Integrate Code42 with LogRhythm

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Incydr Professional and Enterprise

Incydr Basic and Advanced

CrashPlan Cloud

CrashPlan for Small Business

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

LogRhythm is a security information and event management (SIEM) tool that helps you detect and respond to threats. This tutorial explains how to ingest file exfiltration event data from Code42 into LogRhythm using the Code42 command-line interface (CLI).

Considerations

Python version 3.5 or later is required. For instructions on downloading and installing Python, see the Python documentation.
Your LogRhythm orchestration server must be able to connect via SSL (ports 80 and 443) to your Code42 console address.

Before you begin

Prepare a Code42 user account

To integrate with LogRhythm using the Code42 command-line interface, create a Code42 user service account. This must be a local (non-SSO) user assigned roles that provide the necessary permissions. We recommend you assign the roles in our use case for managing a security application integrated with Code42.

Install and configure the Code42 CLI

To integrate Code42 with LogRhythm, you must first install the Code42 command-line interface (CLI) and create a profile following the instructions in Introduction to the Code42 command-line interface.

Create an automated task for the Code42 CLI

After you've completed the steps of creating a user and setting up the Code42 CLI, create an automated task or cron job for running a query on a scheduled basis.

Linux cron job

Create a cron job for the user account on the Linux system. The script below is a static example. Modify it to meet the needs of your local environment.

crontab -e
 
*/15 * * * * dbus-run-session -- /home/exampledirectory/scriptname.sh

(Optional) To log the cron job, add the following at the end of the script:

>> /home/exampledirectory/<examplelogname.log> 2>&1

Ensure that the script is executable.
The script below is a dynamic example for the most recent file events.

#!/bin/bash 
eval "$(printf '\n' | gnome-keyring-daemon --unlock)"
/home/yourdirectory/.local/bin/code42 security-data write-to /home/yourdirectory/yourscript -b YYYY-MM-DD -f CEF --profile yourprofile -I

You can optionally add --include-non-exposure to your script. Use this command to get all forensics data in LogRhythm: exposure and non-exposure events. Consider, however, that including non-exposure events adds a large amount of data, which can impact storage and time to live.

Windows automated task

Step 1: Create a script

Create a script (for example, batch, Powershell, or other) to execute the Code42 CLI command with arguments required. The script makes it easy to perform adjustments or execute complex (compound) queries. In the example below, run.bat is used.

@echo off
 
code42 security-data write-to c:\logrhythm\c42\code42data.txt -f CEF -b 2020-04-27 -i --profile demo_profile
code42 additional queries here as needed

Step 2: Create a scheduled task

Use Task Scheduler to create a scheduled task to repeat as needed.

From the Triggers tab, create a new trigger.
Set the trigger to run Daily.
Set the trigger to Recur every: 1 days.
Select Repeat task every and choose a time frame.
Choose the duration of: Indefinitely.
(Optional) Select Stop task if it runs longer than: 30 minutes.
From the Actions tab, create the action to execute batch script (for example, run.bat).
(Optional) From the Settings tab, select the retry and force stop settings that match the recurring schedule.

Collect the flat file in LogRhythm

Upon completing the steps above, Code42 data is written to a flat file on the orchestration server. Set up a LogRhythm Collection Agent to collect and ingest the flat file.

Considerations

In the LogRhythm console, create:
- A new custom log source type
- MPE rules
- Log processing policy
- (Optional) Custom common events, to parse the Code42 data according to your needs
Please refer to the LogRhythm Community for instructions on how to create Custom MPE Rules, Log Processing Policy, and custom common events. You must have LogRhythm Community credentials to access those instructions.

Create a new custom log source type

In the LogRhythm console, select Deployment Manager.
Select Tools > Knowledge > Log Source Type Manager.
The Log Source Type Manager window opens.
Click the New (+) icon.
The Log Source Type Properties window opens.
Enter a Name.
Enter an Abbreviation.
Select a Log Format.
(Optional) Enter a Brief Description.
Click OK.

Create custom message processing engine rules

Create custom message processing engine (MPE) rules for parsing messages, pulling in fields, and making tags. The rules you create may vary depending on your use cases and deployment details.

