The deprecations listed below remain in a functional, yet deprecated state for one year from the announcement date. If you have API scripts that use the deprecated items, update the scripts before the deprecation period ends. After one year has passed, there is no guarantee that deprecated APIs will remain functional. If you need help, please contact our Technical Support Engineers.
Incydr Developer Portal
See the
Developer Portal for
more API documentation and resources. The portal provides:
Use the Developer Portal for your API needs as much as possible. APIs
in the portal are the preferred way to integrate with Incydr. If you
use APIs that do not appear on the Developer Portal, contact our Technical Support Engineers
for guidance on the best way to integrate with Incydr.
April 2026
Instructor lesson API integration
April 27, 2026
Instructor lesson details can now be retrieved via the Incydr API, enabling you to deliver lessons through your preferred method (for example, via integration with your SIEM, SOAR, ticket platform, chatbot, or other tools). This expands lesson delivery options beyond Incydr's built-in message services.
To deliver Instructor lessons via API integration:
In the Incydr console, configure one or more Instructor lessons to be sent via API integration instead of email, Slack, or Teams. You can choose to send a lesson via API integration from both alert rule settings and watchlist settings. When you select API integration, activity that warrants sending a lesson creates a record that can be queried via the API, but does not send the lesson to the user.
Via the Incydr API, query /v1/instructor/notification to fetch new lesson notifications.
For each new notification, query /v1/instructor/lesson/{lessonId} to fetch the lesson content.
Use the lesson data returned by the Incydr API to send the lessons via your preferred delivery mechanism.
The v2/actor-risk-profiles APIs are deprecated and being replaced by v1/actors APIs.
April 2024
Enhancements and updates
New sessions API supports grouped events in a single alert
April 3, 2024
The v1/alerts APIs are being replaced by v1/sessions APIs. The v1/sessions APIs use the newer alerts framework to group related activity into a single alert. This matches how alerts are displayed in the Code42 console. Grouping events reduces the number of alerts to be triaged, and makes it easier to identify the activity that poses the greatest risk to your organization.
The v1/alerts APIs use the legacy alert framework, which does not group related events into a single alert.
The new v1/sessions APIs use the newer alerting framework, which consolidates related events into a single alert. Sessions may include file events, alerts, Instructor lessons, and more. A single session can contain one or more alerts.
While the v1/alerts APIs returned most metadata directly in the response, the v1/sessions APIs may require additional lookups to return all the same data.
For example, the v1/alerts/query-alerts response contained both actor and actorId. The new v1/sessions equivalent only includes the actorId in the response, which can then be used to look up the actor value.
Deprecations
April 3, 2024
The v1/alerts APIs are deprecated and being replaced by v1/sessions APIs.
March 2024
Enhancements and updates
March 13, 2024
Added a new version (v2) of the Watchlists and Risk Profiles APIs and deprecated the previous version (v1). The new versions use actor_id in place of the previous user_id. For complete documentation of the new v2 APIs, see the Code42 Developer Portal:
The previous version (v1) of the following Watchlists and Risk Profiles APIs are deprecated and replaced by a new version (v2).
/v1/user-risk-profiles
/v1/watchlists
September 2023
Enhancements and updates
September 29, 2023
Added new Actor APIs in the Code42 Developer Portal. In the path examples below, replace <actorId> with the actor’s ID, replace <name> with the actor’s username, and replace <childActorId> with the actor ID for a child in an actor’s family:
The FileCategoryByBytes and FileCategoryByExtension fields on the v2/file-events and v1/file-events API were consolidated into a single FileCategory field. FileCategoryByBytes and FileCategoryByExtension are no longer being populated with data. If you use either of these fields in your scripts or integrations, use FileCategory instead.
April 2023
Deprecations
April 19, 2023
Deprecated Computer and Devices APIs, and replaced them with new Agents APIs. Following are the deprecated Computer and Devices APIs, with the corresponding new APIs to use in scripting.
Added a new version (v2) of Rules APIs and deprecated the previous version (v1). For complete documentation of the following v2 Rules APIs, see the Code42 Developer Portal:
GET /v2/alert-rules/<ID>
GET /v2/alert-rules
POST /v2/alert-rules/<ID>/enable
POST /v2/alert-rules/enable
POST /v2/alert-rules/<ID>/disable
POST /v2/alert-rules/disable
DELETE /v2/alert-rules/<ID>/users
GET /v2/alert-rules/<ID>/users
Deprecations
v1 Rules APIs
October 6, 2022
The previous version (v1) of the following Rules APIs in the Code42 Developer Portal are deprecated and replaced by a new version (v2).
The following Users APIs are added to the Code42 Developer Portal. In the path examples, replace <userId> with the user's unique ID:
Get the roles associated with a user: GET /v1/users/<userId>/roles
Update the roles associated with a user: PUT /v1/users/<userId>/roles
Activate a user: POST /v1/users/<userId>/activate
Deactivate a user: POST /v1/users/<userId>/deactivate
Move a user to a specified organization: POST /v1/users/<userId>/move
Deprecations
Deprecated Legal Hold APIs that do not support pagination
September 22, 2022
Deprecated Legal Hold APIs that do not support pagination, and replaced them with APIs that support pagination and include totalSize in the response. Following are the deprecated Legal Hold APIs, with the corresponding new APIs to use in scripting.
