Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Code42 Insider Threat app for Splunk reference

Overview

This article describes the dashboards available in the Code42 Insider Threat app for Splunk. Splunk is a solution for data analytics monitoring and visualization. The Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show file exposure activity, which can help you identify insider risk. 

To install the app, see Install and manage the Code42 Insider Threat app for Splunk.

Considerations

To use the Code42 Insider Threat app for Splunk, you must have an existing Splunk Enterprise version 7.0 or later environment or a Splunk Cloud environment.

Access the Code42 Insider Threat app for Splunk

  1. Start Splunk Enterprise or start Splunk Cloud.
  2. On your Splunk home page, click the Code42 Insider Threat Add-On button.
    The Risk Exposure Overview dashboard appears.

Risk Exposure Overview dashboard

The Risk Exposure Overview dashboard provides a high-level look at file activity in your Code42 environment that could indicate risk. 

To access the Risk Exposure Overview dashboard, click Risk Exposure Overview on the menu bar.

Figure: Insider Threat Dashboard

Mouse over data to access Splunk search
Float your mouse over any pane in the dashboard and click the search icon to perform a Splunk search on the data point. You can also click a segment in a chart to perform a search on that data.
Item | Description
a Splunk menu bar | Default menu bar in Splunk. For usage, see Splunk documentation.
b Risk Exposure Overview | See a snapshot of potentially risky file activity in your Code42 environment, including the number of exposure events, file activity by file category, and cloud file shares.
c Exposure Dashboards | See dashboards for specific exposure types.
d Inputs | View or create an input to configure what Code42 data appears in Splunk.
e Configuration | View and add accounts for connecting to your Code42 environment and view or update logging levels.
f Search | Conduct a custom search.
g Edit | Edit the layout of the dashboard.
h Export | Export data from the dashboard with the following options:
  • Export PDF
  • Print
i ... | Perform actions on the current dashboard:
  • Edit Permissions: Set who has permissions to the dashboard.
  • Convert to HTML: Convert the dashboard to HTML.
  • Clone: Clone the dashboard.
  • Set as Home Dashboard: Set the current dashboard as the home dashboard in the Code42 for Splunk (Legacy) app.
j Index | Select the index for which you want to view data.
k File Category | Optionally filter the data by file category.
l Exclude trusted domains? | Select to exclude events that occur within trusted domains.
m Time Range | Select to view data from a specified time range.
n Keyword Search | Searches the file path, file name, tab URL, and window title by keyword.
o Hide Filters / Show Filters | Hides or shows the filter options from view.
p Unique Users | Displays the number of unique users with file exfiltration activity.
q Exposure Events | Displays the total number of exposure events that meet the filter criteria.
r Browser Reads | Displays the number of files uploaded to a web browser.
s Application Reads | Displays the number of files opened in an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl.
t Cloud File Shares | Displays the number of files where permissions were increased on a file in your cloud services.
u Cloud Desktop Syncs | Displays the number of files that exist in a folder on the device that is used for syncing with a cloud service, such as Box or Google Drive.
v Removable Media Transfers | Displays the number of files moved to an external device, such as a USB drive, memory card, or other external drive.
w File Activity Over Time | Displays file exfiltration activity by file category over time.
x File Activity by File Category | Displays the total number of file events by file category.
y Top 20 Users by File Category | Displays the users with the highest number of file events.

Exposure Dashboards

The Exposure Dashboards menu allows you to open the following dashboards about different types of file exposure: 

Read by browser or other app events are separated
In the Code42 console, browser and app reads are categorized as the same exposure type. In Splunk, web browser events and other application events (such as Slack, AirDrop, FTP, and curl) are displayed in separate dashboards for convenience. 

Removable Media Transfers

The Removable Media Transfers dashboard provides data about file activity that occurred on an external device, such as an external drive or memory card.

To access the Removable Media Transfers dashboard, click Exposure Dashboards > Removable Media Transfers on the menu bar.

Figure: Removable Media Transfers

Item | Description
a Unique Users | Displays the number of unique users with removable media file exfiltration events. Click the value to view the details in a custom search.
b Total Megabytes Exposed | Displays the total size of the files exfiltrated via removable media. Click the value to view the details in a custom search.
c Exposure Events | Displays the number of file exfiltration events via removable media. Click the value to view the details in a custom search.
d File Activity Over Time | Displays the removable media file activity, by file category, over time. Click a line on the graph to filter by that file category.
e File Activity by File Category | Displays the total number of removable media file events by file category. Click a bar on the graph to filter by that file category.
f Top 20 Users by File Activity | Displays the users with the highest number of removable media file events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.

