diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Description.json b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Description.json
similarity index 88%
rename from Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Description.json
rename to Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Description.json
index b114c9bbdd23..c509509a29f0 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Description.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Description.json
@@ -8,7 +8,7 @@
   "cliName": "code42alertdescription",
   "closeForm": false,
   "columns": null,
-  "content": false,
+  "content": true,
   "defaultRows": null,
   "description": "",
   "editForm": true,
@@ -19,7 +19,7 @@
   "isReadOnly": false,
   "locked": false,
   "mergeStrategy": "",
-  "name": "Code42 Alert Description",
+  "name": "Code42 SecurityAlert Description",
   "neverSetAsRequired": false,
   "ownerOnly": false,
   "placeholder": "",
@@ -37,5 +37,6 @@
   "useAsKpi": false,
   "validatedError": "",
   "validationRegex": "",
-  "version": -1
+  "version": -1,
+  "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_ID.json b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_ID.json
similarity index 89%
rename from Packs/Code42/IncidentFields/incidentfield-Code42_Alert_ID.json
rename to Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_ID.json
index 42678525e03e..d4f90b763f38 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_ID.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_ID.json
@@ -8,7 +8,7 @@
   "cliName": "code42alertid",
   "closeForm": false,
   "columns": null,
-  "content": false,
+  "content": true,
   "defaultRows": null,
   "description": "",
   "editForm": true,
@@ -19,7 +19,7 @@
   "isReadOnly": false,
   "locked": false,
   "mergeStrategy": "",
-  "name": "Code42 Alert ID",
+  "name": "Code42 SecurityAlert ID",
   "neverSetAsRequired": false,
   "ownerOnly": false,
   "placeholder": "",
@@ -37,5 +37,6 @@
   "useAsKpi": false,
   "validatedError": "",
   "validationRegex": "",
-  "version": -1
+  "version": -1,
+  "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Name.json b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Name.json
similarity index 89%
rename from Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Name.json
rename to Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Name.json
index 5ef96b82c37b..cfdce3b994c8 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Name.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Name.json
@@ -8,7 +8,7 @@
   "cliName": "code42alertname",
   "closeForm": false,
   "columns": null,
-  "content": false,
+  "content": true,
   "defaultRows": null,
   "description": "",
   "editForm": true,
@@ -19,7 +19,7 @@
   "isReadOnly": false,
   "locked": false,
   "mergeStrategy": "",
-  "name": "Code42 Alert Name",
+  "name": "Code42 SecurityAlert Name",
   "neverSetAsRequired": false,
   "ownerOnly": false,
   "placeholder": "",
@@ -37,5 +37,6 @@
   "useAsKpi": false,
   "validatedError": "",
   "validationRegex": "",
-  "version": -1
+  "version": -1,
+  "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_State.json b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_State.json
similarity index 88%
rename from Packs/Code42/IncidentFields/incidentfield-Code42_Alert_State.json
rename to Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_State.json
index 45137a284f20..cd82f6f5e238 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_State.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_State.json
@@ -8,7 +8,7 @@
 	"cliName": "code42alertstate",
 	"closeForm": false,
 	"columns": null,
-	"content": false,
+	"content": true,
 	"defaultRows": null,
 	"description": "",
 	"editForm": true,
@@ -19,7 +19,7 @@
 	"isReadOnly": false,
 	"locked": false,
 	"mergeStrategy": "",
-	"name": "Code42 Alert State",
+	"name": "Code42 SecurityAlert State",
 	"neverSetAsRequired": false,
 	"ownerOnly": false,
 	"placeholder": "",
@@ -37,5 +37,6 @@
 	"useAsKpi": false,
 	"validatedError": "",
 	"validationRegex": "",
-	"version": -1
+	"version": -1,
+	"fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Timestamp.json b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Timestamp.json
similarity index 88%
rename from Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Timestamp.json
rename to Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Timestamp.json
index 37b7f0083720..b0e5558f2162 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Timestamp.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_SecurityAlert_Timestamp.json
@@ -8,7 +8,7 @@
   "cliName": "code42alerttimestamp",
   "closeForm": false,
   "columns": null,
-  "content": false,
+  "content": true,
   "defaultRows": null,
   "description": "",
   "editForm": true,
@@ -19,7 +19,7 @@
   "isReadOnly": false,
   "locked": false,
   "mergeStrategy": "",
-  "name": "Code42 Alert Timestamp",
+  "name": "Code42 SecurityAlert Timestamp",
   "neverSetAsRequired": false,
   "ownerOnly": false,
   "placeholder": "",
@@ -37,5 +37,6 @@
   "useAsKpi": false,
   "validatedError": "",
   "validationRegex": "",
-  "version": -1
+  "version": -1,
+  "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Severity.json b/Packs/Code42/IncidentFields/incidentfield-Code42_Severity.json
index 45eb4f6ad9c5..a964da81c299 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Severity.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_Severity.json
@@ -8,7 +8,7 @@
   "cliName": "code42severity",
   "closeForm": false,
   "columns": null,
-  "content": false,
+  "content": true,
   "defaultRows": null,
   "description": "",
   "editForm": true,
@@ -37,5 +37,6 @@
   "useAsKpi": false,
   "validatedError": "",
   "validationRegex": "",
-  "version": -1
+  "version": -1,
+  "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json b/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json
index 3d7d05ba707f..16292af7b787 100644
--- a/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json
+++ b/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json
@@ -6,7 +6,7 @@
  "cliName": "code42username",
  "closeForm": false,
  "columns": null,
- "content": false,
+ "content": true,
  "defaultRows": null,
  "description": "",
  "editForm": true,
@@ -35,5 +35,6 @@
  "useAsKpi": false,
  "validatedError": "",
  "validationRegex": "",
- "version": -1
+ "version": -1,
+ "fromVersion": "5.0.0"
 }
\ No newline at end of file
diff --git a/Packs/Code42/Integrations/Code42/CHANGELOG.md b/Packs/Code42/Integrations/Code42/CHANGELOG.md
index 244b5e76f237..d30648e07019 100644
--- a/Packs/Code42/Integrations/Code42/CHANGELOG.md
+++ b/Packs/Code42/Integrations/Code42/CHANGELOG.md
@@ -7,6 +7,11 @@ Added new commands:
         Optionally takes a list of risk tags and only gets employees who have those risk tags.
     - **code42-highriskemployee-add-risk-tags** that takes a username and risk tags and associates the risk tags with the user.
     - **code42-highriskemployee-remove-risk-tags** that takes a username and risk tags and disassociates the risk tags from the user.
+    - **code42-user-deactivate** that deactivates a user in Code42.
+    - **code42-user-reactivate** that reactivates a user in Code42.
+    - **code42-user-block** that blocks a user in Code42.
+    - **code42-user-unblock** that unblocks a user in Code42.
+    - **code42-user-create** that creates a user in Code42.
 Improve error messages for all Commands to include exception detail.
 
 ## [20.3.3] - 2020-03-18
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index a8b7c2d1300b..23dfcbe25f12 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -136,7 +136,9 @@ def _create_alert_query(event_severity_filter, start_time):
 
 def _get_all_high_risk_employees_from_page(page, risk_tags):
     res = []
-    for employee in page["items"]:
+    # Note: page is a `Py42Response` and has no `get()` method.
+    employees = page["items"]
+    for employee in employees:
         if not risk_tags:
             res.append(employee)
             continue
@@ -178,7 +180,7 @@ def _get_sdk(self):
         return self._sdk
 
     def add_user_to_departing_employee(self, username, departure_date=None, note=None):
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.departing_employee.add(
             user_id, departure_date=departure_date
         )
@@ -187,7 +189,7 @@ def add_user_to_departing_employee(self, username, departure_date=None, note=Non
         return user_id
 
     def remove_user_from_departing_employee(self, username):
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.departing_employee.remove(user_id)
         return user_id
 
@@ -196,6 +198,7 @@ def get_all_departing_employees(self, results):
         results = int(results) if results else None
         pages = self._get_sdk().detectionlists.departing_employee.get_all()
         for page in pages:
+            # Note: page is a `Py42Response` and has no `get()` method.
             employees = page["items"]
             for employee in employees:
                 res.append(employee)
@@ -204,26 +207,26 @@ def get_all_departing_employees(self, results):
         return res
 
     def add_user_to_high_risk_employee(self, username, note=None):
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.high_risk_employee.add(user_id)
         if note:
             self._get_sdk().detectionlists.update_user_notes(user_id, note)
         return user_id
 
     def remove_user_from_high_risk_employee(self, username):
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.high_risk_employee.remove(user_id)
         return user_id
 
     def add_user_risk_tags(self, username, risk_tags):
         risk_tags = _try_convert_str_list_to_list(risk_tags)
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.add_user_risk_tags(user_id, risk_tags)
         return user_id
 
     def remove_user_risk_tags(self, username, risk_tags):
         risk_tags = _try_convert_str_list_to_list(risk_tags)
-        user_id = self.get_user_id(username)
+        user_id = self._get_user_id(username)
         self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags)
         return user_id
 
@@ -248,7 +251,7 @@ def fetch_alerts(self, start_time, event_severity_filter):
     def get_alert_details(self, alert_id):
         res = self._get_sdk().alerts.get_details(alert_id)["alerts"]
         if not res:
-            raise Exception("No alert found with ID {0}.".format(alert_id))
+            raise Code42AlertNotFoundError(alert_id)
         return res[0]
 
     def resolve_alert(self, id):
@@ -259,16 +262,89 @@ def get_current_user(self):
         res = self._get_sdk().users.get_current()
         return res
 
-    def get_user_id(self, username):
+    def get_user(self, username):
         res = self._get_sdk().users.get_by_username(username)["users"]
         if not res:
-            raise Exception("No user found with username {0}.".format(username))
-        return res[0]["userUid"]
+            raise Code42UserNotFoundError(username)
+        return res[0]
+
+    def create_user(self, org_name, username, email):
+        org_uid = self._get_org_id(org_name)
+        response = self._get_sdk().users.create_user(org_uid, username, email)
+        return json.loads(response.text)
+
+    def block_user(self, username):
+        user_id = self._get_legacy_user_id(username)
+        self._get_sdk().users.block(user_id)
+        return user_id
+
+    def unblock_user(self, username):
+        user_id = self._get_legacy_user_id(username)
+        self._get_sdk().users.unblock(user_id)
+        return user_id
+
+    def deactivate_user(self, username):
+        user_id = self._get_legacy_user_id(username)
+        self._get_sdk().users.deactivate(user_id)
+        return user_id
+
+    def reactivate_user(self, username):
+        user_id = self._get_legacy_user_id(username)
+        self._get_sdk().users.reactivate(user_id)
+        return user_id
+
+    def get_org(self, org_name):
+        org_pages = self._get_sdk().orgs.get_all()
+        for org_page in org_pages:
+            orgs = org_page["orgs"]
+            for org in orgs:
+                if org.get("orgName") == org_name:
+                    return org
+        raise Code42OrgNotFoundError(org_name)
 
     def search_file_events(self, payload):
         res = self._get_sdk().securitydata.search_file_events(payload)
         return res["fileEvents"]
 
+    def _get_user_id(self, username):
+        user_id = self.get_user(username).get("userUid")
+        if user_id:
+            return user_id
+        raise Code42UserNotFoundError(username)
+
+    def _get_legacy_user_id(self, username):
+        user_id = self.get_user(username).get("userId")
+        if user_id:
+            return user_id
+        raise Code42UserNotFoundError(username)
+
+    def _get_org_id(self, org_name):
+        org_uid = self.get_org(org_name).get("orgUid")
+        if org_uid:
+            return org_uid
+        raise Code42OrgNotFoundError(org_name)
+
+
+class Code42AlertNotFoundError(Exception):
+    def __init__(self, alert_id):
+        super(Code42AlertNotFoundError, self).__init__(
+            "No alert found with ID {0}.".format(alert_id)
+        )
+
+
+class Code42UserNotFoundError(Exception):
+    def __init__(self, username):
+        super(Code42UserNotFoundError, self).__init__(
+            "No user found with username {0}.".format(username)
+        )
+
+
+class Code42OrgNotFoundError(Exception):
+    def __init__(self, org_name):
+        super(Code42OrgNotFoundError, self).__init__(
+            "No organization found with name {0}.".format(org_name)
+        )
+
 
 class Code42SearchFilters(object):
     def __init__(self):
@@ -360,7 +436,7 @@ def _create_exposure_filter(exposure_arg):
 
 
 def _create_category_filter(file_type):
-    category_value = CODE42_FILE_TYPE_MAPPER.get(file_type["category"], "UNCATEGORIZED")
+    category_value = CODE42_FILE_TYPE_MAPPER.get(file_type.get("category"), "UNCATEGORIZED")
     return FileCategory.eq(category_value)
 
 
@@ -388,11 +464,11 @@ def __init__(self, observation, actor):
 
     @property
     def _observation_data(self):
-        return self._obs["data"]
+        return self._obs.get("data")
 
     @property
     def _exfiltration_type(self):
-        return self._obs["type"]
+        return self._obs.get("type")
 
     @property
     def _is_endpoint_exfiltration(self):
@@ -417,16 +493,20 @@ def map(self):
 
     def _create_search_args(self):
         filters = FileEventQueryFilters()
-        exposure_types = self._observation_data["exposureTypes"]
-        begin_time = _convert_date_arg_to_epoch(self._observation_data["firstActivityAt"])
-        end_time = _convert_date_arg_to_epoch(self._observation_data["lastActivityAt"])
-
+        exposure_types = self._observation_data.get("exposureTypes")
+        first_activity = self._observation_data.get("firstActivityAt")
+        last_activity = self._observation_data.get("lastActivityAt")
         filters.append(self._create_user_filter())
-        filters.append(EventTimestamp.on_or_after(begin_time))
-        filters.append(EventTimestamp.on_or_before(end_time))
+        if first_activity:
+            begin_time = _convert_date_arg_to_epoch(first_activity)
+            if begin_time:
+                filters.append(EventTimestamp.on_or_after(begin_time))
+        if last_activity:
+            end_time = _convert_date_arg_to_epoch(last_activity)
+            if end_time:
+                filters.append(EventTimestamp.on_or_before(end_time))
         filters.extend(self._create_exposure_filters(exposure_types))
         filters.append(self._create_file_category_filters())
-
         return filters
 
     @logger
@@ -455,10 +535,15 @@ def _create_exposure_filters(self, exposure_types):
 
     def _create_file_category_filters(self):
         """Determine if file categorization is significant"""
-        observed_file_categories = self._observation_data["fileCategories"]
-        categories = [c["category"].upper() for c in observed_file_categories if c["isSignificant"]]
-        if categories:
-            return FileCategory.is_in(categories)
+        observed_file_categories = self._observation_data.get("fileCategories")
+        if observed_file_categories:
+            categories = [
+                c.get("category").upper()
+                for c in observed_file_categories
+                if c.get("isSignificant") and c.get("category")
+            ]
+            if categories:
+                return FileCategory.is_in(categories)
 
 
 def map_observation_to_security_query(observation, actor):
@@ -477,8 +562,9 @@ def _convert_date_arg_to_epoch(date_arg):
 def map_to_code42_event_context(obj):
     code42_context = _map_obj_to_context(obj, CODE42_EVENT_CONTEXT_FIELD_MAPPER)
     # FileSharedWith is a special case and needs to be converted to a list
-    if code42_context.get("FileSharedWith"):
-        shared_list = [u["cloudUsername"] for u in code42_context["FileSharedWith"]]
+    shared_with_list = code42_context.get("FileSharedWith")
+    if shared_with_list:
+        shared_list = [u.get("cloudUsername") for u in shared_with_list if u.get("cloudUsername")]
         code42_context["FileSharedWith"] = str(shared_list)
     return code42_context
 
@@ -508,7 +594,7 @@ def create_command_error_message(cmd, ex):
 @logger
 def alert_get_command(client, args):
     code42_securityalert_context = []
-    alert = client.get_alert_details(args["id"])
+    alert = client.get_alert_details(args.get("id"))
     if not alert:
         return CommandResults(
             readable_output="No results found",
@@ -537,7 +623,7 @@ def alert_get_command(client, args):
 @logger
 def alert_resolve_command(client, args):
     code42_securityalert_context = []
-    alert_id = client.resolve_alert(args["id"])
+    alert_id = client.resolve_alert(args.get("id"))
     if not alert_id:
         return CommandResults(
             readable_output="No results found",
@@ -568,7 +654,7 @@ def alert_resolve_command(client, args):
 @logger
 def departingemployee_add_command(client, args):
     departing_date = args.get("departuredate")
-    username = args["username"]
+    username = args.get("username")
     note = args.get("note")
     user_id = client.add_user_to_departing_employee(username, departing_date, note)
     # CaseID included but is deprecated.
@@ -591,7 +677,7 @@ def departingemployee_add_command(client, args):
 
 @logger
 def departingemployee_remove_command(client, args):
-    username = args["username"]
+    username = args.get("username")
     user_id = client.remove_user_from_departing_employee(username)
     # CaseID included but is deprecated.
     de_context = {"CaseID": user_id, "UserID": user_id, "Username": username}
@@ -615,7 +701,7 @@ def departingemployee_get_all_command(client, args):
             outputs_prefix="Code42.DepartingEmployee",
             outputs_key_field="UserID",
             outputs={"Results": []},
-            raw_response={}
+            raw_response={},
         )
 
     employees_context = [
@@ -639,7 +725,7 @@ def departingemployee_get_all_command(client, args):
 
 @logger
 def highriskemployee_add_command(client, args):
-    username = args["username"]
+    username = args.get("username")
     note = args.get("note")
     user_id = client.add_user_to_high_risk_employee(username, note)
     hr_context = {"UserID": user_id, "Username": username}
@@ -655,7 +741,7 @@ def highriskemployee_add_command(client, args):
 
 @logger
 def highriskemployee_remove_command(client, args):
-    username = args["username"]
+    username = args.get("username")
     user_id = client.remove_user_from_high_risk_employee(username)
     hr_context = {"UserID": user_id, "Username": username}
     readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Removed", hr_context)
@@ -679,7 +765,7 @@ def highriskemployee_get_all_command(client, args):
             outputs_prefix="Code42.HighRiskEmployee",
             outputs_key_field="UserID",
             outputs={"Results": []},
-            raw_response={}
+            raw_response={},
         )
     employees_context = [
         {"UserID": e.get("userId"), "Username": e.get("userName"), "Note": e.get("notes")}
@@ -773,11 +859,87 @@ def securitydata_search_command(client, args):
         )
 
