Install and manage the Code42 app for Demisto

Who is this article for?

This article applies to Code42 for Enterprise (see Product plans and features). It does not apply to CrashPlan for Small Business.

This article applies to Code42 cloud environments.

Overview

This article describes how to install, manage, and use the Code42 app for Demisto. Demisto (now Cortex XSOAR) is a security orchestration, automation, and response (SOAR) solution. Using the Code42 app for Demisto, you can view and search Code42 data in Demisto, as well as manage Code42 Departing Employees from Demisto. 

Considerations

To use the Code42 app for Demisto, you must have the Code42 Platinum product plan.

Code42 Platinum free trial
To upgrade to the Code42 Platinum product plan for a free trial, contact your Customer Success Manager (CSM). Code42 Platinum offers our most advanced risk detection, investigation, and response features.

If you're new to Code42, visit https://www.code42.com/trial to get started.

Create a user in Code42

Prepare a user account in your Code42 environment for configuring the Code42 app for Demisto. This user account is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 app for Demisto returns only the data that the roles assigned to this user allow. Create a user with the lowest level of privilege necessary so that its rights are not overly permissive; we recommend assigning the roles in our use case for managing a security application integrated with Code42. After assigning roles, test that the user can access the data you expect, and nothing more.
  • Licensing: As a best practice, create a user in your Code42 environment that is used exclusively to configure the Code42 app for Demisto. Users without a Code42 app archive do not consume a license.
  • Authentication: The user must authenticate with local Code42 credentials. SSO or authentication through any third-party identity provider will not work for this integration.

Configure the Code42 app for Demisto 

  1. Sign in to your Demisto environment.
  2. Select Settings.
  3. Select Integrations > Servers & Services.
  4. Search for Code42.
  5. From the Code42 integration, click Add instance to create and configure a new integration instance. In the Code42 window:
    1. Enter a name for your integration instance.
    2. Enter the URL of your Code42 environment.
    3. Enter the credentials for the user you created.
    4. Check Fetches incidents.
    5. Select the Demisto incident type to which you'd like to map Code42 alerts.
    6. Optional: Select one or more alert severity levels to limit the Code42 alerts you'd like to ingest.
    7. Enter the First fetch time range to determine how far back to go to retrieve alerts on the first run.
    8. Enter the number of alerts to fetch and process per run.
    9. Check Include the list of files in returned incidents to include the file events associated with each alert.
    10. Click Test to validate the connection.
    11. Click Done.

Fetched incidents data

Each Code42 alert that is fetched as a Demisto incident carries the following fields:

  • ID
  • Occurred
  • Username
  • Name
  • Description
  • State
  • Type
  • Severity
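The following is an added example, not code from this article or from the Code42 integration itself. It models how the instance settings from the configuration steps above (First fetch time range, the optional severity filter, the per-run alert limit) and the last-run cursor interact, and maps each alert onto the fetched-incident fields listed above. The alerts, their timestamps and the FileEvents key are constructed for the example; the XSOAR numeric severity scale and the "ids at cursor" bookkeeping are the example's own design, not something the article documents.

```python
import json
from datetime import datetime, timedelta, timezone

# XSOAR incident severity scale: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_TO_XSOAR = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# The eight fields the article lists for a fetched incident.
INCIDENT_FIELDS = ("ID", "Occurred", "Username", "Name", "Description", "State", "Type", "Severity")


def _alert(aid, occurred, severity):
    """Constructed alert in the shape of the Code42.SecurityAlert context; the
    FileEvents key is an assumed stand-in for the attached file-event list."""
    return {"ID": aid, "Occurred": occurred, "Username": "john.user@123.org",
            "Name": "Google Drive - Public via Direct Link",
            "Description": "Alert for public Google Drive files", "State": "OPEN",
            "Type": "FED_CLOUD_SHARE_PERMISSIONS", "Severity": severity,
            "FileEvents": [{"FileName": f"{aid}.docx"}]}


SAMPLE_ALERTS = [                                      # constructed sample data
    _alert("a1", "2020-02-01T10:00:00Z", "LOW"),       # older than the first-fetch window
    _alert("a2", "2020-02-03T08:00:00Z", "HIGH"),
    _alert("a3", "2020-02-03T12:00:00Z", "MEDIUM"),    # a3 and a4 share a timestamp
    _alert("a4", "2020-02-03T12:00:00Z", "HIGH"),
    _alert("a5", "2020-02-03T20:00:00Z", "LOW"),       # dropped by the severity filter in run_demo
    _alert("a6", "2020-02-03T23:00:00Z", "CRITICAL"),
]


def parse_ts(ts):
    """Parse Code42's UTC timestamps; fractions longer than six digits (as in
    2019-10-08T17:38:19.0801650Z on this page) are truncated to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        dt += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return dt


def to_incident(alert, include_files):
    """Map one alert onto the fetched-incident fields listed in the article."""
    incident = {
        "name": alert["Name"],
        "occurred": alert["Occurred"],
        "severity": SEVERITY_TO_XSOAR.get(alert["Severity"], 0),
        "rawJSON": json.dumps(alert),
        "Code42": {k: alert.get(k) for k in INCIDENT_FIELDS},
    }
    if include_files:   # the "Include the list of files" option
        incident["Code42"]["FileEvents"] = alert.get("FileEvents", [])
    return incident


def fetch_incidents(alerts, now, first_fetch, severities, max_fetch, last_run, include_files=False):
    """One fetch-incidents run. first_fetch (timedelta) is the First fetch time
    range, used only when last_run is empty; severities is the optional filter
    (empty set ingests every severity); max_fetch is the per-run limit.
    Returns (incidents, new_last_run)."""
    if last_run.get("last_fetch"):
        start = parse_ts(last_run["last_fetch"])
        seen_at_start = set(last_run.get("ids_at_last_fetch", []))
    else:
        start, seen_at_start = now - first_fetch, set()

    candidates = []
    for alert in alerts:
        occurred = parse_ts(alert["Occurred"])
        if occurred < start:
            continue
        # Alerts at the cursor timestamp already ingested last run are skipped. A plain
        # "strictly newer than cursor" test would lose a4; "at or after" would repeat a3.
        if occurred == start and alert["ID"] in seen_at_start:
            continue
        if severities and alert["Severity"] not in severities:
            continue
        candidates.append(alert)

    candidates.sort(key=lambda a: (parse_ts(a["Occurred"]), a["ID"]))
    batch = candidates[:max_fetch]
    if not batch:
        return [], last_run

    last_ts = parse_ts(batch[-1]["Occurred"])
    ids_at_last = [a["ID"] for a in batch if parse_ts(a["Occurred"]) == last_ts]
    if last_run.get("last_fetch") and parse_ts(last_run["last_fetch"]) == last_ts:
        ids_at_last = sorted(seen_at_start) + ids_at_last   # cursor did not move: keep old IDs too
    new_last_run = {"last_fetch": batch[-1]["Occurred"], "ids_at_last_fetch": ids_at_last}
    return [to_incident(a, include_files) for a in batch], new_last_run


def run_demo():
    """Three consecutive runs with a 1-day first fetch, MEDIUM+ only, 2 alerts per run."""
    now, last_run, batches = parse_ts("2020-02-04T00:00:00Z"), {}, []
    for _ in range(3):
        incidents, last_run = fetch_incidents(SAMPLE_ALERTS, now, timedelta(days=1),
                                              {"MEDIUM", "HIGH", "CRITICAL"}, 2, last_run, True)
        batches.append([inc["Code42"]["ID"] for inc in incidents])
    return batches, last_run


if __name__ == "__main__":
    print(run_demo())
```

Run it and the three batches come out as a2+a3, then a4+a6, then nothing: a4 is not lost even though it shares a3's timestamp, and a3 is not ingested twice. A small per-run limit therefore only delays alerts, it does not drop them, as long as the cursor logic keeps the IDs seen at the cursor timestamp.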

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

code42-securitydata-search

Use code42-securitydata-search to search file events by JSON query, file hash, username, device hostname, exposure type, or a combination of these. You must pass at least one parameter. If you pass the json parameter, all other parameters are ignored; otherwise, the parameters you pass are combined with AND.

Required Permissions

This command requires one of the following roles:

Base Command

code42-securitydata-search

Input

Each input is optional on its own, but at least one of json, hash, username, hostname, or exposure must be supplied.

Argument name Description
json JSON query payload using Code42 query syntax
hash MD5 or SHA-256 hash of file to search for
username Code42 username to search for
hostname Device hostname to search for
exposure Exposure types to search for
results Number of results to return, default is 100

Context output

Path                                           Type     Description
Code42.SecurityData.EventTimestamp             date     Timestamp for event
Code42.SecurityData.FileCreated                date     File creation date
Code42.SecurityData.EndpointID                 string   Code42 device ID
Code42.SecurityData.DeviceUsername             string   Username that the device is associated with in Code42
Code42.SecurityData.EmailFrom                  string   Sender email address for email exfiltration events
Code42.SecurityData.EmailTo                    string   Recipient email address for email exfiltration events
Code42.SecurityData.EmailSubject               string   Email subject line for email exfiltration events
Code42.SecurityData.EventID                    string   Security data event ID
Code42.SecurityData.EventType                  string   Type of security data event
Code42.SecurityData.FileCategory               string   Type of file as determined by Code42
Code42.SecurityData.FileOwner                  string   Owner of file
Code42.SecurityData.FileName                   string   File name
Code42.SecurityData.FilePath                   string   Path to file
Code42.SecurityData.FileSize                   number   Size of file in bytes
Code42.SecurityData.FileModified               date     File modification date
Code42.SecurityData.FileMD5                    string   MD5 hash of file
Code42.SecurityData.FileHostname               string   Hostname where file event was captured
Code42.SecurityData.DevicePrivateIPAddress     string   Private IP addresses of device where event was captured (returned as a list; see the context example)
Code42.SecurityData.DevicePublicIPAddress      string   Public IP address of device where event was captured
Code42.SecurityData.RemovableMediaType         string   Type of removable media
Code42.SecurityData.RemovableMediaCapacity     number   Total capacity of removable media in bytes
Code42.SecurityData.RemovableMediaMediaName    string   Full name of removable media
Code42.SecurityData.RemovableMediaName         string   Name of removable media
Code42.SecurityData.RemovableMediaSerialNumber string   Serial number for removable media device
Code42.SecurityData.RemovableMediaVendor       string   Vendor name for removable device
Code42.SecurityData.FileSHA256                 string   SHA-256 hash of file
Code42.SecurityData.FileShared                 boolean  Whether file is shared using cloud file service
Code42.SecurityData.FileSharedWith             string   Accounts that file is shared with on cloud file service
Code42.SecurityData.Source                     string   Source of file event: cloud or endpoint
Code42.SecurityData.ApplicationTabURL          string   URL associated with application read event
Code42.SecurityData.ProcessName                string   Process name for application read event
Code42.SecurityData.ProcessOwner               string   Process owner for application read event
Code42.SecurityData.WindowTitle                string   Window title for application read event
Code42.SecurityData.FileURL                    string   URL of file on cloud file service
Code42.SecurityData.Exposure                   string   Exposure type for event
Code42.SecurityData.SharingTypeAdded           string   Type of sharing added to file
File.Name                                      string   File name
File.Path                                      string   File path
File.Size                                      number   File size in bytes
File.MD5                                       string   MD5 hash of file
File.SHA256                                    string   SHA-256 hash of file
File.Hostname                                  string   Hostname where file event was captured

Command example

!code42-securitydata-search hash=eef8b12d2ed0d6a69fe77699d5640c7b exposure=CloudStorage,ApplicationRead

Context example

{
    "SecurityData": [
        {
            "ApplicationTabURL": "https://mail.google.com/mail/u/0/?zx=78517y156trj#inbox",
            "DevicePrivateIPAddress": [
                "192.0.2.0",
                "0:0:0:0:0:0:0:1",
                "127.0.0.1"
            ],
            "DeviceUsername": "john.user@123.org",
            "EndpointID": "922302903141234234",
            "EventID": "0_c346c59b-5ea1-4e5d-ac02-92079567a683_922302903141255753_939560749717017940_751",
            "EventTimestamp": "2020-02-03T22:32:10.892Z",
            "EventType": "READ_BY_APP",
            "Exposure": [
                "ApplicationRead"
            ],
            "FileCategory": "IMAGE",
            "FileCreated": "2019-10-07T21:46:09.281Z",
            "FileHostname": "DESKTOP-0004",
            "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
            "FileModified": "2019-10-07T21:46:09.889Z",
            "FileName": "ProductPhoto.jpg",
            "FileOwner": "john.user",
            "FilePath": "C:/Users/john.user/Documents/",
            "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
            "FileSize": 333114,
            "ProcessName": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
            "ProcessOwner": "john.user",
            "Source": "Endpoint",
            "WindowTitle": [
                "Inbox (1) - john.user@c123.org - 123 Org Mail - Google Chrome"
            ]
        },
        {
            "DevicePrivateIPAddress": [
                "192.168.7.7",
                "0:0:0:0:0:0:0:1",
                "127.0.0.1"
            ],
            "DeviceUsername": "john.user@123.org",
            "EndpointID": "922302903141234234",
            "EventID": "0_a2e51c67-8719-4436-a3b5-c7c3724a3144_922302903141255753_939559658795324756_45",
            "EventTimestamp": "2020-02-03T22:22:04.375Z",
            "EventType": "READ_BY_APP",
            "Exposure": [
                "ApplicationRead"
            ],
            "FileCategory": "IMAGE",
            "FileCreated": "2019-10-07T21:46:09.281Z",
            "FileHostname": "DESKTOP-0004",
            "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
            "FileModified": "2019-10-07T21:46:09.889Z",
            "FileName": "ProductPhoto.jpg",
            "FileOwner": "john.user",
            "FilePath": "C:/Users/john.user/Documents/",
            "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
            "FileSize": 333114,
            "ProcessName": "\\Device\\HarddiskVolume4\\Windows\\System32\\MicrosoftEdgeCP.exe",
            "ProcessOwner": "michelle.goldberg",
            "Source": "Endpoint",
            "WindowTitle": [
                "Inbox (7) - jju12431983@gmail.com - Gmail ‎- Microsoft Edge"
            ]
        }
    ]
}

Human readable output

EventType FileName FileSize FileHostname FileOwner FileCategory
READ_BY_APP ProductPhoto.jpg 333114 DESKTOP-001 john.user IMAGE
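The following is an added example for playbook and automation authors; it is not code from this article or from the Code42 integration. It encodes the argument rules stated for code42-securitydata-search (at least one parameter, json overrides everything else, exposure as a comma-separated list, hash as MD5 or SHA-256) and turns the Code42.SecurityData output into the standard File context, collapsing repeated events on the same file into one entry. The two events are constructed from the context example on this page with shortened event IDs; nothing here contacts Code42 or Demisto, and the helper names are the example's own.

```python
import json
import re

SEARCH_ARGS = ("json", "hash", "username", "hostname", "exposure", "results")
HEX_DIGEST = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})")   # MD5 or SHA-256
# Source-event key -> standard File context key, as listed in the context output above.
FILE_KEYS = {"FileName": "Name", "FilePath": "Path", "FileSize": "Size",
             "FileMD5": "MD5", "FileSHA256": "SHA256", "FileHostname": "Hostname"}

# Constructed events, trimmed from this page's context example (event IDs shortened).
SAMPLE_EVENTS = [
    {"EventID": "evt-1", "EventType": "READ_BY_APP", "Exposure": ["ApplicationRead"],
     "FileName": "ProductPhoto.jpg", "FilePath": "C:/Users/john.user/Documents/", "FileSize": 333114,
     "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
     "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
     "FileHostname": "DESKTOP-0004", "DeviceUsername": "john.user@123.org",
     "ProcessName": r"\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe"},
    {"EventID": "evt-2", "EventType": "READ_BY_APP", "Exposure": ["ApplicationRead"],
     "FileName": "ProductPhoto.jpg", "FilePath": "C:/Users/john.user/Documents/", "FileSize": 333114,
     "FileMD5": "eef8b12d2ed0d6a69fe77699d5640c7b",
     "FileSHA256": "5e25e54e1cc43ed07c6e888464cb98e5f5343aa7aa485d174d9649be780a17b9",
     "FileHostname": "DESKTOP-0004", "DeviceUsername": "john.user@123.org",
     "ProcessName": r"\Device\HarddiskVolume4\Windows\System32\MicrosoftEdgeCP.exe"},
]


def build_search_args(**kwargs):
    """Return the argument dict for one code42-securitydata-search call,
    enforcing the rules from the article before anything is sent."""
    unknown = set(kwargs) - set(SEARCH_ARGS)
    if unknown:
        raise ValueError(f"unknown argument(s): {sorted(unknown)}")
    args = {k: v for k, v in kwargs.items() if v not in (None, "", [])}
    results = int(args.pop("results", 100))            # default from the input table
    if not args:
        raise ValueError("pass at least one of json, hash, username, hostname, exposure")
    if "json" in args:
        payload = args["json"] if isinstance(args["json"], str) else json.dumps(args["json"])
        json.loads(payload)                            # reject a malformed query early
        args = {"json": payload}                       # other filters would be ignored anyway
    else:
        if "hash" in args and not HEX_DIGEST.fullmatch(args["hash"]):
            raise ValueError("hash must be an MD5 (32 hex chars) or SHA-256 (64 hex chars) digest")
        if isinstance(args.get("exposure"), (list, tuple)):
            args["exposure"] = ",".join(args["exposure"])
    args["results"] = results
    return args


def to_cli(args):
    """Render args as the War Room command line; values containing spaces are quoted."""
    if "json" in args:
        raise ValueError("this helper does not render json payloads; pass them as a dict from an automation")
    parts = [f'{k}="{v}"' if " " in str(v) else f"{k}={v}" for k, v in args.items()]
    return "!code42-securitydata-search " + " ".join(parts)


def to_file_context(events):
    """One File entry per distinct (SHA256, Hostname, Path, Name) rather than one per event."""
    files = {}
    for ev in events:
        entry = {ctx: ev.get(src) for src, ctx in FILE_KEYS.items()}
        files.setdefault((entry["SHA256"], entry["Hostname"], entry["Path"], entry["Name"]), entry)
    return list(files.values())


def summarize_by_hash(events):
    """Per file hash: hosts, reading processes (basename only) and exposure types seen."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["FileSHA256"], {"hosts": set(), "processes": set(), "exposures": set(), "events": 0})
        if ev.get("FileHostname"):
            s["hosts"].add(ev["FileHostname"])
        if ev.get("ProcessName"):
            s["processes"].add(ev["ProcessName"].rsplit("\\", 1)[-1])
        s["exposures"].update(ev.get("Exposure") or [])
        s["events"] += 1
    return {h: {"hosts": sorted(s["hosts"]), "processes": sorted(s["processes"]),
                "exposures": sorted(s["exposures"]), "events": s["events"]} for h, s in summary.items()}


if __name__ == "__main__":
    print(to_cli(build_search_args(hash="eef8b12d2ed0d6a69fe77699d5640c7b", exposure=["CloudStorage", "ApplicationRead"])))
    print(json.dumps(summarize_by_hash(SAMPLE_EVENTS), indent=2))
```

The hash check matters in practice: a truncated or copy-pasted digest with a stray character returns an empty result set from the search, which a playbook could otherwise misread as "no exposure found".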

code42-alert-get

Retrieve alert details by alert ID. 

Required Permissions

This command requires one of the following roles:

Base Command

code42-alert-get

Input

This input is required. 

Argument name Description
id Alert ID to retrieve 

Context output

Path Type Description
Code42.SecurityAlert.Username string Username associated with alert
Code42.SecurityAlert.Occurred date Alert timestamp
Code42.SecurityAlert.Description string Description of alert
Code42.SecurityAlert.ID string Alert ID
Code42.SecurityAlert.Name string Alert rule name that generated alert
Code42.SecurityAlert.State string Alert state
Code42.SecurityAlert.Type string Type of alert
Code42.SecurityAlert.Severity string Severity of alert

Command example

!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"

Context example

{
    "SecurityAlert": [
        {
            "ID": "a23557a7-8ca9-4ec6-803f-6a46a2aeca62",
            "Name": "Google Drive - Public via Direct Link",
            "Occurred": "2019-10-08T17:38:19.0801650Z",
            "Severity": "LOW",
            "State": "OPEN",
            "Type": "FED_CLOUD_SHARE_PERMISSIONS",
            "Username": "john.user@123.org"
        }
    ]
}

Human readable output

  • Type: FED_CLOUD_SHARE_PERMISSIONS
  • Occurred: 2019-10-08T17:38:19.0801650Z
  • Username: john.user@123.org
  • Name: Google Drive - Public via Direct Link
  • Description: Alert for public Google Drive files
  • State: OPEN
  • ID: a23557a7-8ca9-4ec6-803f-6a46a2aeca62

code42-departingemployee-add

Add a user to Departing Employees

Required Permissions

This command requires one of the following roles:

Base Command

code42-departingemployee-add

Input

Argument name Description Required
username Username to add to Departing Employees Required
departuredate Departure date for the employee in YYYY-MM-DD format Optional
note Note to attach to departing employee Optional

Context output

Path Type Description
Code42.DepartingEmployee.CaseID string Internal Code42 case ID for departing employee
Code42.DepartingEmployee.Username string Username for departing employee
Code42.DepartingEmployee.Note string Note associated with departing employee
Code42.DepartingEmployee.DepartureDate unknown Departure date for departing employee

Command example

!code42-departingemployee-add username="john.user@123.org" departuredate="2020-02-28" note="Leaving for competitor"

Context example

{
    "DepartingEmployee": {
        "CaseID": "892",
        "DepartureDate": "2020-02-28",
        "Note": "Leaving for competitor",
        "Username": "john.user@123.org"
    }
}

Human readable output

CaseID Departure date Note Username
123 2020-02-28 Leaving for competitor john.user@123.org 

code42-departingemployee-remove

Remove a user from Departing Employees

Required Permissions

This command requires one of the following roles:

Base Command

code42-departingemployee-remove

Input

This input is optional. 

Argument name Description
username Username to remove from Departing Employees

Context output

Path Type Description
Code42.DepartingEmployee.CaseID string Internal Code42 Case ID for departing employee
Code42.DepartingEmployee.Username string Username for departing employee

Command example

!code42-departingemployee-remove username="john.user@123.org"

Context example

{
    "DepartingEmployee": {
        "CaseID": "892",
        "Username": "john.user@123.org"
    }
}

Human readable output

CaseID Username
123 john.user@123.org 

code42-alert-resolve

Resolve Code42 security alert

Required Permissions

This command requires one of the following roles:

Base Command

code42-alert-resolve

Input

This input is required. 

Argument name Description
id Alert ID to resolve

Context output

Path Type Description
Code42.SecurityAlert.ID string Alert ID

Command example

!code42-alert-resolve id="eb272d18-bc82-4680-b570-ac5d61c6cca6"

Context example

{
    "SecurityAlert": {
        "ID": "eb272d18-bc82-4680-b570-ac5d61c6cca6"
    }
}

Human readable output

ID: eb272d18-bc82-4680-b570-ac5d61c6cca6
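The following is an added example that chains the commands documented above (code42-alert-get, code42-departingemployee-add, code42-alert-resolve) into one automation; it is not code from this article or from the Code42 integration. In Demisto the `execute` callable would be demisto.executeCommand; here a FakeCode42 class stands in for it and answers with the context shapes shown in this article, so the example runs offline. The HR departure roster, the triage policy (resolve LOW alerts automatically, add confirmed leavers to Departing Employees and resolve only once the add returned a CaseID, escalate everything else), the note text and the resolved-state name are all assumptions of the example.

```python
from datetime import date


class FakeCode42:
    """Offline stand-in for the three commands; all state here is constructed."""

    def __init__(self, alerts):
        self.alerts = {a["ID"]: dict(a) for a in alerts}
        self.departing = {}          # username -> departing-employee case
        self.calls = []              # audit trail of (command, args)
        self._next_case = 892        # CaseID value taken from this page's example

    def execute(self, command, args):
        self.calls.append((command, dict(args)))
        if command == "code42-alert-get":
            alert = self.alerts.get(args["id"])
            return {"SecurityAlert": [alert] if alert else []}
        if command == "code42-alert-resolve":
            self.alerts[args["id"]]["State"] = "RESOLVED"      # state name assumed
            return {"SecurityAlert": {"ID": args["id"]}}
        if command == "code42-departingemployee-add":
            case = self.departing.get(args["username"])
            if case is None:                                  # adding twice must not create two cases
                case = {"CaseID": str(self._next_case), "Username": args["username"],
                        "DepartureDate": args.get("departuredate"), "Note": args.get("note", "")}
                self._next_case += 1
                self.departing[args["username"]] = case
            return {"DepartingEmployee": case}
        raise ValueError(f"unknown command {command}")


def triage_alert(alert_id, execute, departures, auto_resolve=("LOW",)):
    """Assumed playbook. departures maps username -> departure date (YYYY-MM-DD)."""
    alerts = execute("code42-alert-get", {"id": alert_id})["SecurityAlert"]
    if not alerts:
        return {"action": "not-found"}
    alert = alerts[0]
    if alert["State"] != "OPEN":
        return {"action": "skip", "reason": f"state is {alert['State']}"}
    user = alert["Username"]
    if user in departures:
        departure = departures[user]
        date.fromisoformat(departure)     # enforce YYYY-MM-DD before calling the command
        added = execute("code42-departingemployee-add", {
            "username": user, "departuredate": departure,
            "note": f"Added by playbook from alert {alert['ID']} ({alert['Name']})"})
        case_id = added.get("DepartingEmployee", {}).get("CaseID")
        if not case_id:                   # do not close the alert if the add did not succeed
            return {"action": "error", "reason": "departing employee add returned no CaseID"}
        execute("code42-alert-resolve", {"id": alert["ID"]})
        return {"action": "departing-employee", "case_id": case_id}
    if alert["Severity"] in auto_resolve:
        execute("code42-alert-resolve", {"id": alert["ID"]})
        return {"action": "auto-resolved"}
    return {"action": "escalate", "reason": f"{alert['Severity']} alert for {user}"}


def _alert(aid, username, severity):   # constructed, using this page's rule name and type
    return {"ID": aid, "Name": "Google Drive - Public via Direct Link", "Occurred": "2020-02-03T22:32:10Z",
            "Description": "Alert for public Google Drive files", "Severity": severity,
            "State": "OPEN", "Type": "FED_CLOUD_SHARE_PERMISSIONS", "Username": username}


SAMPLE_ALERTS = [
    _alert("a23557a7-8ca9-4ec6-803f-6a46a2aeca62", "john.user@123.org", "LOW"),
    _alert("eb272d18-bc82-4680-b570-ac5d61c6cca6", "jane.doe@123.org", "HIGH"),
    _alert("c3-constructed", "sam.lee@123.org", "HIGH"),
]
DEPARTURES = {"jane.doe@123.org": "2020-02-28"}          # constructed HR roster


def run_demo():
    """Triage every alert twice; the second pass must be a no-op for closed alerts."""
    c42 = FakeCode42(SAMPLE_ALERTS)
    first = [triage_alert(a["ID"], c42.execute, DEPARTURES) for a in SAMPLE_ALERTS]
    second = [triage_alert(a["ID"], c42.execute, DEPARTURES) for a in SAMPLE_ALERTS]
    return first, second, c42


if __name__ == "__main__":
    first, second, c42 = run_demo()
    print(first, second, c42.departing, sep="\n")
```

Two details are worth carrying into a real playbook: the alert is resolved only after the departing-employee add has returned a CaseID, so a failed add leaves the alert open for an analyst, and the state check on re-entry makes the automation safe to run repeatedly on the same alert.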

External resources

Demisto integrations