Cloud File Shares

The Cloud File Shares dashboard provides detailed data about files exposed in a cloud service.
Data only appears here if you're licensed for one or more cloud service data sources. 

To access the Cloud File Shares dashboard, click Exposure Dashboards > Cloud File Shares on the menu bar.

Figure: Cloud File Shares

Item | Description
a Unique Users | Displays the number of unique users with file events where one or more users were granted explicit access to the file. Click the value to view the details in a custom search.
b Exposure Events | Displays the number of cloud share file exfiltration events. Click the value to view the details in a custom search.
c File Activity Over Time | Displays the cloud share file activity, by file category, over time. Click a line on the graph to filter by that file category.
d Exfiltration Breakdown by Exposure Type | Lists the cloud share exposure types, along with the number of those events and the unique users.
e File Activity by File Category | Displays the total number of cloud share file events by file category. Click a bar on the graph to filter by that file category.
f Top 20 Users by File Activity | Displays the users with the highest number of cloud share file events. Click a username or number of Events to view the details in a custom search.

Cloud Desktop Syncs

The Cloud Desktop Syncs dashboard provides data about files that exist in a folder on the device used for syncing with a cloud service, such as Box or Google Drive.  

To access the Cloud Desktop Syncs dashboard, click Exposure Dashboards > Cloud Desktop Syncs on the menu bar.

Figure: Cloud Desktop Syncs

Item | Description
a Unique Users | Displays the number of unique users with synced to cloud service exfiltration events. Click the value to view the details in a custom search.
b Exposure Events | Displays the number of synced to cloud service exfiltration events. Click the value to view the details in a custom search.
c File Activity Over Time | Displays the synced to cloud service exfiltration events, by file category, over time. Click a line on the graph to filter by that file category.
d File Activity by File Category | Displays the total number of synced to cloud service exfiltration events, by file category. Click a bar on the graph to filter by that file category.
e Top 20 Users by File Activity | Displays the users with the highest number of synced to cloud service exfiltration events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.
f Most Popular Desktop File Sync Destinations | Lists the sync destinations with the highest number of file events, along with the number of unique users associated with those events.

Browser Reads

The Browser Reads dashboard provides data about files that were opened in a web browser.

To access the Browser Reads dashboard, click Exposure Dashboards > Browser Reads on the menu bar.

Figure: Browser Reads

Item | Description
a Unique Users | Displays the number of unique users who have file exposure events where the file was read by a web browser. Click the value to view the details in a custom search.
b Total Megabytes Exposed | Displays the total size of the files read by browser. Click the value to view the details in a custom search.
c Exposure Events | Displays the number of file exfiltration events with the read by browser exposure type. Click the value to view the details in a custom search.
d File Activity Over Time | Displays the read by browser file activity, by file category, over time. Click a line on the graph to filter by that file category.
e File Activity by File Category | Displays the total number of read by browser exposure events by file category. Click a bar on the graph to filter by that file category.
f Top 20 Users by File Activity | Displays the users with the highest number of read by browser exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g Browser Reads by Domain | Lists the domains with the highest number of read by browser file events, along with the number of events, unique users, and bytes read associated with those events.

App Reads 

The App Reads dashboard provides data about files that were opened in an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl. 

To access the App Reads dashboard, click Exposure Dashboards > App Reads on the menu bar.

Figure: App Reads dashboard

Item | Description
a Unique Users | Displays the number of unique users who have exposure events where the file was read by an app commonly used for uploading files. Click the value to view the details in a custom search.
b Total Megabytes Exposed | Displays the total size of the files read by an app. Click the value to view the details in a custom search.
c Exposure Events | Displays the number of file exfiltration events with the read by app exposure type. Click the value to view the details in a custom search.
d File Activity Over Time | Displays the read by app file activity, by file category, over time. Click a line on the graph to filter by that file category.
e File Activity by File Category | Displays the total number of read by app exposure events by file category. Click a bar on the graph to filter by that file category.
f Top 20 Users by File Activity | Displays the users with the highest number of read by app exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g App Reads by Process Name | Lists the domains with the highest number of read by app file events, along with the number of events, unique users, and bytes read associated with those events. Click a value in the row to filter by that process name.