Code42 is a big believer in “right sized response”. We’ve put out a number of materials about how reducing insider risk doesn’t mean blocking; ultimately, insider risk is a people issue. Whether intentionally or unintentionally, people move data to places they shouldn’t. Understanding the “why” on an individual level is a big part of what the analysts here at Code42 do when using Incydr internally.
With that background, we’re making a splash with a specific automated integration use case with Slack. It was a request from our internal security team who was spending a lot of time copy/pasting things from Incydr into Slack in order to reach out to end users to investigate data movement.
First off, we send the alerts to Slack and gather some info about the user: are they on a lens? How many alerts has this user triggered in the past 30 days? We summarize this data and post it into a Slack channel that the analysts have access to:
The analyst can then click into the alert in the Incydr console, go to the user’s profile page to see what else they’ve been doing, or they can take action. They can close the alert directly from Slack if they feel confident it was a false positive, or they can generate a DM template to reach out to the user. When they click that button, they get a response from the bot that they can copy/paste to the user in question and edit it as necessary:
For record-keeping and communication between members of the security team, each time you click a button to take an action, it automatically logs the action and who took it in a thread off of the alert, so you know that someone is reaching out already or has closed the alert.
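As an added illustration of the workflow described above (this is not Code42’s integration code), here is a small Python sketch that enriches a constructed Incydr-style alert with lens membership and a 30-day alert count, builds the Slack Block Kit message with the three action buttons, and produces the thread log line (and the DM template) for each button click. Every field name, user, URL and timestamp below is a constructed assumption, not the Incydr API schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumed shapes, not the Incydr API): a new alert,
# the user's prior alert timestamps, and which lenses (watchlists) they are on.
ALERT = {"id": "ALERT-0001", "user": "jdoe@example.com", "rule": "Removable media upload",
         "created": "2024-05-10T14:02:00Z", "console_url": "https://incydr.example.invalid/alerts/ALERT-0001"}
ALERT_HISTORY = {"jdoe@example.com": ["2024-05-09T10:00:00Z", "2024-04-20T08:30:00Z", "2024-02-01T12:00:00Z"]}
LENS_MEMBERS = {"jdoe@example.com": ["Departing employees"]}
NOW = datetime(2024, 5, 10, 15, 0, tzinfo=timezone.utc)  # fixed "current time" for reproducibility

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def alerts_last_30_days(user, now=NOW, history=ALERT_HISTORY):
    """Count the user's prior alerts in the trailing 30-day window (current alert excluded)."""
    cutoff = now - timedelta(days=30)
    return sum(1 for ts in history.get(user, []) if _parse(ts) >= cutoff)

def build_alert_message(alert, now=NOW, lenses=LENS_MEMBERS):
    """Slack Block Kit payload: enrichment summary plus the three action buttons."""
    user = alert["user"]
    on_lens = lenses.get(user, [])
    summary = (f"*{alert['rule']}* triggered by `{user}`\n"
               f"Lens: {', '.join(on_lens) or 'none'} | "
               f"Alerts in last 30 days: {alerts_last_30_days(user, now)}")
    return {"text": summary, "blocks": [
        {"type": "section", "text": {"type": "mrkdwn", "text": summary}},
        {"type": "actions", "elements": [
            {"type": "button", "text": {"type": "plain_text", "text": "Open in Incydr"},
             "url": alert["console_url"]},
            {"type": "button", "action_id": "close_alert", "value": alert["id"],
             "text": {"type": "plain_text", "text": "Close alert"}},
            {"type": "button", "action_id": "dm_template", "value": alert["id"],
             "text": {"type": "plain_text", "text": "Generate DM template"}}]}]}

def handle_action(action_id, alert, analyst):
    """Return (thread log line, DM template or None) for a button click.
    The log line is what gets posted in the thread so the team knows who acted."""
    if action_id == "close_alert":
        return f"{analyst} closed {alert['id']} as a false positive", None
    if action_id == "dm_template":
        template = (f"Hi, this is {analyst} from Security. We saw activity matching "
                    f"\"{alert['rule']}\" on your account today. Can you tell us what you were working on?")
        return f"{analyst} generated a DM template for {alert['id']}", template
    raise ValueError(f"unknown action {action_id}")
```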
It’s a very simple integration, but for our security team that communicates via Slack constantly, it’s a huge time saver.
We would love to hear some feedback from you on what would make this integration better, or better yet, what your response workflow is and how you operationalize Code42’s data.
Sr. Product Manager