 
+def user_create_command(client, args):
+    org_name = args.get("orgname")
+    username = args.get("username")
+    email = args.get("email")
+    res = client.create_user(org_name, username, email)
+    outputs = {
+        "Username": res.get("username"),
+        "UserID": res.get("userUid"),
+        "Email": res.get("email"),
+    }
+    readable_outputs = tableToMarkdown("Code42 User Created", outputs)
+    return CommandResults(
+        outputs_prefix="Code42.User",
+        outputs_key_field="UserID",
+        outputs=outputs,
+        readable_output=readable_outputs,
+        raw_response=res,
+    )
+
+
+def user_block_command(client, args):
+    username = args.get("username")
+    user_id = client.block_user(username)
+    outputs = {"UserID": user_id}
+    readable_outputs = tableToMarkdown("Code42 User Blocked", outputs)
+    return CommandResults(
+        outputs_prefix="Code42.User",
+        outputs_key_field="UserID",
+        outputs=outputs,
+        readable_output=readable_outputs,
+        raw_response=user_id,
+    )
+
+
+def user_unblock_command(client, args):
+    username = args.get("username")
+    user_id = client.unblock_user(username)
+    outputs = {"UserID": user_id}
+    readable_outputs = tableToMarkdown("Code42 User Unblocked", outputs)
+    return CommandResults(
+        outputs_prefix="Code42.User",
+        outputs_key_field="UserID",
+        outputs=outputs,
+        readable_output=readable_outputs,
+        raw_response=user_id,
+    )
+
+
+def user_deactivate_command(client, args):
+    username = args.get("username")
+    user_id = client.deactivate_user(username)
+    outputs = {"UserID": user_id}
+    readable_outputs = tableToMarkdown("Code42 User Deactivated", outputs)
+    return CommandResults(
+        outputs_prefix="Code42.User",
+        outputs_key_field="UserID",
+        outputs=outputs,
+        readable_output=readable_outputs,
+        raw_response=user_id,
+    )
+
+
+def user_reactivate_command(client, args):
+    username = args.get("username")
+    user_id = client.reactivate_user(username)
+    outputs = {"UserID": user_id}
+    readable_outputs = tableToMarkdown("Code42 User Reactivated", outputs)
+    return CommandResults(
+        outputs_prefix="Code42.User",
+        outputs_key_field="UserID",
+        outputs=outputs,
+        readable_output=readable_outputs,
+        raw_response=user_id,
+    )
+
+
 """Fetching"""
 
 
 def _create_incident_from_alert_details(details):
-    return {"name": "Code42 - {}".format(details["name"]), "occurred": details["createdAt"]}
+    return {"name": "Code42 - {}".format(details.get("name")), "occurred": details.get("createdAt")}
 
 
 def _stringify_lists_if_needed(event):
@@ -928,6 +1090,11 @@ def get_command_map():
         "code42-highriskemployee-get-all": highriskemployee_get_all_command,
         "code42-highriskemployee-add-risk-tags": highriskemployee_add_risk_tags_command,
         "code42-highriskemployee-remove-risk-tags": highriskemployee_remove_risk_tags_command,
+        "code42-user-create": user_create_command,
+        "code42-user-block": user_block_command,
+        "code42-user-unblock": user_unblock_command,
+        "code42-user-deactivate": user_deactivate_command,
+        "code42_user-reactivate": user_reactivate_command,
     }
 
 
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index 78356ecedd32..1315f1bff0f0 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -1,70 +1,87 @@
+category: Endpoint
 commonfields:
   id: Code42
   version: -1
-name: Code42
-display: Code42
-category: Endpoint
-description: Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
 configuration:
-- display: Code42 Console URL for the pod your Code42 instance is running in
+- defaultvalue: console.us.code42.com
+  display: Code42 Console URL for the pod your Code42 instance is running in
   name: console_url
-  defaultvalue: console.us.code42.com
-  type: 0
   required: true
-- display: "Username"
+  type: 0
+- display: Username
   name: credentials
-  defaultvalue: ""
-  type: 9
   required: true
+  type: 9
 - display: Fetch incidents
   name: isFetch
-  type: 8
   required: false
+  type: 8
 - display: Incident type
   name: incidentType
-  type: 13
   required: false
+  type: 13
 - display: Alert severities to fetch when fetching incidents
   name: alert_severity
-  defaultvalue: ""
-  type: 16
-  required: false
   options:
   - High
   - Medium
   - Low
-- display: First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)
+  required: false
+  type: 16
+- defaultvalue: 24 hours
+  display: First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)
   name: fetch_time
-  defaultvalue: 24 hours
-  type: 0
   required: false
-- display: Alerts to fetch per run; note that increasing this value may result in
+  type: 0
+- defaultvalue: '10'
+  display: Alerts to fetch per run; note that increasing this value may result in
     slow performance if too many results are returned at once
   name: fetch_limit
-  defaultvalue: "10"
-  type: 0
   required: false
-- display: Include the list of files in returned incidents.
+  type: 0
+- defaultvalue: 'false'
+  display: Include the list of files in returned incidents.
   name: include_files
-  defaultvalue: "false"
-  type: 8
   required: false
+  type: 8
+description: Use the Code42 integration to identify potential data exfiltration from
+  insider threats while speeding investigation and response by providing fast access
+  to file events and metadata across physical and cloud environments.
+display: Code42
+name: Code42
 script:
-  script: ''
-  type: python
   commands:
-  - name: code42-securitydata-search
-    arguments:
-    - name: json
+  - arguments:
+    - default: false
       description: JSON query payload using Code42 query syntax.
-    - name: hash
+      isArray: false
+      name: json
+      required: false
+      secret: false
+    - default: false
       description: MD5 or SHA256 hash of the file to search for.
-    - name: username
+      isArray: false
+      name: hash
+      required: false
+      secret: false
+    - default: false
       description: Username to search for.
-    - name: hostname
+      isArray: false
+      name: username
+      required: false
+      secret: false
+    - default: false
       description: Hostname to search for.
-    - name: exposure
-      auto: PREDEFINED
+      isArray: false
+      name: hostname
+      required: false
+      secret: false
+    - auto: PREDEFINED
+      default: false
+      description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead",
+        "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
+      isArray: true
+      name: exposure
       predefined:
       - RemovableMedia
       - ApplicationRead
@@ -72,11 +89,23 @@ script:
       - IsPublic
       - SharedViaLink
       - SharedViaDomain
-      description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
-      isArray: true
-    - name: results
+      required: false
+      secret: false
+    - default: false
+      defaultValue: '100'
       description: The number of results to return. The default is 100.
-      defaultValue: "100"
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Searches for a file in Security Data by JSON query, hash, username,
+      device hostname, exfiltration type, or a combination of parameters. At least
+      one argument must be passed in the command. If a JSON argument is passed, it
+      will be used to the exclusion of other parameters, otherwise parameters will
+      be combined with an AND clause.
+    execution: false
+    name: code42-securitydata-search
     outputs:
     - contextPath: Code42.SecurityData.EventTimestamp
       description: Timestamp for the event.
@@ -204,17 +233,18 @@ script:
     - contextPath: File.Hostname
       description: The hostname where the file event was captured.
       type: string
-    description: Searches for a file in Security Data by JSON query, hash, username,
-      device hostname, exfiltration type, or a combination of parameters. At least
-      one argument must be passed in the command. If a JSON argument is passed,
-      it will be used to the exclusion of other parameters, otherwise parameters will
-      be combined with an AND clause.
-  - name: code42-alert-get
-    arguments:
-    - name: id
+  - arguments:
+    - default: false
+      description: The alert ID to retrieve. Alert IDs are associated with alerts
+        that are fetched via fetch-incidents.
+      isArray: false
+      name: id
       required: true
-      description: The alert ID to retrieve. Alert IDs are associated with alerts that
-        are fetched via fetch-incidents.
+      secret: false
+    deprecated: false
+    description: Retrieve alert details by alert ID
+    execution: false
+    name: code42-alert-get
     outputs:
     - contextPath: Code42.SecurityAlert.Username
       description: The username associated with the alert.
@@ -240,30 +270,49 @@ script:
     - contextPath: Code42.SecurityAlert.Severity
       description: The severity of the alert.
       type: string
-    description: Retrieve alert details by alert ID
-  - name: code42-alert-resolve
-    arguments:
-    - name: id
-      required: true
+  - arguments:
+    - default: false
       description: The alert ID to resolve. Alert IDs are associated with alerts that
         are fetched via fetch-incidents.
+      isArray: false
+      name: id
+      required: true
+      secret: false
+    deprecated: false
+    description: Resolves a Code42 Security alert.
+    execution: false
+    name: code42-alert-resolve
     outputs:
     - contextPath: Code42.SecurityAlert.ID
       description: The alert ID of the resolved alert.
       type: string
-    description: Resolves a Code42 Security alert.
-  - name: code42-departingemployee-add
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username to add to the Departing Employee List.
-    - name: departuredate
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
       description: The departure date for the employee, in the format YYYY-MM-DD.
-    - name: note
+      isArray: false
+      name: departuredate
+      required: false
+      secret: false
+    - default: false
       description: Note to attach to the Departing Employee.
+      isArray: false
+      name: note
+      required: false
+      secret: false
+    deprecated: false
+    description: Adds a user to the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-add
     outputs:
     - contextPath: Code42.DepartingEmployee.CaseID
-      description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
+      description: Internal Code42 Case ID for the Departing Employee. Deprecated.
+        Use Code42.DepartingEmployee.UserID.
       type: string
     - contextPath: Code42.DepartingEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -276,15 +325,22 @@ script:
       type: string
     - contextPath: Code42.DepartingEmployee.DepartureDate
       description: The departure date for the Departing Employee.
-    description: Adds a user to the Departing Employee List.
-  - name: code42-departingemployee-remove
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username to remove from the Departing Employee List.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a user from the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-remove
     outputs:
     - contextPath: Code42.DepartingEmployee.CaseID
-      description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
+      description: Internal Code42 Case ID for the Departing Employee. Deprecated.
+        Use Code42.DepartingEmployee.UserID.
       type: string
     - contextPath: Code42.DepartingEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -292,13 +348,17 @@ script:
     - contextPath: Code42.DepartingEmployee.Username
       description: The username of the Departing Employee.
       type: string
-    description: Removes a user from the Departing Employee List.
-  - name: code42-departingemployee-get-all
-    arguments:
-    - name: results
+  - arguments:
+    - default: false
       description: The number of items to return.
-      defaultvalue: "50"
-      type: number
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Get all employees on the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-get-all
     outputs:
     - contextPath: Code42.DepartingEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -311,14 +371,24 @@ script:
       type: string
     - contextPath: Code42.DepartingEmployee.DepartureDate
       description: The departure date for the Departing Employee.
-    description: Get all employees on the Departing Employee List.
-  - name: code42-highriskemployee-add
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username to add to the High Risk Employee List.
-    - name: note
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
       description: Note to attach to the High Risk Employee.
+      isArray: false
+      name: note
+      required: false
+      secret: false
+    deprecated: false
+    description: Adds a user from the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-add
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
@@ -329,26 +399,42 @@ script:
     - contextPath: Code42.HighRiskEmployee.Note
       description: Note associated with the High Risk Employee.
       type: string
-    description: Adds a user from the High Risk Employee List.
-  - name: code42-highriskemployee-remove
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username to remove from the High Risk Employee List.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a user from the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-remove
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
+      type: Unknown
     - contextPath: Code42.HighRiskEmployee.Username
       description: The username of the High Risk Employee.
-    description: Removes a user from the High Risk Employee List.
-  - name: code42-highriskemployee-get-all
-    arguments:
-    - name: risktags
-      description: To filter results by employees who have these risk tags. Space delimited.
-    - name: results
+      type: Unknown
+  - arguments:
+    - default: false
+      description: To filter results by employees who have these risk tags. Space
+        delimited.
+      isArray: false
+      name: risktags
+      required: false
+      secret: false
+    - default: false
       description: The number of items to return.
-      defaultvalue: 50
-      type: number
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Get all employees on the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-get-all
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
@@ -359,15 +445,23 @@ script:
     - contextPath: Code42.HighRiskEmployee.Note
       description: Note associated with the High Risk Employee.
       type: string
-    description: Get all employees on the High Risk Employee List.
-  - name: code42-highriskemployee-add-risk-tags
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username of the High Risk Employee.
-    - name: risktags
+      isArray: false
+      name: username
       required: true
+      secret: false
+    - default: false
       description: Space-delimited risk tags to associate with the High Risk Employee.
+      isArray: false
+      name: risktags
+      required: true
+      secret: false
+    deprecated: false
+    description: Associates risk tags with the employee with the given username.
+    execution: false
+    name: code42-highriskemployee-add-risk-tags
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -377,14 +471,24 @@ script:
       type: string
     - contextPath: Code42.HighRiskEmployee.RiskTags
       description: Risk tags to associate with the High Risk Employee.
-  - name: code42-highriskemployee-remove-risk-tags
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username of the High Risk Employee.
-    - name: risktags
+      isArray: false
+      name: username
       required: true
+      secret: false
+    - default: false
       description: Space-delimited risk tags to disassociate from the High Risk Employee.
+      isArray: false
+      name: risktags
+      required: true
+      secret: false
+    deprecated: false
+    description: Disassociates risk tags from the user with the given username.
+    execution: false
+    name: code42-highriskemployee-remove-risk-tags
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -394,7 +498,110 @@ script:
       type: string
     - contextPath: Code42.HighRiskEmployee.RiskTags
       description: Risk tags to disassociate from the High Risk Employee.
-  dockerimage: demisto/py42:1.0.0.9242
+      type: Unknown
+  - arguments:
+    - default: false
+      description: The name of the Code42 organization from which to add the user.
+      isArray: false
+      name: orgname
+      required: true
+      secret: false
+    - default: false
+      description: The username to give to the user.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
+      defaultValue: The email to give to the user.
+      description: The email of the employee to create.
+      isArray: false
+      name: email
+      required: true
+      secret: false
+    deprecated: false
+    description: Creates a Code42 user.
+    execution: false
+    name: code42-user-create
+    outputs:
+    - contextPath: Code42.User.Username
+      description: A username for a Code42 user.
+      type: String
+    - contextPath: Code42.User.Email
+      description: An email for a Code42 user.
+      type: String
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to block.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Blocks a user in Code42.  A blocked user is not allowed to log in
+      or restore files. Backups will continue if the user is still active.
+    execution: false
+    name: code42-user-block
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to deactivate.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Deactivate a user in Code42; signing them out of their devices. Backups
+      discontinue for a deactivated user, and their archives go to cold storage.
+    execution: false
+    name: code42-user-deactivate
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: The ID of a Code42 User.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to unblock.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a block, if one exists, on the user with the given user ID.
+      Unblocked users are allowed to log in and restore.
+    execution: false
+    name: code42-user-unblock
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to reactivate.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Reactivates the user with the given username.
+    execution: false
+    name: code42-user-reactivate
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: The ID of a Code42 User.
+      type: String
+  dockerimage: demisto/py42:1.0.0.9323
+  feed: false
   isfetch: true
+  longRunning: false
+  longRunningPort: false
   runonce: false
+  script: '-'
   subtype: python3
+  type: python
diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
index 2170f3e21647..a3698087000d 100644
--- a/Packs/Code42/Integrations/Code42/Code42_test.py
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py
@@ -20,8 +20,13 @@
     highriskemployee_get_all_command,
     highriskemployee_add_risk_tags_command,
     highriskemployee_remove_risk_tags_command,
-    fetch_incidents,
     securitydata_search_command,
+    user_create_command,
+    user_block_command,
+    user_unblock_command,
+    user_deactivate_command,
+    user_reactivate_command,
+    fetch_incidents,
 )
 import time
 
@@ -857,6 +862,57 @@
     ]
 }"""
 
+
+MOCK_GET_ALL_ORGS_RESPONSE = """
+{
+    "totalCount": 1,
+    "orgs":
+    [
+        {
+            "orgId": 9999,
+            "orgUid": "890854247383109999",
+            "orgName": "TestCortexOrg",
+            "orgExtRef": null,
+            "notes": null,
+            "status": "Active",
+            "active": true,
+            "blocked": false,
+            "parentOrgId": 2686,
+            "parentOrgUid": "00007871952600000",
+            "type": "ENTERPRISE",
+            "classification": "BASIC",
+            "externalId": "000054247383100000",
+            "hierarchyCounts": {},
+            "configInheritanceCounts": {},
+            "creationDate": "2019-03-04T22:21:49.749Z",
+            "modificationDate": "2020-02-26T19:21:57.684Z",
+            "deactivationDate": null,
+            "registrationKey": "0000-H74U-0000-8MMM",
+            "reporting":
+            {
+                "orgManagers": []
+            },
+            "customConfig": true,
+            "settings":
+            {
+                "maxSeats": null,
+                "maxBytes": null
+            },
+            "settingsInherited":
+            {
+                "maxSeats": "",
+                "maxBytes": ""
+            },
+            "settingsSummary":
+            {
+                "maxSeats": "",
+                "maxBytes": ""
+            }
+        }
+    ]
+}"""
+
+
 MOCK_GET_ALL_DEPARTING_EMPLOYEES_RESPONSE = """
 {
     "items": [
@@ -905,6 +961,7 @@
 }
 """
 
+
 MOCK_GET_ALL_HIGH_RISK_EMPLOYEES_RESPONSE = """
 {
   "type$": "HIGH_RISK_SEARCH_RESPONSE_V2",
@@ -988,15 +1045,50 @@
 """
 
 
+MOCK_CREATE_USER_RESPONSE = """
+{
+    "userId": 291999,
+    "userUid": "960849588659999999",
+    "status": "Active",
+    "username": "new.user@example.com",
+    "email": "new.user@example.com",
+    "firstName": null,
+    "lastName": null,
+    "quotaInBytes": -1,
+    "orgId": 2689,
+    "orgUid": "890854247383106706",
+    "orgName": "New Users Org",
+    "userExtRef": null,
+    "notes": null,
+    "active": true,
+    "blocked": false,
+    "emailPromo": true,
+    "invited": true,
+    "orgType": "ENTERPRISE",
+    "usernameIsAnEmail": null,
+    "creationDate": "2020-06-29T19:23:04.285Z",
+    "modificationDate": "2020-06-29T19:23:04.306Z",
+    "passwordReset": false,
+    "localAuthenticationOnly": false,
+    "licenses": []
+}
+"""
+
+
 _TEST_USER_ID = "123412341234123412"  # value found in GET_USER_RESPONSE
 _TEST_USERNAME = "user1@example.com"
+_TEST_ORG_NAME = "TestCortexOrg"
 
 
 @pytest.fixture
 def code42_sdk_mock(mocker):
     code42_mock = mocker.MagicMock(spec=SDKClient)
     get_user_response = create_mock_code42_sdk_response(mocker, MOCK_GET_USER_RESPONSE)
+    get_org_response = create_mock_code42_sdk_response_generator(
+        mocker, [MOCK_GET_ALL_ORGS_RESPONSE]
+    )
     code42_mock.users.get_by_username.return_value = get_user_response
+    code42_mock.orgs.get_all.return_value = get_org_response
     return code42_mock
 
 
@@ -1017,6 +1109,13 @@ def code42_fetch_incidents_mock(code42_sdk_mock, mocker):
     return code42_mock
 
 
+@pytest.fixture
+def code42_users_mock(code42_sdk_mock, mocker):
+    create_user_response = create_mock_code42_sdk_response(mocker, MOCK_CREATE_USER_RESPONSE)
+    code42_sdk_mock.users.create_user.return_value = create_user_response
+    return code42_sdk_mock
+
+
 def create_alerts_mock(c42_sdk_mock, mocker):
     alert_details_response = create_mock_code42_sdk_response(mocker, MOCK_ALERT_DETAILS_RESPONSE)
     c42_sdk_mock.alerts.get_details.return_value = alert_details_response
@@ -1066,7 +1165,7 @@ def create_mock_code42_sdk_response_generator(mocker, response_pages):
 
 
 def create_client(sdk):
-    return Code42Client(sdk=sdk, base_url=MOCK_URL, auth=MOCK_AUTH, verify=False, proxy=None)
+    return Code42Client(sdk=sdk, base_url=MOCK_URL, auth=MOCK_AUTH, verify=False, proxy=False)
 
 
 def get_empty_detectionlist_response(mocker, base_text):
@@ -1097,11 +1196,11 @@ def test_client_lazily_inits_sdk(mocker):
     mocker.patch("py42.sdk.from_local_account")
 
     # test that sdk does not init during ctor
-    client = Code42Client(sdk=None, base_url=MOCK_URL, auth=MOCK_AUTH, verify=False, proxy=None)
+    client = Code42Client(sdk=None, base_url=MOCK_URL, auth=MOCK_AUTH, verify=False, proxy=False)
     assert client._sdk is None
 
     # test that sdk init from first method call
-    client.get_user_id("Test")
+    client.get_user("Test")
     assert client._sdk is not None
 
