Code42

Overview


Code42 provides simple, fast detection and response to everyday data loss from insider threats by focusing on customer data on endpoints and the cloud to answer questions like:

  • Where is my data?
  • Where has my data been?
  • When did my data leave?
  • What data exactly left my organization?

This integration was integrated and tested with the fully-hosted SaaS implementation of Code42 and requires a Platinum level subscription.

Code42 Playbook


Use Cases


  • Ingesting File Exfiltration alerts from Code42
  • Management of Departing Employees within Code42
  • General file event and metadata search

Configure Code42 on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Code42.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • credentials
    • Code42 Console URL for the pod your Code42 instance is running in: This defaults to console.us.code42.com for U.S. SaaS Pod customers; replace with the domain that you use to log into your Code42 console if located in a different SaaS pod.
    • Fetch incidents: Check this box to enable fetching of incidents
    • Incident type: Select which Demisto incident type to map ingested Code42 alerts to
    • Alert severities to fetch when fetching incidents: If desired, select which Alert severities to ingest.
    • First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes): When first run, how long to go back to retrieve alerts.
    • Alerts to fetch per run; note that increasing this value may result in slow performance if too many results are returned at once: Alerts to fetch and process per run. Setting this value too high may have a negative impact on performance.
    • Include the list of files in returned incidents: If checked, the file events associated with the alert are fetched as well.
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


  • ID
  • Occurred
  • Username
  • Name
  • Description
  • State
  • Type
  • Severity
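The fetch-incidents settings above (first fetch time range, alert severities, alerts per run) and the incident fields listed here can be exercised offline with the following added example; it is not the integration's own code. The sample alerts are constructed to match the shape of the code42-alert-get context example, and the Demisto severity numbers (1 low, 2 medium, 3 high) are an assumption about the target incident type.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample alerts shaped like the code42-alert-get context example (not real Code42 data).
SAMPLE_ALERTS = [
    {"ID": "alert-1", "Name": "Google Drive - Public via Direct Link", "Type": "FED_CLOUD_SHARE_PERMISSIONS",
     "Description": "Alert for public Google Drive files", "Occurred": "2020-02-03T20:05:00.0801650Z",
     "Severity": "LOW", "State": "OPEN", "Username": "john.user@123.org"},
    {"ID": "alert-2", "Name": "Google Drive - Public via Direct Link", "Type": "FED_CLOUD_SHARE_PERMISSIONS",
     "Description": "Alert for public Google Drive files", "Occurred": "2020-02-03T22:22:04.375Z",
     "Severity": "HIGH", "State": "OPEN", "Username": "john.user@123.org"},
    {"ID": "alert-3", "Name": "Google Drive - Public via Direct Link", "Type": "FED_CLOUD_SHARE_PERMISSIONS",
     "Description": "Alert for public Google Drive files", "Occurred": "2020-02-03T22:32:10.892Z",
     "Severity": "MEDIUM", "State": "OPEN", "Username": "jane.user@123.org"},
]
DEMISTO_SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # assumed Demisto scale: 0 = unknown, 4 = critical

def parse_code42_time(value):
    """Parse Code42 timestamps like 2019-10-08T17:38:19.0801650Z; the fraction may have 7 digits."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError("unexpected Code42 timestamp: %s" % value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")))

def parse_first_fetch(value, now):
    """'<number> <time unit>' such as '1 hour' or '30 minutes' -> earliest Occurred to ingest."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day)s?\s*", value)
    if not m:
        raise ValueError("first fetch range must look like '1 hour' or '30 minutes'")
    return now - timedelta(**{m.group(2) + "s": int(m.group(1))})

def fetch_incidents(alerts, start, severities=None, limit=50):
    """Alerts after `start`, filtered by `severities`, oldest first, capped at `limit`, as incidents.
    Also returns the newest Occurred processed so the next run starts there and ingests nothing twice."""
    selected = sorted((a for a in alerts
                       if parse_code42_time(a["Occurred"]) > start
                       and (not severities or a["Severity"] in severities)),
                      key=lambda a: parse_code42_time(a["Occurred"]))[:limit]
    incidents = [{
        "name": "Code42 alert: %s (%s)" % (a["Name"], a["Username"]),
        "occurred": a["Occurred"],
        "severity": DEMISTO_SEVERITY.get(a["Severity"], 0),
        # ID, State, Type and Description ride along for the incident type mapping
        "rawJSON": json.dumps(a),
    } for a in selected]
    new_start = parse_code42_time(selected[-1]["Occurred"]) if selected else start
    return incidents, new_start
```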

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. code42-securitydata-search
  2. code42-alert-get
  3. code42-departingemployee-add
  4. code42-departingemployee-remove
  5. code42-alert-resolve

1. code42-securitydata-search


Search for a file in Security Data by JSON query, hash, username, device hostname, exfiltration type, or a combination of parameters. At least one parameter must be passed to the command. If a JSON parameter is passed, it will be used to the exclusion of other parameters, otherwise parameters will be combined with an AND clause.
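The argument rules just described (a `json` payload wins outright, otherwise the remaining arguments are ANDed, and at least one must be present) are shown in working form below. This is an added example, not the integration's code; the Code42 field names (`md5Checksum`, `sha256Checksum`, `deviceUserName`, `osHostName`, `exposure`) and the filter-group layout are assumptions about the Code42 query syntax, and `file_hash` stands for the command's `hash` argument.

```python
import json
import re

# Assumed Code42 Forensic Search field names for each command argument; check
# them against your Code42 query documentation before relying on them.
TERM_FOR_ARG = {"username": "deviceUserName", "hostname": "osHostName", "exposure": "exposure"}

def _hash_term(value):
    """Pick the checksum field from the digest length: 32 hex = MD5, 64 hex = SHA256."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5Checksum"
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256Checksum"
    raise ValueError("hash must be an MD5 (32 hex) or SHA256 (64 hex) digest")

def _group(term, values, clause="AND"):
    """One filter group; several values for the same term are joined with OR."""
    return {"filterClause": clause,
            "filters": [{"operator": "IS", "term": term, "value": v} for v in values]}

def build_search_query(json_arg=None, file_hash=None, username=None, hostname=None,
                       exposure=None, results=100):
    """Mirror the argument rules of code42-securitydata-search (`file_hash` is the `hash` argument).

    A `json` argument is used as-is and every other argument is ignored;
    otherwise each supplied argument becomes a filter group and the groups
    are ANDed together. Calling with no argument at all is an error.
    """
    if json_arg:
        return json.loads(json_arg) if isinstance(json_arg, str) else json_arg
    groups = []
    if file_hash:
        groups.append(_group(_hash_term(file_hash), [file_hash]))
    if username:
        groups.append(_group(TERM_FOR_ARG["username"], [username]))
    if hostname:
        groups.append(_group(TERM_FOR_ARG["hostname"], [hostname]))
    if exposure:  # comma-separated list, e.g. "CloudStorage,ApplicationRead"
        values = [e.strip() for e in exposure.split(",") if e.strip()]
        groups.append(_group(TERM_FOR_ARG["exposure"], values, clause="OR"))
    if not groups:
        raise ValueError("at least one of json, hash, username, hostname or exposure is required")
    return {"groupClause": "AND", "groups": groups, "pgNum": 1, "pgSize": int(results)}
```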

Required Permissions

This command requires one of the following roles:

  • Security Center User
  • Customer Cloud Admin
Base Command

code42-securitydata-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| json | JSON query payload using Code42 query syntax | Optional |
| hash | MD5 or SHA256 hash of file to search for | Optional |
| username | Username to search for | Optional |
| hostname | Hostname to search for | Optional |
| exposure | Exposure types to search for | Optional |
| results | Number of results to return, default is 100 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityData.EventTimestamp | date | Timestamp for event |
| Code42.SecurityData.FileCreated | date | File creation date |
| Code42.SecurityData.EndpointID | string | Code42 device ID |
| Code42.SecurityData.DeviceUsername | string | Username that device is associated with in Code42 |
| Code42.SecurityData.EmailFrom | string | Sender email address for email exfiltration events |
| Code42.SecurityData.EmailTo | string | Recipient email address for email exfiltration events |
| Code42.SecurityData.EmailSubject | string | Email subject line for email exfiltration events |
| Code42.SecurityData.EventID | string | Security Data event ID |
| Code42.SecurityData.EventType | string | Type of Security Data event |
| Code42.SecurityData.FileCategory | string | Type of file as determined by Code42 engine |
| Code42.SecurityData.FileOwner | string | Owner of file |
| Code42.SecurityData.FileName | string | File name |
| Code42.SecurityData.FilePath | string | Path to file |
| Code42.SecurityData.FileSize | number | Size of file in bytes |
| Code42.SecurityData.FileModified | date | File modification date |
| Code42.SecurityData.FileMD5 | string | MD5 hash of file |
| Code42.SecurityData.FileHostname | string | Hostname where file event was captured |
| Code42.SecurityData.DevicePrivateIPAddress | string | Private IP addresses of device where event was captured |
| Code42.SecurityData.DevicePublicIPAddress | string | Public IP address of device where event was captured |
| Code42.SecurityData.RemovableMediaType | string | Type of removable media |
| Code42.SecurityData.RemovableMediaCapacity | number | Total capacity of removable media in bytes |
| Code42.SecurityData.RemovableMediaMediaName | string | Full name of removable media |
| Code42.SecurityData.RemovableMediaName | string | Name of removable media |
| Code42.SecurityData.RemovableMediaSerialNumber | string | Serial number for removable media device |
| Code42.SecurityData.RemovableMediaVendor | string | Vendor name for removable device |
| Code42.SecurityData.FileSHA256 | string | SHA256 hash of file |
| Code42.SecurityData.FileShared | boolean | Whether file is shared using cloud file service |
| Code42.SecurityData.FileSharedWith | string | Accounts that file is shared with on cloud file service |
| Code42.SecurityData.Source | string | Source of file event, Cloud or Endpoint |
| Code42.SecurityData.ApplicationTabURL | string | URL associated with application read event |
| Code42.SecurityData.ProcessName | string | Process name for application read event |
| Code42.SecurityData.ProcessOwner | string | Process owner for application read event |
| Code42.SecurityData.WindowTitle | string | Window title for application read event |
| Code42.SecurityData.FileURL | string | URL of file on cloud file service |
| Code42.SecurityData.Exposure | string | Exposure type for event |
| Code42.SecurityData.SharingTypeAdded | string | Type of sharing added to file |
| File.Name | string | File name |
| File.Path | string | File path |
| File.Size | number | File size in bytes |
| File.MD5 | string | MD5 hash of file |
| File.SHA256 | string | SHA256 hash of file |
| File.Hostname | string | Hostname where file event was captured |

Command Example
!code42-securitydata-search hash=eef8b12d2ed0d6a69fe77699d5640c7b exposure=CloudStorage,ApplicationRead
Context Example
{
  "SecurityData": [
    {
      "ApplicationTabURL": "https://mail.google.com/mail/u/0/?zx=78517y156trj#inbox",
      "DevicePrivateIPAddress": [
        "192.168.7.7",
        "0:0:0:0:0:0:0:1",
        "127.0.0.1"
      ],
      "DeviceUsername": "john.user@123.org",
      "EndpointID": "922302903141234234",
      "EventID": "0_c346c59b-5ea1-4e5d-ac02-92079567a683_922302903141255753_939560749717017940_751",
      "EventTimestamp": "2020-02-03T22:32:10.892Z",
      "EventType": "READ_BY_APP",
      "Exposure": [
        "ApplicationRead"
      ],
      "FileCategory": "IMAGE",
      "FileCreated": "2019-10-07T21:46:09.281Z",
      "FileHostname": "DESKTOP-0004",
      "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
      "FileModified": "2019-10-07T21:46:09.889Z",
      "FileName": "ProductPhoto.jpg",
      "FileOwner": "john.user",
      "FilePath": "C:/Users/john.user/Documents/",
      "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
      "FileSize": 333114,
      "ProcessName": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
      "ProcessOwner": "john.user",
      "Source": "Endpoint",
      "WindowTitle": [
        "Inbox (1) - john.user@c123.org - 123 Org Mail - Google Chrome"
      ]
    },
    {
      "DevicePrivateIPAddress": [
        "192.168.7.7",
        "0:0:0:0:0:0:0:1",
        "127.0.0.1"
      ],
      "DeviceUsername": "john.user@123.org",
      "EndpointID": "922302903141234234",
      "EventID": "0_a2e51c67-8719-4436-a3b5-c7c3724a3144_922302903141255753_939559658795324756_45",
      "EventTimestamp": "2020-02-03T22:22:04.375Z",
      "EventType": "READ_BY_APP",
      "Exposure": [
        "ApplicationRead"
      ],
      "FileCategory": "IMAGE",
      "FileCreated": "2019-10-07T21:46:09.281Z",
      "FileHostname": "DESKTOP-0004",
      "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
      "FileModified": "2019-10-07T21:46:09.889Z",
      "FileName": "ProductPhoto.jpg",
      "FileOwner": "john.user",
      "FilePath": "C:/Users/john.user/Documents/",
      "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
      "FileSize": 333114,
      "ProcessName": "\\Device\\HarddiskVolume4\\Windows\\System32\\MicrosoftEdgeCP.exe",
      "ProcessOwner": "michelle.goldberg",
      "Source": "Endpoint",
      "WindowTitle": [
        "Inbox (7) - jju12431983@gmail.com - Gmail - Microsoft Edge"
      ]
    }
  ]
}
Human Readable Output

| EventType | FileName | FileSize | FileHostname | FileOwner | FileCategory |
| --- | --- | --- | --- | --- | --- |
| READ_BY_APP | ProductPhoto.jpg | 333114 | DESKTOP-001 | john.user | IMAGE |

2. code42-alert-get


Retrieve alert details by alert ID

Required Permissions

This command requires one of the following roles:

  • Security Center User
  • Customer Cloud Admin
Base Command

code42-alert-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Alert ID to retrieve | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.Username | string | Username associated with alert |
| Code42.SecurityAlert.Occurred | date | Alert timestamp |
| Code42.SecurityAlert.Description | string | Description of alert |
| Code42.SecurityAlert.ID | string | Alert ID |
| Code42.SecurityAlert.Name | string | Alert rule name that generated alert |
| Code42.SecurityAlert.State | string | Alert state |
| Code42.SecurityAlert.Type | string | Type of alert |
| Code42.SecurityAlert.Severity | string | Severity of alert |

Command Example
!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"
Context Example
{
  "SecurityAlert": [
    {
      "ID": "a23557a7-8ca9-4ec6-803f-6a46a2aeca62",
      "Name": "Google Drive - Public via Direct Link",
      "Occurred": "2019-10-08T17:38:19.0801650Z",
      "Severity": "LOW",
      "State": "OPEN",
      "Type": "FED_CLOUD_SHARE_PERMISSIONS",
      "Username": "john.user@123.org"
    }
  ]
}
Human Readable Output

| Type | Occurred | Username | Name | Description | State | ID |
| --- | --- | --- | --- | --- | --- | --- |
| FED_CLOUD_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 |

3. code42-departingemployee-add


Add a user to the Departing Employee Lens

Required Permissions

This command requires one of the following roles:

  • Customer Cloud Admin
  • Security Center User + (Org Security Viewer or Cross Org Security Viewer)
Base Command

code42-departingemployee-add

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Username to add to the Departing Employee Lens | Required |
| departuredate | Departure date for the employee in YYYY-MM-DD format | Optional |
| note | Note to attach to Departing Employee | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | string | Internal Code42 Case ID for Departing Employee |
| Code42.DepartingEmployee.Username | string | Username for Departing Employee |
| Code42.DepartingEmployee.Note | string | Note associated with Departing Employee |
| Code42.DepartingEmployee.DepartureDate | unknown | Departure date for Departing Employee |

Command Example
!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"
Context Example
{
  "DepartingEmployee": {
    "CaseID": "892",
    "DepartureDate": "2020-02-28",
    "Note": "Leaving for competitor",
    "Username": "john.user@123.org"
  }
}
Human Readable Output

| CaseID | DepartureDate | Note | Username |
| --- | --- | --- | --- |
| 123 | 2020-02-28 | Leaving for competitor | john.user@123.org |

4. code42-departingemployee-remove


Remove a user from the Departing Employee Lens

Required Permissions

This command requires one of the following roles:

  • Customer Cloud Admin
  • Security Center User + (Org Security Viewer or Cross Org Security Viewer)
Base Command

code42-departingemployee-remove

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Username to remove from the Departing Employee Lens | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.DepartingEmployee.CaseID | unknown | Internal Code42 Case ID for Departing Employee |
| Code42.DepartingEmployee.Username | unknown | Username for Departing Employee |

Command Example
!code42-departingemployee-remove username="john.user@123.org"
Context Example
{
  "DepartingEmployee": {
    "CaseID": "892",
    "Username": "john.user@123.org"
  }
}
Human Readable Output

| CaseID | Username |
| --- | --- |
| 123 | john.user@123.org |

5. code42-alert-resolve


Resolve a Code42 Security alert

Required Permissions

This command requires one of the following roles:

  • Security Center User
  • Customer Cloud Admin
Base Command

code42-alert-resolve

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Alert ID to resolve | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Code42.SecurityAlert.ID | string | Alert ID |

Command Example
!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"
Context Example
{
"SecurityAlert": {
"ID": "eb272d18-bc82-4680-b570-ac5d61c6cca6"
}
}
Human Readable Output

| ID |
| --- |
| eb272d18-bc82-4680-b570-ac5d61c6cca6 |

Additional Information


For additional information on Code42 features and functionality, please visit https://support.code42.com/Administrator/Cloud/Monitoring_and_managing

Known Limitations


Troubleshooting