Code42 app for Splunk Phantom
Overview
This article explains how to install and use the Code42 app for Splunk Phantom. Splunk Phantom is a security orchestration, automation, and response (SOAR) solution that lets you automate tasks, coordinate workflows, and enable incident response. The Code42 app for Splunk Phantom adds Code42-specific actions to your Splunk Phantom environment.
Considerations
- To use the Code42 app for Splunk Phantom, you must have an existing Splunk Phantom environment. For directions about how to install and configure a Splunk Phantom environment, log in to your Splunk Phantom account and see the documentation.
- Code42 Customer Champions can provide support for the Code42 app for Splunk Phantom. However, Code42 can't provide technical support for Splunk Phantom itself. Contact Splunk support for help with Splunk Phantom.
- The devices used to run Splunk Phantom must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported by the Code42 app for Splunk Phantom.
- To use some actions in the Code42 app for Splunk Phantom, you must have a Code42 product plan that includes File Metadata Collection. Contact your Customer Success Manager (CSM) for assistance with licensing.
- The Code42 app for Splunk Phantom is different from the Code42 Insider Threat App for Splunk. For more information about the Code42 Insider Threat App for Splunk, see the following articles:
Before you begin
Prepare a user account in your Code42 environment for configuring the Code42 app for Splunk Phantom. This user account is used to authenticate and access data in your Code42 environment.
- Permissions: The Code42 app for Splunk Phantom returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. We recommend you assign the roles in our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the right data.
- Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure your Code42 app for Splunk Phantom. Users without a Code42 app archive will not consume a license.
Install the Code42 app for Splunk Phantom
Step 1: Download the app
- Log in to your Splunk Phantom account.
- In the Splunk Phantom menu bar, select Apps > For Phantom.
- In the Search Apps box, enter "Code42".
The search returns the Code42 app.
- To the right of Code42, select Download.
The phantom_code42-<version>.rpm file is downloaded.
Step 2: Install the app and add assets
- Open your Splunk Phantom environment.
- In the upper-left corner, click the main menu button (labeled Home by default) and select Apps.
- Click INSTALL APP.
- Drag the Code42 app file (phantom_code42-<version>.rpm) into the Install App dialog.
- Click INSTALL.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Unconfigured Apps tab.
- To the right of the Code42 app, click CONFIGURE NEW ASSET. "Assets" are the Code42 environments you want to monitor.
- On the Asset Info tab, enter the asset name and description.
- On the Asset Settings tab, in the Server URL field, enter the full hostname or IP address of an instance of the Code42 cloud from which you want to gather data. If you don't know the URL for your Code42 environment, contact our Customer Champions for support.
- If you sign in to the Code42 console at https://www.crashplan.com/console, enter:
https://www.crashplan.com
- If you sign in to the Code42 console at https://console.us.code42.com/console, enter:
https://authority-east-lb.us.code42.com
- If you sign in to the Code42 console for the Ireland Code42 cloud at https://console.ie.code42.com/console, enter:
https://authority-default-lb.ie.code42.com
- If you sign in to the Code42 console for the Code42 federal environment at https://console.gov.code42.com/console, enter:
https://console.gov.code42.com
- In the Username and Password fields, enter the credentials of the Code42 user that you want to use to authenticate.
- Select Save.
- On the Asset Settings tab, select TEST CONNECTIVITY.
If the URL, username, and password are correct, you'll see that the connection to the asset was successful. If the connection is not successful, check these settings.
- Add additional assets if needed. Enter information for each Code42 cloud instance from which you want to receive data.
Access in-app documentation
- In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
- In the Code42 entry, click the Documentation link.
- Under the Supported Actions heading, see the documentation for Code42 actions that you can use in your Splunk Phantom environment.
Code42 actions
You can run the following Code42 actions in your Splunk Phantom environment. The following table shows the parameters to enter for each action.
For more detailed information about the action parameters and outputs, see the documentation in the Code42 app for Splunk. For more general information about actions, see the Splunk Phantom documentation.
Action | Description | Parameters to supply to the action |
--- | --- | --- |
activate device | Activates a device. | Device ID (computerId attribute) |
activate user | Activates a user. | User ID (userId attribute) |
change organization | Moves a user to a specific organization. | User ID (userId attribute); Organization ID (OrgId attribute) |
deactivate device | Deactivates a device. For Code42 environments that use customized Code42 app installers configured to auto-register users, Code42 recommends you run the quarantine device action to block the device before deactivating. Without first blocking the device, it may reactivate automatically. | Device ID (computerId attribute) |
deactivate user | Deactivates a user. | User ID (userId attribute) |
deauthorize device | Deauthorizes a device. | Device ID (computerId attribute) |
hunt file | Searches for a file using Forensic Search. | MD5 of the file |
list devices | Lists all devices on the asset. | None |
list organizations | Lists all organizations on the asset. | None |
list users | Lists all users on the asset. | None |
lock device | Deprecated. Invokes an access lock on a specified device. | Device ID (computerId attribute) |
quarantine device | Blocks a device. | Device ID (computerId attribute) |
run query | Runs a query using Forensic Search. | Forensic Search parameters (see note 1) |
unlock device | Deactivates an access lock on a specified device. | Device ID (computerId attribute) |
unquarantine device | Unblocks a device. | Device ID (computerId attribute) |
test connectivity | Validates the asset configuration for connectivity using the supplied configuration. | NA |
Note 1: Use UNIX Epoch time for start time and end time. Start time and end time fields are required if the Query field is not used; if the Query field is used, all other fields are ignored.
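The note above gives the rule for the run query action's time fields: start and end are required unless a raw query is supplied, in which case everything else is ignored, and times are sent as UNIX epoch seconds. The helper below is an added example, not code from the Code42 app or from Splunk Phantom, showing how a playbook can build that parameter set without the usual epoch mistakes (naive local-time datetimes, milliseconds instead of seconds, an end before the start). The parameter names start_time, end_time and query are assumptions standing in for the app's Start time, End time and Query fields; the raw query value is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Assumed parameter names; they stand in for the app's Start time, End time and
# Query fields and are not taken from the Code42 app's documentation.
START_KEY, END_KEY, QUERY_KEY = "start_time", "end_time", "query"


def _as_datetime(value):
    """Accept a timezone-aware datetime or an ISO 8601 string with an offset."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        # A naive datetime is interpreted relative to the host's local zone by
        # timestamp(), which silently shifts the search window; refuse it.
        raise ValueError("use timezone-aware datetimes for epoch conversion")
    return value


def to_epoch_seconds(value):
    """Integer UNIX epoch seconds (not milliseconds) for the given time."""
    return int(_as_datetime(value).timestamp())


def build_run_query_params(start=None, end=None, query=None):
    """Build the run query parameters following note 1: a raw query wins and
    every other field is dropped; otherwise start and end are mandatory."""
    if query:
        return {QUERY_KEY: query}
    if start is None or end is None:
        raise ValueError("start and end are required when no query is given")
    start_dt, end_dt = _as_datetime(start), _as_datetime(end)
    if end_dt <= start_dt:
        raise ValueError("end must be later than start")
    return {START_KEY: to_epoch_seconds(start_dt), END_KEY: to_epoch_seconds(end_dt)}


def last_24h_params(now=None):
    """Parameters for a trailing 24-hour window ending at `now` (default: current UTC)."""
    now_dt = _as_datetime(now) if now else datetime.now(timezone.utc)
    return build_run_query_params(start=now_dt - timedelta(hours=24), end=now_dt)


if __name__ == "__main__":
    print(last_24h_params())
    # Placeholder query string; a real Forensic Search query takes its place.
    print(build_run_query_params(start="2019-09-25T12:00:00+00:00",
                                 end="2019-09-26T12:00:00+00:00",
                                 query="<raw Forensic Search query>"))
```

Because the raw query short-circuits the time window, a playbook that lets analysts paste a query should make that precedence visible in its output rather than quietly discarding the start and end times they also entered.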
Uninstall the Code42 app for Splunk Phantom
- In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
- Under Configured Apps, select Code42.
- Click the uninstall button to the right of the Code42 app.
The Code42 app is uninstalled.
Release history for the Code42 app for Splunk Phantom
Following are release highlights. For complete release notes, see the in-app documentation.
Version 1.0.24
September 26, 2019
- Fixes an issue that caused the lock device action to fail.
- Fixes the known issue in version 1.0.5 in which requests went to a single Code42 cloud URL when performing the run query action.
Version 1.0.5
November 2, 2018
Initial release of the Code42 app for Splunk Phantom.
Known issue
For the run query action, requests go to a single Code42 cloud URL regardless of the URL entered when you configured the asset. Requests go to https://authority-east-lb.us.code42.com, the URL used by Code42 environments that access the Code42 console at https://console.us.code42.com/console.
To resolve this issue, install the latest version of the Code42 app for Splunk Phantom.
This problem affects your installation if you use the run query action and your asset configuration uses a different Code42 cloud URL:
- Code42 environments that access the Code42 console at https://www.crashplan.com/console use the URL https://www.crashplan.com
- Code42 environments that connect to the Ireland Code42 cloud and access the Code42 console at https://console.ie.code42.com/console use the URL https://authority-default-lb.ie.code42.com
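A quick way to confirm whether an installation was exposed to this issue, or to verify that the fix took effect after upgrading, is to compare the Code42 hosts the Phantom host actually connected to against the Server URL configured on the asset. The script below is an added example, not part of the Code42 app or the Splunk Phantom product; it assumes a constructed "<timestamp> <action> <url>" line format standing in for whatever your egress proxy or firewall records, and the five sample lines are constructed, not real captures. For an Ireland asset, misrouted run query requests also mean search traffic left the configured region, which is worth recording in the incident notes.

```python
from urllib.parse import urlparse

# Constructed sample of outbound HTTPS requests made by the Code42 app from a
# Phantom host. The "<timestamp> <action> <url>" layout is an assumption for
# this example, not Phantom's or any proxy's real log format.
SAMPLE_LOG = """\
2018-11-05T10:01:12Z test_connectivity https://www.crashplan.com
2018-11-05T10:02:40Z list_devices https://www.crashplan.com
2018-11-05T10:03:05Z run_query https://authority-east-lb.us.code42.com
2018-11-05T10:09:51Z run_query https://authority-east-lb.us.code42.com
2018-11-05T10:12:00Z quarantine_device https://www.crashplan.com
"""

# Host that version 1.0.5's run query action used regardless of asset settings.
KNOWN_ISSUE_HOST = "authority-east-lb.us.code42.com"


def parse_log(text):
    """Yield (timestamp, action, host) tuples; malformed or blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, action, url = parts
        yield timestamp, action, urlparse(url).hostname


def find_misrouted(text, asset_server_url):
    """Return requests whose destination differs from the asset's configured Server URL."""
    expected = urlparse(asset_server_url).hostname
    return [entry for entry in parse_log(text) if entry[2] != expected]


def matches_known_issue(misrouted):
    """True when every misrouted request is a run query to the hard-wired US host,
    the signature of the 1.0.5 issue. Any other destination is not explained by
    this issue and should be investigated on its own."""
    return bool(misrouted) and all(
        action == "run_query" and host == KNOWN_ISSUE_HOST
        for _, action, host in misrouted
    )


if __name__ == "__main__":
    misrouted = find_misrouted(SAMPLE_LOG, "https://www.crashplan.com")
    for timestamp, action, host in misrouted:
        print(f"{timestamp} {action} -> {host}")
    print("consistent with the 1.0.5 run query issue:", matches_known_issue(misrouted))
```

Running the same comparison after installing the latest version should return an empty list; if run query requests still leave for a host other than the configured one, the upgrade did not take effect or another component is involved.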