diff --git a/Packs/Code42/Integrations/Code42/CHANGELOG.md b/Packs/Code42/Integrations/Code42/CHANGELOG.md
index d30648e0701..64cdf65c7f1 100644
--- a/Packs/Code42/Integrations/Code42/CHANGELOG.md
+++ b/Packs/Code42/Integrations/Code42/CHANGELOG.md
@@ -1,18 +1,22 @@
 ## [Unreleased]
-Added new commands:
-    - **code42-departingemployee-get-all** that gets all the employees on the Departing Employee List.
-    - **code42-highriskemployee-add** that takes a username and adds the employee to the High Risk Employee List.
-    - **code42-highriskemployee-remove** that takes a username and remove the employee from the High Risk Employee List.
-    - **code42-highriskemployee-get-all** that gets all the employees on the High Risk Employee List. 
-        Optionally takes a list of risk tags and only gets employees who have those risk tags.
-    - **code42-highriskemployee-add-risk-tags** that takes a username and risk tags and associates the risk tags with the user.
-    - **code42-highriskemployee-remove-risk-tags** that takes a username and risk tags and disassociates the risk tags from the user.
-    - **code42-user-deactivate** that deactivates a user in Code42.
-    - **code42-user-reactivate** that reactivates a user in Code42.
-    - **code42-user-block** that blocks a user in Code42.
-    - **code42-user-unblock** that unblocks a user in Code42.
-    - **code42-user-create** that creates a user in Code42.
-Improve error messages for all Commands to include exception detail.
+- Internal code improvements.
+- Added new commands:
+    - **code42-departingemployee-get-all**
+    - **code42-highriskemployee-add**
+    - **code42-highriskemployee-remove**
+    - **code42-highriskemployee-get-all**
+    - **code42-highriskemployee-add-risk-tags**
+    - **code42-highriskemployee-remove-risk-tags**
+    - **code42-user-deactivate**
+    - **code42-user-reactivate**
+    - **code42-user-block**
+    - **code42-user-unblock**
+    - **code42-user-create**
+    - **code42-file-download**
+- Improve error messages for all Commands to include exception detail.
+- Fixed bug in Fetch where errors occurred when `FileCategory` was set to include only one category.
+- Fixed bug in Fetch to handle new Code42 exposure type **Outside trusted domains**.
+- Improved Fetch to handle unsupported exposure types better.
 
 ## [20.3.3] - 2020-03-18
 #### New Integration
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index 23dfcbe25f1..7a38ccdd163 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -306,6 +306,15 @@ def search_file_events(self, payload):
         res = self._get_sdk().securitydata.search_file_events(payload)
         return res["fileEvents"]
 
+    def download_file(self, hash_arg):
+        security_module = self._get_sdk().securitydata
+        if _hash_is_md5(hash_arg):
+            return security_module.stream_file_by_md5(hash_arg)
+        elif _hash_is_sha256(hash_arg):
+            return security_module.stream_file_by_sha256(hash_arg)
+        else:
+            raise Exception("Unsupported hash. Must be SHA256 or MD5.")
+
     def _get_user_id(self, username):
         user_id = self.get_user(username).get("userUid")
         if user_id:
@@ -419,12 +428,18 @@ def build_query_payload(args):
     return query
 
 
+def _hash_is_sha256(hash_arg):
+    return hash_arg and len(hash_arg) == 64
+
+
+def _hash_is_md5(hash_arg):
+    return hash_arg and len(hash_arg) == 32
+
+
 def _create_hash_filter(hash_arg):
-    if not hash_arg:
-        return None
-    elif len(hash_arg) == 32:
+    if _hash_is_md5(hash_arg):
         return MD5.eq(hash_arg)
-    elif len(hash_arg) == 64:
+    elif _hash_is_sha256(hash_arg):
         return SHA256.eq(hash_arg)
 
 
@@ -455,7 +470,7 @@ class ObservationToSecurityQueryMapper(object):
     exposure_type_map = {
         "PublicSearchableShare": ExposureType.IS_PUBLIC,
         "PublicLinkShare": ExposureType.SHARED_VIA_LINK,
-        "SharedOutsideTrustedDomain": "OutsideTrustedDomains",
+        "SharedOutsideTrustedDomain": ExposureType.OUTSIDE_TRUSTED_DOMAINS,
     }
 
     def __init__(self, observation, actor):
@@ -935,6 +950,13 @@ def user_reactivate_command(client, args):
     )
 
 
+def download_file_command(client, args):
+    file_hash = args.get("hash")
+    response = client.download_file(file_hash)
+    file_chunks = [c for c in response.iter_content(chunk_size=128) if c]
+    return fileResult(file_hash, data=b"".join(file_chunks))
+
+
 """Fetching"""
 
 
@@ -974,7 +996,7 @@ def __init__(
         self._first_fetch_time = first_fetch_time
         self._event_severity_filter = event_severity_filter
         self._fetch_limit = fetch_limit
-        self._include_files = (include_files,)
+        self._include_files = include_files
         self._integration_context = integration_context
 
     @logger
@@ -996,7 +1018,7 @@ def _fetch_remaining_incidents_from_last_run(self):
             if remaining_incidents:
                 return (
                     self._last_run,
-                    remaining_incidents[: self._fetch_limit],
+                    remaining_incidents[:self._fetch_limit],
                     remaining_incidents[self._fetch_limit:],
                 )
 
@@ -1021,7 +1043,8 @@ def _fetch_alerts(self, start_query_time):
     def _create_incident_from_alert(self, alert):
         details = self._client.get_alert_details(alert["id"])
         incident = _create_incident_from_alert_details(details)
-        details = self._relate_files_to_alert(details)
+        if self._include_files:
+            details = self._relate_files_to_alert(details)
         incident["rawJSON"] = json.dumps(details)
         return incident
 
@@ -1095,6 +1118,7 @@ def get_command_map():
         "code42-user-unblock": user_unblock_command,
         "code42-user-deactivate": user_deactivate_command,
         "code42_user-reactivate": user_reactivate_command,
+        "code42-download-file": download_file_command,
     }
 
 
@@ -1123,10 +1147,10 @@ def handle_fetch_command(client):
     demisto.setIntegrationContext(integration_context)
 
 
-def try_run_command(command):
+def run_command(command):
     try:
         results = command()
-        if not isinstance(results, tuple) and not isinstance(results, list):
+        if not isinstance(results, (tuple, list)):
             results = [results]
         for result in results:
             return_results(result)
@@ -1134,28 +1158,32 @@ def try_run_command(command):
         return_error(create_command_error_message(demisto.command(), e))
 
 
-def run_code42_integration():
+def create_client():
     username = demisto.params().get("credentials").get("identifier")
     password = demisto.params().get("credentials").get("password")
     base_url = demisto.params().get("console_url")
     verify_certificate = not demisto.params().get("insecure", False)
     proxy = demisto.params().get("proxy", False)
-    LOG("Command being called is {0}.".format(demisto.command()))
-    client = Code42Client(
+    return Code42Client(
         base_url=base_url,
         sdk=None,
         auth=(username, password),
         verify=verify_certificate,
         proxy=proxy,
     )
+
+
+def run_code42_integration():
+    client = create_client()
     commands = get_command_map()
-    command = demisto.command()
-    if command == "test-module":
+    command_key = demisto.command()
+    LOG("Command being called is {0}.".format(command_key))
+    if command_key == "test-module":
         handle_test_command(client)
-    elif command == "fetch-incidents":
+    elif command_key == "fetch-incidents":
         handle_fetch_command(client)
-    elif command in commands:
-        try_run_command(lambda: commands[command](client, demisto.args()))
+    elif command_key in commands:
+        run_command(lambda: commands[command_key](client, demisto.args()))
 
 
 def main():
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index 1315f1bff0f..b16f1aa9334 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -79,7 +79,7 @@ script:
     - auto: PREDEFINED
       default: false
       description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead",
-        "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
+        "CloudStorage", "IsPublic", "SharedViaLink", "SharedViaDomain", or "OutsideTrustedDomains".
       isArray: true
       name: exposure
       predefined:
@@ -89,6 +89,7 @@ script:
       - IsPublic
       - SharedViaLink
       - SharedViaDomain
+      - OutsideTrustedDomains
       required: false
       secret: false
     - default: false
@@ -331,7 +332,7 @@ script:
       description: The username to remove from the Departing Employee List.
       isArray: false
       name: username
-      required: true
+      required: false
       secret: false
     deprecated: false
     description: Removes a user from the Departing Employee List.
@@ -596,7 +597,18 @@ script:
     - contextPath: Code42.User.UserID
       description: The ID of a Code42 User.
       type: String
-  dockerimage: demisto/py42:1.0.0.9323
+  - arguments:
+    - default: false
+      description: Either the SHA256 or MD5 hash of the file.
+      isArray: false
+      name: hash
+      required: true
+      secret: false
+    deprecated: false
+    description: Downloads a file from Code42 servers.
+    execution: false
+    name: code42-download-file
+  dockerimage: demisto/py42:1.0.0.9653
   feed: false
   isfetch: true
   longRunning: false
diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
index a3698087000..43ea9043687 100644
--- a/Packs/Code42/Integrations/Code42/Code42_test.py
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py
@@ -26,6 +26,7 @@
     user_unblock_command,
     user_deactivate_command,
     user_reactivate_command,
+    download_file_command,
     fetch_incidents,
 )
 import time
@@ -1379,16 +1380,7 @@ def test_departingemployee_get_all_command_when_no_employees(
         no_employees_response
     )
     client = create_client(code42_departing_employee_mock)
-    cmd_res = departingemployee_get_all_command(
-        client,
-        {
-            "risktags": [
-                "PERFORMANCE_CONCERNS",
-                "SUSPICIOUS_SYSTEM_ACTIVITY",
-                "POOR_SECURITY_PRACTICES",
-            ]
-        },
-    )
+    cmd_res = departingemployee_get_all_command(client,{})
     assert cmd_res.outputs_prefix == "Code42.DepartingEmployee"
     assert cmd_res.outputs_key_field == "UserID"
     assert cmd_res.raw_response == {}
@@ -1635,6 +1627,25 @@ def test_security_data_search_command(code42_file_events_mock):
         assert output_item == mapped_event
 
 
+def test_download_file_command_when_given_md5(code42_sdk_mock, mocker):
+    fr = mocker.patch("Code42.fileResult")
+    client = create_client(code42_sdk_mock)
+    _ = download_file_command(client, {"hash": "b6312dbe4aa4212da94523ccb28c5c16"})
+    code42_sdk_mock.securitydata.stream_file_by_md5.assert_called_once_with(
+        "b6312dbe4aa4212da94523ccb28c5c16"
+    )
+    assert fr.call_count == 1
+
+
+def test_download_file_command_when_given_sha256(code42_sdk_mock, mocker):
+    fr = mocker.patch("Code42.fileResult")
+    _hash = "41966f10cc59ab466444add08974fde4cd37f88d79321d42da8e4c79b51c2149"
+    client = create_client(code42_sdk_mock)
+    _ = download_file_command(client, {"hash": _hash})
+    code42_sdk_mock.securitydata.stream_file_by_sha256.assert_called_once_with(_hash)
+    assert fr.call_count == 1
+
+
 def test_fetch_when_no_significant_file_categories_ignores_filter(
     code42_fetch_incidents_mock, mocker
 ):
@@ -1683,8 +1694,41 @@ def test_fetch_incidents_handles_multi_severity(code42_fetch_incidents_mock):
         include_files=True,
         integration_context=None,
     )
-    assert "HIGH" in str(code42_fetch_incidents_mock.alerts.search.call_args[0][0])
-    assert "LOW" in str(code42_fetch_incidents_mock.alerts.search.call_args[0][0])
+    call_args = str(code42_fetch_incidents_mock.alerts.search.call_args[0][0])
+    assert "HIGH" in call_args
+    assert "LOW" in call_args
+
+
+def test_fetch_when_include_files_includes_files(code42_fetch_incidents_mock):
+    client = create_client(code42_fetch_incidents_mock)
+    _, incidents, _ = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": None},
+        first_fetch_time=MOCK_FETCH_TIME,
+        event_severity_filter=["High", "Low"],
+        fetch_limit=10,
+        include_files=True,
+        integration_context=None,
+    )
+    for i in incidents:
+        _json = json.loads(i["rawJSON"])
+        assert len(_json["fileevents"])
+
+
+def test_fetch_when_not_include_files_excludes_files(code42_fetch_incidents_mock):
+    client = create_client(code42_fetch_incidents_mock)
+    _, incidents, _ = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": None},
+        first_fetch_time=MOCK_FETCH_TIME,
+        event_severity_filter=["High", "Low"],
+        fetch_limit=10,
+        include_files=False,
+        integration_context=None,
+    )
+    for i in incidents:
+        _json = json.loads(i["rawJSON"])
+        assert not _json.get("fileevents")
 
