Code42

About

Incydr is a SaaS data risk detection and response product that allows security teams to effectively mitigate data exposure and exfiltration risks without disrupting legitimate collaboration.

Product Details

Vendor URL: Code42

Product Type: SaaS data risk detection and response

Product Tier: Tier II

Integration Method: Custom

Integration URL: Code42 - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: CODE42_INCYDR

UDM Fields (list of all UDM fields leveraged in the Parser; quoted values are constants the parser sets on every event):

| Log File Field  | UDM Field                          |
|-----------------|------------------------------------|
| actor           | principal.user.userid              |
| actorId         | principal.user.product_object_id   |
| "Code42"        | metadata.vendor_name               |
| description     | security_result.description        |
| "GENERIC_EVENT" | metadata.event_type                |
| id              | metadata.product_log_id            |
| "Incydr"        | metadata.product_name              |
| name            | security_result.summary            |
| riskSeverity    | security_result.severity           |
| ruleId          | security_result.rule_id            |
| ruleSource      | security_result.rule_type          |
| severity        | security_result.severity_details   |
| state           | security_result.action_details     |
| tenantId        | metadata.product_deployment_id     |
| type            | metadata.description               |
| type$           | metadata.product_event_type        |

Product Event Types

| Product Event | Description | UDM Event     |
|---------------|-------------|---------------|
| All           | All events  | GENERIC_EVENT |

Log Sample

{"actor":"user.name@company.com","actorId":"1234","createdAt":"2021-12-20T23:54:46.6929430Z","description":"This default rule alerts you when high risk employees move data from an endpoint.","id":"ID_NUMBER","name":"Exposure on an endpoint","riskSeverity":"MODERATE","ruleId":"RULE-id","ruleSource":"High Risk Employee","severity":"MEDIUM","state":"OPEN","target":"N/A","tenantId":"Tenant_ID","type":"FED_COMPOSITE","type$":"ALERT_SUMMARY"}

Sample Parsing

metadata.product_log_id = "ID_NUMBER"
metadata.product_deployment_id = "Tenant_ID"
metadata.description = "FED_COMPOSITE"
metadata.event_timestamp = "2021-12-20T23:54:46.6929430Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Code42"
metadata.product_name = "Incydr"
metadata.product_event_type = "ALERT_SUMMARY"
metadata.ingested_timestamp = "2021-12-20T23:54:46.6929430Z"
principal.user.userid = "user.name@company.com"
principal.user.product_object_id = "1234"
security_result.action_details = "OPEN"
security_result.description = "This default rule alerts you when high risk employees move data from an endpoint."
security_result.rule_id = "RULE-id"
security_result.rule_type = "High Risk Employee"
security_result.severity = "MODERATE"
security_result.severity_details = "MEDIUM"
security_result.summary = "Exposure on an endpoint"
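The mapping table and the sample parsing above can be exercised end to end with a small script. The following is an added example, not Cyderes parser code and not part of Code42's product: it applies the raw-key to UDM-field mapping from the table to the sample log line, stamps the constant fields, and reports any raw keys the table does not cover (the sample's "target" key, for instance) so that mapping gaps are visible. Two assumptions are labelled in the code: createdAt feeding metadata.event_timestamp (shown in the sample parsing but absent from the table), and the "normalization rate" being computed simply as the share of input lines that parse and produce a metadata.product_log_id.

```python
import json
from typing import Dict, List, Tuple

# Raw Incydr JSON key -> UDM field, taken from the parser table above.
# Assumption: createdAt is not in the table, but the sample parsing shows
# it populating metadata.event_timestamp, so it is mapped here as well.
FIELD_MAP: Dict[str, str] = {
    "actor": "principal.user.userid",
    "actorId": "principal.user.product_object_id",
    "createdAt": "metadata.event_timestamp",
    "description": "security_result.description",
    "id": "metadata.product_log_id",
    "name": "security_result.summary",
    "riskSeverity": "security_result.severity",
    "ruleId": "security_result.rule_id",
    "ruleSource": "security_result.rule_type",
    "severity": "security_result.severity_details",
    "state": "security_result.action_details",
    "tenantId": "metadata.product_deployment_id",
    "type": "metadata.description",
    "type$": "metadata.product_event_type",
}

# Literal values the parser sets on every Incydr event (quoted rows in the table).
CONSTANTS: Dict[str, str] = {
    "metadata.vendor_name": "Code42",
    "metadata.product_name": "Incydr",
    "metadata.event_type": "GENERIC_EVENT",
}

# The log sample from this page, embedded so the script runs offline.
SAMPLE_LOG = (
    '{"actor":"user.name@company.com","actorId":"1234",'
    '"createdAt":"2021-12-20T23:54:46.6929430Z",'
    '"description":"This default rule alerts you when high risk employees '
    'move data from an endpoint.","id":"ID_NUMBER",'
    '"name":"Exposure on an endpoint","riskSeverity":"MODERATE",'
    '"ruleId":"RULE-id","ruleSource":"High Risk Employee","severity":"MEDIUM",'
    '"state":"OPEN","target":"N/A","tenantId":"Tenant_ID",'
    '"type":"FED_COMPOSITE","type$":"ALERT_SUMMARY"}'
)


def normalize(raw_line: str) -> Tuple[Dict[str, str], List[str]]:
    """Map one raw Incydr JSON line onto flat UDM field names.

    Returns the UDM dict plus the sorted list of raw keys that had no entry in
    FIELD_MAP, so that gaps in the mapping surface instead of being dropped
    silently. metadata.ingested_timestamp is deliberately not set here: it is
    assigned by the ingestion pipeline, not derived from the event.
    """
    record = json.loads(raw_line)
    udm: Dict[str, str] = dict(CONSTANTS)
    unmapped: List[str] = []
    for key, value in record.items():
        target = FIELD_MAP.get(key)
        if target is None:
            unmapped.append(key)
        elif value not in (None, ""):
            udm[target] = str(value)
    return udm, sorted(unmapped)


def normalization_rate(lines: List[str]) -> float:
    """Share of input lines that parse and yield a metadata.product_log_id.

    Assumption: this is a simplified stand-in for the 'Expected Normalization
    Rate' figure above; a malformed line or one without an id counts as
    not normalized.
    """
    if not lines:
        return 0.0
    ok = 0
    for line in lines:
        try:
            udm, _ = normalize(line)
        except json.JSONDecodeError:
            continue
        if "metadata.product_log_id" in udm:
            ok += 1
    return ok / len(lines)


if __name__ == "__main__":
    fields, leftover = normalize(SAMPLE_LOG)
    for name in sorted(fields):
        print(f'{name} = "{fields[name]}"')
    print("unmapped raw keys:", leftover)
    # One well-formed line and one constructed malformed line -> 0.5
    print("normalization rate:", normalization_rate([SAMPLE_LOG, "not json"]))
```

Running the script prints the same field assignments as the Sample Parsing block (minus ingested_timestamp) and lists "target" as the one raw key the table does not map; feeding it a batch of real export lines gives a quick sanity check that the mapping still covers what the product emits.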

Parser Alerting

This product currently does not have any parser-based alerting.