# Code42

## About
Incydr is a SaaS data risk detection and response product that allows security teams to effectively mitigate data exposure and exfiltration risks without disrupting legitimate collaboration.
## Product Details
Vendor URL: Code42
Product Type: SaaS data risk detection and response
Product Tier: Tier II
Integration Method: Custom
Integration URL: Code42 - Cyderes Documentation
Log Guide: Sample Logs by Log Type
## Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: CODE42_INCYDR
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| actor | principal.user.userid |
| actorId | principal.user.product_object_id |
| "Code42" | metadata.vendor_name |
| description | security_result.description |
| "GENERIC_EVENT" | metadata.event_type |
| id | metadata.product_log_id |
| "Incydr" | metadata.product_name |
| name | security_result.summary |
| riskSeverity | security_result.severity |
| ruleId | security_result.rule_id |
| ruleSource | security_result.rule_type |
| severity | security_result.severity_details |
| state | security_result.action_details |
| tenantId | metadata.product_deployment_id |
| type | metadata.description |
| type$ | metadata.product_event_type |
## Product Event Types

| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | GENERIC_EVENT |
## Log Sample

```json
{
  "actor": "user.name@company.com",
  "actorId": "1234",
  "createdAt": "2021-12-20T23:54:46.6929430Z",
  "description": "This default rule alerts you when high risk employees move data from an endpoint.",
  "id": "ID_NUMBER",
  "name": "Exposure on an endpoint",
  "riskSeverity": "MODERATE",
  "ruleId": "RULE-id",
  "ruleSource": "High Risk Employee",
  "severity": "MEDIUM",
  "state": "OPEN",
  "target": "N/A",
  "tenantId": "Tenant_ID",
  "type": "FED_COMPOSITE",
  "type$": "ALERT_SUMMARY"
}
```
## Sample Parsing

```
metadata.product_log_id = "ID_NUMBER"
metadata.product_deployment_id = "Tenant_ID"
metadata.description = "FED_COMPOSITE"
metadata.event_timestamp = "2021-12-20T23:54:46.6929430Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Code42"
metadata.product_name = "Incydr"
metadata.product_event_type = "ALERT_SUMMARY"
metadata.ingested_timestamp = "2021-12-20T23:54:46.6929430Z"
principal.user.userid = "user.name@company.com"
principal.user.product_object_id = "1234"
security_result.action_details = "OPEN"
security_result.description = "This default rule alerts you when high risk employees move data from an endpoint."
security_result.rule_id = "RULE-id"
security_result.rule_type = "High Risk Employee"
security_result.severity = "MODERATE"
security_result.severity_details = "MEDIUM"
security_result.summary = "Exposure on an endpoint"
```
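An added Python example (not the Cyderes parser itself) that applies the field table above to the page's log sample so the expected UDM output can be checked offline before onboarding a feed; the timestamp helper and the unmapped-key report are assumptions of this example, and the sample line is a copy of the one on this page.

```python
import json
from datetime import datetime, timezone

# Constructed copy of the page's log sample (placeholder values, not live data).
SAMPLE_ALERT = '{"actor":"user.name@company.com","actorId":"1234","createdAt":"2021-12-20T23:54:46.6929430Z","description":"This default rule alerts you when high risk employees move data from an endpoint.","id":"ID_NUMBER","name":"Exposure on an endpoint","riskSeverity":"MODERATE","ruleId":"RULE-id","ruleSource":"High Risk Employee","severity":"MEDIUM","state":"OPEN","target":"N/A","tenantId":"Tenant_ID","type":"FED_COMPOSITE","type$":"ALERT_SUMMARY"}'

# Source key -> UDM field, taken from the parser table on this page.
FIELD_MAP = {
    "actor": "principal.user.userid",
    "actorId": "principal.user.product_object_id",
    "createdAt": "metadata.event_timestamp",
    "description": "security_result.description",
    "id": "metadata.product_log_id",
    "name": "security_result.summary",
    "riskSeverity": "security_result.severity",
    "ruleId": "security_result.rule_id",
    "ruleSource": "security_result.rule_type",
    "severity": "security_result.severity_details",
    "state": "security_result.action_details",
    "tenantId": "metadata.product_deployment_id",
    "type": "metadata.description",
    "type$": "metadata.product_event_type",
}

# Fixed values the parser stamps on every Incydr event.
CONSTANTS = {
    "metadata.vendor_name": "Code42",
    "metadata.product_name": "Incydr",
    "metadata.event_type": "GENERIC_EVENT",
}

def parse_incydr_timestamp(value):
    """Incydr emits 7 fractional digits; truncate to the 6 that strptime accepts."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime("%s.%s" % (base, (frac + "000000")[:6]), "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc)

def normalize(raw_line):
    """Return (udm_dict, unmapped_keys) for one Incydr alert line."""
    event = json.loads(raw_line)
    udm = dict(CONSTANTS)
    for key, udm_field in FIELD_MAP.items():
        if key in event and event[key] not in ("", None):
            udm[udm_field] = event[key]
    # Keys present in the log but absent from the mapping are dropped by the
    # parser; surface them so coverage gaps (here "target") are visible.
    unmapped = sorted(k for k in event if k not in FIELD_MAP)
    return udm, unmapped
```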
## Parser Alerting

This product currently does not have any Parser-based Alerting.