 
@@ -1118,7 +1217,7 @@ def test_client_when_no_user_found_raises_exception(code42_sdk_mock):
     code42_sdk_mock.users.get_by_username.return_value = """{'totalCount': 0, 'users': []}"""
     client = create_client(code42_sdk_mock)
     with pytest.raises(Exception):
-        client.get_user_id("test@example.com")
+        client.get_user("test@example.com")
 
 
 def test_build_query_payload():
@@ -1292,8 +1391,8 @@ def test_departingemployee_get_all_command_when_no_employees(
     )
     assert cmd_res.outputs_prefix == "Code42.DepartingEmployee"
     assert cmd_res.outputs_key_field == "UserID"
-    assert cmd_res.raw_response == []
-    assert cmd_res.outputs == []
+    assert cmd_res.raw_response == {}
+    assert cmd_res.outputs == {"Results": []}
     assert code42_departing_employee_mock.detectionlists.departing_employee.get_all.call_count == 1
 
 
@@ -1407,8 +1506,8 @@ def test_highriskemployee_get_all_command_when_no_employees(code42_high_risk_emp
     )
     assert cmd_res.outputs_prefix == "Code42.HighRiskEmployee"
     assert cmd_res.outputs_key_field == "UserID"
-    assert cmd_res.outputs == []
-    assert cmd_res.raw_response == []
+    assert cmd_res.outputs == {"Results": []}
+    assert cmd_res.raw_response == {}
     assert code42_high_risk_employee_mock.detectionlists.high_risk_employee.get_all.call_count == 1
 
 
@@ -1445,6 +1544,60 @@ def test_highriskemployee_remove_risk_tags_command(code42_sdk_mock):
     )
 
 
+def test_user_create_command(code42_users_mock):
+    client = create_client(code42_users_mock)
+    cmd_res = user_create_command(
+        client,
+        {
+            "orgname": _TEST_ORG_NAME,
+            "username": "new.user@example.com",
+            "email": "new.user@example.com",
+        },
+    )
+    assert cmd_res.outputs_prefix == "Code42.User"
+    assert cmd_res.outputs_key_field == "UserID"
+    assert cmd_res.raw_response == json.loads(MOCK_CREATE_USER_RESPONSE)
+    assert cmd_res.outputs["UserID"] == "960849588659999999"
+    assert cmd_res.outputs["Username"] == "new.user@example.com"
+    assert cmd_res.outputs["Email"] == "new.user@example.com"
+
+
+def test_user_block_command(code42_users_mock):
+    client = create_client(code42_users_mock)
+    cmd_res = user_block_command(client, {"username": "new.user@example.com"})
+    assert cmd_res.raw_response == 123456
+    assert cmd_res.outputs["UserID"] == 123456
+    assert cmd_res.outputs_prefix == "Code42.User"
+    code42_users_mock.users.block.assert_called_once_with(123456)
+
+
+def test_user_unblock_command(code42_users_mock):
+    client = create_client(code42_users_mock)
+    cmd_res = user_unblock_command(client, {"username": "new.user@example.com"})
+    assert cmd_res.raw_response == 123456
+    assert cmd_res.outputs["UserID"] == 123456
+    assert cmd_res.outputs_prefix == "Code42.User"
+    code42_users_mock.users.unblock.assert_called_once_with(123456)
+
+
+def test_user_deactivate_command(code42_users_mock):
+    client = create_client(code42_users_mock)
+    cmd_res = user_deactivate_command(client, {"username": "new.user@example.com"})
+    assert cmd_res.raw_response == 123456
+    assert cmd_res.outputs["UserID"] == 123456
+    assert cmd_res.outputs_prefix == "Code42.User"
+    code42_users_mock.users.deactivate.assert_called_once_with(123456)
+
+
+def test_user_reactivate_command(code42_users_mock):
+    client = create_client(code42_users_mock)
+    cmd_res = user_reactivate_command(client, {"username": "new.user@example.com"})
+    assert cmd_res.raw_response == 123456
+    assert cmd_res.outputs["UserID"] == 123456
+    assert cmd_res.outputs_prefix == "Code42.User"
+    code42_users_mock.users.reactivate.assert_called_once_with(123456)
+
+
 def test_security_data_search_command(code42_file_events_mock):
     client = create_client(code42_file_events_mock)
     cmd_res = securitydata_search_command(client, MOCK_SECURITY_DATA_SEARCH_QUERY)
diff --git a/Packs/Code42/Integrations/Code42/README.md b/Packs/Code42/Integrations/Code42/README.md
index f14c1c322cf5..5ad1a1e2e4ca 100644
--- a/Packs/Code42/Integrations/Code42/README.md
+++ b/Packs/Code42/Integrations/Code42/README.md
@@ -1,23 +1,5 @@
-## Overview
----
-
-Code42 provides simple, fast detection and response to everyday data loss from insider threats by focusing on customer data on endpoints and the cloud to answer questions like:
-
-* Where is my data?
-* Where has my data been?
-* When did my data leave?
-* What data exactly left my organization?
-
-This integration was integrated and tested with the fully-hosted SaaS implementation of Code42 and requires a Platinum level subscription.
-
-## Use Cases
----
-
-* Ingesting File Exfiltration alerts from Code42
-* Management of Departing Employees within Code42
-* General file event and metadata search
-
-
+Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
+This integration was integrated and tested with version xx of Code42
 ## Configure Code42 on Cortex XSOAR
 
 1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
@@ -27,7 +9,7 @@ This integration was integrated and tested with the fully-hosted SaaS implementa
 | **Parameter** | **Description** | **Required** |
 | --- | --- | --- |
 | console_url | Code42 Console URL for the pod your Code42 instance is running in | True |
-| credentials |  | True |
+| credentials | Username | True |
 | isFetch | Fetch incidents | False |
 | incidentType | Incident type | False |
 | alert_severity | Alert severities to fetch when fetching incidents | False |
@@ -209,10 +191,11 @@ Adds a user to the Departing Employee List.
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
+| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. | 
 | Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. | 
 | Code42.DepartingEmployee.Username | string | The username of the Departing Employee. | 
 | Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. | 
-| Code42.DepartingEmployee.DepartureDate | unknown | The departure date for the Departing Employee. | 
+| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. | 
 
 
 #### Command Example
@@ -220,9 +203,9 @@ Adds a user to the Departing Employee List.
 
 #### Human Readable Output
 
-| **UserID** | **DepartureDate** | **Note** | **Username** |
+| **UserID** | **DepartureDate** | **Note** | **Username** | **CaseID** |
 | --- | --- | --- | --- |
-| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com |
+| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com | 123 |
 
 
 ### code42-departingemployee-remove
@@ -244,6 +227,7 @@ Removes a user from the Departing Employee List.
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
+| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID. | 
 | Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. | 
 | Code42.DepartingEmployee.Username | string | The username of the Departing Employee. | 
 
@@ -268,7 +252,10 @@ Get all employees on the Departing Employee List.
 `code42-departingemployee-get-all`
 #### Input
 
-There are no input arguments for this command.
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| results | The number of items to return. | Optional | 
+
 
 #### Context Output
 
@@ -277,22 +264,60 @@ There are no input arguments for this command.
 | Code42.DepartingEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. | 
 | Code42.DepartingEmployee.Username | string | The username of the Departing Employee. | 
 | Code42.DepartingEmployee.Note | string | Note associated with the Departing Employee. | 
-| Code42.DepartingEmployee.DepartureDate | unknown | The departure date for the Departing Employee. | 
+| Code42.DepartingEmployee.DepartureDate | Unknown | The departure date for the Departing Employee. | 
 
