management and Alert triage Flows run automatically when specific criteria are met or on a set schedule. Containment Flows are run manually in the Code42 console from the Actions menu in a user's profile or an alert's details.

Next steps

  • Once you determine which systems and workflows to integrate, collaborate with the people in your organization who manage those systems. During setup, those stakeholders provide input and help manage access to those systems.
  • Consider whether to use a separate test environment to test and validate your workflows first.
  • Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team and get started. Code42 will work with you to establish the setup requirements for each Flow, including creating a Code42 API client.