API access


This article explains the differences between base access and full access to the Code42 API. Your access depends on your Incydr product plan.

Product plan          Base access   Full access
Incydr Basic          ✓             -
Incydr Advanced       -             ✓
Incydr Gov F1         -             ✓
Incydr Professional   ✓             -
Incydr Enterprise     -             ✓
Incydr Gov F2         -             ✓
Incydr Horizon        -             ✓


  • Not sure which level of API access is right for you? Contact your Customer Success Manager (CSM) to engage a Code42 Systems Engineer.
  • See the Code42 Developer Portal for complete documentation of the Code42 APIs.

Base access

Base access to the Code42 API provides you with metadata that’s included in an Incydr alert. Base access is ideal to perform workflow automation and alert triage. It provides what is needed to close an alert or prompt further investigation within Incydr. You do not have access to download the content of exposed files.

Following are examples of metadata collected:

  • Username
  • Time range of events
  • Number of files
  • Filenames
  • File paths
  • Total file size
  • File categories involved
  • Exposure type
  • IP address

For complete details on the alert metadata collected, see Alert details.

Full access

Full access to the Code42 API provides you with all metadata collected by Incydr, whether it’s associated with an alert or not. This includes metadata for create, modify, delete, and exposure events as well as the content of exposed files. Full access is ideal when you need to conduct API-based investigation workflows or want to use Incydr file metadata to correlate and corroborate alerts triggered by other security technologies, such as in compromised user scenarios.

Following are examples of metadata collected:

  • All metadata available with the base API
  • File metadata for all files involved in an alert
  • MD5/SHA256 file hash
  • File created and modified dates
  • File owner
  • Process user
  • Device hostname
  • Fully qualified domain name (FQDN)
  • Removable Media: Bus type, capacity, vendor name, partition ID, serial number

For complete details on all the metadata collected, see File event metadata reference.

Key differences between base and full access

Base access only allows you to query events associated with an alert, while full access allows you to query all events. Specifically:

  • Base access allows you to use the v1/sessions/{id}/events endpoint to request file event metadata for events included in an alert. Base access does not allow requests to the v2/file-events endpoint for events not included in an alert.
  • Full access allows you to use both: 1) the v1/sessions/{id}/events endpoint to request file event metadata for events included in an alert, and 2) the v2/file-events endpoint to request file event metadata for all events, including those not included in an alert.

Example use cases

Base or full API access

Automate workflows

  • Ingest employment end dates from a human capital management (HCM) application to automatically add users to the Departing watchlist.

  • Ingest employment information from an identity and access management (IAM) solution to automatically add contract employees to the Contractor watchlist.

  • Send Incydr alerts to Slack to support right-sized response workflows.

Triage alerts

  • Send Incydr alerts for routing and triage into a ticketing tool, a security information and event management (SIEM) application, or a security orchestration, automation, and response (SOAR) solution.

Full API access

Investigate file movement

  • Query Incydr with your SOAR solution to correlate if any files were exfiltrated when an identity and access management (IAM) solution detects a user has logged on from another country’s IP address.

  • Query Incydr with your SOAR solution to correlate if any files left an endpoint when an endpoint detection and response (EDR) application determined a system was compromised.

Investigate high volume events

  • Get full access to the metadata of all the files during an investigation if an employee moves hundreds of files onto a flash drive.

Integrate with a user and entity behavior analytics (UEBA) system

  • Send full file metadata collected by Incydr to your UEBA system to perform deep analysis of user behavior.