 
 def test_fetch_incidents_first_run(code42_fetch_incidents_mock):
diff --git a/Packs/Code42/Integrations/Code42/README.md b/Packs/Code42/Integrations/Code42/README.md
index 5ad1a1e2e4c..02c75bdbd7d 100644
--- a/Packs/Code42/Integrations/Code42/README.md
+++ b/Packs/Code42/Integrations/Code42/README.md
@@ -717,3 +717,27 @@ Reactivates the user with the given username.
 | UserID |
 | ------ |
 | 123456790 |
+
+
+### code42-download-file
+***
+Downloads a file from Code42 servers.
+
+#### Base Command
+
+`code42-download-file`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| hash | Either the SHA256 or MD5 hash of the file. | Required | 
+
+
+#### Command Example
+```!code42-download-file hash="bf6b326107d4d85eb485eed84b28133a"```
+
+#### Human Readable Output
+### Code42 User Deactivated
+| Type   | Size | Info | MD5 | SHA1 | SHA256 | SHA512 | SSDeep |
+| ------ | ---- | ---- | --- | ---- | ------ | ------ | ------ |
+| application/vnd.ms-excel | 41,472 bytes | Composite Document File V2 Document, Little Endian, Os: MacOS, Version 14.10, Code page: 10000, Last Saved By: John Doe, Name of Creating Application: Microsoft Macintosh Excel, Create Time/Date: Fri Feb 21 17:35:19 2020, Last Saved Time/Date: Mon Apr 13 11:54:08 2020, Security: 0 | 2e45562437ec4f41387f2e14c3850dd6 | 59e552e637bfe5254b163bb4e426a2322d10f50d | d3f8566d04df5dc34bf2607ac803a585ac81e06f28afe81f35cc2e5fe63d2ab5 | 776bd9626761cd567a4b498bafe4f5f896c3f4bc9f3c60513ccacd14251a2568fa3ba44060000affa8b57fb768c417cf271500086e4e49272f26b26a90627abb | 768:pudkQzl3ZpWh+QO3uMdS9dSttRJwyE/KtxA1almvy6mhk+GlESOwWoqSY7bTKCUv:siQzl3ZpWh+QO3uMdS9dSttRJwyE/KtF |  
\ No newline at end of file
diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml
deleted file mode 100644
index 80c39d1cad6..00000000000
--- a/Packs/Code42/Integrations/Code42/integration-Code42.yml
+++ /dev/null
@@ -1,1822 +0,0 @@
-category: Endpoint
-commonfields:
-  id: Code42
-  version: -1
-configuration:
-- defaultvalue: console.us.code42.com
-  display: Code42 Console URL for the pod your Code42 instance is running in
-  name: console_url
-  required: true
-  type: 0
-- display: Username
-  name: credentials
-  required: true
-  type: 9
-- display: Fetch incidents
-  name: isFetch
-  required: false
-  type: 8
-- display: Incident type
-  name: incidentType
-  required: false
-  type: 13
-- display: Alert severities to fetch when fetching incidents
-  name: alert_severity
-  options:
-  - High
-  - Medium
-  - Low
-  required: false
-  type: 16
-- defaultvalue: 24 hours
-  display: First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)
-  name: fetch_time
-  required: false
-  type: 0
-- defaultvalue: '10'
-  display: Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once
-  name: fetch_limit
-  required: false
-  type: 0
-- defaultvalue: 'false'
-  display: Include the list of files in returned incidents.
-  name: include_files
-  required: false
-  type: 8
-description: Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
-display: Code42 (Partner Contribution)
-name: Code42
-script:
-  commands:
-  - arguments:
-    - default: false
-      description: JSON query payload using Code42 query syntax.
-      isArray: false
-      name: json
-      required: false
-      secret: false
-    - default: false
-      description: MD5 or SHA256 hash of the file to search for.
-      isArray: false
-      name: hash
-      required: false
-      secret: false
-    - default: false
-      description: Username to search for.
-      isArray: false
-      name: username
-      required: false
-      secret: false
-    - default: false
-      description: Hostname to search for.
-      isArray: false
-      name: hostname
-      required: false
-      secret: false
-    - auto: PREDEFINED
-      default: false
-      description: Exposure types to search for. Can be "RemovableMedia", "ApplicationRead", "CloudStorage", "IsPublic", "SharedViaLink", or "SharedViaDomain".
-      isArray: true
-      name: exposure
-      predefined:
-      - RemovableMedia
-      - ApplicationRead
-      - CloudStorage
-      - IsPublic
-      - SharedViaLink
-      - SharedViaDomain
-      required: false
-      secret: false
-    - default: false
-      defaultValue: '100'
-      description: The number of results to return. The default is 100.
-      isArray: false
-      name: results
-      required: false
-      secret: false
-    deprecated: false
-    description: Searches for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one argument must be passed in the command. If a JSON argument is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
-    execution: false
-    name: code42-securitydata-search
-    outputs:
-    - contextPath: Code42.SecurityData.EventTimestamp
-      description: Timestamp for the event.
-      type: date
-    - contextPath: Code42.SecurityData.FileCreated
-      description: File creation date.
-      type: date
-    - contextPath: Code42.SecurityData.EndpointID
-      description: Code42 device ID.
-      type: string
-    - contextPath: Code42.SecurityData.DeviceUsername
-      description: The username that the device is associated with in Code42.
-      type: string
-    - contextPath: Code42.SecurityData.EmailFrom
-      description: The sender email address for email exfiltration events.
-      type: string
-    - contextPath: Code42.SecurityData.EmailTo
-      description: The recipient email address for email exfiltration events.
-      type: string
-    - contextPath: Code42.SecurityData.EmailSubject
-      description: The email subject line for email exfiltration events.
-      type: string
-    - contextPath: Code42.SecurityData.EventID
-      description: The Security Data event ID.
-      type: string
-    - contextPath: Code42.SecurityData.EventType
-      description: The type of Security Data event.
-      type: string
-    - contextPath: Code42.SecurityData.FileCategory
-      description: The file type, as determined by Code42 engine.
-      type: string
-    - contextPath: Code42.SecurityData.FileOwner
-      description: The owner of the file.
-      type: string
-    - contextPath: Code42.SecurityData.FileName
-      description: The file name.
-      type: string
-    - contextPath: Code42.SecurityData.FilePath
-      description: The path to file.
-      type: string
-    - contextPath: Code42.SecurityData.FileSize
-      description: The size of the file (in bytes).
-      type: number
-    - contextPath: Code42.SecurityData.FileModified
-      description: The date the file was last modified.
-      type: date
-    - contextPath: Code42.SecurityData.FileMD5
-      description: MD5 hash of the file.
-      type: string
-    - contextPath: Code42.SecurityData.FileHostname
-      description: Hostname where the file event was captured.
-      type: string
-    - contextPath: Code42.SecurityData.DevicePrivateIPAddress
-      description: Private IP addresses of the device where the event was captured.
-      type: string
-    - contextPath: Code42.SecurityData.DevicePublicIPAddress
-      description: Public IP address of the device where the event was captured.
-      type: string
-    - contextPath: Code42.SecurityData.RemovableMediaType
-      description: Type of removable media.
-      type: string
-    - contextPath: Code42.SecurityData.RemovableMediaCapacity
-      description: Total capacity of removable media (in bytes).
-      type: number
-    - contextPath: Code42.SecurityData.RemovableMediaMediaName
-      description: The full name of the removable media.
-      type: string
-    - contextPath: Code42.SecurityData.RemovableMediaName
-      description: The name of the removable media.
-      type: string
-    - contextPath: Code42.SecurityData.RemovableMediaSerialNumber
-      description: The serial number for the removable medial device.
-      type: string
-    - contextPath: Code42.SecurityData.RemovableMediaVendor
-      description: The vendor name for removable device.
-      type: string
-    - contextPath: Code42.SecurityData.FileSHA256
-      description: The SHA256 hash of the file.
-      type: string
-    - contextPath: Code42.SecurityData.FileShared
-      description: Whether the file is shared using a cloud file service.
-      type: boolean
-    - contextPath: Code42.SecurityData.FileSharedWith
-      description: Accounts that the file is shared with on a cloud file service.
-      type: string
-    - contextPath: Code42.SecurityData.Source
-      description: The source of the file event. Can be "Cloud" or "Endpoint".
-      type: string
-    - contextPath: Code42.SecurityData.ApplicationTabURL
-      description: The URL associated with the application read event.
-      type: string
-    - contextPath: Code42.SecurityData.ProcessName
-      description: The process name for the application read event.
-      type: string
-    - contextPath: Code42.SecurityData.ProcessOwner
-      description: The process owner for the application read event.
-      type: string
-    - contextPath: Code42.SecurityData.WindowTitle
-      description: The process name for the application read event.
-      type: string
-    - contextPath: Code42.SecurityData.FileURL
-      description: The URL of the file on a cloud file service.
-      type: string
-    - contextPath: Code42.SecurityData.Exposure
-      description: The event exposure type.
-      type: string
-    - contextPath: Code42.SecurityData.SharingTypeAdded
-      description: The type of sharing added to the file.
-      type: string
-    - contextPath: File.Name
-      description: The file name.
-      type: string
-    - contextPath: File.Path
-      description: The file path.
-      type: string
-    - contextPath: File.Size
-      description: The file size (in bytes).
-      type: number
-    - contextPath: File.MD5
-      description: The MD5 hash of the file.
-      type: string
-    - contextPath: File.SHA256
-      description: The SHA256 hash of the file.
-      type: string
-    - contextPath: File.Hostname
-      description: The hostname where the file event was captured.
-      type: string
-  - arguments:
-    - default: false
-      description: The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents.
-      isArray: false
-      name: id
-      required: true
-      secret: false
-    deprecated: false
-    description: Retrieve alert details by alert ID
-    execution: false
-    name: code42-alert-get
-    outputs:
-    - contextPath: Code42.SecurityAlert.Username
-      description: The username associated with the alert.
-      type: string
-    - contextPath: Code42.SecurityAlert.Occurred
-      description: The timestamp when the alert occurred.
-      type: date
-    - contextPath: Code42.SecurityAlert.Description
-      description: The description of the alert.
-      type: string
-    - contextPath: Code42.SecurityAlert.ID
-      description: The alert ID.
-      type: string
-    - contextPath: Code42.SecurityAlert.Name
-      description: The alert rule name that generated the alert.
-      type: string
-    - contextPath: Code42.SecurityAlert.State
-      description: The alert state.
-      type: string
-    - contextPath: Code42.SecurityAlert.Type
-      description: The alert type.
-      type: string
-    - contextPath: Code42.SecurityAlert.Severity
-      description: The severity of the alert.
-      type: string
-  - arguments:
-    - default: false
-      description: The alert ID to resolve. Alert IDs are associated with alerts that are fetched via fetch-incidents.
-      isArray: false
-      name: id
-      required: true
-      secret: false
-    deprecated: false
-    description: Resolves a Code42 Security alert.
-    execution: false
-    name: code42-alert-resolve
-    outputs:
-    - contextPath: Code42.SecurityAlert.ID
-      description: The alert ID of the resolved alert.
-      type: string
-  - arguments:
-    - default: false
-      description: The username to add to the Departing Employee List.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    - default: false
-      description: The departure date for the employee, in the format YYYY-MM-DD.
-      isArray: false
-      name: departuredate
-      required: false
-      secret: false
-    - default: false
-      description: Note to attach to the Departing Employee.
-      isArray: false
-      name: note
-      required: false
-      secret: false
-    deprecated: false
-    description: Adds a user to the Departing Employee List.
-    execution: false
-    name: code42-departingemployee-add
-    outputs:
-    - contextPath: Code42.DepartingEmployee.CaseID
-      description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
-      type: string
-    - contextPath: Code42.DepartingEmployee.UserID
-      description: Internal Code42 User ID for the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.Username
-      description: The username of the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.Note
-      description: Note associated with the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.DepartureDate
-      description: The departure date for the Departing Employee.
-      type: Unknown
-  - arguments:
-    - default: false
-      description: The username to remove from the Departing Employee List.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Removes a user from the Departing Employee List.
-    execution: false
-    name: code42-departingemployee-remove
-    outputs:
-    - contextPath: Code42.DepartingEmployee.CaseID
-      description: Internal Code42 Case ID for the Departing Employee. Deprecated. Use Code42.DepartingEmployee.UserID.
-      type: string
-    - contextPath: Code42.DepartingEmployee.UserID
-      description: Internal Code42 User ID for the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.Username
-      description: The username of the Departing Employee.
-      type: string
-  - arguments:
-    - default: false
-      description: The number of items to return.
-      isArray: false
-      name: results
-      required: false
-      secret: false
-    deprecated: false
-    description: Get all employees on the Departing Employee List.
-    execution: false
-    name: code42-departingemployee-get-all
-    outputs:
-    - contextPath: Code42.DepartingEmployee.UserID
-      description: Internal Code42 User ID for the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.Username
-      description: The username of the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.Note
-      description: Note associated with the Departing Employee.
-      type: string
-    - contextPath: Code42.DepartingEmployee.DepartureDate
-      description: The departure date for the Departing Employee.
-      type: Unknown
-  - arguments:
-    - default: false
-      description: The username to add to the High Risk Employee List.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    - default: false
-      description: Note to attach to the High Risk Employee.
-      isArray: false
-      name: note
-      required: false
-      secret: false
-    deprecated: false
-    description: Adds a user from the High Risk Employee List.
-    execution: false
-    name: code42-highriskemployee-add
-    outputs:
-    - contextPath: Code42.HighRiskEmployee.UserID
-      description: Internal Code42 User ID for the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Username
-      description: The username of the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Note
-      description: Note associated with the High Risk Employee.
-      type: string
-  - arguments:
-    - default: false
-      description: The username to remove from the High Risk Employee List.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Removes a user from the High Risk Employee List.
-    execution: false
-    name: code42-highriskemployee-remove
-    outputs:
-    - contextPath: Code42.HighRiskEmployee.UserID
-      description: Internal Code42 User ID for the High Risk Employee.
-      type: Unknown
-    - contextPath: Code42.HighRiskEmployee.Username
-      description: The username of the High Risk Employee.
-      type: Unknown
-  - arguments:
-    - default: false
-      description: To filter results by employees who have these risk tags. Space delimited.
-      isArray: false
-      name: risktags
-      required: false
-      secret: false
-    - default: false
-      description: The number of items to return.
-      isArray: false
-      name: results
-      required: false
-      secret: false
-    deprecated: false
-    description: Get all employees on the High Risk Employee List.
-    execution: false
-    name: code42-highriskemployee-get-all
-    outputs:
-    - contextPath: Code42.HighRiskEmployee.UserID
-      description: Internal Code42 User ID for the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Username
-      description: The username of the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Note
-      description: Note associated with the High Risk Employee.
-      type: string
-  - arguments:
-    - default: false
-      description: The username of the High Risk Employee.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    - default: false
-      description: Space-delimited risk tags to associate with the High Risk Employee.
-      isArray: false
-      name: risktags
-      required: true
-      secret: false
-    deprecated: false
-    description: Associates risk tags with the employee with the given username.
-    execution: false
-    name: code42-highriskemployee-add-risk-tags
-    outputs:
-    - contextPath: Code42.HighRiskEmployee.UserID
-      description: Internal Code42 User ID for the Departing Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Username
-      description: The username of the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.RiskTags
-      description: Risk tags to associate with the High Risk Employee.
-      type: Unknown
-  - arguments:
-    - default: false
-      description: The username of the High Risk Employee.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    - default: false
-      description: Space-delimited risk tags to disassociate from the High Risk Employee.
-      isArray: false
-      name: risktags
-      required: true
-      secret: false
-    deprecated: false
-    description: Disassociates risk tags from the user with the given username.
-    execution: false
-    name: code42-highriskemployee-remove-risk-tags
-    outputs:
-    - contextPath: Code42.HighRiskEmployee.UserID
-      description: Internal Code42 User ID for the Departing Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.Username
-      description: The username of the High Risk Employee.
-      type: string
-    - contextPath: Code42.HighRiskEmployee.RiskTags
-      description: Risk tags to disassociate from the High Risk Employee.
-      type: Unknown
-  - arguments:
-    - default: false
-      description: The name of the Code42 organization from which to add the user.
-      isArray: false
-      name: orgname
-      required: true
-      secret: false
-    - default: false
-      description: The username to give to the user.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    - default: false
-      defaultValue: The email to give to the user.
-      description: The email of the employee to create.
-      isArray: false
-      name: email
-      required: true
-      secret: false
-    deprecated: false
-    description: Creates a Code42 user.
-    execution: false
-    name: code42-user-create
-    outputs:
-    - contextPath: Code42.User.Username
-      description: A username for a Code42 user.
-      type: String
-    - contextPath: Code42.User.Email
-      description: An email for a Code42 user.
-      type: String
-    - contextPath: Code42.User.UserID
-      description: An ID for a Code42 user.
-      type: String
-  - arguments:
-    - default: false
-      description: The username of the user to block.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Blocks a user in Code42.  A blocked user is not allowed to log in or restore files. Backups will continue if the user is still active.
-    execution: false
-    name: code42-user-block
-    outputs:
-    - contextPath: Code42.User.UserID
-      description: An ID for a Code42 user.
-      type: String
-  - arguments:
-    - default: false
-      description: The username of the user to deactivate.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Deactivate a user in Code42; signing them out of their devices. Backups discontinue for a deactivated user, and their archives go to cold storage.
-    execution: false
-    name: code42-user-deactivate
-    outputs:
-    - contextPath: Code42.User.UserID
-      description: The ID of a Code42 User.
-      type: String
-  - arguments:
-    - default: false
-      description: The username of the user to unblock.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Removes a block, if one exists, on the user with the given user ID. Unblocked users are allowed to log in and restore.
-    execution: false
-    name: code42-user-unblock
-    outputs:
-    - contextPath: Code42.User.UserID
-      description: An ID for a Code42 user.
-      type: String
-  - arguments:
-    - default: false
-      description: The username of the user to reactivate.
-      isArray: false
-      name: username
-      required: true
-      secret: false
-    deprecated: false
-    description: Reactivates the user with the given username.
-    execution: false
-    name: code42-user-reactivate
-    outputs:
-    - contextPath: Code42.User.UserID
-      description: The ID of a Code42 User.
-      type: String
-  dockerimage: demisto/py42:1.0.0.9323
-  feed: false
-  isfetch: true
-  longRunning: false
-  longRunningPort: false
-  runonce: false
-  script: >2
-
-
-
-    """ IMPORTS """
-
-    import json
-
-    import requests
-
-    import py42.sdk
-
-    import py42.settings
-
-    from datetime import datetime
-
-    from py42.sdk.queries.fileevents.file_event_query import FileEventQuery
-
-    from py42.sdk.queries.fileevents.filters import (
-        MD5,
-        SHA256,
-        Actor,
-        EventTimestamp,
-        OSHostname,
-        DeviceUsername,
-        ExposureType,
-        EventType,
-        FileCategory,
-    )
-
-    from py42.sdk.queries.alerts.alert_query import AlertQuery
-
-    from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState
-
-
-    # Disable insecure warnings
-
-    requests.packages.urllib3.disable_warnings()
-
-
-    """ CONSTANTS """
-
-    CODE42_EVENT_CONTEXT_FIELD_MAPPER = {
-        "eventTimestamp": "EventTimestamp",
-        "createTimestamp": "FileCreated",
-        "deviceUid": "EndpointID",
-        "deviceUserName": "DeviceUsername",
-        "emailFrom": "EmailFrom",
-        "emailRecipients": "EmailTo",
-        "emailSubject": "EmailSubject",
-        "eventId": "EventID",
-        "eventType": "EventType",
-        "fileCategory": "FileCategory",
-        "fileOwner": "FileOwner",
-        "fileName": "FileName",
-        "filePath": "FilePath",
-        "fileSize": "FileSize",
-        "modifyTimestamp": "FileModified",
-        "md5Checksum": "FileMD5",
-        "osHostName": "FileHostname",
-        "privateIpAddresses": "DevicePrivateIPAddress",
-        "publicIpAddresses": "DevicePublicIPAddress",
-        "removableMediaBusType": "RemovableMediaType",
-        "removableMediaCapacity": "RemovableMediaCapacity",
-        "removableMediaMediaName": "RemovableMediaMediaName",
-        "removableMediaName": "RemovableMediaName",
-        "removableMediaSerialNumber": "RemovableMediaSerialNumber",
-        "removableMediaVendor": "RemovableMediaVendor",
-        "sha256Checksum": "FileSHA256",
-        "shared": "FileShared",
-        "sharedWith": "FileSharedWith",
-        "source": "Source",
-        "tabUrl": "ApplicationTabURL",
-        "url": "FileURL",
-        "processName": "ProcessName",
-        "processOwner": "ProcessOwner",
-        "windowTitle": "WindowTitle",
-        "exposure": "Exposure",
-        "sharingTypeAdded": "SharingTypeAdded",
