Playbook of the Week: Speed Detection and Automate Response to Insider Risk with Cortex™ XSOAR and Code42

In the 2022 Bureau of Labor Statistics report, the overall employee turnover rate is 57.3%, including both voluntary and involuntary leaves per year. Whether employees are leaving for better opportunities or are getting let go from the company, proper security protocols are critical for organizations to protect themselves from insider threats.

Data exfiltration remains the most common type of insider threat in the U.S – more than tripling privilege misuse. With the increase in remote work and centralizing documentation in the cloud, the ways that employees and contractors can take critical files have increased exponentially. From making Google Drive links public, to external Slack channels, to Salesforce and other application downloads to personal devices, that’s what makes these leaks of confidential data so tough to control.

The question for any modern insider threat program is: How do you protect critical data without stifling productivity, collaboration, and innovation? This is where Code42 Incydr™ and Cortex XSOAR can help.

Introducing the Code42 Incydr Integration

Code42 Incydr provides insider threat protection for the modern enterprise and helps detect and respond to security alerts from suspicious insider activity. Code42’s integration with Cortex XSOAR allows joint customers to surface insider risk and accelerate incident response throughout the employee lifecycle.

See which activity is trusted and which is risky. The Code42 integration allows you to:

  • Audit your exfiltration exposure across computers, cloud applications, and email with a single product
  • Detect untrusted web and cloud activity no matter where it happens, including web browser uploads, cloud sync activity, file sharing, downloads, AirDrop, and use of removable media
  • Filter out the noise of everyday, harmless activity like uploading files to a trusted domain

Code42, together with Cortex XSOAR, enables security teams to scale, standardize, and accelerate their overall incident response process for Insider Risk, so they can quickly detect and respond to data risk when employees, contractors, or temporary workers leave your organization.

What the Code42 Content Pack Does

The Code42 content pack available via the Cortex Marketplace includes the Code42 Incydr integration, which provides accelerated incident response and automated remediation to potential file exfiltration from insiders happening across endpoints, email, cloud, and SaaS applications.

Image #1: Code42 Exfiltration Playbook in Cortex XSOAR
Image #1: Code42 Exfiltration Playbook in Cortex XSOAR


One example of the capabilities found within this content pack is the Code42 exfiltration playbook in Cortex XSOAR, which investigates potential file exfiltration and provides fast access to file events and metadata across physical and cloud environments.

And that’s just the tip of the iceberg for what is possible with the Code42 integration. This powerful integration allows organizations to accelerate and standardize the escalation workflows for insider threats throughout the employee lifecycle. This includes automating the steps within the employee offboarding process by triggering a configurable lookback of an employee’s historical file movements for manager review. Another benefit includes providing a right-sized response to insider threats at scale, whether through automated action, alerting the employee’s manager for corrective conversation, or placing a user on legal hold.


The features found within the Code42 Integration include the ability to:

  • Identify potential data exfiltration and insider risk while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
  • Accelerate and standardize incident escalation workflows for insider threats throughout the employee lifecycle.
  • Remotely add employees to, or remove employees from, Code42 watchlists or to legal hold from within Cortex XSOAR.
  • Leverage hundreds of Cortex XSOAR third-party product integrations, to coordinate responses across security functions based on insights from Code42.

For more details on the Code42 Integration within Cortex XSOAR, check out the developer article here.

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.