Configure Incydr Flows

Overview

Incydr Flows facilitate quick, no-code integrations to automate workflows between Incydr and your other security and IT tools. These integrations can help speed your processes for detecting, investigating, and responding to insider risks.

This article explains how to configure Incydr Flows. Setup requires assistance from Code42 Professional Services; to get started, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Considerations

  • Incydr Flows are licensed individually. (For example, to use two different Flows, two licenses are required.) You must be licensed for at least one Flow to complete the steps below.
  • Incydr Flows are not available in the Code42 Federal (US3), Australia (AU1), and South Africa (ZA1) environments.

Steps

Work with Code42 Professional Services to complete the setup for your Incydr Flow:

  1. Sign in to the Code42 console.
  2. Go to Administration > Integrations > Incydr Flows.
  3. Select an Incydr Flow from the list.
    The Add Flow dialog appears.
  4. Work with Code42 Professional Services to complete the required fields (fields vary for each Flow).
  5. Click Submit.
  6. Review the Status column to verify the Flow's status. Possible statuses include:
    • Not configured: The Flow is licensed, but not configured. Complete the setup steps to enable the Flow.
    • Connected - Pending initial run: The Flow is configured, but has not run yet. After the first scheduled or manual run, the status will update to Connected (if successful) or display an error (if unsuccessful).
    • Connected: The Flow is connected and running successfully.
    • Error - Licensing expired: The Flow is configured but the license is expired. Contact Code42 to update your license. Once the license is renewed, the status will automatically return to Connected.
    • Error - Flow failed to run: The Flow is configured but did not run successfully. If this error continues, review your configuration settings or contact Code42.


Available Incydr Flows

There are four categories of Incydr Flows: Watchlist management, Alert triage, Containment (endpoint), and Containment (permissions). A brief summary of each integration is listed below.

Watchlist management

Watchlist management Flows run automatically based on a schedule you define.

  • BambooHR - Add an employee to the Departing Employee watchlist based on their departure date in BambooHR.
  • CrowdStrike - Add an employee to an Incydr watchlist based on high-severity detections in CrowdStrike.
  • Jira - Add an employee to the Departing Employee watchlist based on a Jira ticket with their departure date.
  • Workday - Add an employee to the Departing Employee watchlist based on their departure date in Workday.
  • UKG - Add an employee to the Departing Employee watchlist based on their departure date in UKG.
  • Mimecast - Sync membership between an Incydr watchlist and a Mimecast profile group, to which Mimecast controls can be applied.

Alert triage

Alert triage Flows run automatically based on a schedule you define.

  • Microsoft Teams - Publish Incydr alerts for triage in a Teams channel or in a direct message.
  • Slack - Publish Incydr alerts for triage in a Slack channel or in a direct message.
  • ServiceNow - Open a ticket and create an incident in ServiceNow from an Incydr alert.

Containment (endpoint)

Endpoint containment Flows do not run automatically; you must take manual action to initiate these Flows.

  • SentinelOne - Quarantine all of a user's endpoints and isolate them from the network via SentinelOne.
  • CrowdStrike (Network) - Quarantine all of a user's endpoints and isolate them from the network via CrowdStrike.
  • CrowdStrike (USB) - Block access to USB ports on a user's endpoint via CrowdStrike.

Containment (permissions)

Permission containment Flows do not run automatically; you must take manual action to initiate these Flows.

  • Okta - Revoke a user's access permissions within Okta.
  • Microsoft Entra - Revoke a user's access permissions within Microsoft Entra.

Related topics