Install and manage the Incydr app for Cortex XSOAR

Overview

This article describes how to integrate Incydr with Cortex XSOAR (previously Demisto). Cortex XSOAR is a security orchestration, automation, and response (SOAR) solution. Using the Code42 Incydr content pack for Cortrex XSOAR, you can view and search Incydr data in Cortex XSOAR, manage employees on watchlists, and accomplish other tasks from Cortex XSOAR. 

Use cases

The Code42 Incydr content pack includes a variety of commands and preset triggers to help streamline insider threat incident response processes.

Use the commands included in the Code42 Incydr content pack to: 

• Ingest alerts from Incydr
• View and manage employees on watchlists
• Search file events and metadata
• Download files from Incydr
• Manage Incydr users
  • Create users
  • Block or unblock users
  • Deactivate or reactivate users 
• Manage legal hold custodians
• Search activity and automatically send to the data owner for review
• Automate generating departing employees from ticketing systems
• Automate attaching files from exposure activity to ticketing systems
• Investigate and take actions on employees when activity is reported as suspicious, for example, block the user or add them to legal hold

For full information, see the integration documentation within Cortex XSOAR.

Considerations

• This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Technical Support Engineers.

Before you begin

In the Incydr console, create an API client to provide permissions for the Incydr app for Cortex XSOAR:

• User role: As a user with the Insider Risk Admin role, create an API client to be used solely by the Incydr app for Cortex XSOAR. 
• Permissions: Set the necessary API permissions in the API client:
  • Alerts (Read/Write)
  • Detection Lists (Read/Write)
  • Device (Read)
  • File Events (Read)
  • Users (Read/Write)

After granting account access with the API client ID and secret in the next section, test to confirm that the necessary data is accessible in the Incydr app for Cortex XSOAR.

Configure the Incydr app for Cortex XSOAR 

1. Sign in to your Cortex XSOAR environment. 
2. Select Settings. 
3. Select Integrations > Instances.
4. Search for Code42. 
   
5. From the Code42 row, click Add instance to create and configure a new integration instance.
6. In the Code42 window: 
   1. Enter a name for your instance.
   2. Select Fetches incidents.  
   3. In Code42 Console URL for your Code42 environment enter the URL of your Incydr environment without https://, for example, console.us.code42.com. 
   4. In API Client ID enter the ID of the API client created as described in Before you begin above.
   5. In API Client Secret enter the secret of the API client.
   6. (Optional) Select Alert severities to fetch when fetching incidents to limit the Incydr alerts you'd like to ingest.
   7. Enter the First fetch time range to determine how far back to go to retrieve alerts. 
   8. Enter the number of Alerts to fetch per run. 
   9. Select Include the list of files in returned incidents to include the file events associated with the alert.
   10. Enter the Incidents Fetch Interval.
   11. Check Use v2 file events to use the latest file event metadata data model.
   12. Click Test to validate the connection.  
   13. Click Save & exit. 

External resources

• Cortex XSOAR integrations
• Cortex XSOAR solution brief

Related topics

• Manage Rules reference 
• File event metadata reference
• Roles reference