Code42 + Palo Alto Networks Cortex XSOAR

Simple, fast detection and response to insider threat


Most existing security stacks are built to address external threats and regulatory compliance, making it difficult to detect when proprietary data is put at risk from the inside. Code42's integration with Palo Alto Networks Cortex XSOAR™ (previously Demisto) provides accelerated incident response and automated remediation to potential file exfiltration across endpoints, email, cloud, and SaaS applications — on or off the corporate network. Code42 together with Cortex XSOAR enables security teams to scale, standardize and accelerate their overall incident response process for insider threats.


  • Streamline alerts and significantly reduce the time it takes to detect and respond to common insider threats including departing employees or remote users.
  • Search and investigate risky file movements across endpoints, email, cloud and SaaS apps – without leaving Cortex XSOAR.
  • Get complete context by understanding the user, file, exposure type, and data source associated with the alert.
  • Close incident tickets faster by automating response and remediation via Cortex XSOAR.

How the Integration Works:

  • Automate insider threat workflows by ingesting Code42 data into Cortex XSOAR to generate alerts and trigger automated playbooks tied to those alerts.
  • View complete incident context about exfiltrated files, including user, file and exposure type, file size, and data source.
  • Easily add or remove employees from Code42 risk detection lenses from within Cortex XSOAR.
  • For additional context, quickly search for files of interest in Code42 Forensic File Search by file name, size, path, hash, and more.
  • Leverage hundreds of Cortex XSOAR third-party product integrations to coordinate response across security functions based on insights from Code42.
  • Close incident tickets within Cortex XSOAR once an investigation is complete.

Next Steps?

Together Code42 and Palo Alto Networks allow security teams to automate insider threat workflows and speed time to respond.