Customize applications monitored for file exfiltration
- Last updated
- Save as PDF
Who is this article for?
Incydr, no.
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
Overview
This article explains how to use the Code42 API to customize the list of applications monitored for file exfiltration. By default, Code42 monitors activity of applications typically used to upload and download files, such as web browsers, Slack, FileZilla, FTP, and cURL.
The steps to modify the list of applications changed in Code42 server and Code42 app version 8.2. Follow the steps below for your version.
The examples in this article use curl, but the concepts apply to any tool you choose to interact with the Code42 API.
Considerations
- Customizations added in version 7.x do not apply to version 8.2 and later. You must re-apply the customizations after upgrading to version 8.2.
- You must have credentials for a Code42 user with the Org Admin, All Org Admin, or SYSADMIN role.
- Activity monitoring is intended for applications typically used to move files over a network. Adding other types of applications may cause unexpected results.
Version 8.2 and later
Requires both Code42 server and Code42 app version 8.2 or later.
Adding customizations does not change the list of applications Code42 monitors by default.
API request details
- Request URL: https://<your Code42 authority server URL>/api
For example, https://authority-server.example.com:4285/api - Resource:
OrgSetting - Keys:
- Windows:
device_org_winAppActivity_binaryWhitelist - Mac:
device_org_macAppActivity_binaryWhitelist
- Windows:
- Methods:
GETto view your customizations;PUTto modify customizations;DELETEto remove customizations - Additional API documentation https://<your Code42 authority server URL>/apidocviewer
For example, https://authority-server.example.com:4285/apidocviewer/#OrgSetting
View and update monitored applications
Step 1: Find the numeric OrgID
To view and edit the list of monitored applications, you must first identify the numeric ID of the applicable organization.
- Sign in to the Code42 console.
- Select Administration > Organizations > Active.
- Select an organization:
- To apply the same values to your entire Code42 environment, select your top-level organization. This organization is at the top of the organizational hierarchy and is the parent for all other organizations.
- To apply different values based on organization, select each organization you want to modify and repeat the steps below for each organization individually.
- In the web browser's address bar, note the numeric ID in the URL after "organization" but before any query or token parameters. In this example, the OrgID is 123456: https://authority-server.example.com/console/#/organization/123456?t=78910
Step 2: View existing customizations
Use the GET method to view existing custom applications being monitored for file exfiltration. The OrgSetting resource also contains keys for numerous other Code42 settings. Therefore, to view only your customizations, you must include the device_org_winAppActivity_binaryWhitelist or device_org_macAppActivity_binaryWhitelist key as a query parameter.
The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:
curl -X GET \ '<request_url>/api/OrgSetting/<OrgID>?keys=device_org_winAppActivity_binaryWhitelist' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
The Code42 API returns the list of custom applications. If there are no custom applications, thedataparameter in the response is empty. - For Mac devices, repeat the steps above using the key
device_org_macAppActivity_binaryWhitelist.
Step 3: Update applications
Use the PUT method to update the existing list of custom applications. Before sending any updates, make sure to complete Step 2 above to obtain the list of customizations.
The
OrgSetting API resource does not automatically add to existing values. All PUT requests completely replace existing values. Therefore, to change existing customizations, you must first obtain a list of current values, make changes to the list, and then submit the changed list.The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:
curl -X PUT \ '<request_url>/api/OrgSetting/<OrgID>' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username' \ -d '{ "packets": [ { "key": "device_org_winAppActivity_binaryWhitelist", "value": "customProcess.exe,customProcess2.exe", "locked": true } ] }'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. When prompted, enter your password. - Edit the list inside the quotation marks of the
valueparameter to include the names of the applications you want to monitor. - Execute the curl command in your command-line tool of choice.
- For Mac devices, repeat the steps above using the key
device_org_macAppActivity_binaryWhitelist. - To confirm the new settings are applied, re-submit the
GETrequest described in Step 2 above and review the list of custom applications.
Remove your customizations
Use the DELETE method to remove your customized list of monitored applications.
To test this request, submit it first as a
GET request described in Step 2 above and make sure the response includes only the device_org_winAppActivity_binaryWhitelist or device_org_macAppActivity_binaryWhitelist key. Then resubmit it as a DELETE request.The
OrgSetting resource also contains keys for numerous other Code42 settings. Therefore, it is essential to list the correct key as a query parameter in the request URL. Failure to specify only this key will cause other system settings to be deleted by this request.The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:
curl -X DELETE \ '<request_url>/api/OrgSetting/<OrgID>?keys=device_org_winAppActivity_binaryWhitelist' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. When prompted, enter your password. - Execute the curl command in your command-line tool of choice.
A 204 No Content response indicates the Code42 server received the request and deleted your custom list of monitored applications. - For Mac devices, repeat the steps above using the key
device_org_macAppActivity_binaryWhitelist. - To confirm your customizations are removed, re-submit the
GETrequest described in Step 2 above and review the list of monitored applications.