In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
Click the Create a new rule (+) icon to create a new rule.
Enter the Rule Name.
Select a Common Event.
For the Rule Status, select Production.
Select an option from the Log Message Source Type Associations column.
See the regex below to enter in the Base-rule Regular Expression field.
Click the Save icon to save the rule.
(Optional) To create another rule, click the Create a new rule (+) icon.
Repeat the above steps to create as many rules as necessary.

Create an MPE rule sort order

In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
Click the Open rule library folder icon.
From the Rule Browser window, search for the custom log source type you created.
Click Edit > Edit Base-rule Sorting.
The Rule Sorter window opens.
Select Auto-Sort for all exposure rules.
Using the arrow buttons on the left, sort non-exposure rules below exposure rules and leave auto-sort unchecked.
Move Catch all rules to the bottom of the list and leave auto-sort unchecked.
Click OK.

Create a log processing policy

In the LogRhythm console, select Deployment Manager.
Click Log Processing Policies.
Click the New (+) icon to create a new log processing policy.
The Log Source Type Selector window opens.
From the Record Type Filter column, select Custom.
Select the Log Source Type you created earlier.
Click OK.
The MPE Policy Editor window opens.
Enter a Name.
Below the list of rules, right-click and select Check All.
Right-click the last row again and select Properties.
The MPE Policy Rule Editor window opens.
Select Enabled.
Click OK.
The MPE Policy Rule Editor window closes.
Confirm that all rules are enabled.
Click OK.

Add the newly created log source to be collected by a LogRhythm system monitor agent

In the LogRhythm console, select Deployment Manager.
Select System Monitors.
Right-click on the System Monitor Agent you want to use to collect the log source you created previously.
Click Properties.
The System Monitor Agent Properties window opens.
Right-click on the bottom box and select New.

The Log Message Source Properties window opens.
Enter the necessary information on the Basic Configuration tab.
For the Log Message Source Name choose the log source you just created.
In the Log Message Processing Settings section, Log Message Processing Engine (MPE) Policy option, choose the policy you just created.
Select the Flat File Settings tab.
In the File Path field, enter the file path where you configured the Code42 CLI to saving the flat file.
Select the Date Parsing Format ... icon.
The Date Format Manager window opens.
Right-click in the window and select New.

The Date Format Properties window opens.
Enter a Name.
Enter the following Regex: CEF:0.*?end=<UTC><unix>
Click OK.
(Optional):
1. Click the Additional Settings tab.
2. Select Start Collection from beginning of the log.
Click OK.

Base-rule regex

See below for example strings to enter in the Base-Rule Regular Expression field when creating MPE rules, along with guidance on sort order position.

App read exposure

Sort order position: 1
Auto Sort: True
Common Event: Suspicious Activity

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?filePath=(?<objectname>(?:(?!fname).)*)\sfname=(?<object>(?:(?!filetype).)*)\sfiletype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+)\s.*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\sshost=(?<sname>[^\s]+)\sdvchost=(?<sip>[^\s]+)\ssrc=(?<snatip>[^\s]+).*?sourceServiceName=(?<session>\w+)\sreason=(?<reason>\w+).*?sproc=(?<parentprocesspath>(?:(?!request).)*)\srequestClientApplication=(?<processname>(?:(?!request).)*)\srequest=(?<url>[^\s]+)

Shared via cloud storage exposure

Sort order position: 2
Auto Sort: True
Common Event: Suspicious Activity

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?filePath=(?<objectname>(?:(?!fname).)*)\sfname=(?<object>(?:(?!filetype).)*)filetype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+)\s.*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\sshost=(?<sname>[^\s]+)\sdvchost=(?<sip>[^\s]+)\ssrc=(?<snatip>[^\s]+).*?sourceServiceName=(?<threatname>\w+)\sreason=(?<reason>\w+).*?destinationServiceName=(?<dname>\w+)

Shared via link exposure

Sort order position: 3
Auto Sort: True
Common Event: Suspicious Activity

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?fname=(?<object>(?:(?!filetype).)*)filetype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+).*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\ssourceServiceName=(?<threatname>\w+)\sfilePath=(?<objectname>(?:(?!fname).)*)reason=(?<reason>\w+