 
 #### Command Example
 ```!code42-departingemployee-get-all```
 
-#### Human Readable Output
+#### Context Example
+```
+{
+    "Code42": {
+        "DepartingEmployee": [
+            {
+                "DepartureDate": null,
+                "Note": "test",
+                "UserID": "921333907298179098",
+                "Username": "user1@example.com"
+            },
+            {
+                "DepartureDate": "2020-07-20",
+                "Note": "This is added using csv file to test bulk adding of users to high risk employee list",
+                "UserID": "948333588694228306",
+                "Username": "user2@example.com"
+            },
+            {
+                "DepartureDate": null,
+                "Note": "",
+                "UserID": "912211111144144039",
+                "Username": "user3@example.com"
+            }
+        ]
+    }
+}
+```
 
-| **UserID** | **DepartureDate** | **Note** | **Username** |
-| --- | --- | --- | --- |
-| 123 | 2020-02-28 | Leaving for competitor | john.user@example.com |
+#### Human Readable Output
+### All Departing Employees
+|DepartureDate|Note|UserID|Username|
+|---|---|---|---|
+|  | test | 921286907298179098 | user1@example.com |
+| 2020-07-20 | This is added using csv file to test bulk adding of users to high risk employee list | 948938588694228306 | user1@example.com |
+|  |  | 912249223544144039 | unicode@example.com |
+|  |  | 894165832411107815 | testuser@example.com |
+|  | L3 security risk | 949093399968329042 | user2@example.com |
+|  | tests and more tests | 942897397520286581 | user3@example.com |
+|  |  | 906619740182876328 | user4@example.com |
+|  |  | 906619632003387560 | user5@example.com |
+|  |  | 912338501981077099 | user6@example.com |
+|  | leaving for competition | 951984198921509692 | user7@example.com.com |
+|  | Leaving for competitor | 895005723650937319 | user8@example.com |
 
 
 ### code42-highriskemployee-add
 ***
-Removes a user from the High Risk Employee List.
+Adds a user from the High Risk Employee List.
 
 
 #### Base Command
@@ -316,13 +341,25 @@ Removes a user from the High Risk Employee List.
 
 
 #### Command Example
-```!code42-highriskemployee-add username="john.user@123.org" note="Risky activity"```
+```!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"```
+
+#### Context Example
+```
+{
+    "Code42": {
+        "HighRiskEmployee": {
+            "UserID": "942876157732602741",
+            "Username": "partner.demisto@example.com"
+        }
+    }
+}
+```
 
 #### Human Readable Output
-
-| **UserID** | **Note** | **Username** |
-| --- | --- | --- |
-| 123 | Leaving for competitor | john.user@example.com |
+### Code42 High Risk Employee List User Added
+|UserID|Username|
+|---|---|
+| 942876157732602741 | partner.demisto@example.com |
 
 
 ### code42-highriskemployee-remove
@@ -344,18 +381,31 @@ Removes a user from the High Risk Employee List.
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Code42.HighRiskEmployee.UserID | unknown | Internal Code42 User ID for the High Risk Employee. | 
-| Code42.HighRiskEmployee.Username | unknown | The username of the High Risk Employee. | 
+| Code42.HighRiskEmployee.UserID | Unknown | Internal Code42 User ID for the High Risk Employee. | 
+| Code42.HighRiskEmployee.Username | Unknown | The username of the High Risk Employee. | 
 
 
 #### Command Example
-```!code42-highriskemployee-remove username="john.user@example.com"```
+```!code42-highriskemployee-remove username="partner.demisto@example.com" note="Risky activity"```
+
+#### Context Example
+```
+{
+    "Code42": {
+        "HighRiskEmployee": {
+            "UserID": "942876157732602741",
+            "Username": "partner.demisto@example.com"
+        }
+    }
+}
+```
 
 #### Human Readable Output
+### Code42 High Risk Employee List User Removed
+|UserID|Username|
+|---|---|
+| 942876157732602741 | partner.demisto@example.com |
 
-| **UserID** | **Username** |
-| --- | --- |
-| 123 | john.user@example.com |
 
 
 ### code42-highriskemployee-get-all
@@ -370,7 +420,8 @@ Get all employees on the High Risk Employee List.
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| risktags | To filter results by employees who have these risk tags. | Optional | 
+| risktags | To filter results by employees who have these risk tags. Space delimited. | Optional | 
+| results | The number of items to return. | Optional | 
 
 
 #### Context Output
@@ -383,19 +434,49 @@ Get all employees on the High Risk Employee List.
 
 
 #### Command Example
-```!code42-highriskemployee-get-all risktags="PERFORMANCE_CONCERNS"```
+```!code42-highriskemployee-get-all```
+
+#### Context Example
+```
+{
+    "Code42": {
+        "HighRiskEmployee": [
+            {
+                "Note": "tests and more tests",
+                "UserID": "111117397520286581",
+                "Username": "user1@example.com"
+            },
+            {
+                "Note": "Leaving for competitor",
+                "UserID": "822222723650937319",
+                "Username": "user2@example.com"
+            },
+            {
+                "Note": "Test user addition from XSOAR",
+                "UserID": "913333363086307495",
+                "Username": "user3@example.com"
+            }
+        ]
+    }
+}
+```
 
 #### Human Readable Output
-
-| **UserID** | **Note** | **Username** |
-| --- | --- | --- |
-| 123 | Leaving for competitor | john.user@example.com |
+### Retrieved All High Risk Employees
+|Note|UserID|Username|
+|---|---|---|
+| tests and more tests | 942897397520286581 | user1@example.com |
+| Leaving for competitor | 895005723650937319 | user2@example.com |
+| Test user addition from XSOAR | 912098363086307495 | user3@example.com |
+| test | 921286907298179098 | user4@example.com |
+| Risky activity | 942876157732602741 | user5@example.com |
 
 
 ### code42-highriskemployee-add-risk-tags
 ***
  
 
+
 #### Base Command
 
 `code42-highriskemployee-add-risk-tags`
@@ -404,7 +485,7 @@ Get all employees on the High Risk Employee List.
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
 | username | The username of the High Risk Employee. | Required | 
-| risktags | Risk tags to associate with the High Risk Employee. | Required | 
+| risktags | Space-delimited risk tags to associate with the High Risk Employee. | Required | 
 
 
 #### Context Output
@@ -413,22 +494,22 @@ Get all employees on the High Risk Employee List.
 | --- | --- | --- |
 | Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. | 
 | Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. | 
-| Code42.HighRiskEmployee.RiskTags | unknown | Risk tags to associate with the High Risk Employee. | 
+| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to associate with the High Risk Employee. | 
 
 
 #### Command Example
-```!code42-highriskemployee-add-risk-tags username="john.user@example.com" risktags="PERFORMANCE_CONCERNS"```
+```!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" note="PERFORMANCE_CONCERN"```
 
 #### Human Readable Output
-
-| **UserID** | **RiskTags** | **Username** |
-| --- | --- | --- |
-| 123 | FLIGHT_RISK | john.user@example.com |
+### Code42 Risk Tags Added
+| RiskTags | UserID | Username |
+| -------- | ------ | -------- |
+| PERFORMANCE_CONCERNS | 1234567890 | partners.demisto@example.com |
 
 
 ### code42-highriskemployee-remove-risk-tags
 ***
-
+ 
 
 
 #### Base Command
@@ -439,7 +520,7 @@ Get all employees on the High Risk Employee List.
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
 | username | The username of the High Risk Employee. | Required | 
-| risktags | Risk tags to disassociate from the High Risk Employee. | Required | 
+| risktags | Space-delimited risk tags to disassociate from the High Risk Employee. | Required | 
 
 
 #### Context Output
@@ -448,14 +529,191 @@ Get all employees on the High Risk Employee List.
 | --- | --- | --- |
 | Code42.HighRiskEmployee.UserID | string | Internal Code42 User ID for the Departing Employee. | 
 | Code42.HighRiskEmployee.Username | string | The username of the High Risk Employee. | 
-| Code42.HighRiskEmployee.RiskTags | unknown | Risk tags to disassociate from the High Risk Employee. | 
+| Code42.HighRiskEmployee.RiskTags | Unknown | Risk tags to disassociate from the High Risk Employee. | 
 
 
 #### Command Example
-```!code42-highriskemployee-remove-risk-tags username="john.user@example.com" risktags="PERFORMANCE_CONCERNS"```
+```!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"```
+
+#### Context Example
+```
+{
+    "Code42": {
+        "HighRiskEmployee": [
+            {
+                "RiskTags": "PERFORMANCE_CONCERNS",
+                "UserID": "942876157732602741",
+                "Username": "partner.demisto@example.com"
+            }
+        ]
+    }
+}
+```
 
 #### Human Readable Output
+### Code42 Risk Tags Removed
+|RiskTags|UserID|Username|
+|---|---|---|
+| PERFORMANCE_CONCERNS | 942876157732602741 | partner.demisto@example.com |
+
 
-| **UserID** | **RiskTags** | **Username** |
+### code42-user-create
+***
+Creates a Code42 user.
+
+
+#### Base Command
+
+`code42-user-create`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| 123 | FLIGHT_RISK | john.user@example.com |
+| orgname | The name of the Code42 organization from which to add the user. | Required | 
+| username | The username to give to the user. | Required | 
+| email |  | Required | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.User.Username | String | A username for a Code42 user. | 
+| Code42.User.Email | String | An email for a Code42 user. | 
+| Code42.User.UserID | String | An ID for a Code42 user. | 
+
+
+#### Command Example
+```!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"```
+
+#### Human Readable Output
+### Code42 User Created
+| Email | UserID | Username |
+| ----- | ------ | -------- |
+| created.in.cortex.xsoar@example.com | 1111158111459014270 | created.in.cortex.xsoar@example.com |
+ 
+
+### code42-user-block
+***
+Blocks a user in Code42.  A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
+
+
+#### Base Command
+
+`code42-user-block`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | The username of the user to block. | Required | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.User.UserID | String | An ID for a Code42 user. | 
+
+
+#### Command Example
+```!code42-user-block username="partner.demisto@example.com"```
+
+#### Human Readable Output
+### Code42 User Blocked
+|UserID|
+| --- |
+| C2345 |
+
+
+### code42-user-unblock
+***
+Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
+
+#### Base Command
+
+`code42-user-unblock`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | The username of the user to unblock. | Required | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.User.UserID | String | An ID for a Code42 user. | 
+
+
+#### Command Example
+```!code42-user-unblock username="partner.demisto@example.com"```
+
+#### Human Readable Output
+### Code42 User Blocked
+|UserID|
+| --- |
+| C2345 |
+
+
+### code42-user-deactivate
+***
+Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
+
+
+#### Base Command
+
+`code42-user-deactivate`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | The username of the user to deactivate. | Optional | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.User.UserID | String | The ID of a Code42 User. | 
+
+
+#### Command Example
+```!code42-user-deactivate username="partner.demisto@example.com"```
+
+#### Human Readable Output
+### Code42 User Deactivated
+| UserID |
+| ------ |
+| 123456790 |
+
+
+### code42-user-reactivate
+***
+Reactivates the user with the given username.
+
+#### Base Command
+
+`code42-user-reactivate`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | The username of the user to reactivate. | Optional | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.User.UserID | String | The ID of a Code42 User. | 
+
+
+#### Command Example
+```!code42-user-reactivate username="partner.demisto@example.com"```
+
+#### Human Readable Output
+### Code42 User Deactivated
+| UserID |
+| ------ |
+| 123456790 |
diff --git a/Packs/Code42/Integrations/Code42/command_examples.txt b/Packs/Code42/Integrations/Code42/command_examples.txt
new file mode 100644
index 000000000000..d7bb4697e6ae
--- /dev/null
+++ b/Packs/Code42/Integrations/Code42/command_examples.txt
@@ -0,0 +1,15 @@
+!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"
+!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"
+!code42-departingemployee-add username="partner.demisto@example.com" departuredate="2020-010-28" note="Leaving for competitor"
+!code42-departingemployee-remove username="partner.demisto@example.com"
+!code42-departingemployee-get-all
+!code42-highriskemployee-add username="partner.demisto@example.com" note="Risky activity"
+!code42-highriskemployee-remove username="partner.demisto@example.com" note="Risky activity"
+!code42-highriskemployee-get-all
+!code42-highriskemployee-add-risk-tags username="partner.demisto@example.com" note="PERFORMANCE_CONCERN"
+!code42-highriskemployee-remove-risk-tags username="partner.demisto@example.com" risktags="PERFORMANCE_CONCERNS"
+!code42-user-create orgname="TestOrg" username="new.user@example.com" email="new.user@example.com"
+!code42-user-block username="partner.demisto@example.com"
+!code42-user-unblock username="partner.demisto@example.com"
+!code42-user-deactivate username="partner.demisto@example.com"
+!code42-user-reactivate username="partner.demisto@example.com"
\ No newline at end of file
diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml
index 702ad3f5db7b..80c39d1cad62 100644
--- a/Packs/Code42/Integrations/Code42/integration-Code42.yml
+++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml
@@ -1,1106 +1,83 @@
+category: Endpoint
 commonfields:
   id: Code42
   version: -1
-name: Code42
-display: Code42 (Partner Contribution)
-category: Endpoint
-description: Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
 configuration:
-- display: Code42 Console URL for the pod your Code42 instance is running in
+- defaultvalue: console.us.code42.com
+  display: Code42 Console URL for the pod your Code42 instance is running in
   name: console_url
-  defaultvalue: console.us.code42.com
-  type: 0
   required: true
-- display: "Username"
+  type: 0
+- display: Username
   name: credentials
-  defaultvalue: ""
-  type: 9
   required: true
+  type: 9
 - display: Fetch incidents
   name: isFetch
-  type: 8
   required: false
+  type: 8
 - display: Incident type
   name: incidentType
-  type: 13
   required: false
+  type: 13
 - display: Alert severities to fetch when fetching incidents
   name: alert_severity
-  defaultvalue: ""
-  type: 16
-  required: false
   options:
   - High
   - Medium
   - Low
-- display: First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)
+  required: false
+  type: 16
+- defaultvalue: 24 hours
+  display: First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)
   name: fetch_time
-  defaultvalue: 24 hours
-  type: 0
   required: false
-- display: Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once
-  name: fetch_limit
-  defaultvalue: "10"
   type: 0
+- defaultvalue: '10'
+  display: Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once
+  name: fetch_limit
   required: false
-- display: Include the list of files in returned incidents.
+  type: 0
+- defaultvalue: 'false'
+  display: Include the list of files in returned incidents.
   name: include_files
-  defaultvalue: "false"
-  type: 8
   required: false
+  type: 8
+description: Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
+display: Code42 (Partner Contribution)
+name: Code42
 script:
-  script: >2
-
-
-
-    """ IMPORTS """
-
-    import json
-
-    import requests
-
-    import py42.sdk
-
-    import py42.settings
-
-    from datetime import datetime
-
-    from py42.sdk.queries.fileevents.file_event_query import FileEventQuery
-
-    from py42.sdk.queries.fileevents.filters import (
-        MD5,
-        SHA256,
-        Actor,
-        EventTimestamp,
-        OSHostname,
-        DeviceUsername,
-        ExposureType,
-        EventType,
-        FileCategory,
-    )
-
-    from py42.sdk.queries.alerts.alert_query import AlertQuery
-
-    from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState
-
-
-    # Disable insecure warnings
-
-    requests.packages.urllib3.disable_warnings()
-
-
-    """ CONSTANTS """
-
-    CODE42_EVENT_CONTEXT_FIELD_MAPPER = {
-        "eventTimestamp": "EventTimestamp",
-        "createTimestamp": "FileCreated",
-        "deviceUid": "EndpointID",
-        "deviceUserName": "DeviceUsername",
-        "emailFrom": "EmailFrom",
-        "emailRecipients": "EmailTo",
-        "emailSubject": "EmailSubject",
-        "eventId": "EventID",
-        "eventType": "EventType",
-        "fileCategory": "FileCategory",
-        "fileOwner": "FileOwner",
-        "fileName": "FileName",
-        "filePath": "FilePath",
-        "fileSize": "FileSize",
-        "modifyTimestamp": "FileModified",
-        "md5Checksum": "FileMD5",
-        "osHostName": "FileHostname",
-        "privateIpAddresses": "DevicePrivateIPAddress",
-        "publicIpAddresses": "DevicePublicIPAddress",
-        "removableMediaBusType": "RemovableMediaType",
-        "removableMediaCapacity": "RemovableMediaCapacity",
-        "removableMediaMediaName": "RemovableMediaMediaName",
-        "removableMediaName": "RemovableMediaName",
-        "removableMediaSerialNumber": "RemovableMediaSerialNumber",
-        "removableMediaVendor": "RemovableMediaVendor",
-        "sha256Checksum": "FileSHA256",
-        "shared": "FileShared",
-        "sharedWith": "FileSharedWith",
-        "source": "Source",
-        "tabUrl": "ApplicationTabURL",
-        "url": "FileURL",
-        "processName": "ProcessName",
-        "processOwner": "ProcessOwner",
-        "windowTitle": "WindowTitle",
-        "exposure": "Exposure",
-        "sharingTypeAdded": "SharingTypeAdded",
-    }
-
-
-    CODE42_ALERT_CONTEXT_FIELD_MAPPER = {
-        "actor": "Username",
-        "createdAt": "Occurred",
-        "description": "Description",
-        "id": "ID",
-        "name": "Name",
-        "state": "State",
-        "type": "Type",
-        "severity": "Severity",
-    }
-
-
-    FILE_CONTEXT_FIELD_MAPPER = {
-        "fileName": "Name",
-        "filePath": "Path",
-        "fileSize": "Size",
-        "md5Checksum": "MD5",
-        "sha256Checksum": "SHA256",
-        "osHostName": "Hostname",
-    }
-
-
-    CODE42_FILE_TYPE_MAPPER = {
-        "SourceCode": "SOURCE_CODE",
-        "Audio": "AUDIO",
-        "Executable": "EXECUTABLE",
-        "Document": "DOCUMENT",
-        "Image": "IMAGE",
-        "PDF": "PDF",
-        "Presentation": "PRESENTATION",
-        "Script": "SCRIPT",
-        "Spreadsheet": "SPREADSHEET",
-        "Video": "VIDEO",
-        "VirtualDiskImage": "VIRTUAL_DISK_IMAGE",
-        "Archive": "ARCHIVE",
-    }
-
-
-    SECURITY_EVENT_HEADERS = [
-        "EventType",
-        "FileName",
-        "FileSize",
-        "FileHostname",
-        "FileOwner",
-        "FileCategory",
-        "DeviceUsername",
-    ]
-
-
-    SECURITY_ALERT_HEADERS = ["Type", "Occurred", "Username", "Name", "Description", "State", "ID"]
-
-
-
-    def _get_severity_filter_value(severity_arg):
-        """Converts single str to upper case. If given list of strs, converts all to upper case."""
-        if severity_arg:
-            return (
-                [severity_arg.upper()]
-                if isinstance(severity_arg, str)
-                else list(map(lambda x: x.upper(), severity_arg))
-            )
-
-
-    def _create_alert_query(event_severity_filter, start_time):
-        """Creates an alert query for the given severity (or severities) and start time."""
-        alert_filters = AlertQueryFilters()
-        severity = event_severity_filter
-        alert_filters.append_result(_get_severity_filter_value(severity), Severity.is_in)
-        alert_filters.append(AlertState.eq(AlertState.OPEN))
-        alert_filters.append_result(start_time, DateObserved.on_or_after)
-        alert_query = alert_filters.to_all_query()
-        return alert_query
-
-
-    def _get_all_high_risk_employees_from_page(page, risk_tags):
-        res = []
-        for employee in page["items"]:
-            if not risk_tags:
-                res.append(employee)
-                continue
-
-            employee_tags = employee.get("riskFactors")
-            # If the employee risk tags contain all the given risk tags
-            if employee_tags and set(risk_tags) <= set(employee_tags):
-                res.append(employee)
-        return res
-
-
-    def _try_convert_str_list_to_list(str_list):
-        if isinstance(str_list, str):
-            return str_list.split()
-        return str_list
-
-
-    class Code42Client(BaseClient):
-        """
-        Client will implement the service API, should not contain Cortex XSOAR logic.
-        Should do requests and return data
-        """
-
-        def __init__(self, sdk, base_url, auth, verify=True, proxy=False):
-            super().__init__(base_url, verify=verify, proxy=proxy)
-            # Allow sdk parameter for unit testing.
-            # Otherwise, lazily load the SDK so that the TEST Command can effectively check auth.
-            self._sdk = sdk
-            self._sdk_factory = (
-                lambda: py42.sdk.from_local_account(base_url, auth[0], auth[1])
-                if not self._sdk
-                else None
-            )
-            py42.settings.set_user_agent_suffix("Cortex XSOAR")
-
-        def _get_sdk(self):
-            if self._sdk is None:
-                self._sdk = self._sdk_factory()
-            return self._sdk
-
-        def add_user_to_departing_employee(self, username, departure_date=None, note=None):
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.departing_employee.add(
-                user_id, departure_date=departure_date
-            )
-            if note:
-                self._get_sdk().detectionlists.update_user_notes(user_id, note)
-            return user_id
-
-        def remove_user_from_departing_employee(self, username):
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.departing_employee.remove(user_id)
-            return user_id
-
-        def get_all_departing_employees(self, results):
-            res = []
-            results = int(results) if results else None
-            pages = self._get_sdk().detectionlists.departing_employee.get_all()
-            for page in pages:
-                employees = page["items"]
-                for employee in employees:
-                    res.append(employee)
-                    if results and len(res) == results:
-                        return res
-            return res
-
-        def add_user_to_high_risk_employee(self, username, note=None):
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.high_risk_employee.add(user_id)
-            if note:
-                self._get_sdk().detectionlists.update_user_notes(user_id, note)
-            return user_id
-
-        def remove_user_from_high_risk_employee(self, username):
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.high_risk_employee.remove(user_id)
-            return user_id
-
-        def add_user_risk_tags(self, username, risk_tags):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.add_user_risk_tags(user_id, risk_tags)
-            return user_id
-
-        def remove_user_risk_tags(self, username, risk_tags):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            user_id = self.get_user_id(username)
-            self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags)
-            return user_id
-
-        def get_all_high_risk_employees(self, risk_tags, results):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            results = int(results) if results else None
-            res = []
-            pages = self._get_sdk().detectionlists.high_risk_employee.get_all()
-            for page in pages:
-                employees = _get_all_high_risk_employees_from_page(page, risk_tags)
-                for employee in employees:
-                    res.append(employee)
-                    if results and len(res) == results:
-                        return res
-            return res
-
-        def fetch_alerts(self, start_time, event_severity_filter):
-            query = _create_alert_query(event_severity_filter, start_time)
-            res = self._get_sdk().alerts.search(query)
-            return res["alerts"]
-
-        def get_alert_details(self, alert_id):
-            res = self._get_sdk().alerts.get_details(alert_id)["alerts"]
-            if not res:
-                raise Exception("No alert found with ID {0}.".format(alert_id))
-            return res[0]
-
-        def resolve_alert(self, id):
-            self._get_sdk().alerts.resolve(id)
-            return id
-
-        def get_current_user(self):
-            res = self._get_sdk().users.get_current()
-            return res
-
-        def get_user_id(self, username):
-            res = self._get_sdk().users.get_by_username(username)["users"]
-            if not res:
-                raise Exception("No user found with username {0}.".format(username))
-            return res[0]["userUid"]
-
-        def search_file_events(self, payload):
-            res = self._get_sdk().securitydata.search_file_events(payload)
-            return res["fileEvents"]
-
-
-    class Code42SearchFilters(object):