-    }
-
-
-    CODE42_ALERT_CONTEXT_FIELD_MAPPER = {
-        "actor": "Username",
-        "createdAt": "Occurred",
-        "description": "Description",
-        "id": "ID",
-        "name": "Name",
-        "state": "State",
-        "type": "Type",
-        "severity": "Severity",
-    }
-
-
-    FILE_CONTEXT_FIELD_MAPPER = {
-        "fileName": "Name",
-        "filePath": "Path",
-        "fileSize": "Size",
-        "md5Checksum": "MD5",
-        "sha256Checksum": "SHA256",
-        "osHostName": "Hostname",
-    }
-
-
-    CODE42_FILE_TYPE_MAPPER = {
-        "SourceCode": "SOURCE_CODE",
-        "Audio": "AUDIO",
-        "Executable": "EXECUTABLE",
-        "Document": "DOCUMENT",
-        "Image": "IMAGE",
-        "PDF": "PDF",
-        "Presentation": "PRESENTATION",
-        "Script": "SCRIPT",
-        "Spreadsheet": "SPREADSHEET",
-        "Video": "VIDEO",
-        "VirtualDiskImage": "VIRTUAL_DISK_IMAGE",
-        "Archive": "ARCHIVE",
-    }
-
-
-    SECURITY_EVENT_HEADERS = [
-        "EventType",
-        "FileName",
-        "FileSize",
-        "FileHostname",
-        "FileOwner",
-        "FileCategory",
-        "DeviceUsername",
-    ]
-
-
-    SECURITY_ALERT_HEADERS = ["Type", "Occurred", "Username", "Name", "Description", "State", "ID"]
-
-
-
-    def _get_severity_filter_value(severity_arg):
-        """Converts single str to upper case. If given list of strs, converts all to upper case."""
-        if severity_arg:
-            return (
-                [severity_arg.upper()]
-                if isinstance(severity_arg, str)
-                else list(map(lambda x: x.upper(), severity_arg))
-            )
-
-
-    def _create_alert_query(event_severity_filter, start_time):
-        """Creates an alert query for the given severity (or severities) and start time."""
-        alert_filters = AlertQueryFilters()
-        severity = event_severity_filter
-        alert_filters.append_result(_get_severity_filter_value(severity), Severity.is_in)
-        alert_filters.append(AlertState.eq(AlertState.OPEN))
-        alert_filters.append_result(start_time, DateObserved.on_or_after)
-        alert_query = alert_filters.to_all_query()
-        return alert_query
-
-
-    def _get_all_high_risk_employees_from_page(page, risk_tags):
-        res = []
-        # Note: page is a `Py42Response` and has no `get()` method.
-        employees = page["items"]
-        for employee in employees:
-            if not risk_tags:
-                res.append(employee)
-                continue
-
-            employee_tags = employee.get("riskFactors")
-            # If the employee risk tags contain all the given risk tags
-            if employee_tags and set(risk_tags) <= set(employee_tags):
-                res.append(employee)
-        return res
-
-
-    def _try_convert_str_list_to_list(str_list):
-        if isinstance(str_list, str):
-            return str_list.split()
-        return str_list
-
-
-    class Code42Client(BaseClient):
-        """
-        Client will implement the service API, should not contain Cortex XSOAR logic.
-        Should do requests and return data
-        """
-
-        def __init__(self, sdk, base_url, auth, verify=True, proxy=False):
-            super().__init__(base_url, verify=verify, proxy=proxy)
-            # Allow sdk parameter for unit testing.
-            # Otherwise, lazily load the SDK so that the TEST Command can effectively check auth.
-            self._sdk = sdk
-            self._sdk_factory = (
-                lambda: py42.sdk.from_local_account(base_url, auth[0], auth[1])
-                if not self._sdk
-                else None
-            )
-            py42.settings.set_user_agent_suffix("Cortex XSOAR")
-
-        def _get_sdk(self):
-            if self._sdk is None:
-                self._sdk = self._sdk_factory()
-            return self._sdk
-
-        def add_user_to_departing_employee(self, username, departure_date=None, note=None):
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.departing_employee.add(
-                user_id, departure_date=departure_date
-            )
-            if note:
-                self._get_sdk().detectionlists.update_user_notes(user_id, note)
-            return user_id
-
-        def remove_user_from_departing_employee(self, username):
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.departing_employee.remove(user_id)
-            return user_id
-
-        def get_all_departing_employees(self, results):
-            res = []
-            results = int(results) if results else None
-            pages = self._get_sdk().detectionlists.departing_employee.get_all()
-            for page in pages:
-                # Note: page is a `Py42Response` and has no `get()` method.
-                employees = page["items"]
-                for employee in employees:
-                    res.append(employee)
-                    if results and len(res) == results:
-                        return res
-            return res
-
-        def add_user_to_high_risk_employee(self, username, note=None):
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.high_risk_employee.add(user_id)
-            if note:
-                self._get_sdk().detectionlists.update_user_notes(user_id, note)
-            return user_id
-
-        def remove_user_from_high_risk_employee(self, username):
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.high_risk_employee.remove(user_id)
-            return user_id
-
-        def add_user_risk_tags(self, username, risk_tags):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.add_user_risk_tags(user_id, risk_tags)
-            return user_id
-
-        def remove_user_risk_tags(self, username, risk_tags):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            user_id = self._get_user_id(username)
-            self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags)
-            return user_id
-
-        def get_all_high_risk_employees(self, risk_tags, results):
-            risk_tags = _try_convert_str_list_to_list(risk_tags)
-            results = int(results) if results else None
-            res = []
-            pages = self._get_sdk().detectionlists.high_risk_employee.get_all()
-            for page in pages:
-                employees = _get_all_high_risk_employees_from_page(page, risk_tags)
-                for employee in employees:
-                    res.append(employee)
-                    if results and len(res) == results:
-                        return res
-            return res
-
-        def fetch_alerts(self, start_time, event_severity_filter):
-            query = _create_alert_query(event_severity_filter, start_time)
-            res = self._get_sdk().alerts.search(query)
-            return res["alerts"]
-
-        def get_alert_details(self, alert_id):
-            res = self._get_sdk().alerts.get_details(alert_id)["alerts"]
-            if not res:
-                raise Code42AlertNotFoundError(alert_id)
-            return res[0]
-
-        def resolve_alert(self, id):
-            self._get_sdk().alerts.resolve(id)
-            return id
-
-        def get_current_user(self):
-            res = self._get_sdk().users.get_current()
-            return res
-
-        def get_user(self, username):
-            res = self._get_sdk().users.get_by_username(username)["users"]
-            if not res:
-                raise Code42UserNotFoundError(username)
-            return res[0]
-
-        def create_user(self, org_name, username, email):
-            org_uid = self._get_org_id(org_name)
-            response = self._get_sdk().users.create_user(org_uid, username, email)
-            return json.loads(response.text)
-
-        def block_user(self, username):
-            user_id = self._get_legacy_user_id(username)
-            self._get_sdk().users.block(user_id)
-            return user_id
-
-        def unblock_user(self, username):
-            user_id = self._get_legacy_user_id(username)
-            self._get_sdk().users.unblock(user_id)
-            return user_id
-
-        def deactivate_user(self, username):
-            user_id = self._get_legacy_user_id(username)
-            self._get_sdk().users.deactivate(user_id)
-            return user_id
-
-        def reactivate_user(self, username):
-            user_id = self._get_legacy_user_id(username)
-            self._get_sdk().users.reactivate(user_id)
-            return user_id
-
-        def get_org(self, org_name):
-            org_pages = self._get_sdk().orgs.get_all()
-            for org_page in org_pages:
-                orgs = org_page["orgs"]
-                for org in orgs:
-                    if org.get("orgName") == org_name:
-                        return org
-            raise Code42OrgNotFoundError(org_name)
-
-        def search_file_events(self, payload):
-            res = self._get_sdk().securitydata.search_file_events(payload)
-            return res["fileEvents"]
-
-        def _get_user_id(self, username):
-            user_id = self.get_user(username).get("userUid")
-            if user_id:
-                return user_id
-            raise Code42UserNotFoundError(username)
-
-        def _get_legacy_user_id(self, username):
-            user_id = self.get_user(username).get("userId")
-            if user_id:
-                return user_id
-            raise Code42UserNotFoundError(username)
-
-        def _get_org_id(self, org_name):
-            org_uid = self.get_org(org_name).get("orgUid")
-            if org_uid:
-                return org_uid
-            raise Code42OrgNotFoundError(org_name)
-
-
-    class Code42AlertNotFoundError(Exception):
-        def __init__(self, alert_id):
-            super(Code42AlertNotFoundError, self).__init__(
-                "No alert found with ID {0}.".format(alert_id)
-            )
-
-
-    class Code42UserNotFoundError(Exception):
-        def __init__(self, username):
-            super(Code42UserNotFoundError, self).__init__(
-                "No user found with username {0}.".format(username)
-            )
-
-
-    class Code42OrgNotFoundError(Exception):
-        def __init__(self, org_name):
-            super(Code42OrgNotFoundError, self).__init__(
-                "No organization found with name {0}.".format(org_name)
-            )
-
-
-    class Code42SearchFilters(object):
-        def __init__(self):
-            self._filters = []
-
-        @property
-        def filters(self):
-            return self._filters
-
-        def to_all_query(self):
-            """Override"""
-
-        def append(self, _filter):
-            if _filter:
-                self._filters.append(_filter)
-
-        def extend(self, _filters):
-            if _filters:
-                self._filters.extend(_filters)
-
-        def append_result(self, value, create_filter):
-            """Safely creates and appends the filter to the working list."""
-            if not value:
-                return
-            _filter = create_filter(value)
-            self.append(_filter)
-
-
-    class FileEventQueryFilters(Code42SearchFilters):
-        """Class for simplifying building up a file event search query"""
-
-        def __init__(self, pg_size=None):
-            self._pg_size = pg_size
-            super(FileEventQueryFilters, self).__init__()
-
-        def to_all_query(self):
-            """Convert list of search criteria to *args"""
-            query = FileEventQuery.all(*self._filters)
-            if self._pg_size:
-                query.page_size = self._pg_size
-            return query
-
-
-    class AlertQueryFilters(Code42SearchFilters):
-        """Class for simplifying building up an alert search query"""
-
-        def to_all_query(self):
-            query = AlertQuery.all(*self._filters)
-            query.page_size = 500
-            query.sort_direction = "asc"
-            return query
-
-
-    @logger
-
-    def build_query_payload(args):
-        """Build a query payload combining passed args"""
-
-        pg_size = args.get("results")
-        _hash = args.get("hash")
-        hostname = args.get("hostname")
-        username = args.get("username")
-        exposure = args.get("exposure")
-
-        search_args = FileEventQueryFilters(pg_size)
-        search_args.append_result(_hash, _create_hash_filter)
-        search_args.append_result(hostname, OSHostname.eq)
-        search_args.append_result(username, DeviceUsername.eq)
-        search_args.append_result(exposure, _create_exposure_filter)
-
-        query = search_args.to_all_query()
-        LOG("File Event Query: {}".format(str(query)))
-        return query
-
-
-    def _create_hash_filter(hash_arg):
-        if not hash_arg:
-            return None
-        elif len(hash_arg) == 32:
-            return MD5.eq(hash_arg)
-        elif len(hash_arg) == 64:
-            return SHA256.eq(hash_arg)
-
-
-    def _create_exposure_filter(exposure_arg):
-        # Because the CLI can't accept lists, convert the args to a list if the type is string.
-        if isinstance(exposure_arg, str):
-            exposure_arg = exposure_arg.split(",")
-        return ExposureType.is_in(exposure_arg)
-
-
-    def _create_category_filter(file_type):
-        category_value = CODE42_FILE_TYPE_MAPPER.get(file_type.get("category"), "UNCATEGORIZED")
-        return FileCategory.eq(category_value)
-
-
-    class ObservationToSecurityQueryMapper(object):
-        """Class to simplify the process of mapping observation data to query objects."""
-
-        # Exfiltration consts
-        _ENDPOINT_TYPE = "FedEndpointExfiltration"
-        _CLOUD_TYPE = "FedCloudSharePermissions"
-
-        # Query consts
-        _PUBLIC_SEARCHABLE = "PublicSearchableShare"
-        _PUBLIC_LINK = "PublicLinkShare"
-        _OUTSIDE_TRUSTED_DOMAINS = "SharedOutsideTrustedDomain"
-
-        exposure_type_map = {
-            "PublicSearchableShare": ExposureType.IS_PUBLIC,
-            "PublicLinkShare": ExposureType.SHARED_VIA_LINK,
-            "SharedOutsideTrustedDomain": "OutsideTrustedDomains",
-        }
-
-        def __init__(self, observation, actor):
-            self._obs = observation
-            self._actor = actor
-
-        @property
-        def _observation_data(self):
-            return self._obs.get("data")
-
-        @property
-        def _exfiltration_type(self):
-            return self._obs.get("type")
-
-        @property
-        def _is_endpoint_exfiltration(self):
-            return self._exfiltration_type == self._ENDPOINT_TYPE
-
-        @property
-        def _is_cloud_exfiltration(self):
-            return self._exfiltration_type == self._CLOUD_TYPE
-
-        def _create_user_filter(self):
-            return (
-                DeviceUsername.eq(self._actor)
-                if self._is_endpoint_exfiltration
-                else Actor.eq(self._actor)
-            )
-
-        def map(self):
-            search_args = self._create_search_args()
-            query = search_args.to_all_query()
-            LOG("Alert Observation Query: {}".format(query))
-            return query
-
-        def _create_search_args(self):
-            filters = FileEventQueryFilters()
-            exposure_types = self._observation_data.get("exposureTypes")
-            first_activity = self._observation_data.get("firstActivityAt")
-            last_activity = self._observation_data.get("lastActivityAt")
-            filters.append(self._create_user_filter())
-            if first_activity:
-                begin_time = _convert_date_arg_to_epoch(first_activity)
-                if begin_time:
-                    filters.append(EventTimestamp.on_or_after(begin_time))
-            if last_activity:
-                end_time = _convert_date_arg_to_epoch(last_activity)
-                if end_time:
-                    filters.append(EventTimestamp.on_or_before(end_time))
-            filters.extend(self._create_exposure_filters(exposure_types))
-            filters.append(self._create_file_category_filters())
-            return filters
-
-        @logger
-        def _create_exposure_filters(self, exposure_types):
-            """Determine exposure types based on alert type"""
-            exp_types = []
-            if self._is_cloud_exfiltration:
-                for t in exposure_types:
-                    exp_type = self.exposure_type_map.get(t)
-                    if exp_type:
-                        exp_types.append(exp_type)
-                    else:
-                        LOG("Received unsupported exposure type {0}.".format(t))
-                if exp_types:
-                    return [ExposureType.is_in(exp_types)]
-                else:
-                    # If not given a support exposure type, search for all unsupported exposure types
-                    supported_exp_types = list(self.exposure_type_map.values())
-                    return [ExposureType.not_in(supported_exp_types)]
-            elif self._is_endpoint_exfiltration:
-                return [
-                    EventType.is_in([EventType.CREATED, EventType.MODIFIED, EventType.READ_BY_APP]),
-                    ExposureType.is_in(exposure_types),
-                ]
-            return []
-
-        def _create_file_category_filters(self):
-            """Determine if file categorization is significant"""
-            observed_file_categories = self._observation_data.get("fileCategories")
-            if observed_file_categories:
-                categories = [
-                    c.get("category").upper()
-                    for c in observed_file_categories
-                    if c.get("isSignificant") and c.get("category")
-                ]
-                if categories:
-                    return FileCategory.is_in(categories)
-
-
-    def map_observation_to_security_query(observation, actor):
-        mapper = ObservationToSecurityQueryMapper(observation, actor)
-        return mapper.map()
-
-
-    def _convert_date_arg_to_epoch(date_arg):
-        date_arg = date_arg[:25]
-        return (
-            datetime.strptime(date_arg, "%Y-%m-%dT%H:%M:%S.%f") - datetime.utcfromtimestamp(0)
-        ).total_seconds()
-
-
-    @logger
-
-    def map_to_code42_event_context(obj):
-        code42_context = _map_obj_to_context(obj, CODE42_EVENT_CONTEXT_FIELD_MAPPER)
-        # FileSharedWith is a special case and needs to be converted to a list
-        shared_with_list = code42_context.get("FileSharedWith")
-        if shared_with_list:
-            shared_list = [u.get("cloudUsername") for u in shared_with_list if u.get("cloudUsername")]
-            code42_context["FileSharedWith"] = str(shared_list)
-        return code42_context
-
-
-    @logger
-
-    def map_to_code42_alert_context(obj):
-        return _map_obj_to_context(obj, CODE42_ALERT_CONTEXT_FIELD_MAPPER)
-
-
-    @logger
-
-    def map_to_file_context(obj):
-        return _map_obj_to_context(obj, FILE_CONTEXT_FIELD_MAPPER)
-
-
-    @logger
-
-    def _map_obj_to_context(obj, context_mapper):
-        return {v: obj.get(k) for k, v in context_mapper.items() if obj.get(k)}
-
-
-    def create_command_error_message(cmd, ex):
-        return "Failed to execute command {0} command. Error: {1}".format(cmd, str(ex))
-
-
-    """Commands"""
-
-
-
-    @logger
-
-    def alert_get_command(client, args):
-        code42_securityalert_context = []
-        alert = client.get_alert_details(args.get("id"))
-        if not alert:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="ID",
-                outputs_prefix="Code42.SecurityAlert",
-                raw_response={},
-            )
-
-        code42_context = map_to_code42_alert_context(alert)
-        code42_securityalert_context.append(code42_context)
-        readable_outputs = tableToMarkdown(
-            "Code42 Security Alert Results",
-            code42_securityalert_context,
-            headers=SECURITY_ALERT_HEADERS,
-        )
-        return CommandResults(
-            outputs_prefix="Code42.SecurityAlert",
-            outputs_key_field="ID",
-            outputs=code42_securityalert_context,
-            readable_output=readable_outputs,
-            raw_response=alert,
-        )
-
-
-    @logger
-
-    def alert_resolve_command(client, args):
-        code42_securityalert_context = []
-        alert_id = client.resolve_alert(args.get("id"))
-        if not alert_id:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="ID",
-                outputs_prefix="Code42.SecurityAlert",
-                raw_response={},
-            )
-
-        # Retrieve new alert details
-        alert_details = client.get_alert_details(alert_id)
-        code42_context = map_to_code42_alert_context(alert_details)
-        code42_securityalert_context.append(code42_context)
-        readable_outputs = tableToMarkdown(
-            "Code42 Security Alert Resolved",
-            code42_securityalert_context,
-            headers=SECURITY_ALERT_HEADERS,
-        )
-        return CommandResults(
-            outputs_prefix="Code42.SecurityAlert",
-            outputs_key_field="ID",
-            outputs=code42_securityalert_context,
-            readable_output=readable_outputs,
-            raw_response=alert_details,
-        )
-
-
-    @logger
-
-    def departingemployee_add_command(client, args):
-        departing_date = args.get("departuredate")
-        username = args.get("username")
-        note = args.get("note")
-        user_id = client.add_user_to_departing_employee(username, departing_date, note)
-        # CaseID included but is deprecated.
-        de_context = {
-            "CaseID": user_id,
-            "UserID": user_id,
-            "Username": username,
-            "DepartureDate": departing_date,
-            "Note": note,
-        }
-        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Added", de_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=de_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def departingemployee_remove_command(client, args):
-        username = args.get("username")
-        user_id = client.remove_user_from_departing_employee(username)
-        # CaseID included but is deprecated.
-        de_context = {"CaseID": user_id, "UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 Departing Employee List User Removed", de_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=de_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def departingemployee_get_all_command(client, args):
-        results = args.get("results") or 50
-        employees = client.get_all_departing_employees(results)
-        if not employees:
-            return CommandResults(
-                readable_output="No results found",
-                outputs_prefix="Code42.DepartingEmployee",
-                outputs_key_field="UserID",
-                outputs={"Results": []},
-                raw_response={},
-            )
-
-        employees_context = [
-            {
-                "UserID": e.get("userId"),
-                "Username": e.get("userName"),
-                "DepartureDate": e.get("departureDate"),
-                "Note": e.get("notes"),
-            }
-            for e in employees
-        ]
-        readable_outputs = tableToMarkdown("All Departing Employees", employees_context)
-        return CommandResults(
-            outputs_prefix="Code42.DepartingEmployee",
-            outputs_key_field="UserID",
-            outputs=employees_context,
-            readable_output=readable_outputs,
-            raw_response=employees,
-        )
-
-
-    @logger
-
-    def highriskemployee_add_command(client, args):
-        username = args.get("username")
-        note = args.get("note")
-        user_id = client.add_user_to_high_risk_employee(username, note)
-        hr_context = {"UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Added", hr_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=hr_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_remove_command(client, args):
-        username = args.get("username")
-        user_id = client.remove_user_from_high_risk_employee(username)
