Code42 INCYDR
The Code42 Incydr connector enables automated interactions with the Incydr platform for insider threat detection and response. Code42 Incydr is a comprehensive data risk detection and response solution that helps organizations protect against insider threats. This connector enables Swimlane Turbine users to automate case management, session analysis, and incident response activities within the Code42 Incydr environment. By integrating with Code42 Incydr, security teams can streamline their workflows, rapidly associate events with cases, add notes for context, create and update case details, and retrieve comprehensive session data, enhancing their ability to respond to insider threats efficiently.

## Prerequisites

To effectively utilize the Code42 Incydr connector for Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials authentication with the following parameters:
  - URL: the endpoint URL for the Code42 Incydr API
  - Client ID: your unique identifier issued when registering with the Code42 Incydr API
  - Client Secret: a secret key provided by Code42 Incydr to authenticate your API requests

## Capabilities

The Code42 Incydr connector has the following capabilities:

- Add Event to a Case
- Add Note to a Session
- Create a Case
- Delete a Case
- Get All Cases for Tenant
- Get Details of a Session
- Search for Sessions
- Update a Case

## Notes

For more information on Code42 Incydr, see https://developer.code42.com/api/.

## Configurations

### Code42 Incydr OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Client ID | The client ID | string | Required |
| Client Secret | The client secret | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Event to a Case

Associates a specific event with a case in Code42 Incydr using the unique eventId and caseNumber.

Endpoint URL: `/v1/cases/{{caseNumber}}/fileevent/{{eventId}}`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseNumber | number | Required | Unique numeric identifier for the case |
| path_parameters.eventId | string | Required | The unique identifier for the event |

Input example:

```json
{"path_parameters": {"caseNumber": 349535, "eventId": "abcd24s"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example:

```json
{
  "status_code": 204,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"message": "Event added to the case."}
}
```

### Add Note to a Session

Adds a custom note to a session in Code42 Incydr using the provided session ID and note content.

Endpoint URL: `/v1/sessions/{{id}}/add-note`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The ID of the session to add a note to |
| noteContent | string | Optional | The content of the note to add. Maximum supported character length is 2000. |

Input example:

```json
{
  "json_body": {"noteContent": "This is a new updated note for tracking."},
  "path_parameters": {"id": "2024112128"}
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example:

```json
{
  "status_code": 204,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"message": "The note was added successfully."}
}
```

### Create a Case

Initiates a new case in Code42 Incydr using a specified name to streamline incident tracking and response.

Endpoint URL: `/v1/cases`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| assignee | string | Optional | The user UID of the administrator assigned to investigate the case |
| description | string | Optional | Brief description providing context for a case |
| findings | string | Optional | Markdown-formatted text summarizing the findings for a case |
| name | string | Optional | The unique name given to the case |
| subject | string | Optional | The actor ID of the subject being investigated in this case |

Input example:

```json
{
  "json_body": {
    "assignee": "273411254592236331",
    "description": "Sample description",
    "findings": "Sample findings",
    "name": "Sample case name",
    "subject": "421380797518239242"
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Delete a Case

Permanently deletes an existing case in Code42 Incydr using the specified case number.

Endpoint URL: `/v1/cases/{{caseNumber}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseNumber | number | Required | Unique numeric identifier for the case |

Input example:

```json
{"path_parameters": {"caseNumber": 349535}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| success | boolean | Whether the operation was successful |

Output example:

```json
{
  "status_code": 204,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"message": "Case deleted.", "success": true}
}
```

### Get All Cases for Tenant

Retrieves all case details for a tenant in Code42 Incydr, including status and assignee information.

Endpoint URL: `/v1/cases`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.status | array | Optional | One or more case statuses on which to filter |
| parameters.assignee | string | Optional | User UID of an assignee of a case on which to filter |
| parameters.isAssigned | boolean | Optional | Filter cases with an assignee (true) or without (false) |
| parameters.name | string | Optional | Name of a case on which to filter; will include partial matches |
| parameters.subject | string | Optional | User UID of a subject of a case on which to filter |
| parameters.lastModifiedBy | string | Optional | User UID of the user who most recently modified the case |
| parameters.createdAt | string | Optional | Filter cases created between the supplied start and end times. Must use an ISO time interval, for example `2020-08-31T11:00:00Z/2020-09-01T15:30:00Z` |
| parameters.updatedAt | string | Optional | Filter cases last updated between the supplied start and end times. Must use an ISO time interval, for example `2020-08-31T11:00:00Z/2020-09-01T15:30:00Z` |
| parameters.pgSize | number | Optional | Max number of results to return for a page |
| parameters.pgNum | number | Optional | Page number for results, starting at 1 |
| parameters.srtKey | array | Optional | One or more values on which the response will be sorted |
| parameters.srtDir | array | Optional | The direction on which to sort the response, based on the corresponding key |

Input example:

```json
{
  "parameters": {
    "status": ["OPEN"],
    "assignee": "",
    "isAssigned": true,
    "name": "",
    "subject": "",
    "lastModifiedBy": "",
    "createdAt": "2020-08-31T11:00:00Z/2020-09-01T15:30:00Z",
    "updatedAt": "2020-08-31T11:00:00Z/2020-09-01T15:30:00Z",
    "pgSize": 2147483647,
    "pgNum": 1,
    "srtKey": ["number"],
    "srtDir": ["asc"]
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cases | array | Output field cases |
| totalCount | number | Count value |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"cases": [{}], "totalCount": 74}
}
```

### Get Details of a Session

Retrieves detailed information for a specific session in Code42 Incydr, including alerts, using the session's unique ID.

Endpoint URL: `/v1/sessions/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The session ID |

Input example:

```json
{"path_parameters": {"id": "2024112128"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| actorId | string | Unique identifier |
| beginTime | number | Time value |
| contentInspectionResults | object | Response content |
| contentInspectionResults.eventResults | array | Response content |
| contentInspectionResults.eventResults.eventId | string | Unique identifier |
| contentInspectionResults.eventResults.piiType | array | Type of the resource |
| contentInspectionResults.eventResults.status | string | Status value |
| contentInspectionResults.status | string | Status value |
| contextSummary | string | Output field contextSummary |
| criticalEvents | number | Output field criticalEvents |
| endTime | number | Time value |
| exfiltrationSummary | string | Output field exfiltrationSummary |
| firstObserved | number | Output field firstObserved |
| highEvents | number | Output field highEvents |
| lastUpdated | number | Output field lastUpdated |
| lowEvents | number | Output field lowEvents |
| moderateEvents | number | Output field moderateEvents |
| noRiskEvents | number | Output field noRiskEvents |
| notes | array | Output field notes |
| notes.content | string | Response content |
| notes.id | string | Unique identifier |
| notes.sourceTimestamp | number | Output field notes.sourceTimestamp |
| notes.userId | string | Unique identifier |

Output example (the example body is cut off in the source at this point):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"actorId": "string", "beginTime": 0, "contentInspectionResults": {"even
```

### Search for Sessions

Performs a comprehensive search for session-related information and alerts within Code42 Incydr.

Endpoint URL: `/v1/sessions`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.actor_id | string | Optional | The ID of the actor to limit the search to |
| parameters.on_or_after | number | Optional | Only include sessions beginning on or after this instant |
| parameters.before | number | Optional | Only include sessions beginning before this instant |
| parameters.has_alerts | boolean | Optional | Only include sessions that have a matching alert status. Defaults to `true`. |
| parameters.order_by | string | Optional | Which way to order the results. If not provided, results are ordered by end time. |
| parameters.risk_indicators | array | Optional | List of risk indicators that must be present on the sessions before they are returned |
| parameters.sort_direction | string | Optional | Which way to order the results, either `asc` or `desc`. If not provided, results are sorted descending. |
| parameters.state | array | Optional | Only include sessions that have a matching state |
| parameters.severity | array | Optional | Only include sessions that have a matching severity value. 0 indicates no risk, 1 = low, 2 = moderate, 3 = high, 4 = critical. |
| parameters.rule_id | array | Optional | Optional list of rule IDs to filter upon |
| parameters.watchlist_id | array | Optional | Optional list of watchlist IDs to filter upon |
| parameters.page_number | number | Optional | The page number to return, starting with 0. If not provided, 0 is assumed. |
| parameters.page_size | number | Optional | The number of results to return in a page. Max of 50. |
| parameters.content_inspection_status | string | Optional | The content inspection status to limit the search to |

Input example:

```json
{
  "parameters": {
    "actor_id": "48924",
    "on_or_after": 10,
    "before": 10,
    "has_alerts": true,
    "order_by": "end_time",
    "risk_indicators": ["process"],
    "sort_direction": "asc",
    "state": ["OPEN"],
    "severity": [1, 4],
    "rule_id": ["101", "104"],
    "watchlist_id": [""],
    "page_number": 0,
    "page_size": 10,
    "content_inspection_status": "pending"
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.actorId | string | Unique identifier |
| items.beginTime | number | Time value |
| items.contentInspectionResults | object | Response content |
| items.contentInspectionResults.eventResults | array | Response content |
| items.contentInspectionResults.eventResults.eventId | string | Unique identifier |
| items.contentInspectionResults.eventResults.piiType | array | Type of the resource |
| items.contentInspectionResults.eventResults.status | string | Status value |
| items.contentInspectionResults.status | string | Status value |
| items.contextSummary | string | Output field items.contextSummary |
| items.criticalEvents | number | Output field items.criticalEvents |
| items.endTime | number | Time value |
| items.exfiltrationSummary | string | Output field items.exfiltrationSummary |
| items.firstObserved | number | Output field items.firstObserved |
| items.highEvents | number | Output field items.highEvents |
| items.lastUpdated | number | Output field items.lastUpdated |
| items.lowEvents | number | Output field items.lowEvents |
| items.moderateEvents | number | Output field items.moderateEvents |
| items.noRiskEvents | number | Output field items.noRiskEvents |
| items.notes | array | Output field items.notes |
| items.notes.content | string | Response content |
| items.notes.id | string | Unique identifier |
| items.notes.sourceTimestamp | number | Output field items.notes.sourceTimestamp |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {"items": [{}], "totalCount": 0}
}
```

### Update a Case

Updates an existing case in Code42 Incydr with a specified case number by changing its name and status.

Endpoint URL: `/v1/cases/{{caseNumber}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseNumber | number | Required | Unique numeric identifier for the case |
| assignee | string | Optional | The user UID of the administrator assigned to investigate the case |
| description | string | Optional | Brief description providing context for a case |
| findings | string | Optional | Markdown-formatted text summarizing the findings for a case |
| name | string | Optional | The unique name given to the case |
| status | string | Optional | Indicates the status of the case. `OPEN`: the case is active and all aspects of the case are editable. `CLOSED`: the case is resolved; closed cases cannot be re-opened or modified, and case data for closed cases is retained indefinitely. `ARCHIVED`: the case is no longer active; file events and file contents are permanently deleted and no longer accessible, and archived cases cannot be un-archived or modified. |
| subject | string | Optional | The actor ID of the subject being investigated in this case |

Input example:

```json
{
  "json_body": {
    "assignee": "273411254592236331",
    "description": "Sample description",
    "findings": "Sample findings",
    "name": "Sample case name",
    "status": "OPEN",
    "subject": "421380797518239242"
  },
  "path_parameters": {"caseNumber": 349535}
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Encoding": "gzip",
    "Content-Length": "1468",
    "Connection": "close",
    "Content-Type": "text/html;charset=UTF-8"
  },
  "reason": "OK",
  "json_body": {}
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1468 |
| Content-Type | The media type of the resource | text/html;charset=UTF-8 |
| Date | The date and time at which the message was originated | Wed, 07 Aug 2024 11:21:28 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 19 Nov 1981 08:52:00 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | Apache/2.4.41 (Ubuntu) |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
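The following Python client, added here as an illustration and not part of Swimlane's or Code42's own connector code, drives the session and case actions described above and enforces the documented limits (the 2000-character note cap, the 50-item session page size, the 0-4 severity scale, and the terminal CLOSED/ARCHIVED case statuses) before a request is sent. It assumes `base_url` is the Incydr API host, that an OAuth 2.0 client-credentials bearer token has already been obtained, and that `send` is any transport callable so the logic can be exercised offline.

```python
"""Minimal client for the Incydr case and session actions documented above (added
example, not Swimlane's or Code42's own connector code).  Assumes `base_url` is the
Incydr API host, `token` an OAuth 2.0 client-credentials bearer token obtained
elsewhere, and `send(method, url, params, body, headers)` any transport callable
(a wrapper over requests.request, or a recording stub for offline use)."""

MAX_NOTE_LEN = 2000      # add note to a session: 2000-character maximum
MAX_PAGE_SIZE = 50       # search for sessions: page_size max of 50
SEVERITY = {0: "no risk", 1: "low", 2: "moderate", 3: "high", 4: "critical"}
TERMINAL_STATUS = {"CLOSED", "ARCHIVED"}   # update a case: cannot be modified


class IncydrClient:
    def __init__(self, base_url, token, send):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}"}
        self._send = send

    def _call(self, method, path, params=None, body=None):
        return self._send(method, self.base_url + path, params, body, self.headers)

    def search_sessions(self, *, severity=(), actor_id=None, has_alerts=True,
                        page_number=0, page_size=MAX_PAGE_SIZE):
        """GET /v1/sessions, enforcing the documented limits before sending."""
        if not set(severity).issubset(SEVERITY):
            raise ValueError(f"severity values must be 0-4, got {list(severity)}")
        if not 1 <= page_size <= MAX_PAGE_SIZE:
            raise ValueError(f"page_size must be 1..{MAX_PAGE_SIZE}, got {page_size}")
        params = {"has_alerts": has_alerts, "page_number": page_number, "page_size": page_size}
        if severity:
            params["severity"] = list(severity)
        if actor_id:
            params["actor_id"] = actor_id
        return self._call("GET", "/v1/sessions", params=params)

    def add_session_note(self, session_id, note):
        """POST /v1/sessions/{id}/add-note; reject notes over the 2000-char limit."""
        if len(note) > MAX_NOTE_LEN:
            raise ValueError(f"note is {len(note)} chars; limit is {MAX_NOTE_LEN}")
        return self._call("POST", f"/v1/sessions/{session_id}/add-note",
                          body={"noteContent": note})

    def attach_session_events(self, case_number, session):
        """POST each eventId under contentInspectionResults.eventResults to the case."""
        results = session.get("contentInspectionResults", {}).get("eventResults", [])
        event_ids = [r["eventId"] for r in results if r.get("eventId")]
        for event_id in event_ids:
            self._call("POST", f"/v1/cases/{case_number}/fileevent/{event_id}")
        return event_ids

    def update_case(self, case_number, current_status, **fields):
        """PUT /v1/cases/{caseNumber}; CLOSED and ARCHIVED cases are terminal."""
        if current_status in TERMINAL_STATUS:
            raise ValueError(f"case {case_number} is {current_status}; cannot be modified")
        return self._call("PUT", f"/v1/cases/{case_number}", body=fields)
```

Because the transport is injected, the same class can be wired to `requests.request` in production or to a recording stub in a unit test that checks the exact method, URL and body each action produces.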