-        def __init__(self):
-            self._filters = []
-
-        @property
-        def filters(self):
-            return self._filters
-
-        def to_all_query(self):
-            """Override"""
-
-        def append(self, _filter):
-            if _filter:
-                self._filters.append(_filter)
-
-        def extend(self, _filters):
-            if _filters:
-                self._filters.extend(_filters)
-
-        def append_result(self, value, create_filter):
-            """Safely creates and appends the filter to the working list."""
-            if not value:
-                return
-            _filter = create_filter(value)
-            self.append(_filter)
-
-
-    class FileEventQueryFilters(Code42SearchFilters):
-        """Class for simplifying building up a file event search query"""
-
-        def __init__(self, pg_size=None):
-            self._pg_size = pg_size
-            super(FileEventQueryFilters, self).__init__()
-
-        def to_all_query(self):
-            """Convert list of search criteria to *args"""
-            query = FileEventQuery.all(*self._filters)
-            if self._pg_size:
-                query.page_size = self._pg_size
-            return query
-
-
-    class AlertQueryFilters(Code42SearchFilters):
-        """Class for simplifying building up an alert search query"""
-
-        def to_all_query(self):
-            query = AlertQuery.all(*self._filters)
-            query.page_size = 500
-            query.sort_direction = "asc"
-            return query
-
-
-    @logger
-
-    def build_query_payload(args):
-        """Build a query payload combining passed args"""
-
-        pg_size = args.get("results")
-        _hash = args.get("hash")
-        hostname = args.get("hostname")
-        username = args.get("username")
-        exposure = args.get("exposure")
-
-        search_args = FileEventQueryFilters(pg_size)
-        search_args.append_result(_hash, _create_hash_filter)
-        search_args.append_result(hostname, OSHostname.eq)
-        search_args.append_result(username, DeviceUsername.eq)
-        search_args.append_result(exposure, _create_exposure_filter)
-
-        query = search_args.to_all_query()
-        LOG("File Event Query: {}".format(str(query)))
-        return query
-
-
-    def _create_hash_filter(hash_arg):
-        if not hash_arg:
-            return None
-        elif len(hash_arg) == 32:
-            return MD5.eq(hash_arg)
-        elif len(hash_arg) == 64:
-            return SHA256.eq(hash_arg)
-
-
-    def _create_exposure_filter(exposure_arg):
-        # Because the CLI can't accept lists, convert the args to a list if the type is string.
-        if isinstance(exposure_arg, str):
-            exposure_arg = exposure_arg.split(",")
-        return ExposureType.is_in(exposure_arg)
-
-
-    def _create_category_filter(file_type):
-        category_value = CODE42_FILE_TYPE_MAPPER.get(file_type["category"], "UNCATEGORIZED")
-        return FileCategory.eq(category_value)
-
-
-    class ObservationToSecurityQueryMapper(object):
-        """Class to simplify the process of mapping observation data to query objects."""
-
-        # Exfiltration consts
-        _ENDPOINT_TYPE = "FedEndpointExfiltration"
-        _CLOUD_TYPE = "FedCloudSharePermissions"
-
-        # Query consts
-        _PUBLIC_SEARCHABLE = "PublicSearchableShare"
-        _PUBLIC_LINK = "PublicLinkShare"
-        _OUTSIDE_TRUSTED_DOMAINS = "SharedOutsideTrustedDomain"
-
-        exposure_type_map = {
-            "PublicSearchableShare": ExposureType.IS_PUBLIC,
-            "PublicLinkShare": ExposureType.SHARED_VIA_LINK,
-            "SharedOutsideTrustedDomain": "OutsideTrustedDomains",
-        }
-
-        def __init__(self, observation, actor):
-            self._obs = observation
-            self._actor = actor
-
-        @property
-        def _observation_data(self):
-            return self._obs["data"]
-
-        @property
-        def _exfiltration_type(self):
-            return self._obs["type"]
-
-        @property
-        def _is_endpoint_exfiltration(self):
-            return self._exfiltration_type == self._ENDPOINT_TYPE
-
-        @property
-        def _is_cloud_exfiltration(self):
-            return self._exfiltration_type == self._CLOUD_TYPE
-
-        def _create_user_filter(self):
-            return (
-                DeviceUsername.eq(self._actor)
-                if self._is_endpoint_exfiltration
-                else Actor.eq(self._actor)
-            )
-
-        def map(self):
-            search_args = self._create_search_args()
-            query = search_args.to_all_query()
-            LOG("Alert Observation Query: {}".format(query))
-            return query
-
-        def _create_search_args(self):
-            filters = FileEventQueryFilters()
-            exposure_types = self._observation_data["exposureTypes"]
-            begin_time = _convert_date_arg_to_epoch(self._observation_data["firstActivityAt"])
-            end_time = _convert_date_arg_to_epoch(self._observation_data["lastActivityAt"])
-
-            filters.append(self._create_user_filter())
-            filters.append(EventTimestamp.on_or_after(begin_time))
-            filters.append(EventTimestamp.on_or_before(end_time))
-            filters.extend(self._create_exposure_filters(exposure_types))
-            filters.append(self._create_file_category_filters())
-
-            return filters
-
-        @logger
-        def _create_exposure_filters(self, exposure_types):
-            """Determine exposure types based on alert type"""
-            exp_types = []
-            if self._is_cloud_exfiltration:
-                for t in exposure_types:
-                    exp_type = self.exposure_type_map.get(t)
-                    if exp_type:
-                        exp_types.append(exp_type)
-                    else:
-                        LOG("Received unsupported exposure type {0}.".format(t))
-                if exp_types:
-                    return [ExposureType.is_in(exp_types)]
-                else:
-                    # If not given a support exposure type, search for all unsupported exposure types
-                    supported_exp_types = list(self.exposure_type_map.values())
-                    return [ExposureType.not_in(supported_exp_types)]
-            elif self._is_endpoint_exfiltration:
-                return [
-                    EventType.is_in([EventType.CREATED, EventType.MODIFIED, EventType.READ_BY_APP]),
-                    ExposureType.is_in(exposure_types),
-                ]
-            return []
-
-        def _create_file_category_filters(self):
-            """Determine if file categorization is significant"""
-            observed_file_categories = self._observation_data["fileCategories"]
-            categories = [c["category"].upper() for c in observed_file_categories if c["isSignificant"]]
-            if categories:
-                return FileCategory.is_in(categories)
-
-
-    def map_observation_to_security_query(observation, actor):
-        mapper = ObservationToSecurityQueryMapper(observation, actor)
-        return mapper.map()
-
-
-    def _convert_date_arg_to_epoch(date_arg):
-        date_arg = date_arg[:25]
-        return (
-            datetime.strptime(date_arg, "%Y-%m-%dT%H:%M:%S.%f") - datetime.utcfromtimestamp(0)
-        ).total_seconds()
-
-
-    @logger
-
-    def map_to_code42_event_context(obj):
-        code42_context = _map_obj_to_context(obj, CODE42_EVENT_CONTEXT_FIELD_MAPPER)
-        # FileSharedWith is a special case and needs to be converted to a list
-        if code42_context.get("FileSharedWith"):
-            shared_list = [u["cloudUsername"] for u in code42_context["FileSharedWith"]]
-            code42_context["FileSharedWith"] = str(shared_list)
-        return code42_context
-
-
-    @logger
-
-    def map_to_code42_alert_context(obj):
-        return _map_obj_to_context(obj, CODE42_ALERT_CONTEXT_FIELD_MAPPER)
-
-
-    @logger
-
-    def map_to_file_context(obj):
-        return _map_obj_to_context(obj, FILE_CONTEXT_FIELD_MAPPER)
-
-
-    @logger
-
-    def _map_obj_to_context(obj, context_mapper):
-        return {v: obj.get(k) for k, v in context_mapper.items() if obj.get(k)}
-
-
-    def create_command_error_message(cmd, ex):
-        return "Failed to execute command {0} command. Error: {1}".format(cmd, str(ex))
-
-
-    """Commands"""
-
-
-
-    @logger
-
-    def alert_get_command(client, args):
-        code42_securityalert_context = []
-        alert = client.get_alert_details(args["id"])
-        if not alert:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="ID",
-                outputs_prefix="Code42.SecurityAlert",
-                raw_response={},
-            )
-
-        code42_context = map_to_code42_alert_context(alert)
-        code42_securityalert_context.append(code42_context)
-        readable_outputs = tableToMarkdown(
-            "Code42 Security Alert Results",
-            code42_securityalert_context,
-            headers=SECURITY_ALERT_HEADERS,
-        )
-        return CommandResults(
-            outputs_prefix="Code42.SecurityAlert",
-            outputs_key_field="ID",
-            outputs=code42_securityalert_context,
-            readable_output=readable_outputs,
-            raw_response=alert,
-        )
-
-
-    @logger
-
-    def alert_resolve_command(client, args):
-        code42_securityalert_context = []
-        alert_id = client.resolve_alert(args["id"])
-        if not alert_id:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="ID",
-                outputs_prefix="Code42.SecurityAlert",
-                raw_response={},
-            )
-
-        # Retrieve new alert details
-        alert_details = client.get_alert_details(alert_id)
-        code42_context = map_to_code42_alert_context(alert_details)
-        code42_securityalert_context.append(code42_context)
-        readable_outputs = tableToMarkdown(
-            "Code42 Security Alert Resolved",
-            code42_securityalert_context,
-            headers=SECURITY_ALERT_HEADERS,
-        )
-        return CommandResults(
-            outputs_prefix="Code42.SecurityAlert",
-            outputs_key_field="ID",
-            outputs=code42_securityalert_context,
-            readable_output=readable_outputs,
-            raw_response=alert_details,
-        )
-
-
-    @logger
-
-    def departingemployee_add_command(client, args):
-        departing_date = args.get("departuredate")
-        username = args["username"]
-        note = args.get("note")
-        user_id = client.add_user_to_departing_employee(username, departing_date, note)
-        # CaseID included but is deprecated.
-        de_context = {
-            "CaseID": user_id,
-            "UserID": user_id,
-            "Username": username,
-            "DepartureDate": departing_date,
-            "Note": note,
-        }
-        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Added", de_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=de_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def departingemployee_remove_command(client, args):
-        username = args["username"]
-        user_id = client.remove_user_from_departing_employee(username)
-        # CaseID included but is deprecated.
-        de_context = {"CaseID": user_id, "UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Removed", de_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=de_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def departingemployee_get_all_command(client, args):
-        results = args.get("results") or 50
-        employees = client.get_all_departing_employees(results)
-        if not employees:
-            return CommandResults(
-                readable_output="No results found",
-                outputs_prefix="Code42.DepartingEmployee",
-                outputs_key_field="UserID",
-                outputs={"Results": []},
-                raw_response={}
-            )
-
-        employees_context = [
-            {
-                "UserID": e.get("userId"),
-                "Username": e.get("userName"),
-                "DepartureDate": e.get("departureDate"),
-                "Note": e.get("notes"),
-            }
-            for e in employees
-        ]
-        readable_outputs = tableToMarkdown("All Departing Employees", employees_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=employees_context,
-            readable_output=readable_outputs,
-            raw_response=employees,
-        )
-
-
-    @logger
-
-    def highriskemployee_add_command(client, args):
-        username = args["username"]
-        note = args.get("note")
-        user_id = client.add_user_to_high_risk_employee(username, note)
-        hr_context = {"UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Added", hr_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=hr_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_remove_command(client, args):
-        username = args["username"]
-        user_id = client.remove_user_from_high_risk_employee(username)
-        hr_context = {"UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Removed", hr_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=hr_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_get_all_command(client, args):
-        tags = args.get("risktags")
-        results = args.get("results") or 50
-        employees = client.get_all_high_risk_employees(tags, results)
-        if not employees:
-            return CommandResults(
-                readable_output="No results found",
-                outputs_prefix="Code42.HighRiskEmployee",
-                outputs_key_field="UserID",
-                outputs={"Results": []},
-                raw_response={}
-            )
-        employees_context = [
-            {"UserID": e.get("userId"), "Username": e.get("userName"), "Note": e.get("notes")}
-            for e in employees
-        ]
-        readable_outputs = tableToMarkdown("Retrieved All High Risk Employees", employees_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=employees_context,
-            readable_output=readable_outputs,
-            raw_response=employees,
-        )
-
-
-    @logger
-
-    def highriskemployee_add_risk_tags_command(client, args):
-        username = args.get("username")
-        tags = args.get("risktags")
-        user_id = client.add_user_risk_tags(username, tags)
-        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
-        readable_outputs = tableToMarkdown("Code42 Risk Tags Added", rt_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=rt_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_remove_risk_tags_command(client, args):
-        username = args.get("username")
-        tags = args.get("risktags")
-        user_id = client.remove_user_risk_tags(username, tags)
-        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
-        readable_outputs = tableToMarkdown("Code42 Risk Tags Removed", rt_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=rt_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def securitydata_search_command(client, args):
-        code42_security_data_context = []
-        _json = args.get("json")
-        file_context = []
-
-        # If JSON payload is passed as an argument, ignore all other args and search by JSON payload
-        if _json is not None:
-            file_events = client.search_file_events(_json)
-        else:
-            # Build payload
-            payload = build_query_payload(args)
-            file_events = client.search_file_events(payload)
-        if file_events:
-            for file_event in file_events:
-                code42_context_event = map_to_code42_event_context(file_event)
-                code42_security_data_context.append(code42_context_event)
-                file_context_event = map_to_file_context(file_event)
-                file_context.append(file_context_event)
-            readable_outputs = tableToMarkdown(
-                "Code42 Security Data Results",
-                code42_security_data_context,
-                headers=SECURITY_EVENT_HEADERS,
-            )
-            code42_results = CommandResults(
-                outputs_prefix="Code42.SecurityData",
-                outputs_key_field="EventID",
-                outputs=code42_security_data_context,
-                readable_output=readable_outputs,
-                raw_response=file_events,
-            )
-            file_results = CommandResults(
-                outputs_prefix="File", outputs_key_field=None, outputs=file_context
-            )
-            return code42_results, file_results
-
-        else:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="EventID",
-                outputs_prefix="Code42.SecurityData",
-                raw_response={},
-            )
-
-
-    """Fetching"""
-
-
-
-    def _create_incident_from_alert_details(details):
-        return {"name": "Code42 - {}".format(details["name"]), "occurred": details["createdAt"]}
-
-
-    def _stringify_lists_if_needed(event):
-        # We need to convert certain fields to a stringified list or React.JS will throw an error
-        shared_with = event.get("sharedWith")
-        private_ip_addresses = event.get("privateIpAddresses")
-        if shared_with:
-            shared_list = [u.get("cloudUsername") for u in shared_with if u.get("cloudUsername")]
-            event["sharedWith"] = str(shared_list)
-        if private_ip_addresses:
-            event["privateIpAddresses"] = str(private_ip_addresses)
-        return event
-
-
-    def _process_event_from_observation(event):
-        return _stringify_lists_if_needed(event)
-
-
-    class Code42SecurityIncidentFetcher(object):
-        def __init__(
-            self,
-            client,
-            last_run,
-            first_fetch_time,
-            event_severity_filter,
-            fetch_limit,
-            include_files,
-            integration_context=None,
-        ):
-            self._client = client
-            self._last_run = last_run
-            self._first_fetch_time = first_fetch_time
-            self._event_severity_filter = event_severity_filter
-            self._fetch_limit = fetch_limit
-            self._include_files = (include_files,)
-            self._integration_context = integration_context
-
-        @logger
-        def fetch(self):
-            remaining_incidents_from_last_run = self._fetch_remaining_incidents_from_last_run()
-            if remaining_incidents_from_last_run:
-                return remaining_incidents_from_last_run
-            start_query_time = self._get_start_query_time()
-            alerts = self._fetch_alerts(start_query_time)
-            incidents = [self._create_incident_from_alert(a) for a in alerts]
-            save_time = datetime.utcnow().timestamp()
-            next_run = {"last_fetch": save_time}
-            return next_run, incidents[: self._fetch_limit], incidents[self._fetch_limit:]
-
-        def _fetch_remaining_incidents_from_last_run(self):
-            if self._integration_context:
-                remaining_incidents = self._integration_context.get("remaining_incidents")
-                # return incidents if exists in context.
-                if remaining_incidents:
-                    return (
-                        self._last_run,
-                        remaining_incidents[: self._fetch_limit],
-                        remaining_incidents[self._fetch_limit:],
-                    )
-
-        def _get_start_query_time(self):
-            start_query_time = self._try_get_last_fetch_time()
-
-            # Handle first time fetch, fetch incidents retroactively
-            if not start_query_time:
-                start_query_time, _ = parse_date_range(
-                    self._first_fetch_time, to_timestamp=True, utc=True
-                )
-                start_query_time /= 1000
-
-            return start_query_time
-
-        def _try_get_last_fetch_time(self):
-            return self._last_run.get("last_fetch")
-
-        def _fetch_alerts(self, start_query_time):
-            return self._client.fetch_alerts(start_query_time, self._event_severity_filter)
-
-        def _create_incident_from_alert(self, alert):
-            details = self._client.get_alert_details(alert["id"])
-            incident = _create_incident_from_alert_details(details)
-            details = self._relate_files_to_alert(details)
-            incident["rawJSON"] = json.dumps(details)
-            return incident
-
-        def _relate_files_to_alert(self, alert_details):
-            observations = alert_details.get("observations")
-            if not observations:
-                alert_details["fileevents"] = []
-                return
-            for obs in observations:
-                file_events = self._get_file_events_from_alert_details(obs, alert_details)
-                alert_details["fileevents"] = [_process_event_from_observation(e) for e in file_events]
-            return alert_details
-
-        def _get_file_events_from_alert_details(self, observation, alert_details):
-            security_data_query = map_observation_to_security_query(observation, alert_details["actor"])
-            return self._client.search_file_events(security_data_query)
-
-
-    def fetch_incidents(
-        client,
-        last_run,
-        first_fetch_time,
-        event_severity_filter,
-        fetch_limit,
-        include_files,
-        integration_context=None,
-    ):
-        fetcher = Code42SecurityIncidentFetcher(
-            client,
-            last_run,
-            first_fetch_time,
-            event_severity_filter,
-            fetch_limit,
-            include_files,
-            integration_context,
-        )
-        return fetcher.fetch()
-
-
-    """Main and test"""
-
-
-
-    def test_module(client):
-        try:
-            # Will fail if unauthorized
-            client.get_current_user()
-            return "ok"
-        except Exception:
-            return (
-                "Invalid credentials or host address. Check that the username and password are correct, that the host "
-                "is available and reachable, and that you have supplied the full scheme, domain, and port "
-                "(e.g. https://myhost.code42.com:4285)."
-            )
-
-
-    def get_command_map():
-        return {
-            "code42-alert-get": alert_get_command,
-            "code42-alert-resolve": alert_resolve_command,
-            "code42-securitydata-search": securitydata_search_command,
-            "code42-departingemployee-add": departingemployee_add_command,
-            "code42-departingemployee-remove": departingemployee_remove_command,
-            "code42-departingemployee-get-all": departingemployee_get_all_command,
-            "code42-highriskemployee-add": highriskemployee_add_command,
-            "code42-highriskemployee-remove": highriskemployee_remove_command,
-            "code42-highriskemployee-get-all": highriskemployee_get_all_command,
-            "code42-highriskemployee-add-risk-tags": highriskemployee_add_risk_tags_command,
-            "code42-highriskemployee-remove-risk-tags": highriskemployee_remove_risk_tags_command,
-        }
-
-
-    def handle_test_command(client):
-        # This is the call made when pressing the integration Test button.
-        result = test_module(client)
-        demisto.results(result)
-
-
-    def handle_fetch_command(client):
-        integration_context = demisto.getIntegrationContext()
-        # Set and define the fetch incidents command to run after activated via integration settings.
-        next_run, incidents, remaining_incidents = fetch_incidents(
-            client=client,
-            last_run=demisto.getLastRun(),
-            first_fetch_time=demisto.params().get("fetch_time"),
-            event_severity_filter=demisto.params().get("alert_severity"),
-            fetch_limit=int(demisto.params().get("fetch_limit")),
-            include_files=demisto.params().get("include_files"),
-            integration_context=integration_context,
-        )
-        demisto.setLastRun(next_run)
-        demisto.incidents(incidents)
-        # Store remaining incidents in integration context
-        integration_context["remaining_incidents"] = remaining_incidents
-        demisto.setIntegrationContext(integration_context)
-
-
-    def try_run_command(command):
-        try:
-            results = command()
-            if not isinstance(results, tuple) and not isinstance(results, list):
-                results = [results]
-            for result in results:
-                return_results(result)
-        except Exception as e:
-            return_error(create_command_error_message(demisto.command(), e))
-
-
-    def run_code42_integration():
-        username = demisto.params().get("credentials").get("identifier")
-        password = demisto.params().get("credentials").get("password")
-        base_url = demisto.params().get("console_url")
-        verify_certificate = not demisto.params().get("insecure", False)
-        proxy = demisto.params().get("proxy", False)
-        LOG("Command being called is {0}.".format(demisto.command()))
-        client = Code42Client(
-            base_url=base_url,
-            sdk=None,
-            auth=(username, password),
-            verify=verify_certificate,
-            proxy=proxy,
-        )
-        commands = get_command_map()