-        hr_context = {"UserID": user_id, "Username": username}
-        readable_outputs = tableToMarkdown("Code42 High Risk Employee List User Removed", hr_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=hr_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_get_all_command(client, args):
-        tags = args.get("risktags")
-        results = args.get("results") or 50
-        employees = client.get_all_high_risk_employees(tags, results)
-        if not employees:
-            return CommandResults(
-                readable_output="No results found",
-                outputs_prefix="Code42.HighRiskEmployee",
-                outputs_key_field="UserID",
-                outputs={"Results": []},
-                raw_response={},
-            )
-        employees_context = [
-            {"UserID": e.get("userId"), "Username": e.get("userName"), "Note": e.get("notes")}
-            for e in employees
-        ]
-        readable_outputs = tableToMarkdown("Retrieved All High Risk Employees", employees_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=employees_context,
-            readable_output=readable_outputs,
-            raw_response=employees,
-        )
-
-
-    @logger
-
-    def highriskemployee_add_risk_tags_command(client, args):
-        username = args.get("username")
-        tags = args.get("risktags")
-        user_id = client.add_user_risk_tags(username, tags)
-        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
-        readable_outputs = tableToMarkdown("Code42 Risk Tags Added", rt_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=rt_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def highriskemployee_remove_risk_tags_command(client, args):
-        username = args.get("username")
-        tags = args.get("risktags")
-        user_id = client.remove_user_risk_tags(username, tags)
-        rt_context = {"UserID": user_id, "Username": username, "RiskTags": tags}
-        readable_outputs = tableToMarkdown("Code42 Risk Tags Removed", rt_context)
-        return CommandResults(
-            outputs_prefix="Code42.HighRiskEmployee",
-            outputs_key_field="UserID",
-            outputs=rt_context,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    @logger
-
-    def securitydata_search_command(client, args):
-        code42_security_data_context = []
-        _json = args.get("json")
-        file_context = []
-
-        # If JSON payload is passed as an argument, ignore all other args and search by JSON payload
-        if _json is not None:
-            file_events = client.search_file_events(_json)
-        else:
-            # Build payload
-            payload = build_query_payload(args)
-            file_events = client.search_file_events(payload)
-        if file_events:
-            for file_event in file_events:
-                code42_context_event = map_to_code42_event_context(file_event)
-                code42_security_data_context.append(code42_context_event)
-                file_context_event = map_to_file_context(file_event)
-                file_context.append(file_context_event)
-            readable_outputs = tableToMarkdown(
-                "Code42 Security Data Results",
-                code42_security_data_context,
-                headers=SECURITY_EVENT_HEADERS,
-            )
-            code42_results = CommandResults(
-                outputs_prefix="Code42.SecurityData",
-                outputs_key_field="EventID",
-                outputs=code42_security_data_context,
-                readable_output=readable_outputs,
-                raw_response=file_events,
-            )
-            file_results = CommandResults(
-                outputs_prefix="File", outputs_key_field=None, outputs=file_context
-            )
-            return code42_results, file_results
-
-        else:
-            return CommandResults(
-                readable_output="No results found",
-                outputs={"Results": []},
-                outputs_key_field="EventID",
-                outputs_prefix="Code42.SecurityData",
-                raw_response={},
-            )
-
-
-    def user_create_command(client, args):
-        org_name = args.get("orgname")
-        username = args.get("username")
-        email = args.get("email")
-        res = client.create_user(org_name, username, email)
-        outputs = {
-            "Username": res.get("username"),
-            "UserID": res.get("userUid"),
-            "Email": res.get("email"),
-        }
-        readable_outputs = tableToMarkdown("Code42 User Created", outputs)
-        return CommandResults(
-            outputs_prefix="Code42.User",
-            outputs_key_field="UserID",
-            outputs=outputs,
-            readable_output=readable_outputs,
-            raw_response=res,
-        )
-
-
-    def user_block_command(client, args):
-        username = args.get("username")
-        user_id = client.block_user(username)
-        outputs = {"UserID": user_id}
-        readable_outputs = tableToMarkdown("Code42 User Blocked", outputs)
-        return CommandResults(
-            outputs_prefix="Code42.User",
-            outputs_key_field="UserID",
-            outputs=outputs,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    def user_unblock_command(client, args):
-        username = args.get("username")
-        user_id = client.unblock_user(username)
-        outputs = {"UserID": user_id}
-        readable_outputs = tableToMarkdown("Code42 User Unblocked", outputs)
-        return CommandResults(
-            outputs_prefix="Code42.User",
-            outputs_key_field="UserID",
-            outputs=outputs,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    def user_deactivate_command(client, args):
-        username = args.get("username")
-        user_id = client.deactivate_user(username)
-        outputs = {"UserID": user_id}
-        readable_outputs = tableToMarkdown("Code42 User Deactivated", outputs)
-        return CommandResults(
-            outputs_prefix="Code42.User",
-            outputs_key_field="UserID",
-            outputs=outputs,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    def user_reactivate_command(client, args):
-        username = args.get("username")
-        user_id = client.reactivate_user(username)
-        outputs = {"UserID": user_id}
-        readable_outputs = tableToMarkdown("Code42 User Reactivated", outputs)
-        return CommandResults(
-            outputs_prefix="Code42.User",
-            outputs_key_field="UserID",
-            outputs=outputs,
-            readable_output=readable_outputs,
-            raw_response=user_id,
-        )
-
-
-    """Fetching"""
-
-
-
-    def _create_incident_from_alert_details(details):
-        return {"name": "Code42 - {}".format(details.get("name")), "occurred": details.get("createdAt")}
-
-
-    def _stringify_lists_if_needed(event):
-        # We need to convert certain fields to a stringified list or React.JS will throw an error
-        shared_with = event.get("sharedWith")
-        private_ip_addresses = event.get("privateIpAddresses")
-        if shared_with:
-            shared_list = [u.get("cloudUsername") for u in shared_with if u.get("cloudUsername")]
-            event["sharedWith"] = str(shared_list)
-        if private_ip_addresses:
-            event["privateIpAddresses"] = str(private_ip_addresses)
-        return event
-
-
-    def _process_event_from_observation(event):
-        return _stringify_lists_if_needed(event)
-
-
-    class Code42SecurityIncidentFetcher(object):
-        def __init__(
-            self,
-            client,
-            last_run,
-            first_fetch_time,
-            event_severity_filter,
-            fetch_limit,
-            include_files,
-            integration_context=None,
-        ):
-            self._client = client
-            self._last_run = last_run
-            self._first_fetch_time = first_fetch_time
-            self._event_severity_filter = event_severity_filter
-            self._fetch_limit = fetch_limit
-            self._include_files = (include_files,)
-            self._integration_context = integration_context
-
-        @logger
-        def fetch(self):
-            remaining_incidents_from_last_run = self._fetch_remaining_incidents_from_last_run()
-            if remaining_incidents_from_last_run:
-                return remaining_incidents_from_last_run
-            start_query_time = self._get_start_query_time()
-            alerts = self._fetch_alerts(start_query_time)
-            incidents = [self._create_incident_from_alert(a) for a in alerts]
-            save_time = datetime.utcnow().timestamp()
-            next_run = {"last_fetch": save_time}
-            return next_run, incidents[: self._fetch_limit], incidents[self._fetch_limit:]
-
-        def _fetch_remaining_incidents_from_last_run(self):
-            if self._integration_context:
-                remaining_incidents = self._integration_context.get("remaining_incidents")
-                # return incidents if exists in context.
-                if remaining_incidents:
-                    return (
-                        self._last_run,
-                        remaining_incidents[: self._fetch_limit],
-                        remaining_incidents[self._fetch_limit:],
-                    )
-
-        def _get_start_query_time(self):
-            start_query_time = self._try_get_last_fetch_time()
-
-            # Handle first time fetch, fetch incidents retroactively
-            if not start_query_time:
-                start_query_time, _ = parse_date_range(
-                    self._first_fetch_time, to_timestamp=True, utc=True
-                )
-                start_query_time /= 1000
-
-            return start_query_time
-
-        def _try_get_last_fetch_time(self):
-            return self._last_run.get("last_fetch")
-
-        def _fetch_alerts(self, start_query_time):
-            return self._client.fetch_alerts(start_query_time, self._event_severity_filter)
-
-        def _create_incident_from_alert(self, alert):
-            details = self._client.get_alert_details(alert["id"])
-            incident = _create_incident_from_alert_details(details)
-            details = self._relate_files_to_alert(details)
-            incident["rawJSON"] = json.dumps(details)
-            return incident
-
-        def _relate_files_to_alert(self, alert_details):
-            observations = alert_details.get("observations")
-            if not observations:
-                alert_details["fileevents"] = []
-                return
-            for obs in observations:
-                file_events = self._get_file_events_from_alert_details(obs, alert_details)
-                alert_details["fileevents"] = [_process_event_from_observation(e) for e in file_events]
-            return alert_details
-
-        def _get_file_events_from_alert_details(self, observation, alert_details):
-            security_data_query = map_observation_to_security_query(observation, alert_details["actor"])
-            return self._client.search_file_events(security_data_query)
-
-
-    def fetch_incidents(
-        client,
-        last_run,
-        first_fetch_time,
-        event_severity_filter,
-        fetch_limit,
-        include_files,
-        integration_context=None,
-    ):
-        fetcher = Code42SecurityIncidentFetcher(
-            client,
-            last_run,
-            first_fetch_time,
-            event_severity_filter,
-            fetch_limit,
-            include_files,
-            integration_context,
-        )
-        return fetcher.fetch()
-
-
-    """Main and test"""
-
-
-
-    def test_module(client):
-        try:
-            # Will fail if unauthorized
-            client.get_current_user()
-            return "ok"
-        except Exception:
-            return (
-                "Invalid credentials or host address. Check that the username and password are correct, that the host "
-                "is available and reachable, and that you have supplied the full scheme, domain, and port "
-                "(e.g. https://myhost.code42.com:4285)."
-            )
-
-
-    def get_command_map():
-        return {
-            "code42-alert-get": alert_get_command,
-            "code42-alert-resolve": alert_resolve_command,
-            "code42-securitydata-search": securitydata_search_command,
-            "code42-departingemployee-add": departingemployee_add_command,
-            "code42-departingemployee-remove": departingemployee_remove_command,
-            "code42-departingemployee-get-all": departingemployee_get_all_command,
-            "code42-highriskemployee-add": highriskemployee_add_command,
-            "code42-highriskemployee-remove": highriskemployee_remove_command,
-            "code42-highriskemployee-get-all": highriskemployee_get_all_command,
-            "code42-highriskemployee-add-risk-tags": highriskemployee_add_risk_tags_command,
-            "code42-highriskemployee-remove-risk-tags": highriskemployee_remove_risk_tags_command,
-            "code42-user-create": user_create_command,
-            "code42-user-block": user_block_command,
-            "code42-user-unblock": user_unblock_command,
-            "code42-user-deactivate": user_deactivate_command,
-            "code42_user-reactivate": user_reactivate_command,
-        }
-
-
-    def handle_test_command(client):
-        # This is the call made when pressing the integration Test button.
-        result = test_module(client)
-        demisto.results(result)
-
-
-    def handle_fetch_command(client):
-        integration_context = demisto.getIntegrationContext()
-        # Set and define the fetch incidents command to run after activated via integration settings.
-        next_run, incidents, remaining_incidents = fetch_incidents(
-            client=client,
-            last_run=demisto.getLastRun(),
-            first_fetch_time=demisto.params().get("fetch_time"),
-            event_severity_filter=demisto.params().get("alert_severity"),
-            fetch_limit=int(demisto.params().get("fetch_limit")),
-            include_files=demisto.params().get("include_files"),
-            integration_context=integration_context,
-        )
-        demisto.setLastRun(next_run)
-        demisto.incidents(incidents)
-        # Store remaining incidents in integration context
-        integration_context["remaining_incidents"] = remaining_incidents
-        demisto.setIntegrationContext(integration_context)
-
-
-    def try_run_command(command):
-        try:
-            results = command()
-            if not isinstance(results, tuple) and not isinstance(results, list):
-                results = [results]
-            for result in results:
-                return_results(result)
-        except Exception as e:
-            return_error(create_command_error_message(demisto.command(), e))
-
-
-    def run_code42_integration():
-        username = demisto.params().get("credentials").get("identifier")
-        password = demisto.params().get("credentials").get("password")
-        base_url = demisto.params().get("console_url")
-        verify_certificate = not demisto.params().get("insecure", False)
-        proxy = demisto.params().get("proxy", False)
-        LOG("Command being called is {0}.".format(demisto.command()))
-        client = Code42Client(
-            base_url=base_url,
-            sdk=None,
-            auth=(username, password),
-            verify=verify_certificate,
-            proxy=proxy,
-        )
-        commands = get_command_map()
-        command = demisto.command()
-        if command == "test-module":
-            handle_test_command(client)
-        elif command == "fetch-incidents":
-            handle_fetch_command(client)
-        elif command in commands:
-            try_run_command(lambda: commands[command](client, demisto.args()))
-
-
-    def main():
-        run_code42_integration()
-
-
-    if __name__ in ("__main__", "__builtin__", "builtins"):
-        main()
-  subtype: python3
-  type: python
-image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAHjElEQVR4nO2aeYxV1R3HP/e+h2wyoCxalhkQpFJpUcQ2LijRLsE9ikutUjCh44poWzUqalyitmqiQdM0rfsSlbjVuFsXlChVaaWKSnBBBnDsMAwyFpiZd815871wuNztDTP4B+eT3Hn3nv2e3zm/3+/87uBwOBwOh8PhcDgcDofD4XA4HA6Hw7EteKXjqAMGA9908kz2AVYDY4B6O8ML4GN/ANOKU/AJ6EGrE2IXUZQgsH47E9Omb7fn6fdef19Wen3YM2igtCnV0dn4XTyjga4tUhb7g3i6MIYhwVon3C6mqwW8BaEo7/b3pZEe9Kbl+3rvHYbidn3RAD7wB/Fs4YdUB020bbl7+wIHAbsBG4CFwOIKWt8f2AsoAMuA+cD6jDo1wE5Am549XQ1AY44+ewDDgNJWmmoz3YAmYFVGWz3VVpvaMu+xUe+S1LbZoPsBo3T/KfC2xlOmUgG3qrNuFdazbO941tCT3fmGtnYFYgZ3E3CMVSzkE2Am8HxK05cBFwD9I+lmcu4GLgbWxNQzE/gmMCSh3c+AF4AbgM8TyvwUeC1lbCHPAEdmlLkROC+SZhZFNWyl6nYBrgJO173NWuDPwLVUoKL/BkzQ7hoEjANuzVm3nQAW+bvxTGE0NUFjKNxTgCXAsRKuWb11lkc/GngOuDqmxSpgkV4kFG6DtVPMzvwdsBzYp6KxtjMCqJWgoxPf2RxUQR8n63QyM0a44bxcA7xIDgF/K8HOAN5Vw2Y3vA/Mkkr8X9aIwm35lD+GRnqFx6JfAg9ZxWYDuwJDNcjJUk9h3mmRZs3uGqv7f2gxDAB+oIU4R3m9tcsGpwxxLrCzjnSmnfGapGbl3wZcmPGaf5CaHRu5jAo9K6PuLRn5NuNi0pq0c21+DlyUJeBfSbBJfAxMSrERm2jxfBb4wxgYNIee8+1W9gHaifYgn5NdNbv0PuCfVt5FwM90f7PU+xIrv147Yrqeq1QuidUS5kdqx9j/K4CR0ihhP3untLFMNv+DyPWetVDj+L1UPaq3KGMqLzWWTvePaTH1kw9zQaTsMWkCNmr5jYzOwkHdmJDnl68Alnr9qaOKncv+EyfJ9houB95KqF+vFTsVWGGlT9XvJ9o5SRgb/KTyjGobnlAu6az2FTDNep6R0ldHqA5tpZgtJymL2TJrJ2j+Q+ZE5mlAmpP1YAUD/gvQXd5vGJYy6mpdaE+Xe1Ws83aiT1AW8C9UpmStxiSi2mGstZOeyDG2RywbPzHFYUriJe3C8aqfRLXeeWQk33jaX2qxRLle+UhjPQ6cmWNMyxK0woSIKVqVJOBWqd+8fJFkozz9ubMwgSIlCgRGYuFOWqyXr4Q9rLIf5qj3X+s+aQfnaWO8hNgj4fh1k644jIa7JJJ+NHCq9TxLvz07OEbjfzwcSZubpqIz7WoltFDA29xk2G9HgtAF6z5PffuIUUgpl0bYj99JwSE/4hPUWhuqI/P+Y9WvttJeNio7aQcX5U2uzNnBUA1yozUZZqU3B3C7F9A8ve0dZhWPKjtYHkF4lBku56Cpgpeps+7z7EhbZeZ9nyh76rleJ4s4ZsnbHhXJ6x4T5LjCahPVuUyevD3eKpkwc+S5M6HfM4C/R9IW6BSSGuj4dc5DPBLu5THprfKAm4cGa8uhSRO9KhLMl3rqK/uYZYdtFsqRGCwv/7qM8pOt+39V0E/IOMv2vpNSboV235KUMiHRc/kfE8r1UqxgYIKAH5ScbO4Azgmf09RNreW+pzFa0aI4SuXLg5pgDQOCZr5tD4I9IgcMeZFVCfV9BVROsdJa5IygiZ+aUNdgjlln636enKVKucMq/0AH6ncFP5KTFRXuGZZwy2HXLHvyfMbZz8RyX8kTuuwbrGefYCVfe73NuelrqSkUf/1PzKo2bT6qiM1D1pkWhelW6/4e4PyYLs3OfcV6np01Rgtfnr6xawcq+S55uklU8lnsbcUXnrSux7XwG6xyG7QoX7XSJupoNCzSpqk3RWOuU0zhffPBf22Ob8HGtvxVR4ySjPlvFXBIc1w2quxX5iP/y4WRzCgez/CgMXS45tjqRBGyfysceqjlUb6mgIrNgYolh6zSuX2DgiC2LazV+G0K8v6HKMhRr7RA/dverIl0nRjzfodYZqxBvkR0sQ/TIpwWUz+O1y2TEBeL/g1wf862mvJ+bJipa70E3Ctnvc14cHjbUg7xP+NNv6Ys5BLeuVrNtyka8xNdNn9KMAHzdWS6X8LeXSvY5nOp8HkZo+ut2HMUcwy7UgJOeKtN9I/54BEyKM8UxbS5zeTdwR1l0w5G/6rzUmEUtcXjqA7WtIe42jEq8QjgYE3SBqmauTk9X3NMOEq7paD+zDEhzUn0FOI08e//W+lFecrv5QiKDNRXoo32J7oIVQqBvp5zDg/Xwm1R3P+pSNs1Mh/NGUcq472v274Cpn1I07tNYZ5fw4j2XdxFXTvY3v/RES6300sLy+Ju3b7d75B09Qx7W9kUDw5rW8qk0qfUeVV2dMvRBRTl+fVJ+K+HbaGf2tzCNgWS+LS2d1ngDy2HMIuJ5svhcDgcDofD4XA4HA6Hw+FwOBwOh8Px/QF8B+pZzTnuPtCMAAAAAElFTkSuQmCC
-detaileddescription: >
-  ### Partner Contributed Integration
-
-  #### Integration Author: Code42
-
-  Support and maintenance for this integration are provided by the author. Please use the following contact details:
-
-  - **URL**: [https://support.code42.com/Administrator/Cloud/Monitoring_and_managing](https://support.code42.com/Administrator/Cloud/Monitoring_and_managing)
-
-  ***
-
-  ## Code42
-
-
-  Code42 provides simple, fast detection and response to everyday data loss from insider threats by focusing on customer data on endpoints and the cloud.
-
-
-  To configure this integration, you will need to create a local (non-SSO) user within the Code42 application with one of the following sets of roles:
-
-
-  * Customer Cloud Admin
-
-  * Security Center User + (Org Security Viewer or Cross Org Security Viewer)
-
-
-  After this user is set up, use the username and password to configure the Code42 integration.
diff --git a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
index d33aea2ec4e..a9fb242081d 100644
--- a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
+++ b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
@@ -1,473 +1,478 @@
 {
-       "TypeName": "",
-       "id": "Code42 Security Alert",
-       "kind": "details",
-       "name": "",
-       "sortValues": null,
-       "system": false,
-       "tabs": [
-              {
-                     "id": "summary",
-                     "name": "Legacy Summary",
-                     "type": "summary"
-              },
-              {
-                     "id": "caseinfoid",
-                     "name": "Incident Info",
-                     "sections": [
+    "typeId": "Code42 Security Alert",
+    "version": -1,
+    "TypeName": "Code42 Security Alert",
+    "kind": "details",
+    "fromVersion": "5.0.0",
+    "layout": {
+        "TypeName": "",
+        "id": "Code42 Security Alert",
+        "kind": "details",
+        "name": "",
+        "system": false,
+        "typeId": "Code42 Security Alert",
+        "version": -1,
+        "tabs": [
+            {
+                "id": "summary",
+                "name": "Legacy Summary",
+                "type": "summary"
+            },
+            {
+                "id": "caseinfoid",
+                "name": "Incident Info",
+                "sections": [
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8",
+                        "isVisible": true,
+                        "items": [
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8",
-                                   "isVisible": true,
-                                   "items": [
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "type",
-                                                 "height": 22,
-                                                 "id": "incident-type-field",
-                                                 "index": 0,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "severity",
-                                                 "height": 22,
-                                                 "id": "incident-severity-field",
-                                                 "index": 1,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "owner",
-                                                 "height": 22,
-                                                 "id": "incident-owner-field",
-                                                 "index": 2,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "dbotsource",
-                                                 "height": 22,
-                                                 "id": "incident-source-field",
-                                                 "index": 3,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "sourcebrand",
-                                                 "height": 22,
-                                                 "id": "incident-sourceBrand-field",
-                                                 "index": 5,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "sourceinstance",
-                                                 "height": 22,
-                                                 "id": "incident-sourceInstance-field",
-                                                 "index": 6,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "playbookid",
-                                                 "height": 22,
-                                                 "id": "incident-playbookId-field",
-                                                 "index": 7,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          }
-                                   ],
-                                   "moved": false,
-                                   "name": "Case Details",
-                                   "static": false,
-                                   "w": 1,
-                                   "x": 0,
-                                   "y": 0
+                                "endCol": 2,
+                                "fieldId": "type",
+                                "height": 22,
+                                "id": "incident-type-field",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "h": 2,
-                                   "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8",
-                                   "moved": false,
-                                   "name": "Notes",
