
Who is this article for?

CrashPlan for Small Business: no.
Code42 for Enterprise: yes. See Product plans and features.

This article applies to Cloud.


Code42 for IBM Resilient

Overview

This article explains how to install and use Code42 for Resilient. IBM Resilient is a security orchestration, automation, and response (SOAR) solution for automating tasks, coordinating workflows, and enabling incident response. Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment. 

Requirements

  • To use Code42 for Resilient, you must have:
    • An existing IBM Resilient environment version 32.0.4502 or later. For directions about how to install and configure an IBM Resilient environment, see IBM Resilient documentation.
    • Python version 2.7. Python version 3 is not currently supported.
  • The system used to run IBM Resilient must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported.
  • Some functions in Code42 for Resilient require a Code42 product plan that includes Forensic File Search. Contact your Customer Success Manager (CSM) for assistance with licensing.

Where to go for help

Code42 Customer Champions can provide support for Code42 for Resilient. However, Code42 can't provide technical support for IBM Resilient itself. Contact IBM support for help with IBM Resilient.

Before you begin

  • Prepare a user account in your Code42 environment for configuring Code42 for Resilient. This user account is used to authenticate and access data in your Code42 environment.
    • Permissions: Code42 for Resilient returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. The Org Admin role has the permissions necessary to run all the Code42 functions. We recommend you test to confirm that the user can access the right data.
    • Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure Code42 for Resilient. Users without a Code42 app archive will not consume a license.
  • Review sections 1-4 of the IBM Resilient Incident Response Platform Function Developer Guide.

Download and install

Step 1: Download Code42 for Resilient

  1. Sign in to the IBM app exchange for Resilient and select Code42 for Resilient.
  2. Click the Download button to download the code42-for-resilient-<version>.zip file to your computer. 
  3. Copy the zip file from your computer to the system on which you're running Resilient Circuits. 

Step 2: Install the Code42 functions

  1. Extract the code42-for-resilient-<version>.zip file.
  2. Install the Code42 Python SDK: 
    pip install py42-<version>.tar.gz

  3. Install Code42 for Resilient:
    pip install code42_for_resilient-<version>.tar.gz

Step 3: Configure resilient-circuits

  1. Create or update the resilient-circuits configuration file.
    For example: resilient-circuits config -u

  2. Enter the configuration values in the configuration file required for Code42: 

[Code42 for Resilient]
# HTTP protocol, host, and port for the Code42 authority
url=
# Username for authenticating with the Code42 web API
username=
# Password for authenticating with the Code42 web API
# Securing this using the res-keyring utility in the resilient package is strongly recommended.
password=
# Controls whether to verify the server's certificate. Set to true (default), false, or a path to a CA bundle to use.
verify_ssl_certs=

We strongly recommend setting verify_ssl_certs to true and using the res-keyring utility in the Resilient package. See Chapter 6 in the Resilient Integration Server Guide for more information.

  3. Apply Code42 custom functions to the Resilient platform:
    resilient-circuits customize
  4. Test the configuration:
    resilient-circuits selftest
  5. Run Resilient Circuits:
    resilient-circuits run
    If you see an error stating the user is not authorized to read from Code42, try restarting the Resilient server.
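Before running selftest it is worth checking the three security-relevant keys in the configuration mechanically. The script below is an added example, not code from Code42 or IBM: a POSIX shell linter that reads the [Code42 for Resilient] section of an app.config and fails on an http:// url, on verify_ssl_certs set to anything other than true, empty, or a CA bundle path, and on a password that is not a res-keyring reference. It assumes the "^name" reference syntax that res-keyring leaves in the file, treats a value beginning with "/" as a CA bundle path, and runs against two constructed sample configs (the console hostname in them is an example value).

```shell
#!/bin/sh
# Added example (not Code42's or IBM's code): lint the [Code42 for Resilient]
# section of a resilient-circuits app.config before "resilient-circuits run".
# Assumptions: the "^name" res-keyring reference syntax, a CA bundle path
# beginning with "/", and the sample hostname/usernames below.

# Print the value of KEY in SECTION of an INI-style file (first match only).
# Usage: ini_get FILE SECTION KEY
ini_get() {
    awk -v section="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                               # section header line
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            in_section = (line == section); next
        }
        in_section && /^[ \t]*#/ { next }           # comment inside the section
        in_section && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Check the three security-relevant keys. Prints one line per check and
# returns the number of failed checks, so 0 means the section is acceptable.
# Usage: lint_code42_config FILE
lint_code42_config() {
    file=$1 fails=0
    url=$(ini_get "$file" "Code42 for Resilient" url)
    verify=$(ini_get "$file" "Code42 for Resilient" verify_ssl_certs)
    password=$(ini_get "$file" "Code42 for Resilient" password)

    case "$url" in
        https://*) echo "OK   url uses HTTPS" ;;
        *) echo "FAIL url must begin with https:// (got '$url')"; fails=$((fails + 1)) ;;
    esac

    # Empty means the default (true); a leading "/" is taken as a CA bundle path.
    case "$verify" in
        ""|true|True|TRUE|/*) echo "OK   verify_ssl_certs=${verify:-true (default)}" ;;
        *) echo "FAIL verify_ssl_certs=$verify disables certificate verification"; fails=$((fails + 1)) ;;
    esac

    case "$password" in
        "^"*) echo "OK   password is a keyring reference ($password)" ;;
        "") echo "FAIL password is empty"; fails=$((fails + 1)) ;;
        *) echo "FAIL password is stored in plaintext; store it with res-keyring"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Write a constructed sample config (KIND is "weak" or "hardened") to FILE.
# Usage: write_sample_config FILE KIND
write_sample_config() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
[Code42 for Resilient]
url=https://console.us.code42.com
username=resilient-svc@example.com
# value held by res-keyring; only the reference lives in the file
password=^code42_password
verify_ssl_certs=true
EOF
    else
        cat > "$1" <<'EOF'
[Code42 for Resilient]
url=http://console.us.code42.com
username=admin@example.com
password=hunter2
verify_ssl_certs=false
EOF
    fi
}

# Demo: lint both constructed configs and report the failure count.
demo_code42_config_lint() {
    dir=$(mktemp -d)
    write_sample_config "$dir/weak.config" weak
    write_sample_config "$dir/hardened.config" hardened
    for f in weak hardened; do
        echo "== $f.config"
        lint_code42_config "$dir/$f.config" || echo "   $? problem(s) found"
    done
    rm -r "$dir"
}
demo_code42_config_lint
```

Run lint_code42_config against the real app.config before resilient-circuits selftest; a non-zero return is the number of settings to fix first. Because ini_get reports only the first matching key, a second copy of the same key lower in the section goes unnoticed, so keep one definition per key.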

In your IBM Resilient environment, the custom Code42 rules, workflows, and functions appear under Customization Settings.

Screenshots: Code42 rules, Code42 workflows, and Code42 custom functions as listed in Customization Settings.

Step 4: Add the Code42 File Events data table

To view the results of the Code42: Search file events function, add the Code42 File Events data table to a new or existing incident tab. The example below shows a new tab labeled "Code42".  

Screenshot: Resilient Layouts, showing the new Code42 tab with the Code42 File Events data table.

Use cases

Investigate a departing employee

Scenario 

For employees leaving your organization, you can add the User Account artifact to an incident to look for file exposure events, providing visibility into how the user was moving files in the days and weeks leading up to the resignation. The results appear in the Code42 File Events data table, from which you can download a file and investigate its contents. 

Steps 

  1. Create an incident. 
  2. Add an artifact with the type User Account.
  3. Click the Actions menu for the artifact and select Code42: Search for file exposure events.
  4. Enter an On or After Date and click Execute.
  5. Select the Notes tab to view the number of file exposure events matching the query, as well as the number of results added to the data table. 
    Up to 100 results appear in the data table. If the total count is over 100, use Code42 Forensic File Search to view all the results.
  6. Select the tab that contains the Code42 File Events data table to view the results.  
  7. (Optional) Click the action menu for one of the listed file events and select Code42: Download file from backup.
    The downloaded file is attached to the incident. It appears under Attachments on the left side of the screen and on the Attachments tab.

Find known malicious files

Scenario 

If you are concerned about malicious files existing on user devices (for example, a specific piece of known malware), use the Malware MD5 Hash artifact to search for where that malicious file may exist in your environment. The search results appear in the Code42 File Events data table, from which you can download the file and investigate its contents.

Steps 

  1. Create an incident. 
  2. Add an artifact with the type Malware MD5 Hash
  3. Click the Actions menu for the artifact and select Code42: Search file events by MD5.  
  4. Select the Notes tab to view the number of file events matching the MD5 hash, as well as the number of results added to the data table.
    Up to 100 results appear in the data table. If the total count is over 100, use Code42 Forensic File Search to view all the results.
  5. Select the tab that contains the Code42 File Events data table to view the results.
  6. (Optional) Click the action menu for one of the listed file events and select Code42: Download file from backup.
    The downloaded file is attached to the incident. It appears under Attachments on the left side of the screen and on the Attachments tab.

Code42 workflows

Code42 for Resilient includes three workflows, triggered by the Code42 rules. These workflows execute Code42 custom functions.   

Code42: Download file from backup

The Code42: Download file from backup workflow downloads the most recently backed-up version of the file related to the file event in the Code42 File Events data table, then attaches the file to the incident. This workflow uses the Code42: Get user by username, Code42: Search devices, and Code42: Download file from backup functions.

Screenshot: Code42 Download file from backup workflow.

Code42: Search file events by MD5 

The Code42: Search file events by MD5 workflow searches Code42 file events for those matching the MD5 hash provided in the Malware MD5 Hash artifact and adds the results to the Code42 File Events data table, using the Code42: Search file events function. 

Screenshot: Code42 Search file events by MD5 workflow.

Code42: Search for file exposure events

The Code42: Search for file exposure events workflow searches Code42 for file exposure events from the devices of the user provided in the User Account artifact. This workflow then adds the file exposure events to the Code42 File Events data table, using the Code42: Search file events function.  

Screenshot: Code42 Search for file exposure events workflow.

Code42 functions

A function in IBM Resilient is an object that performs an action. Code42 custom workflows call these functions. You can also call these functions in workflows you build. Code42 functions perform actions in the Code42 environment you defined in your resilient-circuits configuration file. The available Code42 custom functions appear below, including input parameters and example outputs. Input parameters are required unless noted. 

Code42: Download file from backup

This function downloads a file stored in a backup archive and attaches it to the IBM Resilient incident.

Input parameters 
  • code42_path (Text):  File path for the file you want to download
    • Case insensitive 
    • Requires forward slashes "/" (including for Windows)
    • Enter only one path (file or directory) 
    • Windows examples: 
      • C:/Documents/Newsletters/Summer2018.pdf
      • C:/Users/cbarrett/Documents/Receipts
    • Mac examples:
      • /Users/marlena.pawlak/Documents/315Notes.docx
      • /Users/thomas.black/Desktop
  • code42_device_guid (Text): Globally unique identifier for the device from which you want to download the file
    • See the guid property of the device details returned by the Search devices function. 
    • See the deviceUid property of the device details returned by the Search file events function. 
  • incident_id (Number): Identification number of the IBM Resilient incident  
  • Optional: code42_destination_guid (Text):  Globally unique identifier of the storage destination. See the targetComputerGuid  property in the device details returned by the Search devices function. 
Output 
  • result (bool): True if the file was successfully attached to the incident, False if otherwise
  • error (str): Information on the failure, or None
Raises

Exception if the function cannot connect to Code42.

Code42: Get user by username

This function obtains the user details from a given username. 

Input parameters

code42_username  (Text): The Code42 login name for the user.

Output
  • result (dict): User details. See the Example Response Body in the API Documentation for output syntax. 
  • error (str): If result is None, information on the cause of the error.
Raises

Exception if the function cannot connect to Code42.

Code42: Search devices

This function searches for a device by a given user ID and/or hostname.

Input parameters
  • code42_device_user_uid  (Optional, Text): The user's unique identifier.  See the user_uid in the user details returned by the Get user by username function. 
  • code42_hostname (Optional, Text): Either the name assigned to a device by Code42, the name of the device as reported by the operating system, or the globally unique identifier of the device. 
Output
  • result  (list): List of devices. See the Example Response Body in the API Documentation for syntax. 
  • error (str): If result is None, information on the cause of the error.
Raises

Exception if the function cannot connect to Code42.

Code42: Search file events

This function runs a file event query using Code42 Forensic File Search, for example based on filename, file hash, and/or username. This function facilitates requests with "AND" conditions.

Input parameters
Output
  • result (dict):
    • file_events (list): File events (up to 100*) matching the query. See the Example Value in the API Documentation for syntax. 
    • total_count (int): Number of file events matching the query.  
  • error (str): If result is None, information on the cause of the error.
Raises

Exception if the function cannot connect to Code42.

*If the total count is over 100, use Code42 Forensic File Search to view all the results.

Code42 rules

Code42 for Resilient includes three rules, which trigger the Code42 workflows.  

Code42: Download file from backup

The Code42: Download file from backup rule dictates that in the Code42 File Events data table, the action menu option Code42: Download file from backup appears when hostname, file name, and/or file path has a value. This action menu option runs the Code42: Download file from backup workflow.

Screenshot: Code42 Download file from backup rule.

Code42: Search file events by MD5

The Code42: Search file events by MD5 rule dictates that when you have an artifact with the type Malware MD5 Hash, the action menu option Code42: Search file events by MD5 appears. This action menu option runs the Code42: Search file events by MD5 workflow.

Screenshot: Code42 Search file events by MD5 rule.

Code42: Search for file exposure events 

The Code42: Search for file exposure events rule dictates that when you have an artifact with the type User Account, the action menu option Code42: Search for file exposure events appears. This action menu option runs the Code42: Search for file exposure events workflow.

Screenshot: Code42 Search for file exposure events rule.

Upgrade

To upgrade to a newer version of Code42 for Resilient, complete the same download, install, and configure process described above. Review the configuration file and update any values, as necessary. 

Uninstall

To uninstall Code42 for Resilient: 

  1. Uninstall the Code42 Python SDK and the Code42 for Resilient package:
    pip uninstall py42
    pip uninstall code42-for-resilient
  2. Manually delete the Code42 functions from the Functions screen in the Resilient user interface.
    This may require deleting rules and workflows that use the functions.   

Known issues

In the Code42: Download file from backup workflow and function, if the filename contains Unicode characters, a known issue in IBM Resilient may prevent the downloaded file from being attached to the incident.  