Removed the /api/AuthToken/ API for use in cloud storage. Because this API is called only in limited cloud storage scenarios, you are affected only if you use py42 version 1.25.1 or earlier to automate file restores. Upgrade your py42 instance to version 1.26 or higher.
August 2022
Enhancements and updates
August 1, 2022
Added the following case API to the Code42 Developer Portal. In the path example, replace <caseNumber> with the case's unique ID:
Removed support for the v3_user_token scheme originally deprecated in January 2022. The v3_user_token scheme is replaced by the Bearer scheme, which is the standard scheme for bearer tokens.
Use this header to pass the token: Authorization: Bearer <token>
July 2022
Enhancements and updates
July 21, 2022
Added the following organization APIs to the Code42 Developer Portal. In the path examples, replace <orgGuid> with the organization's globally unique ID:
event.inserted: Indicates the date and time the event was received for indexing by Code42. This may differ slightly from the existing @timestamp field, which indicates the date and time the event was initially observed.
destination.domains: The domain section of the URLs reported in destination.tabs.url.
source.domains: The domain section of the URLs reported in source.tabs.url. (Note: Although similar in name, this field has no relation to source.domain, which reports the FQDN or IP address of the user’s device.)
May 2022
Enhancements and updates
May 20, 2022
Added a new version (v2) of File Events APIs and deprecated the previous version (v1). The data model for the APIs is improved with new groupings of data model elements in the response. For complete documentation of the following v2 File Event APIs, see the Code42 Developer Portal:
The previous version (v1) of the following File Events APIs in the Code42 Developer Portal are deprecated and replaced by a new version (v2).
/v1/file-events
/v1/file-events/export
/v1/file-events/grouping
May 18, 2022
Deprecated User APIs
Following are the deprecated User APIs, with the corresponding new APIs to use in scripting. For additional User APIs, see User APIs in the Code42 Developer Portal.
The www-authenticate header is removed from the Code42 API. As a result, making an API call with basic authentication is no longer supported in a web browser (for example to download a CSV file). To make API calls, use programming, or tools like Postman or cURL. Also as a result of this change, basic authentication of Code42 APIs is no longer supported in PowerShell unless you set a request header for authentication.
Deprecations
Basic authentication
January 26, 2022
Basic authentication is deprecated for APIs in the Code42 Developer Portal and is replaced by API clients. Basic authentication will continue to be supported for APIs not in the Code42 Developer Portal. This change is being made to align with security best practices for least privilege integrations.
Following are examples of basic authentication API calls that are now deprecated:
Basic authentication to obtain an authentication token:
curl -X GET -u "<username>:<password>" <RequestURL>/v1/auth
This also includes using basic authentication to obtain an authentication token when a second factor (TOTP) token is required. For example:
curl -X -H "totp-auth: <totp_token" GET -u "<username>:<password>" <RequestURL>/v1/auth
In the path examples, replace <RequestURL> with the URL path for your Code42 cloud. For more information, see Code42 API authentication methods.
Inconsistent API URL paths
January 26, 2022
Code42 is deprecating inconsistent Code42 API URL paths and is replacing them with unified URL paths across all APIs. This change only affects Code42 customers who use the older Code42 API paths in scripting. This change does not affect you if you use invocations from the Code42 Developer Portal.
Following are the deprecated paths, with the corresponding new paths to use in scripting.
Deprecated URL paths
New URL paths
<RequestURL>/<resource>
<RequestURL>/api/v1/<Resource>
<RequestURL>/api/<resource>
<RequestURL>/api/v1/<Resource>
<RequestURL>/<webapp>/api/<resource>
<RequestURL>/api/v1/<Resource>
<RequestURL>/<webapp>/api/v1/<resource>
<RequestURL>/api/v1/<Resource>
<RequestURL>/<webapp>/api/v2/<resource>
<RequestURL>/api/v2/<Resource>
<RequestURL>/c42api/v3/<resource>
<RequestURL>/api/v3/<resource>
Note the following:
In the path examples, replace <RequestURL> with the URL path for your Code42 cloud. For example:
Those instances where the initial character of v1 and v2 resources were lowercase, they must now begin with an uppercase character. The capitalization of resources in v3 and higher APIs is unchanged.
In the examples, <webapp> is one of the following: account, app, business, client-management, console, consumer, enterprise, enterprise-store, legal-hold, login, partner, reporting, search, security, or subscriptions.
v3_user_token scheme
January 26, 2022
The v3_user_token scheme is deprecated and is replaced by the Bearer scheme, which is the standard scheme for bearer tokens.
Following is the deprecated header used to pass a user token to an API: Authorization: v3_user_token <token>
Going forward, use this header instead to pass the token: Authorization: Bearer <token>
Auth/jwt API endpoint
January 26, 2022
The /c42api/v3/auth/jwt endpoint is now deprecated as a method for obtaining an OAuth token and is replaced by API clients.
APIs that do not support API clients
January 26, 2022
The following APIs are deprecated because they do not support API clients.
If you perform all your API integrations using APIs in the Code42 Developer Portal, the following API deprecations do not affect you since APIs in the Code42 Developer Portal support API clients.
Deprecated Legal Hold APIs
Following are the deprecated Legal Hold APIs, with the corresponding new APIs to use in scripting.
Comments
Please sign in to leave a comment.