-                                   "static": false,
-                                   "type": "notes",
-                                   "w": 1,
-                                   "x": 2,
-                                   "y": 5
+                                "endCol": 2,
+                                "fieldId": "severity",
+                                "height": 22,
+                                "id": "incident-severity-field",
+                                "index": 1,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8",
-                                   "moved": false,
-                                   "name": "Work Plan",
-                                   "static": false,
-                                   "type": "workplan",
-                                   "w": 1,
-                                   "x": 2,
-                                   "y": 0
+                                "endCol": 2,
+                                "fieldId": "owner",
+                                "height": 22,
+                                "id": "incident-owner-field",
+                                "index": 2,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8",
-                                   "isVisible": true,
-                                   "moved": false,
-                                   "name": "Linked Incidents",
-                                   "static": false,
-                                   "type": "linkedIncidents",
-                                   "w": 1,
-                                   "x": 0,
-                                   "y": 9
+                                "endCol": 2,
+                                "fieldId": "dbotsource",
+                                "height": 22,
+                                "id": "incident-source-field",
+                                "index": 3,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8",
-                                   "moved": false,
-                                   "name": "Child Incidents",
-                                   "static": false,
-                                   "type": "childInv",
-                                   "w": 1,
-                                   "x": 1,
-                                   "y": 9
+                                "endCol": 2,
+                                "fieldId": "sourcebrand",
+                                "height": 22,
+                                "id": "incident-sourceBrand-field",
+                                "index": 5,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "hideName": false,
-                                   "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260",
-                                   "moved": false,
-                                   "name": "Team Members",
-                                   "static": false,
-                                   "type": "team",
-                                   "w": 1,
-                                   "x": 2,
-                                   "y": 9
+                                "endCol": 2,
+                                "fieldId": "sourceinstance",
+                                "height": 22,
+                                "id": "incident-sourceInstance-field",
+                                "index": 6,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "CARD",
-                                   "h": 4,
-                                   "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289",
-                                   "items": [
-                                          {
-                                                 "endCol": 1,
-                                                 "fieldId": "occurred",
-                                                 "height": 55,
-                                                 "id": "incident-occurred-field",
-                                                 "index": 1,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 1,
-                                                 "fieldId": "dbotmodified",
-                                                 "height": 55,
-                                                 "id": "incident-modified-field",
-                                                 "index": 2,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "dbotduedate",
-                                                 "height": 55,
-                                                 "id": "incident-dueDate-field",
-                                                 "index": 3,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "dbotcreated",
-                                                 "height": 55,
-                                                 "id": "incident-created-field",
-                                                 "index": 1,
-                                                 "startCol": 1
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "dbotclosed",
-                                                 "height": 55,
-                                                 "id": "incident-closed-field",
-                                                 "index": 2,
-                                                 "startCol": 1
-                                          }
-                                   ],
-                                   "moved": false,
-                                   "name": "Timeline Information",
-                                   "static": false,
-                                   "w": 1,
-                                   "x": 0,
-                                   "y": 5
+                                "endCol": 2,
+                                "fieldId": "playbookid",
+                                "height": 22,
+                                "id": "incident-playbookId-field",
+                                "index": 7,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "moved": false,
+                        "name": "Case Details",
+                        "static": false,
+                        "w": 1,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8",
+                        "moved": false,
+                        "name": "Notes",
+                        "static": false,
+                        "type": "notes",
+                        "w": 1,
+                        "x": 2,
+                        "y": 5
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8",
+                        "moved": false,
+                        "name": "Work Plan",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 1,
+                        "x": 2,
+                        "y": 0
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8",
+                        "isVisible": true,
+                        "moved": false,
+                        "name": "Linked Incidents",
+                        "static": false,
+                        "type": "linkedIncidents",
+                        "w": 1,
+                        "x": 0,
+                        "y": 9
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8",
+                        "moved": false,
+                        "name": "Child Incidents",
+                        "static": false,
+                        "type": "childInv",
+                        "w": 1,
+                        "x": 1,
+                        "y": 9
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "hideName": false,
+                        "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260",
+                        "moved": false,
+                        "name": "Team Members",
+                        "static": false,
+                        "type": "team",
+                        "w": 1,
+                        "x": 2,
+                        "y": 9
+                    },
+                    {
+                        "displayType": "CARD",
+                        "h": 4,
+                        "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289",
+                        "items": [
+                            {
+                                "endCol": 1,
+                                "fieldId": "occurred",
+                                "height": 55,
+                                "id": "incident-occurred-field",
+                                "index": 1,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 1,
+                                "fieldId": "dbotmodified",
+                                "height": 55,
+                                "id": "incident-modified-field",
+                                "index": 2,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "dbotduedate",
+                                "height": 55,
+                                "id": "incident-dueDate-field",
+                                "index": 3,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "dbotcreated",
+                                "height": 55,
+                                "id": "incident-created-field",
+                                "index": 1,
+                                "startCol": 1
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "dbotclosed",
+                                "height": 55,
+                                "id": "incident-closed-field",
+                                "index": 2,
+                                "startCol": 1
+                            }
+                        ],
+                        "moved": false,
+                        "name": "Timeline Information",
+                        "static": false,
+                        "w": 1,
+                        "x": 0,
+                        "y": 5
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289",
+                        "isVisible": true,
+                        "items": [
+                            {
+                                "endCol": 2,
+                                "fieldId": "dbotclosed",
+                                "height": 24,
+                                "id": "incident-dbotClosed-field",
+                                "index": 0,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "closereason",
+                                "height": 24,
+                                "id": "incident-closeReason-field",
+                                "index": 1,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "closenotes",
+                                "height": 48,
+                                "id": "incident-closeNotes-field",
+                                "index": 2,
+                                "startCol": 0
+                            }
+                        ],
+                        "moved": false,
+                        "name": "Closing Information",
+                        "static": false,
+                        "w": 1,
+                        "x": 2,
+                        "y": 7
+                    },
+                    {
+                        "displayType": "CARD",
+                        "h": 4,
+                        "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
+                        "isVisible": true,
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "name",
+                                "height": 55,
+                                "id": "f4316c20-598a-11ea-b904-997d555669cb",
+                                "index": 0,
+                                "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "details",
+                                "height": 110,
+                                "id": "incident-details-field",
+                                "index": 1,
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "code42alerttype",
+                                "height": 55,
+                                "id": "66a7ca60-598b-11ea-b904-997d555669cb",
+                                "index": 2,
+                                "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "employeedisplayname",
+                                "height": 55,
+                                "id": "9e36d450-5984-11ea-b904-997d555669cb",
+                                "index": 3,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "employeeemail",
+                                "height": 55,
+                                "id": "a3608bb0-5984-11ea-b904-997d555669cb",
+                                "index": 4,
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "employeemanageremail",
+                                "height": 55,
+                                "id": "a4bc7230-5984-11ea-b904-997d555669cb",
+                                "index": 5,
+                                "startCol": 0
+                            }
+                        ],
+                        "moved": false,
+                        "name": "Investigation Data",
+                        "static": false,
+                        "w": 1,
+                        "x": 1,
+                        "y": 5
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 3,
+                        "hideName": false,
+                        "i": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb",
+                        "items": [
+                            {
+                                "endCol": 6,
+                                "fieldId": "code42fileevents",
+                                "height": 106,
+                                "id": "484a0170-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 6,
+                                "fieldId": "exfiltratedfilelist",
+                                "height": 22,
+                                "id": "d857da20-5985-11ea-b904-997d555669cb",
+                                "index": 1,
+                                "listId": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "minW": 1,
+                        "moved": false,
+                        "name": "File Events",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 2
+                    },
+                    {
+                        "displayType": "ROW",
+                        "h": 2,
+                        "hideName": false,
+                        "i": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a",
+                        "items": [
+                            {
+                                "endCol": 2,
+                                "fieldId": "code42alertname",
+                                "height": 22,
+                                "id": "d3760eb0-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "code42username",
+                                "height": 22,
+                                "id": "e7d311f0-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 1,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "code42alerttype",
+                                "height": 22,
+                                "id": "dcb30460-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 2,
+                                "listId": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "code42alertdescription",
+                                "height": 22,
+                                "id": "d4ac1db0-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 3,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289",
-                                   "isVisible": true,
-                                   "items": [
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "dbotclosed",
-                                                 "height": 24,
-                                                 "id": "incident-dbotClosed-field",
-                                                 "index": 0,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "closereason",
-                                                 "height": 24,
-                                                 "id": "incident-closeReason-field",
-                                                 "index": 1,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "closenotes",
-                                                 "height": 48,
-                                                 "id": "incident-closeNotes-field",
-                                                 "index": 2,
-                                                 "startCol": 0
-                                          }
-                                   ],
-                                   "moved": false,
-                                   "name": "Closing Information",
-                                   "static": false,
-                                   "w": 1,
-                                   "x": 2,
-                                   "y": 7
+                                "endCol": 2,
+                                "fieldId": "code42alertstate",
+                                "height": 22,
+                                "id": "d8f1b6a0-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 4,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "CARD",
-                                   "h": 4,
-                                   "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
-                                   "isVisible": true,
-                                   "items": [
-                                          {
-                                                 "dropEffect": "move",
-                                                 "endCol": 2,
-                                                 "fieldId": "name",
-                                                 "height": 55,
-                                                 "id": "f4316c20-598a-11ea-b904-997d555669cb",
-                                                 "index": 0,
-                                                 "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "details",
-                                                 "height": 110,
-                                                 "id": "incident-details-field",
-                                                 "index": 1,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "dropEffect": "move",
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alerttype",
-                                                 "height": 55,
-                                                 "id": "66a7ca60-598b-11ea-b904-997d555669cb",
-                                                 "index": 2,
-                                                 "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "employeedisplayname",
-                                                 "height": 55,
-                                                 "id": "9e36d450-5984-11ea-b904-997d555669cb",
-                                                 "index": 3,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "employeeemail",
-                                                 "height": 55,
-                                                 "id": "a3608bb0-5984-11ea-b904-997d555669cb",
-                                                 "index": 4,
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "employeemanageremail",
-                                                 "height": 55,
-                                                 "id": "a4bc7230-5984-11ea-b904-997d555669cb",
-                                                 "index": 5,
-                                                 "startCol": 0
-                                          }
-                                   ],
-                                   "moved": false,
-                                   "name": "Investigation Data",
-                                   "static": false,
-                                   "w": 1,
-                                   "x": 1,
-                                   "y": 5
+                                "endCol": 2,
+                                "fieldId": "code42alertid",
+                                "height": 22,
+                                "id": "d6de3ff0-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 5,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 3,
-                                   "hideName": false,
-                                   "i": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb",
-                                   "items": [
-                                          {
-                                                 "endCol": 6,
-                                                 "fieldId": "code42fileevents",
-                                                 "height": 106,
-                                                 "id": "484a0170-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 0,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "dropEffect": "move",
-                                                 "endCol": 6,
-                                                 "fieldId": "exfiltratedfilelist",
-                                                 "height": 22,
-                                                 "id": "d857da20-5985-11ea-b904-997d555669cb",
-                                                 "index": 1,
-                                                 "listId": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb",
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          }
-                                   ],
-                                   "maxW": 3,
-                                   "minH": 1,
-                                   "minW": 1,
-                                   "moved": false,
-                                   "name": "File Events",
-                                   "static": false,
-                                   "w": 3,
-                                   "x": 0,
-                                   "y": 2
+                                "endCol": 2,
+                                "fieldId": "code42alerttimestamp",
+                                "height": 22,
+                                "id": "dabdeb20-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 6,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             },
                             {
-                                   "displayType": "ROW",
-                                   "h": 2,
-                                   "hideName": false,
-                                   "i": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                   "items": [
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alertname",
-                                                 "height": 22,
-                                                 "id": "d3760eb0-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 0,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42username",
-                                                 "height": 22,
-                                                 "id": "e7d311f0-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 1,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "dropEffect": "move",
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alerttype",
-                                                 "height": 22,
-                                                 "id": "dcb30460-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 2,
-                                                 "listId": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alertdescription",
-                                                 "height": 22,
-                                                 "id": "d4ac1db0-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 3,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alertstate",
-                                                 "height": 22,
-                                                 "id": "d8f1b6a0-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 4,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alertid",
-                                                 "height": 22,
-                                                 "id": "d6de3ff0-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 5,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42alerttimestamp",
