Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises


Customize applications monitored for file exfiltration

Overview

This article explains how to use the Code42 API to customize the list of applications monitored for file exfiltration. By default, Code42 monitors activity of applications typically used to upload and download files, such as web browsers, Slack, AirDrop, FileZilla, FTP, and cURL. Follow the steps below to add to the default list of monitored applications.

The examples in this article use curl, but the concepts apply to any tool you choose to interact with the Code42 API.

Considerations

  • You must have credentials for a Code42 user with the Customer Cloud Admin, Org Admin, or Cross Org Admin role.
  • Activity monitoring is intended for applications typically used to move files over a network. Adding other types of applications may cause unexpected results.
  • Adding customizations does not change the list of applications Code42 monitors by default.
  • On Mac devices, we recommend granting full disk access to Code42 to ensure we have the necessary permissions to monitor applications for file exfiltration. See Grant Code42 permissions to macOS devices for more details.
  • The steps below apply to Code42 app version 8.0 and later.

API request details

View and update monitored applications

Step 1: Find the numeric OrgID

To view and edit the list of monitored applications, you must first identify the numeric ID of the applicable organization.

  1. Sign in to the Code42 console.
  2. Select Administration > Organizations > Active.
  3. Select an organization:
    • To apply the same values to your entire Code42 environment, select your top-level organization. This organization is at the top of the organizational hierarchy and is the parent for all other organizations.
    • To apply different values based on organization, select each organization you want to modify and repeat the steps below for each organization individually.
  4. In the web browser's address bar, note the numeric ID in the URL after "organization" but before any query or token parameters. In this example, the OrgID is 123456: https://console.us.code42.com/console/#/organization/123456?t=78910

Step 2: View existing customizations

Use the GET method to view existing custom applications being monitored for file exfiltration. The OrgSettings resource also contains keys for numerous other Code42 settings. Therefore, to view only your customizations, you must include the device_org_winAppActivity_binaryWhitelist or device_org_macAppActivity_binaryWhitelist key as a query parameter.

The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:

curl -X GET \
  '<request_url>/api/OrgSettings/<OrgID>?keys=device_org_winAppActivity_binaryWhitelist' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -u 'username'

  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <OrgID> with the number identified in Step 1 above (do not include the brackets in your request).
  3. Replace username with your Code42 username.
  4. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
    The Code42 API returns the list of custom applications. If there are no custom applications, the data parameter in the response is empty.
  5. For Mac devices, repeat the steps above using the key device_org_macAppActivity_binaryWhitelist.

Step 3: Update applications

Use the PUT method to update the existing list of custom applications. Before sending any updates, make sure to complete Step 2 above to obtain the list of customizations.

Updates overwrite existing values
The OrgSettings API resource does not automatically add to existing values. All PUT requests completely replace existing values. Therefore, to change existing customizations, you must first obtain a list of current values, make changes to the list, and then submit the changed list.

The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:

curl -X PUT \
  '<request_url>/api/OrgSettings/<OrgID>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -u 'username' \
  -d '{ 
    "packets": [
        {
            "key": "device_org_winAppActivity_binaryWhitelist",
            "value": "customProcess.exe,customProcess2.exe",
            "locked": true
        }
    ]
}'

  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <OrgID> with the number identified in Step 1 above (do not include the brackets in your request).
  3. Replace username with your Code42 username. When prompted, enter your password.
  4. Edit the list inside the quotation marks of the value parameter to include the names of the applications you want to monitor.
  5. Execute the curl command in your command-line tool of choice.
  6. For Mac devices, repeat the steps above using the key device_org_macAppActivity_binaryWhitelist.
  7. To confirm the new settings are applied, re-submit the GET request described in Step 2 above and review the list of custom applications.
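
Because every PUT replaces the stored value, the new list has to be built from the value returned in Step 2. The following shell functions are an added example, not Code42 code: they merge the current comma-separated value with new names and print the PUT body. The function names and the process name sync.exe are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Code42 code): build the Step 3 PUT body from the value
# returned by the Step 2 GET plus new names, so the overwrite keeps them.

# merge_apps CURRENT [NEW...]: CURRENT is the comma-separated value from the
# GET ("" if none). Prints the merged list; exact duplicates are dropped.
merge_apps() {
    current=${1-}; [ $# -eq 0 ] || shift
    old_ifs=$IFS; IFS=,; set -f       # split on commas only, no globbing
    set -- $current "$@"              # existing names first, then additions
    IFS=$old_ifs; set +f
    merged=""
    for name in "$@"; do
        name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$name" ]; then continue; fi
        case $name in                 # would break the list or the JSON string
            *,*|*\"*|*\\*) echo "invalid name: $name" >&2; return 1 ;;
        esac
        case ",$merged," in
            *",$name,"*) continue ;;  # already in the list
        esac
        merged="${merged:+$merged,}$name"
    done
    printf '%s' "$merged"
}

# build_put_body KEY CURRENT [NEW...]: prints the JSON body for the PUT.
# Only the two customization keys named in this article are accepted.
build_put_body() {
    key=${1-}; [ $# -eq 0 ] || shift
    case $key in
        device_org_winAppActivity_binaryWhitelist|device_org_macAppActivity_binaryWhitelist) ;;
        *) echo "unexpected key: $key" >&2; return 1 ;;
    esac
    value=$(merge_apps "$@") || return 1
    printf '{"packets":[{"key":"%s","value":"%s","locked":true}]}' "$key" "$value"
}

# Demo: the current value is the one from the template above; sync.exe is a
# constructed name. To send the result, pipe it to the PUT command with
# `-d @-` in place of the inline -d body.
build_put_body device_org_winAppActivity_binaryWhitelist \
    'customProcess.exe,customProcess2.exe' 'sync.exe'
echo
```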

Remove your customizations

Use the DELETE method to remove your customized list of monitored applications.

Include key parameter to prevent removal of other system settings
To test this request, submit it first as a GET request described in Step 2 above and make sure the response includes only the device_org_winAppActivity_binaryWhitelist or device_org_macAppActivity_binaryWhitelist key. Then resubmit it as a DELETE request.

The OrgSettings resource also contains keys for numerous other Code42 settings. Therefore, it is very important to list the correct key as a query parameter in the request URL. Failure to specify only this key will cause other system settings to be deleted by this request.

The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:

curl -X DELETE \
  '<request_url>/api/OrgSettings/<OrgID>?keys=device_org_winAppActivity_binaryWhitelist' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -u 'username'

  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <OrgID> with the number identified in Step 1 above (do not include the brackets in your request).
  3. Replace username with your Code42 username. When prompted, enter your password.
  4. Execute the curl command in your command-line tool of choice.
    A 204 No Content response indicates the Code42 cloud received the request and deleted your custom list of monitored applications.
  5. For Mac devices, repeat the steps above using the key device_org_macAppActivity_binaryWhitelist.
  6. To confirm your customizations are removed, re-submit the GET request described in Step 2 above and review the list of monitored applications.
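
A local preflight for the DELETE URL, as an added example that is not Code42 code: it refuses any URL that does not name exactly one of the two customization keys, which also catches a missing query string or an unreplaced <OrgID> placeholder. The function name and the host code42.example are assumptions; refusing comma-joined key lists is a conservative choice, since this article does not describe a multi-key syntax.

```shell
#!/bin/sh
# Added example (not Code42 code): preflight a DELETE URL so the request is
# limited to one customization key, as the warning above requires.

# check_delete_url URL: returns 0 only if URL targets /api/OrgSettings/<digits>
# and its query has exactly one keys= parameter naming one customization key.
check_delete_url() {
    url=${1-}
    case $url in
        *\?*) path=${url%%\?*}; query=${url#*\?}; query=${query%%\#*} ;;
        *) echo "no query string: request is not limited to a key" >&2; return 1 ;;
    esac
    orgid=${path##*/}
    case $path in
        */api/OrgSettings/"$orgid") ;;
        *) echo "not an OrgSettings URL: $path" >&2; return 1 ;;
    esac
    case $orgid in
        ''|*[!0-9]*) echo "OrgID must be numeric: $orgid" >&2; return 1 ;;
    esac
    count=0; value=""
    old_ifs=$IFS; IFS='&'; set -f     # split the query on & only, no globbing
    for pair in $query; do
        case $pair in
            keys=*) count=$((count + 1)); value=${pair#keys=} ;;
        esac
    done
    IFS=$old_ifs; set +f
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one keys= parameter, found $count" >&2; return 1
    fi
    case $value in
        device_org_winAppActivity_binaryWhitelist|device_org_macAppActivity_binaryWhitelist) ;;
        *) echo "keys= must be a single customization key: $value" >&2; return 1 ;;
    esac
}

# Demo with a constructed host; 123456 is the OrgID from the Step 1 example.
url='https://code42.example/api/OrgSettings/123456?keys=device_org_winAppActivity_binaryWhitelist'
if check_delete_url "$url"; then echo "ok to send DELETE"; fi
```

This check complements, and does not replace, the GET test described above.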

View Code42 defaults

By default, Code42 monitors activity of applications typically used to upload and download files, such as web browsers, Slack, AirDrop, FileZilla, FTP, and cURL. Reviewing the defaults can help you determine if customizations are necessary (if the application is already being monitored, you do not need to add it to your customized list).

To view the Code42 defaults, use the steps above to submit a GET request, but use the org_securityTools_win_binary_whitelist (Windows) or org_securityTools_mac_binary_whitelist (Mac) key instead. For example:

curl -X GET \
  '<request_url>/api/OrgSettings/<OrgID>?keys=org_securityTools_win_binary_whitelist' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -u 'username'

These are read-only keys; you can view the default values but you cannot change them. Also note that Code42 may update these defaults as necessary to improve exfiltration detection. 