-        command = demisto.command()
-        if command == "test-module":
-            handle_test_command(client)
-        elif command == "fetch-incidents":
-            handle_fetch_command(client)
-        elif command in commands:
-            try_run_command(lambda: commands[command](client, demisto.args()))
-
-
-    def main():
-        run_code42_integration()
-
-
-    if __name__ in ("__main__", "__builtin__", "builtins"):
-        main()
-  type: python
   commands:
-  - name: code42-securitydata-search
-    arguments:
-    - name: json
+  - arguments:
+    - default: false
       description: JSON query payload using Code42 query syntax.
-    - name: hash
+      isArray: false
+      name: json
+      required: false
+      secret: false
+    - default: false
       description: MD5 or SHA256 hash of the file to search for.
-    - name: username
+      isArray: false
+      name: hash
+      required: false
+      secret: false
+    - default: false
       description: Username to search for.
-    - name: hostname
+      isArray: false
+      name: username
+      required: false
+      secret: false
+    - default: false
       description: Hostname to search for.
-    - name: exposure
-      auto: PREDEFINED
+      isArray: false
+      name: hostname
+      required: false
+      secret: false
+    - auto: PREDEFINED
+      default: false
+      description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
+      isArray: true
+      name: exposure
       predefined:
       - RemovableMedia
       - ApplicationRead
@@ -1108,11 +85,19 @@ script:
       - IsPublic
       - SharedViaLink
       - SharedViaDomain
-      description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
-      isArray: true
-    - name: results
+      required: false
+      secret: false
+    - default: false
+      defaultValue: '100'
       description: The number of results to return. The default is 100.
-      defaultValue: "100"
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Searches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
+    execution: false
+    name: code42-securitydata-search
     outputs:
     - contextPath: Code42.SecurityData.EventTimestamp
       description: Timestamp for the event.
@@ -1240,12 +225,17 @@ script:
     - contextPath: File.Hostname
       description: The hostname where the file event was captured.
       type: string
-    description: Searches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
-  - name: code42-alert-get
-    arguments:
-    - name: id
-      required: true
+  - arguments:
+    - default: false
       description: The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents.
+      isArray: false
+      name: id
+      required: true
+      secret: false
+    deprecated: false
+    description: Retrieve alert details by alert ID
+    execution: false
+    name: code42-alert-get
     outputs:
     - contextPath: Code42.SecurityAlert.Username
       description: The username associated with the alert.
@@ -1271,26 +261,44 @@ script:
     - contextPath: Code42.SecurityAlert.Severity
       description: The severity of the alert.
       type: string
-    description: Retrieve alert details by alert ID
-  - name: code42-alert-resolve
-    arguments:
-    - name: id
-      required: true
+  - arguments:
+    - default: false
       description: The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents.
+      isArray: false
+      name: id
+      required: true
+      secret: false
+    deprecated: false
+    description: Resolves a Code42 Security alert.
+    execution: false
+    name: code42-alert-resolve
     outputs:
     - contextPath: Code42.SecurityAlert.ID
       description: The alert ID of the resolved alert.
       type: string
-    description: Resolves a Code42 Security alert.
-  - name: code42-departingemployee-add
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username to add to the Departing Employee List.
-    - name: departuredate
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
       description: The departure date for the employee, in the format YYYY-MM-DD.
-    - name: note
+      isArray: false
+      name: departuredate
+      required: false
+      secret: false
+    - default: false
       description: Note to attach to the Departing Employee.
+      isArray: false
+      name: note
+      required: false
+      secret: false
+    deprecated: false
+    description: Adds a user to the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-add
     outputs:
     - contextPath: Code42.DepartingEmployee.CaseID
       description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
@@ -1306,12 +314,18 @@ script:
       type: string
     - contextPath: Code42.DepartingEmployee.DepartureDate
       description: The departure date for the Departing Employee.
-    description: Adds a user to the Departing Employee List.
-  - name: code42-departingemployee-remove
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username to remove from the Departing Employee List.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a user from the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-remove
     outputs:
     - contextPath: Code42.DepartingEmployee.CaseID
       description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
@@ -1322,13 +336,17 @@ script:
     - contextPath: Code42.DepartingEmployee.Username
       description: The username of the Departing Employee.
       type: string
-    description: Removes a user from the Departing Employee List.
-  - name: code42-departingemployee-get-all
-    arguments:
-    - name: results
+  - arguments:
+    - default: false
       description: The number of items to return.
-      defaultvalue: "50"
-      type: number
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Get all employees on the Departing Employee List.
+    execution: false
+    name: code42-departingemployee-get-all
     outputs:
     - contextPath: Code42.DepartingEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -1341,14 +359,24 @@ script:
       type: string
     - contextPath: Code42.DepartingEmployee.DepartureDate
       description: The departure date for the Departing Employee.
-    description: Get all employees on the Departing Employee List.
-  - name: code42-highriskemployee-add
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username to add to the High Risk Employee List.
-    - name: note
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
       description: Note to attach to the High Risk Employee.
+      isArray: false
+      name: note
+      required: false
+      secret: false
+    deprecated: false
+    description: Adds a user from the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-add
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
@@ -1359,26 +387,41 @@ script:
     - contextPath: Code42.HighRiskEmployee.Note
       description: Note associated with the High Risk Employee.
       type: string
-    description: Adds a user from the High Risk Employee List.
-  - name: code42-highriskemployee-remove
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username to remove from the High Risk Employee List.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a user from the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-remove
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
+      type: Unknown
     - contextPath: Code42.HighRiskEmployee.Username
       description: The username of the High Risk Employee.
-    description: Removes a user from the High Risk Employee List.
-  - name: code42-highriskemployee-get-all
-    arguments:
-    - name: risktags
+      type: Unknown
+  - arguments:
+    - default: false
       description: To filter results by employees who have these risk tags. Space delimited.
-    - name: results
+      isArray: false
+      name: risktags
+      required: false
+      secret: false
+    - default: false
       description: The number of items to return.
-      defaultvalue: 50
-      type: number
+      isArray: false
+      name: results
+      required: false
+      secret: false
+    deprecated: false
+    description: Get all employees on the High Risk Employee List.
+    execution: false
+    name: code42-highriskemployee-get-all
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the High Risk Employee.
@@ -1389,15 +432,23 @@ script:
     - contextPath: Code42.HighRiskEmployee.Note
       description: Note associated with the High Risk Employee.
       type: string
-    description: Get all employees on the High Risk Employee List.
-  - name: code42-highriskemployee-add-risk-tags
-    arguments:
-    - name: username
-      required: true
+  - arguments:
+    - default: false
       description: The username of the High Risk Employee.
-    - name: risktags
+      isArray: false
+      name: username
       required: true
+      secret: false
+    - default: false
       description: Space-delimited risk tags to associate with the High Risk Employee.
+      isArray: false
+      name: risktags
+      required: true
+      secret: false
+    deprecated: false
+    description: Associates risk tags with the employee with the given username.
+    execution: false
+    name: code42-highriskemployee-add-risk-tags
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -1407,14 +458,24 @@ script:
       type: string
     - contextPath: Code42.HighRiskEmployee.RiskTags
       description: Risk tags to associate with the High Risk Employee.
-  - name: code42-highriskemployee-remove-risk-tags
-    arguments:
-    - name: username
-      required: true
+      type: Unknown
+  - arguments:
+    - default: false
       description: The username of the High Risk Employee.
-    - name: risktags
+      isArray: false
+      name: username
       required: true
+      secret: false
+    - default: false
       description: Space-delimited risk tags to disassociate from the High Risk Employee.
+      isArray: false
+      name: risktags
+      required: true
+      secret: false
+    deprecated: false
+    description: Disassociates risk tags from the user with the given username.
+    execution: false
+    name: code42-highriskemployee-remove-risk-tags
     outputs:
     - contextPath: Code42.HighRiskEmployee.UserID
       description: Internal Code42 User ID for the Departing Employee.
@@ -1424,10 +485,1314 @@ script:
       type: string
     - contextPath: Code42.HighRiskEmployee.RiskTags
       description: Risk tags to disassociate from the High Risk Employee.
-  dockerimage: demisto/py42:1.0.0.9242
+      type: Unknown
+  - arguments:
+    - default: false
+      description: The name of the Code42 organization from which to add the user.
+      isArray: false
+      name: orgname
+      required: true
+      secret: false
+    - default: false
+      description: The username to give to the user.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    - default: false
+      defaultValue: The email to give to the user.
+      description: The email of the employee to create.
+      isArray: false
+      name: email
+      required: true
+      secret: false
+    deprecated: false
+    description: Creates a Code42 user.
+    execution: false
+    name: code42-user-create
+    outputs:
+    - contextPath: Code42.User.Username
+      description: A username for a Code42 user.
+      type: String
+    - contextPath: Code42.User.Email
+      description: An email for a Code42 user.
+      type: String
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to block.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Blocks a user in Code42.  A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
+    execution: false
+    name: code42-user-block
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to deactivate.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
+    execution: false
+    name: code42-user-deactivate
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: The ID of a Code42 User.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to unblock.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
+    execution: false
+    name: code42-user-unblock
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: An ID for a Code42 user.
+      type: String
+  - arguments:
+    - default: false
+      description: The username of the user to reactivate.
+      isArray: false
+      name: username
+      required: true
+      secret: false
+    deprecated: false
+    description: Reactivates the user with the given username.
+    execution: false
+    name: code42-user-reactivate
+    outputs:
+    - contextPath: Code42.User.UserID
+      description: The ID of a Code42 User.
+      type: String
+  dockerimage: demisto/py42:1.0.0.9323
+  feed: false
   isfetch: true
+  longRunning: false
+  longRunningPort: false
   runonce: false
+  script: >2
+
+
+
+    """ IMPORTS """
+
+    import json
+
+    import requests
+
+    import py42.sdk
+
+    import py42.settings
+
+    from datetime import datetime
+
+    from py42.sdk.queries.fileevents.file_event_query import FileEventQuery
+
+    from py42.sdk.queries.fileevents.filters import (
+        MD5,
+        SHA256,
+        Actor,
+        EventTimestamp,
+        OSHostname,
+        DeviceUsername,
+        ExposureType,
+        EventType,
+        FileCategory,
+    )
+
+    from py42.sdk.queries.alerts.alert_query import AlertQuery
+
+    from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState
+
+
+    # Disable insecure warnings
+
+    requests.packages.urllib3.disable_warnings()
+
+
+    """ CONSTANTS """
+
+    CODE42_EVENT_CONTEXT_FIELD_MAPPER = {
+        "eventTimestamp": "EventTimestamp",
+        "createTimestamp": "FileCreated",
+        "deviceUid": "EndpointID",
+        "deviceUserName": "DeviceUsername",
+        "emailFrom": "EmailFrom",
+        "emailRecipients": "EmailTo",
+        "emailSubject": "EmailSubject",
+        "eventId": "EventID",
+        "eventType": "EventType",
+        "fileCategory": "FileCategory",
+        "fileOwner": "FileOwner",
+        "fileName": "FileName",
+        "filePath": "FilePath",
+        "fileSize": "FileSize",
+        "modifyTimestamp": "FileModified",
+        "md5Checksum": "FileMD5",
+        "osHostName": "FileHostname",
+        "privateIpAddresses": "DevicePrivateIPAddress",
+        "publicIpAddresses": "DevicePublicIPAddress",
+        "removableMediaBusType": "RemovableMediaType",
+        "removableMediaCapacity": "RemovableMediaCapacity",
+        "removableMediaMediaName": "RemovableMediaMediaName",
+        "removableMediaName": "RemovableMediaName",
+        "removableMediaSerialNumber": "RemovableMediaSerialNumber",
+        "removableMediaVendor": "RemovableMediaVendor",
+        "sha256Checksum": "FileSHA256",
+        "shared": "FileShared",
+        "sharedWith": "FileSharedWith",
+        "source": "Source",
+        "tabUrl": "ApplicationTabURL",
+        "url": "FileURL",
+        "processName": "ProcessName",
+        "processOwner": "ProcessOwner",
+        "windowTitle": "WindowTitle",
+        "exposure": "Exposure",
+        "sharingTypeAdded": "SharingTypeAdded",
+    }
+
+
+    CODE42_ALERT_CONTEXT_FIELD_MAPPER = {
+        "actor": "Username",
+        "createdAt": "Occurred",
+        "description": "Description",
+        "id": "ID",
+        "name": "Name",
+        "state": "State",
+        "type": "Type",
+        "severity": "Severity",
+    }
+
+
+    FILE_CONTEXT_FIELD_MAPPER = {
+        "fileName": "Name",
+        "filePath": "Path",
+        "fileSize": "Size",
+        "md5Checksum": "MD5",
+        "sha256Checksum": "SHA256",
+        "osHostName": "Hostname",
+    }
+
+
+    CODE42_FILE_TYPE_MAPPER = {
+        "SourceCode": "SOURCE_CODE",
+        "Audio": "AUDIO",
+        "Executable": "EXECUTABLE",
+        "Document": "DOCUMENT",
+        "Image": "IMAGE",
+        "PDF": "PDF",
+        "Presentation": "PRESENTATION",
+        "Script": "SCRIPT",
+        "Spreadsheet": "SPREADSHEET",
+        "Video": "VIDEO",
+        "VirtualDiskImage": "VIRTUAL_DISK_IMAGE",
+        "Archive": "ARCHIVE",
+    }
+
+
+    SECURITY_EVENT_HEADERS = [
+        "EventType",
+        "FileName",
+        "FileSize",
+        "FileHostname",
+        "FileOwner",
+        "FileCategory",
+        "DeviceUsername",
+    ]
+
+
+    SECURITY_ALERT_HEADERS = ["Type", "Occurred", "Username", "Name", "Description", "State", "ID"]
+
+
+
+    def _get_severity_filter_value(severity_arg):
+        """Converts single str to upper case. If given list of strs, converts all to upper case."""
+        if severity_arg:
+            return (
+                [severity_arg.upper()]
+                if isinstance(severity_arg, str)
+                else list(map(lambda x: x.upper(), severity_arg))
+            )
+
+
+    def _create_alert_query(event_severity_filter, start_time):
+        """Creates an alert query for the given severity (or severities) and start time."""
+        alert_filters = AlertQueryFilters()
+        severity = event_severity_filter
+        alert_filters.append_result(_get_severity_filter_value(severity), Severity.is_in)
+        alert_filters.append(AlertState.eq(AlertState.OPEN))
+        alert_filters.append_result(start_time, DateObserved.on_or_after)
+        alert_query = alert_filters.to_all_query()
+        return alert_query
+
+
+    def _get_all_high_risk_employees_from_page(page, risk_tags):
+        res = []
+        # Note: page is a `Py42Response` and has no `get()` method.
+        employees = page["items"]
+        for employee in employees:
+            if not risk_tags:
+                res.append(employee)
+                continue
+
+            employee_tags = employee.get("riskFactors")
+            # If the employee risk tags contain all the given risk tags
+            if employee_tags and set(risk_tags) <= set(employee_tags):
+                res.append(employee)
+        return res
+
+
+    def _try_convert_str_list_to_list(str_list):
+        if isinstance(str_list, str):
+            return str_list.split()
+        return str_list
+
+
+    class Code42Client(BaseClient):
+        """
+        Client will implement the service API, should not contain Cortex XSOAR logic.
+        Should do requests and return data
+        """
+
+        def __init__(self, sdk, base_url, auth, verify=True, proxy=False):
+            super().__init__(base_url, verify=verify, proxy=proxy)
+            # Allow sdk parameter for unit testing.
+            # Otherwise, lazily load the SDK so that the TEST Command can effectively check auth.
+            self._sdk = sdk
+            self._sdk_factory = (
+                lambda: py42.sdk.from_local_account(base_url, auth[0], auth[1])
+                if not self._sdk
+                else None
+            )
+            py42.settings.set_user_agent_suffix("Cortex XSOAR")
+
+        def _get_sdk(self):
+            if self._sdk is None:
+                self._sdk = self._sdk_factory()
+            return self._sdk
+
+        def add_user_to_departing_employee(self, username, departure_date=None, note=None):
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.departing_employee.add(
+                user_id, departure_date=departure_date
+            )
+            if note:
+                self._get_sdk().detectionlists.update_user_notes(user_id, note)
+            return user_id
+
+        def remove_user_from_departing_employee(self, username):
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.departing_employee.remove(user_id)
+            return user_id
+
+        def get_all_departing_employees(self, results):
+            res = []
+            results = int(results) if results else None
+            pages = self._get_sdk().detectionlists.departing_employee.get_all()
+            for page in pages:
+                # Note: page is a `Py42Response` and has no `get()` method.
+                employees = page["items"]
+                for employee in employees:
+                    res.append(employee)
+                    if results and len(res) == results:
+                        return res
+            return res
+
+        def add_user_to_high_risk_employee(self, username, note=None):
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.high_risk_employee.add(user_id)
+            if note:
+                self._get_sdk().detectionlists.update_user_notes(user_id, note)
+            return user_id
+
+        def remove_user_from_high_risk_employee(self, username):
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.high_risk_employee.remove(user_id)
+            return user_id
+
+        def add_user_risk_tags(self, username, risk_tags):
+            risk_tags = _try_convert_str_list_to_list(risk_tags)
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.add_user_risk_tags(user_id, risk_tags)
+            return user_id
+
+        def remove_user_risk_tags(self, username, risk_tags):
+            risk_tags = _try_convert_str_list_to_list(risk_tags)
+            user_id = self._get_user_id(username)
+            self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags)
+            return user_id
+
+        def get_all_high_risk_employees(self, risk_tags, results):
+            risk_tags = _try_convert_str_list_to_list(risk_tags)
+            results = int(results) if results else None
+            res = []
+            pages = self._get_sdk().detectionlists.high_risk_employee.get_all()
+            for page in pages:
+                employees = _get_all_high_risk_employees_from_page(page, risk_tags)
+                for employee in employees:
+                    res.append(employee)
+                    if results and len(res) == results:
+                        return res
+            return res
+
+        def fetch_alerts(self, start_time, event_severity_filter):
+            query = _create_alert_query(event_severity_filter, start_time)
+            res = self._get_sdk().alerts.search(query)
+            return res["alerts"]
+
+        def get_alert_details(self, alert_id):
+            res = self._get_sdk().alerts.get_details(alert_id)["alerts"]
+            if not res:
+                raise Code42AlertNotFoundError(alert_id)
+            return res[0]
+
+        def resolve_alert(self, id):
+            self._get_sdk().alerts.resolve(id)
+            return id
+
+        def get_current_user(self):
+            res = self._get_sdk().users.get_current()
+            return res
+
+        def get_user(self, username):
+            res = self._get_sdk().users.get_by_username(username)["users"]
+            if not res:
+                raise Code42UserNotFoundError(username)
+            return res[0]
+
+        def create_user(self, org_name, username, email):
+            org_uid = self._get_org_id(org_name)
+            response = self._get_sdk().users.create_user(org_uid, username, email)
+            return json.loads(response.text)
+
+        def block_user(self, username):
+            user_id = self._get_legacy_user_id(username)
+            self._get_sdk().users.block(user_id)
+            return user_id
+
+        def unblock_user(self, username):
+            user_id = self._get_legacy_user_id(username)
+            self._get_sdk().users.unblock(user_id)
+            return user_id
+
+        def deactivate_user(self, username):
+            user_id = self._get_legacy_user_id(username)
+            self._get_sdk().users.deactivate(user_id)
+            return user_id
+
+        def reactivate_user(self, username):
+            user_id = self._get_legacy_user_id(username)
+            self._get_sdk().users.reactivate(user_id)
+            return user_id
+
+        def get_org(self, org_name):
+            org_pages = self._get_sdk().orgs.get_all()
+            for org_page in org_pages:
+                orgs = org_page["orgs"]
+                for org in orgs:
+                    if org.get("orgName") == org_name:
+                        return org
+            raise Code42OrgNotFoundError(org_name)
+
+        def search_file_events(self, payload):
+            res = self._get_sdk().securitydata.search_file_events(payload)
+            return res["fileEvents"]
+
+        def _get_user_id(self, username):
+            user_id = self.get_user(username).get("userUid")
+            if user_id:
+                return user_id
+            raise Code42UserNotFoundError(username)
+
+        def _get_legacy_user_id(self, username):
+            user_id = self.get_user(username).get("userId")
+            if user_id:
+                return user_id
+            raise Code42UserNotFoundError(username)
+
+        def _get_org_id(self, org_name):
+            org_uid = self.get_org(org_name).get("orgUid")
+            if org_uid:
+                return org_uid
+            raise Code42OrgNotFoundError(org_name)
+
+
+    class Code42AlertNotFoundError(Exception):
+        def __init__(self, alert_id):
+            super(Code42AlertNotFoundError, self).__init__(
+                "No alert found with ID {0}.".format(alert_id)
+            )
+
+
+    class Code42UserNotFoundError(Exception):
+        def __init__(self, username):
+            super(Code42UserNotFoundError, self).__init__(
+                "No user found with username {0}.".format(username)
+            )
+
+
+    class Code42OrgNotFoundError(Exception):
+        def __init__(self, org_name):
+            super(Code42OrgNotFoundError, self).__init__(
+                "No organization found with name {0}.".format(org_name)