-                                                 "height": 22,
-                                                 "id": "dabdeb20-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 6,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          },
-                                          {
-                                                 "endCol": 2,
-                                                 "fieldId": "code42severity",
-                                                 "height": 22,
-                                                 "id": "e5bab940-b6ef-11ea-8e1b-f35e38fc5b4a",
-                                                 "index": 7,
-                                                 "sectionItemType": "field",
-                                                 "startCol": 0
-                                          }
-                                   ],
-                                   "maxW": 3,
-                                   "minH": 1,
-                                   "minW": 1,
-                                   "moved": false,
-                                   "name": "Code42 Alert Details",
-                                   "static": false,
-                                   "w": 1,
-                                   "x": 1,
-                                   "y": 0
+                                "endCol": 2,
+                                "fieldId": "code42severity",
+                                "height": 22,
+                                "id": "e5bab940-b6ef-11ea-8e1b-f35e38fc5b4a",
+                                "index": 7,
+                                "sectionItemType": "field",
+                                "startCol": 0
                             }
-                     ],
-                     "type": "custom"
-              },
-              {
-                     "id": "warRoom",
-                     "name": "War Room",
-                     "type": "warRoom"
-              },
-              {
-                     "id": "workPlan",
-                     "name": "Work Plan",
-                     "type": "workPlan"
-              },
-              {
-                     "id": "evidenceBoard",
-                     "name": "Evidence Board",
-                     "type": "evidenceBoard"
-              },
-              {
-                     "id": "relatedIncidents",
-                     "name": "Related Incidents",
-                     "type": "relatedIncidents"
-              },
-              {
-                     "id": "canvas",
-                     "name": "Canvas",
-                     "type": "canvas"
-              }
-       ],
-       "typeId": "Code42 Security Alert",
-       "fromVersion": "5.0.0",
-       "version": -1
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "minW": 1,
+                        "moved": false,
+                        "name": "Code42 Alert Details",
+                        "static": false,
+                        "w": 1,
+                        "x": 1,
+                        "y": 0
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "id": "warRoom",
+                "name": "War Room",
+                "type": "warRoom"
+            },
+            {
+                "id": "workPlan",
+                "name": "Work Plan",
+                "type": "workPlan"
+            },
+            {
+                "id": "evidenceBoard",
+                "name": "Evidence Board",
+                "type": "evidenceBoard"
+            },
+            {
+                "id": "relatedIncidents",
+                "name": "Related Incidents",
+                "type": "relatedIncidents"
+            },
+            {
+                "id": "canvas",
+                "name": "Canvas",
+                "type": "canvas"
+            }
+        ]
+    }
 }
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
index bfdc6561a1a..9509d8b59e8 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
@@ -4,55 +4,57 @@ name: Code42 Exfiltration Playbook
 description: The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves
   file event data, and allows security teams to remediate file exfiltration events
   by revoking access rights to cloud files or containing endpoints.
-starttaskid: '0'
+starttaskid: "0"
 tasks:
-  '0':
-    id: '0'
-    taskid: ab4c0d6a-996e-415c-8f44-8a76d279ca15
+  "0":
+    id: "0"
+    taskid: 11508213-8fce-4682-8536-65ed426d2664
     type: start
     task:
-      id: ab4c0d6a-996e-415c-8f44-8a76d279ca15
+      id: 11508213-8fce-4682-8536-65ed426d2664
       version: -1
-      name: ''
+      name: ""
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '1'
+      - "1"
     separatecontext: false
     view: |-
       {
         "position": {
           "x": 520,
-          "y": -90
+          "y": 50
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '1':
-    id: '1'
-    taskid: e588a1bf-ad9e-4755-8e55-efba11ad1aff
+    skipunavailable: false
+    quietmode: 0
+  "1":
+    id: "1"
+    taskid: 77e2b71f-78fb-467e-8e87-416fd03967d7
     type: title
     task:
-      id: e588a1bf-ad9e-4755-8e55-efba11ad1aff
+      id: 77e2b71f-78fb-467e-8e87-416fd03967d7
       version: -1
       name: Start Remediation Timer
+      description: Starts a timer to track how long it takes to resolve the alert.
       type: title
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
     nexttasks:
       '#none#':
-      - '24'
-      - '25'
+      - "25"
+      - "34"
     separatecontext: false
     view: |-
       {
         "position": {
           "x": 520,
-          "y": 75
+          "y": 195
         }
       }
     note: false
@@ -60,104 +62,112 @@ tasks:
     - fieldname: remediationsla
       action: start
     ignoreworker: false
-  '5':
-    id: '5'
-    taskid: e0da957a-46bb-44b9-8ea6-408e043cae88
+    skipunavailable: false
+    quietmode: 0
+  "5":
+    id: "5"
+    taskid: 64d02f6f-5a06-40f8-8552-c98b4b959286
     type: condition
     task:
-      id: e0da957a-46bb-44b9-8ea6-408e043cae88
+      id: 64d02f6f-5a06-40f8-8552-c98b4b959286
       version: -1
       name: Review Evidence for Malicious Behavior
-      description: ''
+      description: Searches the related files for malicious behavior.
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
     nexttasks:
       '#default#':
-      - '7'
+      - "7"
       Malicious:
-      - '6'
+      - "6"
     separatecontext: false
     view: |-
       {
         "position": {
           "x": 520,
-          "y": 465
+          "y": 515
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '6':
-    id: '6'
-    taskid: b6a7b214-a52b-48cc-8c0b-bc966c11ff90
+    skipunavailable: false
+    quietmode: 0
+  "6":
+    id: "6"
+    taskid: 617588ed-c8d8-4b5a-87ed-ed84204058fc
     type: title
     task:
-      id: b6a7b214-a52b-48cc-8c0b-bc966c11ff90
+      id: 617588ed-c8d8-4b5a-87ed-ed84204058fc
       version: -1
       name: Malicious Behavior Determined
       type: title
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '19'
-      - '22'
-      - '23'
+      - "19"
+      - "22"
+      - "23"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 1000,
-          "y": 670
+          "x": 960,
+          "y": 690
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '7':
-    id: '7'
-    taskid: 2c7eb57c-ee9b-4059-8b73-34bdb9963ca0
+    skipunavailable: false
+    quietmode: 0
+  "7":
+    id: "7"
+    taskid: 7187278b-d996-465a-8c9a-3ad518285299
     type: title
     task:
-      id: 2c7eb57c-ee9b-4059-8b73-34bdb9963ca0
+      id: 7187278b-d996-465a-8c9a-3ad518285299
       version: -1
       name: Benign Behavior Determined
       type: title
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '9'
+      - "9"
     separatecontext: false
     view: |-
       {
         "position": {
           "x": 50,
-          "y": 1900
+          "y": 1725
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '8':
-    id: '8'
-    taskid: b8a80acb-a2f7-4899-88e7-16382828b9b4
+    skipunavailable: false
+    quietmode: 0
+  "8":
+    id: "8"
+    taskid: f37b26ac-38c5-40c6-800d-4cfc9692c1a8
     type: regular
     task:
-      id: b8a80acb-a2f7-4899-88e7-16382828b9b4
+      id: f37b26ac-38c5-40c6-800d-4cfc9692c1a8
       version: -1
       name: Resolve Code42 Alert
-      description: ''
-      script: '|||code42-alert-resolve'
+      script: Code42|||code42-alert-resolve
       type: regular
       iscommand: true
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '26'
+      - "26"
     scriptarguments:
       id:
         simple: ${incident.labels.id}
@@ -165,34 +175,36 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 480,
-          "y": 2455
+          "x": 407.5,
+          "y": 2030
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '9':
-    id: '9'
-    taskid: 1905e906-499f-4c14-8ec1-9c02eb6ef22a
+    skipunavailable: false
+    quietmode: 0
+  "9":
+    id: "9"
+    taskid: 16012eb4-0937-44b0-833b-560ec34de44d
     type: title
     task:
-      id: 1905e906-499f-4c14-8ec1-9c02eb6ef22a
+      id: 16012eb4-0937-44b0-833b-560ec34de44d
       version: -1
       name: Stop Remediation Timer
       type: title
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '8'
+      - "8"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 480,
-          "y": 2260
+          "x": 407.5,
+          "y": 1885
         }
       }
     note: false
@@ -200,45 +212,49 @@ tasks:
     - fieldname: remediationsla
       action: stop
     ignoreworker: false
-  '10':
-    id: '10'
-    taskid: 2b0168b7-3d35-470d-8902-5517dc8e9164
+    skipunavailable: false
+    quietmode: 0
+  "10":
+    id: "10"
+    taskid: 51669a43-475a-44d1-81fe-20207c26598e
     type: title
     task:
-      id: 2b0168b7-3d35-470d-8902-5517dc8e9164
+      id: 51669a43-475a-44d1-81fe-20207c26598e
       version: -1
       name: Done
       type: title
       iscommand: false
-      brand: ''
-      description: ''
+      brand: ""
+      description: ""
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 480,
-          "y": 2905
+          "x": 407.5,
+          "y": 2380
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '11':
-    id: '11'
-    taskid: 99490d9a-6acf-41de-8d77-1266f5d63d7f
+    skipunavailable: false
+    quietmode: 0
+  "11":
+    id: "11"
+    taskid: d03df5b6-28c0-4df7-85ae-aa6b74d2b5dd
     type: regular
     task:
-      id: 99490d9a-6acf-41de-8d77-1266f5d63d7f
+      id: d03df5b6-28c0-4df7-85ae-aa6b74d2b5dd
       version: -1
       name: Locate CrowdStrike Host
-      description: ''
       script: CrowdstrikeFalcon|||cs-falcon-search-device
       type: regular
       iscommand: true
       brand: CrowdstrikeFalcon
+      description: ""
     nexttasks:
       '#none#':
-      - '31'
+      - "31"
     scriptarguments:
       filter: {}
       hostname:
@@ -257,32 +273,34 @@ tasks:
       {
         "position": {
           "x": 990,
-          "y": 1195
+          "y": 1010
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '19':
-    id: '19'
-    taskid: 9bfcad2c-62a7-4c59-8140-1e5ba45199bd
+    skipunavailable: false
+    quietmode: 0
+  "19":
+    id: "19"
+    taskid: 434d094a-f26e-4e94-81df-fa5227beacf7
     type: condition
     task:
-      id: 9bfcad2c-62a7-4c59-8140-1e5ba45199bd
+      id: 434d094a-f26e-4e94-81df-fa5227beacf7
       version: -1
       name: Is Jira Enabled?
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '30'
-      'yes':
-      - '21'
+      - "30"
+      "yes":
+      - "21"
     separatecontext: false
     conditions:
-    - label: 'yes'
+    - label: "yes"
       condition:
       - - operator: isExists
           left:
@@ -312,28 +330,30 @@ tasks:
       {
         "position": {
           "x": 295,
-          "y": 1535
+          "y": 1360
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '21':
-    id: '21'
-    taskid: 47b1400e-6d83-483c-875f-7cac4b335481
+    skipunavailable: false
+    quietmode: 0
+  "21":
+    id: "21"
+    taskid: e109fde4-4b66-4e1f-8734-fadd49886a5e
     type: regular
     task:
-      id: 47b1400e-6d83-483c-875f-7cac4b335481
+      id: e109fde4-4b66-4e1f-8734-fadd49886a5e
       version: -1
       name: Create Jira Incident Ticket
-      description: ''
       script: jira-v2|||jira-create-issue
       type: regular
       iscommand: true
       brand: jira-v2
+      description: ""
     nexttasks:
       '#none#':
-      - '30'
+      - "30"
     scriptarguments:
       assignee: {}
       description: {}
@@ -356,33 +376,35 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 295,
-          "y": 1780
+          "x": 397.5,
+          "y": 1535
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '22':
-    id: '22'
-    taskid: 86aaec3f-7f38-4d4d-800b-406ca59605bd
+    skipunavailable: false
+    quietmode: 0
+  "22":
+    id: "22"
+    taskid: f04b92f6-4e78-460e-8aab-6445d3c500c9
     type: condition
     task:
-      id: 86aaec3f-7f38-4d4d-800b-406ca59605bd
+      id: f04b92f6-4e78-460e-8aab-6445d3c500c9
       version: -1
       name: Can host be contained?
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '30'
-      'yes':
-      - '11'
+      - "30"
+      "yes":
+      - "11"
     separatecontext: false
     conditions:
-    - label: 'yes'
+    - label: "yes"
       condition:
       - - operator: isExists
           left:
@@ -415,33 +437,35 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 990,
-          "y": 810
+          "x": 960,
+          "y": 835
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '23':
-    id: '23'
-    taskid: ce5fa797-bd44-48ba-8ebe-62cbe6f986e5
+    skipunavailable: false
+    quietmode: 0
+  "23":
+    id: "23"
+    taskid: 278d6243-3d8c-4d31-8491-b6168ebffb99
     type: condition
     task:
-      id: ce5fa797-bd44-48ba-8ebe-62cbe6f986e5
+      id: 278d6243-3d8c-4d31-8491-b6168ebffb99
       version: -1
       name: Does Manager Email Exist?
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '30'
-      'yes':
-      - '33'
+      - "30"
+      "yes":
+      - "33"
     separatecontext: false
     conditions:
-    - label: 'yes'
+    - label: "yes"
       condition:
       - - operator: isExists
           left:
@@ -451,55 +475,31 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1570,
-          "y": 1195
+          "x": 1420,
+          "y": 1185
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '24':
-    id: '24'
-    taskid: 50db689b-2583-4a22-844c-868914c79e80
-    type: regular
-    task:
-      id: 50db689b-2583-4a22-844c-868914c79e80
-      version: -1
-      name: Retrieve File Contents
-      description: ''
-      type: regular
-      iscommand: false
-      brand: ''
-    nexttasks:
-      '#none#':
-      - '5'
-    separatecontext: false
-    view: |-
-      {
-        "position": {
-          "x": 310,
-          "y": 260
-        }
-      }
-    note: false
-    timertriggers: []
-    ignoreworker: false
-  '25':
-    id: '25'
-    taskid: 9bccb9d7-118b-4a63-8e1d-288a4fe993a2
+    skipunavailable: false
+    quietmode: 0
+  "25":
+    id: "25"
+    taskid: eccca7ff-aaa7-4864-8345-fc65108a2230
     type: playbook
     task:
-      id: 9bccb9d7-118b-4a63-8e1d-288a4fe993a2
+      id: eccca7ff-aaa7-4864-8345-fc65108a2230
       version: -1
       name: Active Directory - Get User Manager Details
-      description: ''
       playbookName: Active Directory - Get User Manager Details
       type: playbook
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '5'
+      - "5"
     scriptarguments:
       UserEmail:
         simple: ${incident.employeeemail}
@@ -507,34 +507,37 @@ tasks:
     separatecontext: true
     loop:
       iscommand: false
-      exitCondition: ''
+      exitCondition: ""
       wait: 1
+      max: 0
     view: |-
       {
         "position": {
-          "x": 735,
-          "y": 260
+          "x": 305,
+          "y": 340
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '26':
-    id: '26'
-    taskid: 335b248d-7a04-4514-8890-57e3913dcdfa
+    skipunavailable: false
+    quietmode: 0
+  "26":
+    id: "26"
+    taskid: 5db26724-aad0-4316-82f2-c2a6635d5200
     type: regular
     task:
-      id: 335b248d-7a04-4514-8890-57e3913dcdfa
+      id: 5db26724-aad0-4316-82f2-c2a6635d5200
       version: -1
       name: Close Incident
-      description: ''
       script: Builtin|||closeInvestigation
       type: regular
       iscommand: true
       brand: Builtin
+      description: ""
     nexttasks:
       '#none#':
-      - '10'
+      - "10"
     scriptarguments:
       assetid: {}
       closeNotes: {}
@@ -547,57 +550,61 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 480,
-          "y": 2680
+          "x": 407.5,
+          "y": 2205
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '27':
-    id: '27'
-    taskid: 10331857-eb12-46fa-8f1d-6f6239d4ac61
+    skipunavailable: false
+    quietmode: 0
+  "27":
+    id: "27"
+    taskid: ab9f4c32-a0e4-41e9-8228-22724cecae76
     type: condition
     task:
-      id: 10331857-eb12-46fa-8f1d-6f6239d4ac61
+      id: ab9f4c32-a0e4-41e9-8228-22724cecae76
       version: -1
       name: Confirm Network Contain
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '30'
-      'Yes':
-      - '32'
+      - "30"
+      "Yes":
+      - "32"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 1115,
-          "y": 1580
+          "x": 857.5,
+          "y": 1360
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '29':
-    id: '29'
-    taskid: 7387a45c-92d3-44ca-8f63-f66ec2b6ebaa
+    skipunavailable: false
+    quietmode: 0
+  "29":
+    id: "29"
+    taskid: 136c085e-aa37-4bc5-807c-5b7ff981c140
     type: regular
     task:
-      id: 7387a45c-92d3-44ca-8f63-f66ec2b6ebaa
+      id: 136c085e-aa37-4bc5-807c-5b7ff981c140
       version: -1
       name: Send email to manager
-      description: ''
       script: '|||send-mail'
       type: regular
       iscommand: true
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '30'
+      - "30"
     scriptarguments:
       additionalHeader: {}
       attachCIDs: {}
@@ -635,59 +642,63 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1570,
-          "y": 1805
+          "x": 1645,
+          "y": 1535
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '30':
-    id: '30'
-    taskid: ea60127b-366c-4a94-85db-339b32ca66c5
+    skipunavailable: false
+    quietmode: 0
+  "30":
+    id: "30"
+    taskid: 877d11e9-c080-4db3-87ec-76bab3b69cd8
     type: regular
     task:
-      id: ea60127b-366c-4a94-85db-339b32ca66c5
+      id: 877d11e9-c080-4db3-87ec-76bab3b69cd8
       version: -1
       name: Confirm Remediation Is Complete
-      description: ''
       type: regular
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '9'
+      - "9"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 710,
-          "y": 2080
+          "x": 970,
+          "y": 1710
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '31':
-    id: '31'
-    taskid: a7815436-cc18-4236-8833-318204036b2a
+    skipunavailable: false
+    quietmode: 0
+  "31":
+    id: "31"
+    taskid: 4f1b2a83-bf99-4f7b-8ac1-58fff1dd8e73
     type: condition
     task:
-      id: a7815436-cc18-4236-8833-318204036b2a
+      id: 4f1b2a83-bf99-4f7b-8ac1-58fff1dd8e73
       version: -1
       name: Determine if network contain should be bypassed based on host count
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '27'
-      'yes':
-      - '30'
+      - "27"
+      "yes":
+      - "30"
     separatecontext: false
     conditions:
-    - label: 'yes'
+    - label: "yes"
       condition:
       - - operator: greaterThan
           left:
@@ -711,28 +722,30 @@ tasks:
       {
         "position": {
           "x": 990,
-          "y": 1360
+          "y": 1185
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '32':
-    id: '32'
-    taskid: 9e908ce6-7623-4a06-865b-3725d5bab3e1
+    skipunavailable: false
+    quietmode: 0
+  "32":
+    id: "32"
+    taskid: d515a4bf-42b6-4aa4-89ea-33125635ca98
     type: regular
     task:
-      id: 9e908ce6-7623-4a06-865b-3725d5bab3e1
+      id: d515a4bf-42b6-4aa4-89ea-33125635ca98
       version: -1
       name: CrowdStrike Network Contain
-      description: ''
       script: '|||cs-falcon-contain-host'
       type: regular
       iscommand: true
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#none#':
-      - '30'
+      - "30"
     scriptarguments:
       ids:
         simple: ${CrowdStrike.Device.ID}
@@ -741,33 +754,35 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1115,
-          "y": 1805
+          "x": 970,
+          "y": 1535
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
-  '33':
-    id: '33'
-    taskid: df73e338-6ae3-4d35-8d01-76e97fc62866
+    skipunavailable: false
+    quietmode: 0
+  "33":
+    id: "33"
+    taskid: 44c4cdc8-8740-456e-8559-3e3c35286d83
     type: condition
     task:
-      id: df73e338-6ae3-4d35-8d01-76e97fc62866
+      id: 44c4cdc8-8740-456e-8559-3e3c35286d83
       version: -1
       name: Is email integration enabled?
-      description: ''
       type: condition
       iscommand: false
-      brand: ''
+      brand: ""
+      description: ""
     nexttasks:
       '#default#':
-      - '30'
-      'yes':
-      - '29'
+      - "30"
+      "yes":
+      - "29"
     separatecontext: false
     conditions:
-    - label: 'yes'
+    - label: "yes"
       condition:
       - - operator: isExists
           left:
@@ -841,22 +856,82 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1570,
+          "x": 1532.5,
           "y": 1360
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+  "34":
+    id: "34"
+    taskid: 8ef0e565-aa9b-4866-8cae-ec8dcc9a15c9
+    type: playbook
+    task:
+      id: 8ef0e565-aa9b-4866-8cae-ec8dcc9a15c9
+      version: -1
+      name: Code42 File Download
+      playbookName: Code42 File Download
+      type: playbook
+      iscommand: false
+      brand: ""
+      description: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      MD5:
+        complex:
+          root: incident
+          accessor: code42fileevents
+          transformers:
+          - operator: uniq
+          - operator: getField
+            args:
+              field:
+                value:
+                  simple: md5checksum
+      SHA256:
+        complex:
+          root: incident
+          accessor: code42fileevents
+          transformers:
+          - operator: uniq
+          - operator: getField
+            args:
+              field:
+                value:
+                  simple: sha256checksum
+    separatecontext: true
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 735,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+system: true
 view: |-
   {
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 3060,
-        "width": 1900,
+        "height": 2395,
+        "width": 1975,
         "x": 50,
-        "y": -90
+        "y": 50
       }
     }
   }
@@ -866,27 +941,32 @@ inputs:
     simple: Security
   required: false
   description: Jira Project for created incident ticket
+  playbookInputQuery: null
 - key: JiraType
   value:
     simple: Investigation
   required: false
   description: Type of Jira ticket to create
+  playbookInputQuery: null
 - key: JiraSummary
   value:
     simple: Code42 Security Alert for Demisto Incident ${incident.id}
   required: false
   description: Summary to use with Jira ticket creation
+  playbookInputQuery: null
 - key: ContainHostsMax
   value:
-    simple: '2'
+    simple: "2"
   required: false
   description: Maximum number of network hosts to contain.
+  playbookInputQuery: null
 - key: DemistoInstanceURL
   value:
     simple: https://example.com/
   required: false
   description: URL of Demisto instance for emails.
-outputs: []
-fromversion: 5.0.0
+  playbookInputQuery: null
+fromversion: "5.0.0"
 tests:
 - No Test
+outputs: []
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
index a6efe385e6d..82508df7afe 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
@@ -1,4 +1,5 @@
 ## [Unreleased]
+Automated the manual step of retrieving file contents using the Code42 File Download playbook.
 
