Skip to main content
Contact Support

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Other available versions:

Version 6Link: What version am I on?

Code42 Support

Code42 app for Splunk Phantom

  1. Last updated
  2. Save as PDF

Overview

This article explains how to install use the Code42 app for Splunk Phantom. Splunk Phantom is a security orchestration, automation, and response (SOAR) solution that lets you automate tasks, coordinate workflows, and enable incident response. The Code42 app for Splunk Phantom adds Code42-specific actions to your Splunk Phantom environment. 

Considerations

  • To use the Code42 app for Splunk Phantom, you must have an existing Splunk Phantom environment. For directions about how to install and configure a Splunk Phantom environment, log in to your Splunk Phantom account and see the documentation.
  • Code42 Customer Champions can provide support for the Code42 app for Splunk Phantom. However, Code42 can't provide technical support for Splunk Phantom itself. Contact Splunk support for help with Splunk Phantom.
  • The devices used to run Splunk Phantom must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported by the Code42 app for Splunk Phantom.
  • To use some actions in the Code42 app for Splunk Phantom, you must have a Code42 product plan that includes Forensic File Search. Contact your  Customer Success Manager (CSM) for assistance with licensing.
  • The Code42 app for Splunk Phantom is different from the Code42 app for Splunk. For more information about the Code42 app for Splunk, see the following articles:

Before you begin

Prepare a user account in your Code42 environment for configuring the Code42 app for Splunk Phantom. This user account is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 app for Splunk Phantom returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. We recommend you test to confirm that the user can access the right data.
  • Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure your Code42 app for Splunk Phantom. This way, configuration of your Code42 app for Splunk Phantom isn’t tied to a particular individual. Users without a Code42 app archive will not consume a license.

Install the Code42 app for Splunk Phantom

Step 1: Download the app

  1. Log in to your Splunk Phantom account.
  2. In the Splunk Phantom menu bar, select Apps > For Phantom.
  3. In the Search Apps box, enter "Code42".
    The search returns the Code42 app.
  4. To the right of Code42, select Download.
    The phantom_code42-<version>.rpm file is downloaded.

Step 2: Install the app and add assets

  1. Open your Splunk Phantom environment. 
  2. In the upper-left corner, click the main menu button (labeled Home by default) and select Apps.
  3. Click INSTALL APP.
  4. Drag the Code42 app file (phantom_code42-<version>.rpm) into the Install App dialog.
  5. Click INSTALL.
  6. Type "Code42" in the Search app names box.
    The Code42 app appears in the Unconfigured Apps tab.
  7. To the right of the Code42 app, click CONFIGURE NEW ASSET. "Assets" are the Code42 environments you want to monitor.
    1. On the Asset Info tab, enter the asset name and description.
    2. On the Asset Settings tab, in the Server URL field, enter the full hostname or IP address of an instance of the Code42 cloud from which you want to gather data. 
    3. In the Username and Password fields, enter the credentials of the Code42 user that you want to use to authenticate.
    4. Select Save.
    5. On the Asset Settings tab, select TEST CONNECTIVITY.
      If the URL, username, and password are correct, you'll see that the connection to the asset was successful. If connection is not successful, check these settings.
    6. Add additional assets if needed. Enter information for each Code42 cloud instance from which you want to receive data.

Access in-app documentation

  1. In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
  2. Type "Code42" in the Search app names box.
    The Code42 app appears in the Configured Apps tab.
  3. In the Code42 app entry, click the Documentation link.
  4. Under the Supported Actions heading, see the documentation for Code42 actions that you can use in your Splunk Phantom environment.

Code42 actions

You can run the following Code42 actions in your Splunk Phantom environment. The following table shows the parameters to enter for each action.

For more detailed information about the action parameters and outputs, see the documentation in the Code42 app for Splunk. For more general information about actions, see the Splunk Phantom documentation.

Action Description Parameters to supply to the action
activate device  Activates a device. 

Device ID 

(computerId attribute)
activate user Activates a user.

User ID 

(userId attribute)
change organization Moves a user to a specific organization.

User ID 

(userId attribute)

 

Organization ID

(OrgId attribute)
deactivate device

Deactivates a device.
 

For Code42 environments that use customized Code42 app installers configured to auto-register users, Code42 recommends you run the quarantine device action to block the device before deactivating. Without first blocking the device, it may reactivate automatically.

Device ID 

(computerId attribute)
deactivate user Deactivates a user.

User ID 

(userId attribute)
deauthorize device Deauthorizes a device.

Device ID 

(computerId attribute)
hunt file

Searches for a file using Forensic File Search.

 MD5 of the file
list devices Lists all devices on the asset. None
list organizations Lists all organizations on the asset. None
list users Lists all users on the asset. None
lock device Invokes an access lock on a specified device.

Device ID 

(computerId attribute)
quarantine device Blocks a device.

Device ID 

(computerId attribute)

run query

Runs a query using Forensic File Search.


For use cases on how to employ this query to alert on a multitude of security issues such as malware or file exfiltration, see Forensic File Search use cases.

Forensic File Search parameters:

  • Start time1
  • End time1 
  • File event:
    • New file
    • Modified
    • No longer observed
  • File hash
  • Filename
  • File path
  • Hostname
  • Username
  • IP address (private)
  • IP address (public)
  • Query (in JSON format)

unlock device

 Deactivates an access lock on a specified device.

Device ID 

(computerId attribute)

unquarantine device

 Unblocks a device.

Device ID 

(computerId attribute)
test connectivity Validates the asset configuration for connectivity using the supplied configuration.  NA

1 Use UNIX Epoch time for start time and end time. Start time and end time fields are required if the Query field is not used; if the Query field is used, all other fields are ignored.

Uninstall the Code42 app for Splunk Phantom

  1. In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
  2. Type "Code42" in the Search app names box.
    The Code42 app appears in the Configured Apps tab.
  3. Under Configured Apps, select Code42.
  4. Click the uninstall button Uninstall button to the right of the Code42 app.
    The Code42 app is uninstalled.

Release history for the Code42 app for Splunk Phantom

Version 1.0.5

January 2019

Initial release of the Code42 app for Splunk Phantom. 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. There are no recommended articles.
  1. Article type
    Topic
    Available in Code42 for Enterprise
    Yes
    Available in Code42 CrashPlan Premium
    Yes
    Available in Code42 CrashPlan Standard
    Yes
    Available in CrashPlan for Small Business
    No
    Stage
    Draft
  2. Tags
    1. Phantom
    2. Splunk