+            )
+
+
+    class Code42SearchFilters(object):
+        def __init__(self):
+            self._filters = []
+
+        @property
+        def filters(self):
+            return self._filters
+
+        def to_all_query(self):
+            """Override"""
+
+        def append(self, _filter):
+            if _filter:
+                self._filters.append(_filter)
+
+        def extend(self, _filters):
+            if _filters:
+                self._filters.extend(_filters)
+
+        def append_result(self, value, create_filter):
+            """Safely creates and appends the filter to the working list."""
+            if not value:
+                return
+            _filter = create_filter(value)
+            self.append(_filter)
+
+
+    class FileEventQueryFilters(Code42SearchFilters):
+        """Class for simplifying building up a file event search query"""
+
+        def __init__(self, pg_size=None):
+            self._pg_size = pg_size
+            super(FileEventQueryFilters, self).__init__()
+
+        def to_all_query(self):
+            """Convert list of search criteria to *args"""
+            query = FileEventQuery.all(*self._filters)
+            if self._pg_size:
+                query.page_size = self._pg_size
+            return query
+
+
+    class AlertQueryFilters(Code42SearchFilters):
+        """Class for simplifying building up an alert search query"""
+
+        def to_all_query(self):
+            query = AlertQuery.all(*self._filters)
+            query.page_size = 500
+            query.sort_direction = "asc"
+            return query
+
+
+    @logger
+
+    def build_query_payload(args):
+        """Build a query payload combining passed args"""
+
+        pg_size = args.get("results")
+        _hash = args.get("hash")
+        hostname = args.get("hostname")
+        username = args.get("username")
+        exposure = args.get("exposure")
+
+        search_args = FileEventQueryFilters(pg_size)
+        search_args.append_result(_hash, _create_hash_filter)
+        search_args.append_result(hostname, OSHostname.eq)
+        search_args.append_result(username, DeviceUsername.eq)
+        search_args.append_result(exposure, _create_exposure_filter)
+
+        query = search_args.to_all_query()
+        LOG("File Event Query: {}".format(str(query)))
+        return query
+
+
+    def _create_hash_filter(hash_arg):
+        if not hash_arg:
+            return None
+        elif len(hash_arg) == 32:
+            return MD5.eq(hash_arg)
+        elif len(hash_arg) == 64:
+            return SHA256.eq(hash_arg)
+
+
+    def _create_exposure_filter(exposure_arg):
+        # Because the CLI can't accept lists, convert the args to a list if the type is string.
+        if isinstance(exposure_arg, str):
+            exposure_arg = exposure_arg.split(",")
+        return ExposureType.is_in(exposure_arg)
+
+
+    def _create_category_filter(file_type):
+        category_value = CODE42_FILE_TYPE_MAPPER.get(file_type.get("category"), "UNCATEGORIZED")
+        return FileCategory.eq(category_value)
+
+
+    class ObservationToSecurityQueryMapper(object):
+        """Class to simplify the process of mapping observation data to query objects."""
+
+        # Exfiltration consts
+        _ENDPOINT_TYPE = "FedEndpointExfiltration"
+        _CLOUD_TYPE = "FedCloudSharePermissions"
+
+        # Query consts
+        _PUBLIC_SEARCHABLE = "PublicSearchableShare"
+        _PUBLIC_LINK = "PublicLinkShare"
+        _OUTSIDE_TRUSTED_DOMAINS = "SharedOutsideTrustedDomain"
+
+        exposure_type_map = {
+            "PublicSearchableShare": ExposureType.IS_PUBLIC,
+            "PublicLinkShare": ExposureType.SHARED_VIA_LINK,
+            "SharedOutsideTrustedDomain": "OutsideTrustedDomains",
+        }
+
+        def __init__(self, observation, actor):
+            self._obs = observation
+            self._actor = actor
+
+        @property
+        def _observation_data(self):
+            return self._obs.get("data")
+
+        @property
+        def _exfiltration_type(self):
+            return self._obs.get("type")
+
+        @property
+        def _is_endpoint_exfiltration(self):
+            return self._exfiltration_type == self._ENDPOINT_TYPE
+
+        @property
+        def _is_cloud_exfiltration(self):
+            return self._exfiltration_type == self._CLOUD_TYPE
+
+        def _create_user_filter(self):
+            return (
+                DeviceUsername.eq(self._actor)
+                if self._is_endpoint_exfiltration
+                else Actor.eq(self._actor)
+            )
+
+        def map(self):
+            search_args = self._create_search_args()
+            query = search_args.to_all_query()
+            LOG("Alert Observation Query: {}".format(query))
+            return query
+
+        def _create_search_args(self):
+            filters = FileEventQueryFilters()
+            exposure_types = self._observation_data.get("exposureTypes")
+            first_activity = self._observation_data.get("firstActivityAt")
+            last_activity = self._observation_data.get("lastActivityAt")
+            filters.append(self._create_user_filter())
+            if first_activity:
+                begin_time = _convert_date_arg_to_epoch(first_activity)
+                if begin_time:
+                    filters.append(EventTimestamp.on_or_after(begin_time))
+            if last_activity:
+                end_time = _convert_date_arg_to_epoch(last_activity)
+                if end_time:
+                    filters.append(EventTimestamp.on_or_before(end_time))
+            filters.extend(self._create_exposure_filters(exposure_types))
+            filters.append(self._create_file_category_filters())
+            return filters
+
+        @logger
+        def _create_exposure_filters(self, exposure_types):
+            """Determine exposure types based on alert type"""
+            exp_types = []
+            if self._is_cloud_exfiltration:
+                for t in exposure_types:
+                    exp_type = self.exposure_type_map.get(t)
+                    if exp_type:
+                        exp_types.append(exp_type)
+                    else:
+                        LOG("Received unsupported exposure type {0}.".format(t))
+                if exp_types:
+                    return [ExposureType.is_in(exp_types)]
+                else:
+                    # If not given a support exposure type, search for all unsupported exposure types
+                    supported_exp_types = list(self.exposure_type_map.values())
+                    return [ExposureType.not_in(supported_exp_types)]
+            elif self._is_endpoint_exfiltration:
+                return [
+                    EventType.is_in([EventType.CREATED, EventType.MODIFIED, EventType.READ_BY_APP]),
+                    ExposureType.is_in(exposure_types),
+                ]
+            return []
+
+        def _create_file_category_filters(self):
+            """Determine if file categorization is significant"""
+            observed_file_categories = self._observation_data.get("fileCategories")
+            if observed_file_categories:
+                categories = [
+                    c.get("category").upper()
+                    for c in observed_file_categories
+                    if c.get("isSignificant") and c.get("category")
+                ]
+                if categories:
+                    return FileCategory.is_in(categories)
+
+
+    def map_observation_to_security_query(observation, actor):
+        mapper = ObservationToSecurityQueryMapper(observation, actor)
+        return mapper.map()
+
+
+    def _convert_date_arg_to_epoch(date_arg):
+        date_arg = date_arg[:25]
+        return (
+            datetime.strptime(date_arg, "%Y-%m-%dT%H:%M:%S.%f") - datetime.utcfromtimestamp(0)
+        ).total_seconds()
+
+
+    @logger
+
+    def map_to_code42_event_context(obj):
+        code42_context = _map_obj_to_context(obj, CODE42_EVENT_CONTEXT_FIELD_MAPPER)
+        # FileSharedWith is a special case and needs to be converted to a list
+        shared_with_list = code42_context.get("FileSharedWith")
+        if shared_with_list:
+            shared_list = [u.get("cloudUsername") for u in shared_with_list if u.get("cloudUsername")]
+            code42_context["FileSharedWith"] = str(shared_list)
+        return code42_context
+
+
+    @logger
+
+    def map_to_code42_alert_context(obj):
+        return _map_obj_to_context(obj, CODE42_ALERT_CONTEXT_FIELD_MAPPER)
+
+
+    @logger
+
+    def map_to_file_context(obj):
+        return _map_obj_to_context(obj, FILE_CONTEXT_FIELD_MAPPER)
+
+
+    @logger
+
+    def _map_obj_to_context(obj, context_mapper):
+        return {v: obj.get(k) for k, v in context_mapper.items() if obj.get(k)}
+
+
+    def create_command_error_message(cmd, ex):
+        return "Failed to execute command {0} command. Error: {1}".format(cmd, str(ex))
+
+
+    """Commands"""
+
+
+
+    @logger
+
+    def alert_get_command(client, args):
+        code42_securityalert_context = []
+        alert = client.get_alert_details(args.get("id"))
+        if not alert:
+            return CommandResults(
+                readable_output="No results found",
+                outputs={"Results": []},
+                outputs_key_field="ID",
+                outputs_prefix="Code42.SecurityAlert",
+                raw_response={},
+            )
+
+        code42_context = map_to_code42_alert_context(alert)
+        code42_securityalert_context.append(code42_context)
+        readable_outputs = tableToMarkdown(
+            "Code42 Security Alert Results",
+            code42_securityalert_context,
+            headers=SECURITY_ALERT_HEADERS,
+        )
+        return CommandResults(
+            outputs_prefix="Code42.SecurityAlert",
+            outputs_key_field="ID",
+            outputs=code42_securityalert_context,
+            readable_output=readable_outputs,
+            raw_response=alert,
+        )
+
+
+    @logger
+
+    def alert_resolve_command(client, args):
+        code42_securityalert_context = []
+        alert_id = client.resolve_alert(args.get("id"))
+        if not alert_id:
+            return CommandResults(
+                readable_output="No results found",
+                outputs={"Results": []},
+                outputs_key_field="ID",
+                outputs_prefix="Code42.SecurityAlert",
+                raw_response={},
+            )
+
+        # Retrieve new alert details
+        alert_details = client.get_alert_details(alert_id)
+        code42_context = map_to_code42_alert_context(alert_details)
+        code42_securityalert_context.append(code42_context)
+        readable_outputs = tableToMarkdown(
+            "Code42 Security Alert Resolved",
+            code42_securityalert_context,
+            headers=SECURITY_ALERT_HEADERS,
+        )
+        return CommandResults(
+            outputs_prefix="Code42.SecurityAlert",
+            outputs_key_field="ID",
+            outputs=code42_securityalert_context,
+            readable_output=readable_outputs,
+            raw_response=alert_details,
+        )
+
+
+    @logger
+
+    def departingemployee_add_command(client, args):
+        departing_date = args.get("departuredate")
+        username = args.get("username")
+        note = args.get("note")
+        user_id = client.add_user_to_departing_employee(username, departing_date, note)
+        # CaseID included but is deprecated.
+        de_context = {
+            "CaseID": user_id,
+            "UserID": user_id,
+            "Username": username,
+            "DepartureDate": departing_date,
+            "Note": note,
+        }
+        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Added", de_context)
+        return CommandResults(
+            outputs_prefix="Code42.DepartingEmployee",
+            outputs_key_field="UserID",
+            outputs=de_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def departingemployee_remove_command(client, args):
+        username = args.get("username")
+        user_id = client.remove_user_from_departing_employee(username)
+        # CaseID included but is deprecated.
+        de_context = {"CaseID": user_id, "UserID": user_id, "Username": username}
+        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Removed", de_context)
+        return CommandResults(
+            outputs_prefix="Code42.DepartingEmployee",
+            outputs_key_field="UserID",
+            outputs=de_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def departingemployee_get_all_command(client, args):
+        results = args.get("results") or 50
+        employees = client.get_all_departing_employees(results)
+        if not employees:
+            return CommandResults(
+                readable_output="No results found",
+                outputs_prefix="Code42.DepartingEmployee",
+                outputs_key_field="UserID",
+                outputs={"Results": []},
+                raw_response={},
+            )
+
+        employees_context = [
+            {
+                "UserID": e.get("userId"),
+                "Username": e.get("userName"),
+                "DepartureDate": e.get("departureDate"),
+                "Note": e.get("notes"),
+            }
+            for e in employees
+        ]
+        readable_outputs = tableToMarkdown("All Departing Employees", employees_context)
+        return CommandResults(
+            outputs_prefix="Code42.DepartingEmployee",
+            outputs_key_field="UserID",
+            outputs=employees_context,
+            readable_output=readable_outputs,
+            raw_response=employees,
+        )
+
+
+    @logger
+
+    def highriskemployee_add_command(client, args):
+        username = args.get("username")
+        note = args.get("note")
+        user_id = client.add_user_to_high_risk_employee(username, note)
+        hr_context = {"UserID": user_id, "Username": username}
+        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Added", hr_context)
+        return CommandResults(
+            outputs_prefix="Code42.HighRiskEmployee",
+            outputs_key_field="UserID",
+            outputs=hr_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def highriskemployee_remove_command(client, args):
+        username = args.get("username")
+        user_id = client.remove_user_from_high_risk_employee(username)
+        hr_context = {"UserID": user_id, "Username": username}
+        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Removed", hr_context)
+        return CommandResults(
+            outputs_prefix="Code42.HighRiskEmployee",
+            outputs_key_field="UserID",
+            outputs=hr_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def highriskemployee_get_all_command(client, args):
+        tags = args.get("risktags")
+        results = args.get("results") or 50
+        employees = client.get_all_high_risk_employees(tags, results)
+        if not employees:
+            return CommandResults(
+                readable_output="No results found",
+                outputs_prefix="Code42.HighRiskEmployee",
+                outputs_key_field="UserID",
+                outputs={"Results": []},
+                raw_response={},
+            )
+        employees_context = [
+            {"UserID": e.get("userId"), "Username": e.get("userName"), "Note": e.get("notes")}
+            for e in employees
+        ]
+        readable_outputs = tableToMarkdown("Retrieved All High Risk Employees", employees_context)
+        return CommandResults(
+            outputs_prefix="Code42.HighRiskEmployee",
+            outputs_key_field="UserID",
+            outputs=employees_context,
+            readable_output=readable_outputs,
+            raw_response=employees,
+        )
+
+
+    @logger
+
+    def highriskemployee_add_risk_tags_command(client, args):
+        username = args.get("username")
+        tags = args.get("risktags")
+        user_id = client.add_user_risk_tags(username, tags)
+        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
+        readable_outputs = tableToMarkdown("Code42 Risk Tags Added", rt_context)
+        return CommandResults(
+            outputs_prefix="Code42.HighRiskEmployee",
+            outputs_key_field="UserID",
+            outputs=rt_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def highriskemployee_remove_risk_tags_command(client, args):
+        username = args.get("username")
+        tags = args.get("risktags")
+        user_id = client.remove_user_risk_tags(username, tags)
+        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
+        readable_outputs = tableToMarkdown("Code42 Risk Tags Removed", rt_context)
+        return CommandResults(
+            outputs_prefix="Code42.HighRiskEmployee",
+            outputs_key_field="UserID",
+            outputs=rt_context,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    @logger
+
+    def securitydata_search_command(client, args):
+        code42_security_data_context = []
+        _json = args.get("json")
+        file_context = []
+
+        # If JSON payload is passed as an argument, ignore all other args and search by JSON payload
+        if _json is not None:
+            file_events = client.search_file_events(_json)
+        else:
+            # Build payload
+            payload = build_query_payload(args)
+            file_events = client.search_file_events(payload)
+        if file_events:
+            for file_event in file_events:
+                code42_context_event = map_to_code42_event_context(file_event)
+                code42_security_data_context.append(code42_context_event)
+                file_context_event = map_to_file_context(file_event)
+                file_context.append(file_context_event)
+            readable_outputs = tableToMarkdown(
+                "Code42 Security Data Results",
+                code42_security_data_context,
+                headers=SECURITY_EVENT_HEADERS,
+            )
+            code42_results = CommandResults(
+                outputs_prefix="Code42.SecurityData",
+                outputs_key_field="EventID",
+                outputs=code42_security_data_context,
+                readable_output=readable_outputs,
+                raw_response=file_events,
+            )
+            file_results = CommandResults(
+                outputs_prefix="File", outputs_key_field=None, outputs=file_context
+            )
+            return code42_results, file_results
+
+        else:
+            return CommandResults(
+                readable_output="No results found",
+                outputs={"Results": []},
+                outputs_key_field="EventID",
+                outputs_prefix="Code42.SecurityData",
+                raw_response={},
+            )
+
+
+    def user_create_command(client, args):
+        org_name = args.get("orgname")
+        username = args.get("username")
+        email = args.get("email")
+        res = client.create_user(org_name, username, email)
+        outputs = {
+            "Username": res.get("username"),
+            "UserID": res.get("userUid"),
+            "Email": res.get("email"),
+        }
+        readable_outputs = tableToMarkdown("Code42 User Created", outputs)
+        return CommandResults(
+            outputs_prefix="Code42.User",
+            outputs_key_field="UserID",
+            outputs=outputs,
+            readable_output=readable_outputs,
+            raw_response=res,
+        )
+
+
+    def user_block_command(client, args):
+        username = args.get("username")
+        user_id = client.block_user(username)
+        outputs = {"UserID": user_id}
+        readable_outputs = tableToMarkdown("Code42 User Blocked", outputs)
+        return CommandResults(
+            outputs_prefix="Code42.User",
+            outputs_key_field="UserID",
+            outputs=outputs,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    def user_unblock_command(client, args):
+        username = args.get("username")
+        user_id = client.unblock_user(username)
+        outputs = {"UserID": user_id}
+        readable_outputs = tableToMarkdown("Code42 User Unblocked", outputs)
+        return CommandResults(
+            outputs_prefix="Code42.User",
+            outputs_key_field="UserID",
+            outputs=outputs,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    def user_deactivate_command(client, args):
+        username = args.get("username")
+        user_id = client.deactivate_user(username)
+        outputs = {"UserID": user_id}
+        readable_outputs = tableToMarkdown("Code42 User Deactivated", outputs)
+        return CommandResults(
+            outputs_prefix="Code42.User",
+            outputs_key_field="UserID",
+            outputs=outputs,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    def user_reactivate_command(client, args):
+        username = args.get("username")
+        user_id = client.reactivate_user(username)
+        outputs = {"UserID": user_id}
+        readable_outputs = tableToMarkdown("Code42 User Reactivated", outputs)
+        return CommandResults(
+            outputs_prefix="Code42.User",
+            outputs_key_field="UserID",
+            outputs=outputs,
+            readable_output=readable_outputs,
+            raw_response=user_id,
+        )
+
+
+    """Fetching"""
+
+
+
+    def _create_incident_from_alert_details(details):
+        return {"name": "Code42 - {}".format(details.get("name")), "occurred": details.get("createdAt")}
+
+
+    def _stringify_lists_if_needed(event):
+        # We need to convert certain fields to a stringified list or React.JS will throw an error
+        shared_with = event.get("sharedWith")
+        private_ip_addresses = event.get("privateIpAddresses")
+        if shared_with:
+            shared_list = [u.get("cloudUsername") for u in shared_with if u.get("cloudUsername")]
+            event["sharedWith"] = str(shared_list)
+        if private_ip_addresses:
+            event["privateIpAddresses"] = str(private_ip_addresses)
+        return event
+
+
+    def _process_event_from_observation(event):
+        return _stringify_lists_if_needed(event)
+
+
+    class Code42SecurityIncidentFetcher(object):
+        def __init__(
+            self,
+            client,
+            last_run,
+            first_fetch_time,
+            event_severity_filter,
+            fetch_limit,
+            include_files,
+            integration_context=None,
+        ):
+            self._client = client
+            self._last_run = last_run
+            self._first_fetch_time = first_fetch_time
+            self._event_severity_filter = event_severity_filter
+            self._fetch_limit = fetch_limit
+            self._include_files = (include_files,)
+            self._integration_context = integration_context
+
+        @logger
+        def fetch(self):
+            remaining_incidents_from_last_run = self._fetch_remaining_incidents_from_last_run()
+            if remaining_incidents_from_last_run:
+                return remaining_incidents_from_last_run
+            start_query_time = self._get_start_query_time()
+            alerts = self._fetch_alerts(start_query_time)
+            incidents = [self._create_incident_from_alert(a) for a in alerts]
+            save_time = datetime.utcnow().timestamp()
+            next_run = {"last_fetch": save_time}
+            return next_run, incidents[: self._fetch_limit], incidents[self._fetch_limit:]
+
+        def _fetch_remaining_incidents_from_last_run(self):
+            if self._integration_context:
+                remaining_incidents = self._integration_context.get("remaining_incidents")
+                # return incidents if exists in context.
+                if remaining_incidents:
+                    return (
+                        self._last_run,
+                        remaining_incidents[: self._fetch_limit],
+                        remaining_incidents[self._fetch_limit:],
+                    )
+
+        def _get_start_query_time(self):
+            start_query_time = self._try_get_last_fetch_time()
+
+            # Handle first time fetch, fetch incidents retroactively
+            if not start_query_time:
+                start_query_time, _ = parse_date_range(
+                    self._first_fetch_time, to_timestamp=True, utc=True
+                )
+                start_query_time /= 1000
+
+            return start_query_time
+
+        def _try_get_last_fetch_time(self):
+            return self._last_run.get("last_fetch")
+
+        def _fetch_alerts(self, start_query_time):
+            return self._client.fetch_alerts(start_query_time, self._event_severity_filter)
+
+        def _create_incident_from_alert(self, alert):
+            details = self._client.get_alert_details(alert["id"])
+            incident = _create_incident_from_alert_details(details)
+            details = self._relate_files_to_alert(details)
+            incident["rawJSON"] = json.dumps(details)
+            return incident
+
+        def _relate_files_to_alert(self, alert_details):
+            observations = alert_details.get("observations")
+            if not observations:
+                alert_details["fileevents"] = []
+                return
+            for obs in observations:
+                file_events = self._get_file_events_from_alert_details(obs, alert_details)
+                alert_details["fileevents"] = [_process_event_from_observation(e) for e in file_events]