 
 ## [20.3.3] - 2020-03-18
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
new file mode 100644
index 00000000000..e93c2e3fd23
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -0,0 +1,300 @@
+description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash.
+id: Code42 File Download
+inputs:
+- description: MD5 hash to search for
+  key: MD5
+  playbookInputQuery:
+  required: false
+  value:
+    complex:
+      accessor: MD5
+      root: File
+      transformers:
+      - operator: uniq
+- description: SHA256 hash to search for
+  key: SHA256
+  playbookInputQuery:
+  required: false
+  value:
+    complex:
+      accessor: SHA256
+      root: File
+      transformers:
+      - operator: uniq
+name: Code42 File Download
+outputs: []
+sourceplaybookid: Code42 File Search
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "1"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: d045a003-2e7f-4f47-80c7-3882baf399b6
+      iscommand: false
+      name: ""
+      description: ""
+      version: -1
+    taskid: d045a003-2e7f-4f47-80c7-3882baf399b6
+    timertriggers: []
+    type: start
+    view: |-
+      {
+        "position": {
+          "x": 377.5,
+          "y": 50
+        }
+      }
+  "1":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                filters:
+                - - left:
+                      iscontext: true
+                      value:
+                        simple: brand
+                    operator: isEqualString
+                    right:
+                      value:
+                        simple: Code42
+                - - left:
+                      iscontext: true
+                      value:
+                        simple: state
+                    operator: isEqualString
+                    right:
+                      value:
+                        simple: active
+                root: modules
+          operator: isExists
+      label: "yes"
+    id: "1"
+    ignoreworker: false
+    nexttasks:
+      "yes":
+      - "3"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c
+      iscommand: false
+      name: Is Code42 Integration Active?
+      description: "Checks to see if a Code42 Integration is active."
+      type: condition
+      version: -1
+    taskid: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 377.5,
+          "y": 195
+        }
+      }
+  "2":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              simple: inputs.SHA256
+          operator: isNotEmpty
+      label: "yes"
+    id: "2"
+    ignoreworker: false
+    nexttasks:
+      '#default#':
+      - "7"
+      "yes":
+      - "5"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 935cb1d6-e328-4a8e-888f-347c3b33ce11
+      iscommand: false
+      name: Does SHA256 Exist?
+      description: "Checks to see if a SHA256 hash exists in the inputs."
+      type: condition
+      version: -1
+    taskid: 935cb1d6-e328-4a8e-888f-347c3b33ce11
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 592.5,
+          "y": 545
+        }
+      }
+  "3":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              simple: inputs.MD5
+          operator: isNotEmpty
+      label: "yes"
+    id: "3"
+    ignoreworker: false
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "6"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4
+      iscommand: false
+      name: Does MD5 Exist?
+      description: "Checks to see if a MD5 hash exists in the inputs."
+      type: condition
+      version: -1
+    taskid: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 377.5,
+          "y": 370
+        }
+      }
+  "5":
+    continueonerror: true
+    evidencedata:
+      customfields: {}
+      description:
+        simple: The file that caused the alert.
+    id: "5"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "7"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      hash:
+        simple: ${inputs.SHA256}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Downloads a file from Code42 servers.
+      id: c83baa5d-207c-44de-868c-8b131dc0357b
+      iscommand: true
+      name: Code42 Download by SHA256
+      script: Code42|||code42-download-file
+      type: regular
+      version: -1
+    taskid: c83baa5d-207c-44de-868c-8b131dc0357b
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 720
+        }
+      }
+  "6":
+    continueonerror: true
+    evidencedata:
+      customfields: {}
+      description:
+        simple: The file that caused the alert.
+    id: "6"
+    ignoreworker: false
+    nexttasks:
+      '#none#':
+      - "7"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      hash:
+        simple: ${inputs.MD5}
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: Code42
+      description: Downloads a file from Code42 servers.
+      id: 687edce2-d09d-4ad1-845e-a3ed7b7b7d4a
+      iscommand: true
+      name: Code42 Download by MD5
+      script: Code42|||code42-download-file
+      type: regular
+      version: -1
+    taskid: 687edce2-d09d-4ad1-845e-a3ed7b7b7d4a
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 720
+        }
+      }
+  "7":
+    id: "7"
+    ignoreworker: false
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684
+      iscommand: false
+      name: Complete
+      description: ""
+      type: title
+      version: -1
+    taskid: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684
+    timertriggers: []
+    type: title
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 895
+        }
+      }
+version: -1
+fromversion: 5.0.0
+tests:
+- No Test
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 910,
+        "width": 922.5,
+        "x": 50,
+        "y": 50
+      }
+    }
+  }
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md
new file mode 100644
index 00000000000..044101fc496
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+New playbook for downloading files by MD5 or SHA256 hash.
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md
new file mode 100644
index 00000000000..2e6b6513046
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md
@@ -0,0 +1,79 @@
+This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* Code42
+
+### Scripts
+This playbook does not use any scripts.
+
+### Commands
+* code42-securitydata-search
+* code42-download-file
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| MD5 | MD5 hash to search for | File.MD5 | Optional |
+| SHA256 | SHA256 hash to search for | File.SHA256 | Optional |
+
+## Playbook Outputs
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| Code42.SecurityData | Returned File Results | unknown |
+| Code42.SecurityData.EventTimestamp | Timestamp for event | unknown |
+| Code42.SecurityData.FileCreated | File creation date | unknown |
+| Code42.SecurityData.EndpointID | Code42 device ID | unknown |
+| Code42.SecurityData.DeviceUsername | Username that device is associated with in Code42 | unknown |
+| Code42.SecurityData.EmailFrom | Sender email address for email exfiltration events | unknown |
+| Code42.SecurityData.EmailTo | Recipient emial address for email exfiltration events | unknown |
+| Code42.SecurityData.EmailSubject | Email subject line for email exfiltration events | unknown |
+| Code42.SecurityData.EventID | Security Data event ID | unknown |
+| Code42.SecurityData.EventType | Type of Security Data event | unknown |
+| Code42.SecurityData.FileCategory | Type of file as determined by Code42 engine | unknown |
+| Code42.SecurityData.FileOwner | Owner of file | unknown |
+| Code42.SecurityData.FileName | File name | unknown |
+| Code42.SecurityData.FilePath | Path to file | unknown |
+| Code42.SecurityData.FileSize | Size of file in bytes | unknown |
+| Code42.SecurityData.FileModified | File modification date | unknown |
+| Code42.SecurityData.FileMD5 | MD5 hash of file | unknown |
+| Code42.SecurityData.FileHostname | Hostname where file event was captured | unknown |
+| Code42.SecurityData.DevicePrivateIPAddress | Private IP addresses of device where event was captured | unknown |
+| Code42.SecurityData.DevicePublicIPAddress | Public IP address of device where event was captured | unknown |
+| Code42.SecurityData.RemovableMediaType | Type of removate media | unknown |
+| Code42.SecurityData.RemovableMediaCapacity | Total capacity of removable media in bytes | unknown |
+| Code42.SecurityData.RemovableMediaMediaName | Full name of removable media | unknown |
+| Code42.SecurityData.RemovableMediaName | Name of removable media | unknown |
+| Code42.SecurityData.RemovableMediaSerialNumber | Serial number for removable medial device | unknown |
+| Code42.SecurityData.RemovableMediaVendor | Vendor name for removable device | unknown |
+| Code42.SecurityData.FileSHA256 | SHA256 hash of file | unknown |
+| Code42.SecurityData.FileShared | Whether file is shared using cloud file service | unknown |
+| Code42.SecurityData.FileSharedWith | Accounts that file is shared with on cloud file service | unknown |
+| Code42.SecurityData.Source | Source of file event, Cloud or Endpoint | unknown |
+| Code42.SecurityData.ApplicationTabURL | URL associated with application read event | unknown |
+| Code42.SecurityData.ProcessName | Process name for application read event | unknown |
+| Code42.SecurityData.ProcessOwner | Process owner for application read event | unknown |
+| Code42.SecurityData.WindowTitle | Process name for application read event | unknown |
+| Code42.SecurityData.FileURL | URL of file on cloud file service | unknown |
+| Code42.SecurityData.Exposure | Exposure type for event | unknown |
+| Code42.SecurityData.SharingTypeAdded | Type of sharing added to file | unknown |
+| File | The file object. | unknown |
+| File.Name | File name | unknown |
+| File.Path | File path | unknown |
+| File.Size | File size in bytes | unknown |
+| File.MD5 | MD5 hash of file | unknown |
+| File.SHA256 | SHA256 hash of file | unknown |
+| File.Hostname | Hostname where file event was captured | unknown |
+
+## Playbook Image
+---
+![Code42 Exfiltration Playbook](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
index 50f5c72dfe4..e6a8b3bb6aa 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
@@ -369,7 +369,7 @@ outputs:
 - contextPath: File.MD5
   description: MD5 hash of file
 - contextPath: File.SHA256
-  description: FSHA256 hash of file
+  description: SHA256 hash of file
 - contextPath: File.Hostname
   description: Hostname where file event was captured
 sourceplaybookid: Code42 File Search
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
index 4c7201673fe..ea136d3de4c 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
@@ -70,7 +70,7 @@ This playbook does not use any scripts.
 | File.Path | File path | unknown |
 | File.Size | File size in bytes | unknown |
 | File.MD5 | MD5 hash of file | unknown |
-| File.SHA256 | FSHA256 hash of file | unknown |
+| File.SHA256 | SHA256 hash of file | unknown |
 | File.Hostname | Hostname where file event was captured | unknown |
 
