Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Install and manage the Code42 Insider Threat app for Splunk


Overview

This tutorial explains how to install, manage, and uninstall the Code42 Insider Threat app for Splunk. Splunk is a platform for data analytics, monitoring, and visualization. The Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show file exposure activity, which can help you identify insider risk.

For descriptions of dashboards in the Code42 Insider Threat app for Splunk, see Code42 Insider Threat app for Splunk reference.

Considerations

  • To use the Code42 Insider Threat app for Splunk, you must have an existing Splunk Enterprise version 7.0 or later environment or a Splunk Cloud environment.
  • The devices used to run Splunk and the Code42 Insider Threat app for Splunk must have network access to the Code42 cloud.
  • Code42 cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Before you begin

Prepare a user account in your Code42 environment for configuring the Code42 Insider Threat app for Splunk. This user is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 Insider Threat app for Splunk returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. We recommend you assign the Cross Org Security Viewer role. For additional roles, see our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the data that they need.
  • Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure the Code42 Insider Threat app for Splunk. Users without a Code42 app archive do not consume a license.

Install the Code42 Insider Threat app for Splunk

Available apps

The Code42 Insider Threat Add-On for Splunk adds Code42-specific dashboards that show file exposure activity, which can help you identify insider risk. You must have a Code42 Platinum or Diamond product plan to use this app. 

If you have a Code42 Gold, Silver, or Bronze product plan and are interested in Splunk, contact your Customer Success Manager (CSM). 

Step 1: Install the app 

  1. From your Splunk home page, click the Apps button.
  2. Select Browse more apps.
  3. In the Browse More Apps panel, search for "Code42".
  4. Click Install on Code42 Insider Threat.
  5. On the Login dialog, enter your Splunk username and password and click Login and Install.
  6. On the Complete dialog, click Open the App.

Distributed Splunk environment

For instructions about deploying the Code42 Insider Threat app to a distributed Splunk environment, see the Splunk documentation.

Step 2: Configure the app

Create an index

A Splunk index acts as a data repository. Create a new index to specify where you want the Code42 data to go. 

  1. Go to Settings > Indexes.
  2. Click New Index.
  3. Configure the index. For additional details, see the Splunk documentation.
  4. (Optional) To make Code42 data appear in the main Splunk interface (as opposed to only in the Code42 Insider Threat app dashboards), select Search and Reporting in the App field. 

Add an account

Add an account that you'll use to connect to your Code42 environment. 

  1. Navigate back to the Code42 Insider Threat Add-on app.
  2. Select Configuration.
  3. From the Account tab, select Add.
    The Add Account dialog appears.
  4. Enter a unique Account name.
  5. Enter the Authority domain you use to sign in to the Code42 console, without the protocol (omit the https:// prefix).
  6. In the Username and Password fields, enter the credentials of the Code42 user that you want to use to authenticate.
    The username and password are added as an account on the Account tab.

Create an input

Create a new input to configure what Code42 data appears in Splunk. 

  1. Select Inputs.
  2. Click Create New Input.
    The Add File Exposure dialog appears.
  3. Enter a unique Name.
  4. Enter the time Interval, in seconds, for retrieving event data from the Code42 cloud instance. The default, 300 seconds (5 minutes), is also the minimum allowed.
  5. Select the Index you created earlier.
  6. Select the Code42 Account you want to use.
  7. Select a Search Behavior of All Exposure Events or Selected Exposure Types.
    • If you choose All Exposure Events, all the types below are treated as selected.
    • If you choose Selected Exposure Types, check one or more types below.
  8. Click Add.

Step 3: Test the app

  1. Start Splunk Enterprise or start Splunk Cloud.
  2. From the list of apps on the Splunk home page, click Code42 Insider Threat Add-On.
    The Risk Exposure Overview appears. 
  3. Explore the data generated by the panels.

Troubleshoot the app

Troubleshooting considerations

  • Data may not appear in the panels immediately. Rather, data updates at scheduled intervals. The scheduled intervals are configured to avoid overloading your Code42 cloud instance with requests.
  • If data for a panel is missing, confirm that the Code42 environment user account has the necessary permissions to view that data within your Code42 environment.

Logs within Splunk Enterprise

The Code42 Insider Threat app for Splunk updates log files that contain useful information for troubleshooting, including error messages and security warnings. For Splunk Enterprise installations, the log files are located at:

<path-to-splunk>/var/log/splunk/TA-code42-insider-threats-add-on

The path to your installation varies by operating system. See the Splunk Enterprise documentation for more information about installation and logging.

Support

If you need support for the Code42 for Splunk (Legacy) app, contact our Customer Champions for Code42 for Enterprise support.

Our Customer Champions cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Splunk Answers

Splunk Answers is a community forum where Splunk users can post questions and get answers about Splunk usage. Go to the following URL for help with the Code42 Insider Threat app for Splunk: 
https://community.splunk.com/t5/All-Apps-and-Add-ons/bd-p/apps-add-ons-all

Upgrade the app

When a new version of the Code42 for Insider Threat app is released, perform the following steps to upgrade.

Splunk Enterprise

  1. From your Splunk home page, click the Apps button.
  2. On the Apps panel, browse to the row for Code42 Insider Threat.
    If there is a later version of the app available, an Update link appears on the row.
  3. Click Update.
  4. Select the option to acknowledge the terms and conditions.
  5. Click Accept and Continue.
  6. Enter your Splunk username and password.
  7. Click Login and Continue.
  8. Click Restart Now to restart Splunk Enterprise and complete the upgrade.

Splunk Cloud

  1. From your Splunk home page, click the Apps button.
  2. On the Apps panel, browse to the row for the Code42 for Insider Threat app.
    If there is a later version of the app available, an Update link appears on the row. 
  3. Click Update.

Uninstall the app

Splunk Enterprise

  1. Open a terminal window (Linux or Mac) or command prompt (Windows) on your Splunk Enterprise server.
  2. Run the following command to stop Splunk Enterprise:
    <path-to-splunk>/bin/splunk stop
  3. Run the following command to remove the Code42 Insider Threat app for Splunk:
    <path-to-splunk>/bin/splunk remove app TA-code42-insider-threats-add-on
  4. Restart Splunk.
    The Code42 for Splunk (Legacy) app no longer appears in the Splunk user interface.

Splunk Cloud

  1. From the Splunk home page, click the Apps button.
  2. On the Apps panel, browse to the row for the Code42 for Splunk (Legacy) app.
  3. Click the Disable link.

Release history 

For release information about the Code42 Insider Threat app for Splunk, see the Release Notes in Splunkbase.