View Code42 defaults
By default, Code42 monitors activity of applications typically used to upload and download files, such as web browsers, Slack, AirDrop, FileZilla, FTP, and cURL. Reviewing the defaults can help you determine if customizations are necessary. For example, if the application is already being monitored, you do not need to add it to your customized list.
To view the Code42 defaults, use the steps above to submit a GET request, but use the org_securityTools_win_binary_whitelist (Windows) or org_securityTools_mac_binary_whitelist (Mac) key instead. For example:
curl -X GET \ '<request_url>/api/OrgSetting/<OrgID>?keys=org_securityTools_win_binary_whitelist' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username'
These are read-only keys; you can view the default values but you cannot change them. Also note that Code42 may update these defaults in future releases as necessary to improve exfiltration detection.
Version 7.x
Requires both Code42 server and Code42 app version 7.x.
If you follow the steps below to customize the list of monitored applications, you are responsible for ongoing maintenance of this list. Your customizations override Code42's defaults, so the list is no longer updated or maintained by Code42. To return to the Code42 defaults, see Remove your customizations.
API request details
- Request URL: https://<your Code42 authority server URL>/api
For example, https://authority-server.example.com:4285/api - Resource:
OrgSetting - Keys:
- Windows:
org_securityTools_win_binary_whitelist - Mac:
org_securityTools_mac_binary_whitelist
- Windows:
- Methods:
GETto view existing monitored applicationsPUTto modify existing monitored applicationsDELETEto completely remove your customized list of monitored applications
- Additional API documentation: https://<your Code42 authority server URL>/apidocviewer
For example, https://authority-server.example.com:4285/apidocviewer/#OrgSetting
View and update monitored applications
Step 1: Find the numeric OrgID
To view and edit the list of monitored applications, you must first identify the numeric ID of the applicable organization.
- Sign in to the Code42 console.
- Select Administration > Organizations > Active.
- Select an organization:
- To apply the same values to your entire Code42 environment, select your top-level organization. This organization is at the top of the organizational hierarchy and is the parent for all other organizations.
- To apply different values based on organization, select each organization you want to modify and repeat the steps below for each organization individually.
- In the web browser's address bar, note the numeric ID at the end of the URL. In this example, the OrgID is 123456: https://authority-server.example.com:4285/console/#/organization/123456
Step 2: View existing applications
Use the GET method to view existing applications being monitored for file exfiltration. The OrgSetting resource also contains keys for numerous other Code42 settings. Therefore, to view only the applications being monitored, you must include the org_securityTools_win_binary_whitelist or org_securityTools_mac_binary_whitelist key as a query parameter.
The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:
curl -X GET \ '<request_url>/api/OrgSetting/<OrgID>?keys=org_securityTools_win_binary_whitelist' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
The Code42 API returns the list of monitored applications. - For Mac devices, repeat the steps above using the key
org_securityTools_mac_binary_whitelist.
Step 3: Add or remove applications
Use the PUT method to add or remove applications. Before sending any updates, make sure to complete Step 2 above to obtain the list of monitored applications.
The
OrgSetting API resource does not automatically add to existing values. All PUT requests completely replace existing values. Therefore, to add to monitored applications, you must first obtain a list of current values and re-submit that entire list with your new additions.The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:
curl -X PUT \ '<request_url>/api/OrgSetting/<OrgID>' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username' \ -d '{ "packets": [ { "key": "org_securityTools_win_binary_whitelist", "value": { "binaryFileNames":[ chrome.exe,chromium.exe,iexplore.exe,firefox.exe,opera.exe,microsoftedge.exe,microsoftedgecp.exe,runtimebroker.exe,browser_broker.exe,sftp.exe,curl.exe,winscp.exe,scp.exe,filezilla.exe,fzsftp.exe,slack.exe ] }, "locked": true } ] }'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. - Edit the list inside the square brackets of the
binaryFileNamesvalue to include only the names of the applications you want to monitor. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
- For Mac devices, repeat the steps above using the key
org_securityTools_mac_binary_whitelist. - To confirm the new settings are applied, re-submit the
GETrequest described in Step 2 above and review the list of monitored applications.
Remove your customizations
Use the DELETE method to completely remove your customized list of monitored applications and return to using the Code42 defaults.
To test this request, submit it first as a
GET request described in Step 2 above and make sure the response includes only the org_securityTools_win_binary_whitelist or org_securityTools_mac_binary_whitelist key. Then resubmit it as a DELETE request.The
OrgSetting resource also contains keys for numerous other Code42 settings. Therefore, it is essential to list the correct key as a query parameter in the request URL. Failure to specify only this key will cause other system settings to be deleted by this request.The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:
curl -X DELETE \ '<request_url>/api/OrgSetting/<OrgID>?keys=org_securityTools_win_binary_whitelist' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username'
- Replace
<request_url>with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamewith your Code42 username. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
A 204 No Content response indicates the authority server received the request and deleted your custom list of monitored applications. - For Mac devices, repeat the steps above using the key
org_securityTools_mac_binary_whitelist. - To confirm your customizations are removed, re-submit the
GETrequest described in Step 2 above and review the list of monitored applications.