 ## Playbook Image
diff --git a/Packs/Code42/ReleaseNotes/2_0_0.md b/Packs/Code42/ReleaseNotes/2_0_0.md
new file mode 100644
index 00000000000..8b2b76d3b58
--- /dev/null
+++ b/Packs/Code42/ReleaseNotes/2_0_0.md
@@ -0,0 +1,36 @@
+
+#### Integrations
+##### Code42
+- Internal code improvements.
+- Added new commands:
+    - **code42-departingemployee-get-all**
+    - **code42-highriskemployee-add**
+    - **code42-highriskemployee-remove**
+    - **code42-highriskemployee-get-all**
+    - **code42-highriskemployee-add-risk-tags**
+    - **code42-highriskemployee-remove-risk-tags**
+    - **code42-user-deactivate**
+    - **code42-user-reactivate**
+    - **code42-user-block**
+    - **code42-user-unblock**
+    - **code42-user-create**
+    - **code42-file-download**
+- Improve error messages for all Commands to include exception detail.
+- **Code42 Exfiltration Playbook** now downloads the file in replace of a manual step for retrieving file contents.
+- Added new IncidentFields
+    - **Code42 SecurityAlert Description**
+    - **Code42 SecurityAlert Name**
+    - **Code42 SecurityAlert Timestamp**
+    - **Code42 SecurityAlert State**
+    - **Code42 SecurityAlert ID**
+    - **Code42 Severity**
+    - **Code42 Username**
+- Updated **Code42 Security Alert** layout to include Code42 Alert Details.
+- Added new playbooks
+    - **Code42 Change Blocked Status**
+    - **Code42 Create User Playbook**
+    - **Code42 File Download**
+    - **Code42 Change User Activation**
+- Fixed bug in Fetch where errors occurred when `FileCategory` was set to include only one category.
+- Fixed bug in Fetch to handle new Code42 exposure type **Outside trusted domains**.
+- Improved Fetch to handle unsupported exposure types better.