Shared via removable media exposure

Sort order position: 4
Auto Sort: True
Common Event: Suspicious Activity

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?filePath=(?<objectname>(?:(?!fname).)*)\sfname=(?<object>(?:(?!filetype).)*)filetype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+)\s.*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\sshost=(?<sname>[^\s]+)\sdvchost=(?<sip>[^\s]+)\ssrc=(?<snatip>[^\s]+).*?sourceServiceName=(?<session>\w+)\sreason=(?<reason>\w+).*?cs2=(?<vendorinfo>(?:(?!cs2Label).)*).*?cs3=(?<version>(?:(?!cs3Label).)*).*?cs4=(?<serialnumber>\w+).*?cn1=(?<rate>\d+).*?cs1=(?<vmid>\w+)

Shared via email

Sort order position: 5
Auto Sort: True
Common Event: Suspicious E-mail Activity

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?fname=(?<object>(?:(?!filetype).)*)filetype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+).*?\ssourceServiceName=(?<threatname>\w+)\ssuser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\sduser=(?<account>.*)

Endpoint non-exposure

Sort order position: 6
Auto Sort: True
Common Event: Filestream Information

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?filePath=(?<objectname>(?:(?!fname).)*)\sfname=(?<object>(?:(?!filetype).)*)\sfiletype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+)\s.*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\sshost=(?<sname>[^\s]+)\sdvchost=(?<sip>[^\s]+)\ssrc=(?<snatip>[^\s]+).*?sourceServiceName=(?<session>\w+)

Cloud non-exposure

Sort order position: 7
Auto Sort: True
Common Event: Filestream Information

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?fname=(?<object>(?:(?!filetype).)*)filetype=(?<objecttype>[^\s]+)\sfsize=(?<size>\d+)\sfilehash=(?<hash>\w+).*?suser=(?<login>[^\s]+(?<domain>(?<=@)[^\s]+))\ssourceservicename=(?<session>\w+)\sfilepath=(?<objectname>[^\n]+)

Catch all

Sort order position: 8
Auto Sort: True
Common Event: General Information

CEF:0\|Code42\|Advanced.*?\|\d+\|.*?\|(?<action>\w+)\|(?<severity>\d+).*?reason=(?<reason>\w+)

Test regex rule matching and performance

From the custom MPE rule you created, click the Test Center tab.
Right-click in the bottom Test Center section.
Select Import Log Messages Manually.

The Test Log Importer window opens.
Paste in the sample logs from the flat file on the orchestration server.
Click OK.
Click Test All.
The Rule Builder Test Results window opens.
Review the results.
Click Close.

(Optional) Create a Global Long Processing Rule

You may need to create a global long processing rule (GLPR) to forward all Code42 exposures as events.

From the LogRhythm console, select Tools > Administration > Global Long Processing Rule Manager.
The Global Long Processing Rule Manager window opens.
Click the New Rule + button.
The Global Log Processing Rule Wizard window opens.
Select the Include Filters tab.
Click the New + button.
The Log Message Filter window opens.
From the Add New Field Filter list, select Log Source Type.
Click Edit Values.
The Field Filter Values window opens.
Click Add Item.
The Log Source Type Selector window opens.
Select the Log Source Type you created.
Click OK.
The Field Filter Values window appears with the item you added.
Click OK.
From the Add New Field Filter list, select Common Event.
Click Edit Values.
The Field Filter Values window opens.
Click Add Item.
The Common Event Selector window opens.
For the Classification Filter, select Security : Suspicious
For the Common Event, select Suspicious Activity.
Click OK.
Click Add Item.
The Common Event Selector window opens.
For the Classification Filter, select Security : Suspicious,
For the Common Event, select Suspicious E-Mail Activity.
Click OK.
From the Field Filter Values window, click OK.
From the Log Message Filter window, click OK.
From the Global Log Processing Rule Wizard window, select the Settings tab.
In the Event Management Settings section, select Override Event Forwarding.
Select Forward as Event.
Click Next.
Enter a Name for the global long processing rule.
Click OK.
On the Global Long Processing Rule Manager window, click the Action box for the global long processing rule you just created.
Right-click in the row for your new global long processing rule and select Action > Enable.