# Code42 Incydr
The Code42 Incydr connector enables automated interactions with the Incydr platform for insider threat detection and response.

Code42 Incydr is a comprehensive data risk detection and response solution that helps organizations protect against insider threats. This connector enables Swimlane Turbine users to automate case management, session analysis, and incident response activities within the Code42 Incydr environment. By integrating with Code42 Incydr, security teams can streamline their workflows, rapidly associate events with cases, add notes for context, create and update case details, and retrieve comprehensive session data, enhancing their ability to respond to insider threats efficiently.

## Prerequisites

To effectively utilize the Code42 Incydr connector for Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials authentication with the following parameters:
  - URL: the endpoint URL for the Code42 Incydr API
  - Client ID: your unique identifier issued when registering with the Code42 Incydr API
  - Client Secret: a secret key provided by Code42 Incydr to authenticate your API requests

## Capabilities

The Code42 Incydr connector has the following capabilities:

- Add Event to a Case
- Add Note to a Session
- Create a Case
- Delete a Case
- Get All Cases for Tenant
- Get Details of a Session
- Search for Sessions
- Update a Case

## Configurations

### Code42 Incydr OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Client ID | The client ID | string | Required |
| Client Secret | The client secret | string | Required |
| Verify SSL | Verify the SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Event to a Case

Associates a specific event with a case in Code42 Incydr using the unique eventId and caseNumber.

Endpoint URL: `/v1/cases/{{caseNumber}}/fileevent/{{eventId}}`

Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| caseNumber | number | Required | Unique numeric identifier for the case |
| eventId | string | Required | The unique identifier for the event |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "message": "Event added to the case."
    }
  }
]
```

### Add Note to a Session

Adds a custom note to a session in Code42 Incydr using the provided session ID and note content.

Endpoint URL: `/v1/sessions/{{id}}/add-note`

Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | The ID of the session to add a note to |
| noteContent | string | Required | The content of the note to add. Maximum supported character length is 2000. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "message": "The note was added successfully."
    }
  }
]
```

### Create a Case

Initiates a new case in Code42 Incydr using a specified name to streamline incident tracking and response.

Endpoint URL: `/v1/cases`

Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| assignee | string | Optional | The user UID of the administrator assigned to investigate the case |
| description | string | Optional | Brief description providing context for a case |
| findings | string | Optional | Markdown-formatted text summarizing the findings for a case |
| name | string | Required | The unique name given to the case |
| subject | string | Optional | The actor ID of the subject being investigated in this case |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete a Case

Permanently deletes an existing case in Code42 Incydr using the specified case number.

Endpoint URL: `/v1/cases/{{caseNumber}}`

Method: DELETE

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| caseNumber | number | Required | Unique numeric identifier for the case |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| success | boolean | Whether the operation was successful |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "message": "Case deleted.",
      "success": true
    }
  }
]
```

### Get All Cases for Tenant

Retrieves all case details for a tenant in Code42 Incydr, including status and assignee information.

Endpoint URL: `/v1/cases`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| status | array | Optional | One or more case statuses on which to filter |
| assignee | string | Optional | User UID of an assignee of a case on which to filter |
| isAssigned | boolean | Optional | Filter cases with an assignee (true) or without (false) |
| name | string | Optional | Name of a case on which to filter; will include partial matches |
| subject | string | Optional | User UID of a subject of a case on which to filter |
| lastModifiedBy | string | Optional | User UID of the user who most recently modified the case |
| createdAt | string | Optional | Filter cases created between the supplied start and end times. Must use an ISO time interval, for example `2020-08-31T11:00:00Z/2020-09-01T15:30:00Z` |
| updatedAt | string | Optional | Filter cases last updated between the supplied start and end times. Must use an ISO time interval, for example `2020-08-31T11:00:00Z/2020-09-01T15:30:00Z` |
| pgSize | number | Optional | Max number of results to return for a page |
| pgNum | number | Optional | Page number for results, starting at 1 |
| srtKey | array | Optional | One or more values on which the response will be sorted |
| srtDir | array | Optional | The direction on which to sort the response, based on the corresponding key |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cases | array | Output field cases |
| totalCount | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "cases": [],
      "totalCount": 74
    }
  }
]
```

### Get Details of a Session

Retrieves detailed information for a specific session in Code42 Incydr, including alerts, using the session's unique ID.

Endpoint URL: `/v1/sessions/{{id}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | The session ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| actorId | string | Unique identifier |
| beginTime | number | Time value |
| contentInspectionResults | object | Response content |
| eventResults | array | Result of the operation |
| eventId | string | Unique identifier |
| piiType | array | Type of the resource |
| status | string | Status value |
| status | string | Status value |
| contextSummary | string | Output field contextSummary |
| criticalEvents | number | Output field criticalEvents |
| endTime | number | Time value |
| exfiltrationSummary | string | Output field exfiltrationSummary |
| firstObserved | number | Output field firstObserved |
| highEvents | number | Output field highEvents |
| lastUpdated | number | Output field lastUpdated |
| lowEvents | number | Output field lowEvents |
| moderateEvents | number | Output field moderateEvents |
| noRiskEvents | number | Output field noRiskEvents |
| notes | array | Output field notes |
| content | string | Response content |
| id | string | Unique identifier |
| sourceTimestamp | number | Output field sourceTimestamp |
| userId | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "actorId": "string",
      "beginTime": 0,
      "contentInspectionResults": {},
      "contextSummary": "string",
      "criticalEvents": 0,
      "endTime": 0,
      "exfiltrationSummary": "string",
      "firstObserved": 0,
      "highEvents": 0,
      "lastUpdated": 0,
      "lowEvents": 0,
      "moderateEvents": 0,
      "noRiskEvents": 0,
      "notes": [],
      "riskIndicators": []
    }
  }
]
```

### Search for Sessions

Performs a comprehensive search for session-related information and alerts within Code42 Incydr.

Endpoint URL: `/v1/sessions`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| actor_id | string | Optional | The ID of the actor to limit the search to |
| on_or_after | number | Optional | Only include sessions beginning on or after this instant |
| before | number | Optional | Only include sessions beginning before this instant |
| has_alerts | boolean | Optional | Only include sessions that have a matching alert status. Defaults to `true` |
| order_by | string | Optional | Which way to order the results. If not provided, results are ordered by end time |
| risk_indicators | array | Optional | List of risk indicators that must be present on the sessions before they are returned |
| sort_direction | string | Optional | Which way to order the results, either `asc` or `desc`. If not provided, results are sorted descending |
| state | array | Optional | Only include sessions that have a matching state |
| severity | array | Optional | Only include sessions that have a matching severity value. 0 indicates no risk, 1 = low, 2 = moderate, 3 = high, 4 = critical |
| rule_id | array | Optional | Optional list of rule IDs to filter upon |
| watchlist_id | array | Optional | Optional list of watchlist IDs to filter upon |
| page_number | number | Optional | The page number to return, starting with 0. If not provided, 0 is assumed |
| page_size | number | Optional | The number of results to return in a page, max of 50 |
| content_inspection_status | string | Optional | The content inspection status to limit the search to |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| actorId | string | Unique identifier |
| beginTime | number | Time value |
| contentInspectionResults | object | Response content |
| eventResults | array | Result of the operation |
| eventId | string | Unique identifier |
| piiType | array | Type of the resource |
| status | string | Status value |
| status | string | Status value |
| contextSummary | string | Output field contextSummary |
| criticalEvents | number | Output field criticalEvents |
| endTime | number | Time value |
| exfiltrationSummary | string | Output field exfiltrationSummary |
| firstObserved | number | Output field firstObserved |
| highEvents | number | Output field highEvents |
| lastUpdated | number | Output field lastUpdated |
| lowEvents | number | Output field lowEvents |
| moderateEvents | number | Output field moderateEvents |
| noRiskEvents | number | Output field noRiskEvents |
| notes | array | Output field notes |
| content | string | Response content |
| id | string | Unique identifier |
| sourceTimestamp | number | Output field sourceTimestamp |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "totalCount": 0
    }
  }
]
```

### Update a Case

Updates an existing case in Code42 Incydr with a specified case number by changing its name and status.

Endpoint URL: `/v1/cases/{{caseNumber}}`

Method: PUT

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| caseNumber | number | Required | Unique numeric identifier for the case |
| assignee | string | Optional | The user UID of the administrator assigned to investigate the case |
| description | string | Optional | Brief description providing context for a case |
| findings | string | Optional | Markdown-formatted text summarizing the findings for a case |
| name | string | Required | The unique name given to the case |
| status | string | Required | Indicates the status of the case. `open`: the case is active and all aspects of the case are editable. `closed`: the case is resolved; closed cases cannot be re-opened or modified, and case data for closed cases is retained indefinitely. `archived`: the case is no longer active; file events and file contents are permanently deleted and no longer accessible, and archived cases cannot be un-archived or modified |
| subject | string | Optional | The actor ID of the subject being investigated in this case |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 07 Aug 2024 11:21:28 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1468",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1468 |
| Content-Type | The media type of the resource | text/html;charset=UTF-8 |
| Date | The date and time at which the message was originated | Wed, 07 Aug 2024 11:21:28 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 19 Nov 1981 08:52:00 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | Apache/2.4.41 (Ubuntu) |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |

## Notes

For more information on Code42 Incydr, see the [Code42 Incydr API documentation](https://developer.code42.com/api/).
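The triage workflow these actions support (search high-severity sessions, attach an event to a case, note the session, close the case), as an added example that is not part of the Swimlane connector or Code42's own code. It builds and validates requests offline, enforcing the limits this page states (noteContent at most 2000 characters, page_size at most 50, severity 0 to 4, status open/closed/archived); the upper-case wire form of status and the percent-encoding helper `_seg` are assumptions, and authentication and sending are left to the caller.

```python
import urllib.parse

MAX_NOTE_CHARS = 2000   # noteContent limit stated for "Add Note to a Session"
MAX_PAGE_SIZE = 50      # page_size limit stated for "Search for Sessions"
CASE_STATUSES = ("OPEN", "CLOSED", "ARCHIVED")  # upper-case wire form is an assumption

def _req(method, path, params=None, body=None):
    return {"method": method, "path": path, "params": params or {}, "body": body}

def _seg(value):
    """Percent-encode a path segment so an ID taken from an alert cannot alter the path."""
    return urllib.parse.quote(str(value), safe="")

def search_sessions(severity=None, has_alerts=True, page_number=0, page_size=50):
    """GET /v1/sessions; severity values are 0 (no risk) .. 4 (critical)."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size must be between 1 and 50")
    if severity is not None and any(s not in range(5) for s in severity):
        raise ValueError("severity values must be 0..4")
    params = {"has_alerts": str(has_alerts).lower(),   # page default is 'true'
              "page_number": page_number, "page_size": page_size}
    if severity:
        params["severity"] = list(severity)
    return _req("GET", "/v1/sessions", params=params)

def add_event_to_case(case_number, event_id):
    """POST /v1/cases/{caseNumber}/fileevent/{eventId}."""
    if not isinstance(case_number, int) or case_number < 1:
        raise ValueError("caseNumber must be a positive integer")
    return _req("POST", f"/v1/cases/{case_number}/fileevent/{_seg(event_id)}")

def add_note_to_session(session_id, note_content):
    """POST /v1/sessions/{id}/add-note; noteContent is capped at 2000 characters."""
    if len(note_content) > MAX_NOTE_CHARS:
        raise ValueError("noteContent exceeds 2000 characters")
    return _req("POST", f"/v1/sessions/{_seg(session_id)}/add-note",
                body={"noteContent": note_content})

def update_case(case_number, name, status, findings=None):
    """PUT /v1/cases/{caseNumber}; closing or archiving is irreversible, so validate first."""
    if status.upper() not in CASE_STATUSES:
        raise ValueError("status must be open, closed or archived")
    body = {"name": name, "status": status.upper()}
    if findings is not None:
        body["findings"] = findings
    return _req("PUT", f"/v1/cases/{case_number}", body=body)
```

Each returned dict is ready to be sent with a bearer token against the configured URL; the validation errors surface before a request that would be rejected or, for a bad status, irreversible.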