+            return alert_details
+
+        def _get_file_events_from_alert_details(self, observation, alert_details):
+            security_data_query = map_observation_to_security_query(observation, alert_details["actor"])
+            return self._client.search_file_events(security_data_query)
+
+
+    def fetch_incidents(
+        client,
+        last_run,
+        first_fetch_time,
+        event_severity_filter,
+        fetch_limit,
+        include_files,
+        integration_context=None,
+    ):
+        fetcher = Code42SecurityIncidentFetcher(
+            client,
+            last_run,
+            first_fetch_time,
+            event_severity_filter,
+            fetch_limit,
+            include_files,
+            integration_context,
+        )
+        return fetcher.fetch()
+
+
+    """Main and test"""
+
+
+
+    def test_module(client):
+        try:
+            # Will fail if unauthorized
+            client.get_current_user()
+            return "ok"
+        except Exception:
+            return (
+                "Invalid credentials or host address. Check that the username and password are correct, that the host "
+                "is available and reachable, and that you have supplied the full scheme, domain, and port "
+                "(e.g. https://myhost.code42.com:4285)."
+            )
+
+
+    def get_command_map():
+        return {
+            "code42-alert-get": alert_get_command,
+            "code42-alert-resolve": alert_resolve_command,
+            "code42-securitydata-search": securitydata_search_command,
+            "code42-departingemployee-add": departingemployee_add_command,
+            "code42-departingemployee-remove": departingemployee_remove_command,
+            "code42-departingemployee-get-all": departingemployee_get_all_command,
+            "code42-highriskemployee-add": highriskemployee_add_command,
+            "code42-highriskemployee-remove": highriskemployee_remove_command,
+            "code42-highriskemployee-get-all": highriskemployee_get_all_command,
+            "code42-highriskemployee-add-risk-tags": highriskemployee_add_risk_tags_command,
+            "code42-highriskemployee-remove-risk-tags": highriskemployee_remove_risk_tags_command,
+            "code42-user-create": user_create_command,
+            "code42-user-block": user_block_command,
+            "code42-user-unblock": user_unblock_command,
+            "code42-user-deactivate": user_deactivate_command,
+            "code42_user-reactivate": user_reactivate_command,
+        }
+
+
+    def handle_test_command(client):
+        # This is the call made when pressing the integration Test button.
+        result = test_module(client)
+        demisto.results(result)
+
+
+    def handle_fetch_command(client):
+        integration_context = demisto.getIntegrationContext()
+        # Set and define the fetch incidents command to run after activated via integration settings.
+        next_run, incidents, remaining_incidents = fetch_incidents(
+            client=client,
+            last_run=demisto.getLastRun(),
+            first_fetch_time=demisto.params().get("fetch_time"),
+            event_severity_filter=demisto.params().get("alert_severity"),
+            fetch_limit=int(demisto.params().get("fetch_limit")),
+            include_files=demisto.params().get("include_files"),
+            integration_context=integration_context,
+        )
+        demisto.setLastRun(next_run)
+        demisto.incidents(incidents)
+        # Store remaining incidents in integration context
+        integration_context["remaining_incidents"] = remaining_incidents
+        demisto.setIntegrationContext(integration_context)
+
+
+    def try_run_command(command):
+        try:
+            results = command()
+            if not isinstance(results, tuple) and not isinstance(results, list):
+                results = [results]
+            for result in results:
+                return_results(result)
+        except Exception as e:
+            return_error(create_command_error_message(demisto.command(), e))
+
+
+    def run_code42_integration():
+        username = demisto.params().get("credentials").get("identifier")
+        password = demisto.params().get("credentials").get("password")
+        base_url = demisto.params().get("console_url")
+        verify_certificate = not demisto.params().get("insecure", False)
+        proxy = demisto.params().get("proxy", False)
+        LOG("Command being called is {0}.".format(demisto.command()))
+        client = Code42Client(
+            base_url=base_url,
+            sdk=None,
+            auth=(username, password),
+            verify=verify_certificate,
+            proxy=proxy,
+        )
+        commands = get_command_map()
+        command = demisto.command()
+        if command == "test-module":
+            handle_test_command(client)
+        elif command == "fetch-incidents":
+            handle_fetch_command(client)
+        elif command in commands:
+            try_run_command(lambda: commands[command](client, demisto.args()))
+
+
+    def main():
+        run_code42_integration()
+
+
+    if __name__ in ("__main__", "__builtin__", "builtins"):
+        main()
   subtype: python3
+  type: python
 image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAHjElEQVR4nO2aeYxV1R3HP/e+h2wyoCxalhkQpFJpUcQ2LijRLsE9ikutUjCh44poWzUqalyitmqiQdM0rfsSlbjVuFsXlChVaaWKSnBBBnDsMAwyFpiZd815871wuNztDTP4B+eT3Hn3nv2e3zm/3+/87uBwOBwOh8PhcDgcDofD4XA4HA6Hw7EteKXjqAMGA9908kz2AVYDY4B6O8ML4GN/ANOKU/AJ6EGrE2IXUZQgsH47E9Omb7fn6fdef19Wen3YM2igtCnV0dn4XTyjga4tUhb7g3i6MIYhwVon3C6mqwW8BaEo7/b3pZEe9Kbl+3rvHYbidn3RAD7wB/Fs4YdUB020bbl7+wIHAbsBG4CFwOIKWt8f2AsoAMuA+cD6jDo1wE5Am549XQ1AY44+ewDDgNJWmmoz3YAmYFVGWz3VVpvaMu+xUe+S1LbZoPsBo3T/KfC2xlOmUgG3qrNuFdazbO941tCT3fmGtnYFYgZ3E3CMVSzkE2Am8HxK05cBFwD9I+lmcu4GLgbWxNQzE/gmMCSh3c+AF4AbgM8TyvwUeC1lbCHPAEdmlLkROC+SZhZFNWyl6nYBrgJO173NWuDPwLVUoKL/BkzQ7hoEjANuzVm3nQAW+bvxTGE0NUFjKNxTgCXAsRKuWb11lkc/GngOuDqmxSpgkV4kFG6DtVPMzvwdsBzYp6KxtjMCqJWgoxPf2RxUQR8n63QyM0a44bxcA7xIDgF/K8HOAN5Vw2Y3vA/Mkkr8X9aIwm35lD+GRnqFx6JfAg9ZxWYDuwJDNcjJUk9h3mmRZs3uGqv7f2gxDAB+oIU4R3m9tcsGpwxxLrCzjnSmnfGapGbl3wZcmPGaf5CaHRu5jAo9K6PuLRn5NuNi0pq0c21+DlyUJeBfSbBJfAxMSrERm2jxfBb4wxgYNIee8+1W9gHaifYgn5NdNbv0PuCfVt5FwM90f7PU+xIrv147Yrqeq1QuidUS5kdqx9j/K4CR0ihhP3untLFMNv+DyPWetVDj+L1UPaq3KGMqLzWWTvePaTH1kw9zQaTsMWkCNmr5jYzOwkHdmJDnl68Alnr9qaOKncv+EyfJ9houB95KqF+vFTsVWGGlT9XvJ9o5SRgb/KTyjGobnlAu6az2FTDNep6R0ldHqA5tpZgtJymL2TJrJ2j+Q+ZE5mlAmpP1YAUD/gvQXd5vGJYy6mpdaE+Xe1Ws83aiT1AW8C9UpmStxiSi2mGstZOeyDG2RywbPzHFYUriJe3C8aqfRLXeeWQk33jaX2qxRLle+UhjPQ6cmWNMyxK0woSIKVqVJOBWqd+8fJFkozz9ubMwgSIlCgRGYuFOWqyXr4Q9rLIf5qj3X+s+aQfnaWO8hNgj4fh1k644jIa7JJJ+NHCq9TxLvz07OEbjfzwcSZubpqIz7WoltFDA29xk2G9HgtAF6z5PffuIUUgpl0bYj99JwSE/4hPUWhuqI/P+Y9WvttJeNio7aQcX5U2uzNnBUA1yozUZZqU3B3C7F9A8ve0dZhWPKjtYHkF4lBku56Cpgpeps+7z7EhbZeZ9nyh76rleJ4s4ZsnbHhXJ6x4T5LjCahPVuUyevD3eKpkwc+S5M6HfM4C/R9IW6BSSGuj4dc5DPBLu5THprfKAm4cGa8uhSRO9KhLMl3rqK/uYZYdtFsqRGCwv/7qM8pOt+39V0E/IOMv2vpNSboV235KUMiHRc/kfE8r1UqxgYIKAH5ScbO4Azgmf09RNreW+pzFa0aI4SuXLg5pgDQOCZr5tD4I9IgcMeZFVCfV9BVROsdJa5IygiZ+aUNdgjlln636enKVKucMq/0AH6ncFP5KTFRXuGZZwy2HXLHvyfMbZz8RyX8kTuuwbrGefYCVfe73NuelrqSkUf/1PzKo2bT6qiM1D1pkWhelW6/4e4PyYLs3OfcV6np01Rgtfnr6xawcq+S55uklU8lnsbcUXnrSux7XwG6xyG7QoX7XSJupoNCzSpqk3RWOuU0zhffPBf22Ob8HGtvxVR4ySjPlvFXBIc1w2quxX5iP/y4WRzCgez/CgMXS45tjqRBGyfysceqjlUb6mgIrNgYolh6zSuX2DgiC2LazV+G0K8v6HKMhRr7RA/dverIl0nRjzfodYZqxBvkR0sQ/TIpwWUz+O1y2TEBeL/g1wf862mvJ+bJipa70E3Ctnvc14cHjbUg7xP+NNv6Ys5BLeuVrNtyka8xNdNn9KMAHzdWS6X8LeXSvY5nOp8HkZo+ut2HMUcwy7UgJOeKtN9I/54BEyKM8UxbS5zeTdwR1l0w5G/6rzUmEUtcXjqA7WtIe42jEq8QjgYE3SBqmauTk9X3NMOEq7paD+zDEhzUn0FOI08e//W+lFecrv5QiKDNRXoo32J7oIVQqBvp5zDg/Xwm1R3P+pSNs1Mh/NGUcq472v274Cpn1I07tNYZ5fw4j2XdxFXTvY3v/RES6300sLy+Ju3b7d75B09Qx7W9kUDw5rW8qk0qfUeVV2dMvRBRTl+fVJ+K+HbaGf2tzCNgWS+LS2d1ngDy2HMIuJ5svhcDgcDofD4XA4HA6Hw+FwOBwOh8Px/QF8B+pZzTnuPtCMAAAAAElFTkSuQmCC
 detaileddescription: >
   ### Partner Contributed Integration
diff --git a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
index d741790c8118..d33aea2ec4e3 100644
--- a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
+++ b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
@@ -468,6 +468,6 @@
               }
        ],
        "typeId": "Code42 Security Alert",
-       "version": -1,
-       "fromVersion": "5.0.0"
+       "fromVersion": "5.0.0",
+       "version": -1
 }
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status.yml b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status.yml
new file mode 100644
index 000000000000..9f150de37e6e
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status.yml
@@ -0,0 +1,245 @@
+id: Code42 Change Blocked Status
+description: A simple playbook for blocking or unblocking a user in Code42.
+inputs:
+- description: Either the string "block" or "unblock".
+  key: Action
+  playbookInputQuery:
+  required: false
+  value: {}
+- description: The username of the user to block or unblock in Code42.
+  key: username
+  playbookInputQuery:
+  required: false
+  value: {}
+name: Code42 Change Blocked Status
+outputs: []
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "1"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 9a342074-7df0-4dd1-8a82-d7804e6082b3
+      iscommand: false
+      name: ""
+      version: -1
+      description: ""
+    taskid: 9a342074-7df0-4dd1-8a82-d7804e6082b3
+    timertriggers: []
+    type: start
+    view: |-
+      {
+        "position": {
+          "x": 602.5,
+          "y": 50
+        }
+      }
+  "1":
+    id: "1"
+    ignoreworker: false
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "2"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      brandname:
+        simple: Code42
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      description: Returns 'yes' if integration brand is available. Otherwise returns
+        'no'
+      id: a63a96d0-a534-48ce-8e6f-83861753e106
+      iscommand: false
+      name: Is Code42 Available?
+      script: IsIntegrationAvailable
+      type: condition
+      version: -1
+    taskid: a63a96d0-a534-48ce-8e6f-83861753e106
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 602.5,
+          "y": 195
+        }
+      }
+  "2":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                root: inputs.action
+                transformers:
+                - operator: toUpperCase
+          operator: isEqualString
+          right:
+            value:
+              simple: BLOCK
+      label: block
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                root: inputs.action
+                transformers:
+                - operator: toUpperCase
+          operator: isEqualString
+          right:
+            value:
+              simple: UNBLOCK
+      label: unblock
+    id: "2"
+    ignoreworker: false
+    nexttasks:
+      '#default#':
+      - "5"
+      block:
+      - "3"
+      unblock:
+      - "4"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 435ab4db-7c90-42fe-8c5c-4d195b5d52a4
+      iscommand: false
+      name: Is Block or Unblock?
+      type: condition
+      version: -1
+      description: ""
+    taskid: 435ab4db-7c90-42fe-8c5c-4d195b5d52a4
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 370
+        }
+      }
+  "3":
+    id: "3"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "5"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      username:
+        simple: ${inputs.username}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Blocks a user in Code42.  A blocked user is not allowed to log
+        in or restore files. Backups will continue if the user is still active.
+      id: fcfd80be-6e52-409f-8d89-8d38a18b56c9
+      iscommand: true
+      name: Block User
+      script: Code42|||code42-user-block
+      type: regular
+      version: -1
+    taskid: fcfd80be-6e52-409f-8d89-8d38a18b56c9
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 545
+        }
+      }
+  "4":
+    id: "4"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "5"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      username:
+        simple: ${inputs.username}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Removes a block, if one exists, on the user with the given user
+        ID. Unblocked users are allowed to log in and restore.
+      id: a92925e8-749c-4d05-8ef1-f68f72ed4d98
+      iscommand: true
+      name: Unblock User
+      script: Code42|||code42-user-unblock
+      type: regular
+      version: -1
+    taskid: a92925e8-749c-4d05-8ef1-f68f72ed4d98
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 545
+        }
+      }
+  "5":
+    id: "5"
+    ignoreworker: false
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: d9a6c88f-b5e1-4c92-850a-99b4f59908aa
+      iscommand: false
+      name: Done
+      type: title
+      version: -1
+      description: ""
+    taskid: d9a6c88f-b5e1-4c92-850a-99b4f59908aa
+    timertriggers: []
+    type: title
+    view: |-
+      {
+        "position": {
+          "x": 490,
+          "y": 720
+        }
+      }
+version: -1
+fromversion: 5.0.0
+tests:
+- No Test
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 735,
+        "width": 932.5,
+        "x": 50,
+        "y": 50
+      }
+    }
+  }
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_CHANGELOG.md
new file mode 100644
index 000000000000..cfe7a08d89dc
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+A simple playbook for blocking or unblocking a user in Code42.
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_README.md b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_README.md
new file mode 100644
index 000000000000..85a73e984686
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_Blocked_Status_README.md
@@ -0,0 +1,33 @@
+A simple playbook for blocking or unblocking a user in Code42.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* Code42
+
+### Scripts
+This playbook does not use any scripts.
+
+### Commands
+* code42-user-unblock
+* code42-user-block
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Action | Either the string "block" or "unblock". |  | Optional |
+| username | The username of the user to block or unblock in Code42. |  | Optional |
+
+## Playbook Outputs
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+---
+![Code42 Change Blocked Status](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation.yml b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation.yml
new file mode 100644
index 000000000000..25f43943ea4a
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation.yml
@@ -0,0 +1,248 @@
+id: Code42 Change User Activation
+description: A simple playbook for deactivating or reactivating a user in Code42.
+inputs:
+- description: Either "deactivate" or "reactivate"; the action you want to be done
+    to the user.
+  key: Action
+  playbookInputQuery: null
+  required: true
+  value: {}
+- description: The username of the user to deactivate or reactivate.
+  key: Username
+  playbookInputQuery: null
+  required: true
+  value: {}
+name: Code42 Change User Activation
+outputs: []
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "1"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 94f6760d-eacc-498d-8b1c-0d9aff499a08
+      iscommand: false
+      name: ""
+      version: -1
+      description: ""
+    taskid: 94f6760d-eacc-498d-8b1c-0d9aff499a08
+    timertriggers: []
+    type: start
+    view: |-
+      {
+        "position": {
+          "x": 152.5,
+          "y": 50
+        }
+      }
+  "1":
+    id: "1"
+    ignoreworker: false
+    nexttasks:
+      "no":
+      - "3"
+      "yes":
+      - "2"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      brandname:
+        simple: Code42
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      description: Returns 'yes' if integration brand is available. Otherwise returns
+        'no'
+      id: 38d4eed0-6ed4-4720-8c7f-7ea2f73f26d3
+      iscommand: false
+      name: Is Code42 Available?
+      script: IsIntegrationAvailable
+      type: condition
+      version: -1
+    taskid: 38d4eed0-6ed4-4720-8c7f-7ea2f73f26d3
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 152.5,
+          "y": 195
+        }
+      }
+  "2":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                root: inputs.Action
+                transformers:
+                - operator: toUpperCase
+          operator: isEqualString
+          right:
+            value:
+              simple: DEACTIVATE
+      label: DEACTIVATE
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                root: inputs.Action
+                transformers:
+                - operator: toUpperCase
+          operator: isEqualString
+          right:
+            value:
+              simple: REACTIVATE
+      label: REACTIVATE
+    id: "2"
+    ignoreworker: false
+    nexttasks:
+      '#default#':
+      - "3"
+      DEACTIVATE:
+      - "5"
+      REACTIVATE:
+      - "4"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 013b9275-f36c-49f4-8ad5-d3989cd6b088
+      iscommand: false
+      name: Is Deactivate or Reactivate?
+      type: condition
+      version: -1
+      description: ""
+    taskid: 013b9275-f36c-49f4-8ad5-d3989cd6b088
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 370
+        }
+      }
+  "3":
+    id: "3"
+    ignoreworker: false
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 7d22084e-bc48-4c9c-8af9-1e83d8901002
+      iscommand: false
+      name: Done
+      type: title
+      version: -1
+      description: ""
+    taskid: 7d22084e-bc48-4c9c-8af9-1e83d8901002
+    timertriggers: []
+    type: title
+    view: |-
+      {
+        "position": {
+          "x": 265,
+          "y": 720
+        }
+      }
+  "4":
+    id: "4"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "3"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      username:
+        simple: ${inputs.Username}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Reactivates the user with the given username.
+      id: acd35060-92e6-4b7e-86b1-a2445679689a
+      iscommand: true
+      name: Code42 Reactivate User
+      script: Code42|||code42-user-reactivate
+      type: regular
+      version: -1
+    taskid: acd35060-92e6-4b7e-86b1-a2445679689a
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 545
+        }
+      }
+  "5":
+    id: "5"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "3"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      username:
+        simple: ${inputs.Username}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Deactivate a user in Code42; signing them out of their devices.
+        Backups discontinue for a deactivated user, and their archives go to cold
+        storage.
+      id: 410c35b8-5506-4b98-89e8-1f7602cc66bd
+      iscommand: true
+      name: Code42 Deactivate User
+      script: Code42|||code42-user-deactivate
+      type: regular
+      version: -1
+    taskid: 410c35b8-5506-4b98-89e8-1f7602cc66bd
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 545
+        }
+      }
+version: -1
+fromversion: 5.0.0
+tests:
+- No Test
+view: |-
+  {
+    "linkLabelsPosition": {
+      "1_2_yes": 0.83
+    },
+    "paper": {
+      "dimensions": {
+        "height": 735,
+        "width": 810,
+        "x": 50,
+        "y": 50
+      }
+    }
+  }
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_CHANGELOG.md
new file mode 100644
index 000000000000..9625441480af
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+A simple playbook for deactivating or reactivating a user in Code42.
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_README.md b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_README.md
new file mode 100644
index 000000000000..b2f5151306ab
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Change_User_Activation_README.md
@@ -0,0 +1,33 @@
+A simple playbook for deactivating or reactivating a user in Code42.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* Code42
+
+### Scripts
+This playbook does not use any scripts.
+
+### Commands
+* code42-user-reactivate
+* code42-user-deactivate
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Action | Either "deactivate" or "reactivate"; the action you want to be done to the user. |  | Required |
+| Username | The username of the user to deactivate or reactivate. |  | Required |
+
+## Playbook Outputs
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+---
+![Code42 Change User Activation](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook.yml
new file mode 100644
index 000000000000..84da67c4b6b4
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook.yml
@@ -0,0 +1,159 @@
+id: Code42 Create User Playbook
+description: A simple playbook for creating a user in Code42.
+inputs:
+- description: The username to give to the newly created user.
+  key: Username
+  playbookInputQuery:
+  required: true
+  value: {}
+- description: The email of the user to create.
+  key: Email
+  playbookInputQuery:
+  required: true
+  value: {}
+- description: The name of the Code42 organization to create the user in.
+  key: OrgName
+  playbookInputQuery:
+  required: true
+  value: {}
+name: Code42 Create User Playbook
+outputs: []
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "1"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: b1876bae-e1fa-400e-8bd3-97ed9762ce39
+      iscommand: false
+      name: ""
+      version: -1
+      description: ""
+    taskid: b1876bae-e1fa-400e-8bd3-97ed9762ce39
+    timertriggers: []
+    type: start
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 50
+        }
+      }
+  "1":
+    id: "1"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "2"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      brandname:
+        simple: Code42
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      description: Returns 'yes' if integration brand is available. Otherwise returns
+        'no'
+      id: 35bc6954-feef-4e12-86b7-f57173635f0b
+      iscommand: false
+      name: Is Code42 Available?
+      script: IsIntegrationAvailable
+      type: condition
+      version: -1
+    taskid: 35bc6954-feef-4e12-86b7-f57173635f0b
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 210
+        }
+      }
+  "2":
+    id: "2"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "3"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      email:
+        simple: ${inputs.Email}
+      orgname:
+        simple: ${inputs.OrgName}
+      username:
+        simple: ${inputs.Username}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Creates a Code42 user.
+      id: 4734acef-5883-4e4b-85a1-0e36008c2ced
+      iscommand: true
+      name: Create User
+      script: Code42|||code42-user-create
+      type: regular
+      version: -1
+    taskid: 4734acef-5883-4e4b-85a1-0e36008c2ced
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 410
+        }
+      }
+  "3":
+    id: "3"
+    ignoreworker: false
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 532d230b-7312-4430-8f2a-e1c8108c17fa
+      iscommand: false
+      name: Done
+      type: title
+      version: -1
+      description: ""
+    taskid: 532d230b-7312-4430-8f2a-e1c8108c17fa
+    timertriggers: []
+    type: title
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 580
+        }
+      }
+version: -1
+fromversion: 5.0.0
+tests:
+- No Test
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 595,
+        "width": 380,
+        "x": 450,
+        "y": 50
+      }
+    }
+  }
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_CHANGELOG.md
new file mode 100644
index 000000000000..9c2e275d34ca
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+A simple playbook for creating a user in Code42.
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_README.md b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_README.md
new file mode 100644
index 000000000000..02e8452d243e
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_Create_User_Playbook_README.md
@@ -0,0 +1,33 @@
+A simple playbook for creating a user in Code42.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* Code42
+
+### Scripts
+This playbook does not use any scripts.
+
+### Commands
+* code42-user-create
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to give to the newly created user. |  | Required |
+| Email | The email of the user to create. |  | Required |
+| OrgName | The name of the Code42 organization to create the user in. |  | Required |
+
+## Playbook Outputs
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+---
+![Code42 Create User Playbook](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_README.md b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_README.md
index d99283b652ad..c24562a01ecc 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_README.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_README.md
@@ -38,4 +38,4 @@ There are no outputs for this playbook.
 
 ## Playbook Image
 ---
-![Code42 Exfiltration Playbook](Insert the link to your image here)
\ No newline at end of file
+![Code42 Exfiltration Playbook](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
index fdc7ee39b468..4c7201673fe5 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
@@ -75,4 +75,4 @@ This playbook does not use any scripts.
 
 ## Playbook Image
 ---
-![Code42 File Search](Insert the link to your image here)
\ No newline at end of file
+![Code42 File Search](../Integrations/Code42/Code42_image.png)
\ No newline at end of file