Integrate Code42 with LogRhythm
Who is this article for?
- Incydr: yes
- CrashPlan for Enterprise: no
- Code42 for Enterprise: yes
- CrashPlan for Small Business: no
This article applies to Code42 cloud environments.
Overview
LogRhythm is a security information and event management (SIEM) tool that helps you detect and respond to threats. This tutorial explains how to ingest file exfiltration event data from Code42 into LogRhythm using the Code42 command-line interface (CLI).
Considerations
- Python version 3.5 or later is required. For instructions on downloading and installing Python, see the Python documentation.
- Your LogRhythm orchestration server must be able to connect via SSL (ports 80 and 443) to your Code42 console address.
Before you begin
Prepare a Code42 user account
To integrate with LogRhythm using the Code42 command-line interface, create a Code42 user service account. This must be a local (non-SSO) user assigned roles that provide the necessary permissions. We recommend you assign the roles in our use case for managing a security application integrated with Code42.
Install and configure the Code42 CLI
To integrate Code42 with LogRhythm, you must first install the Code42 command-line interface (CLI) and create a profile following the instructions in Introduction to the Code42 command-line interface.
Create an automated task for the Code42 CLI
After you have created the user and set up the Code42 CLI, create an automated task or cron job that runs the query on a schedule.
Linux cron job
Windows automated task
Collect the flat file in LogRhythm
Once the scheduled task is running, Code42 data is written to a flat file on the orchestration server. Set up a LogRhythm Collection Agent to collect and ingest the flat file.
Considerations
- In the LogRhythm console, create:
- A new custom log source type
- MPE rules
- Log processing policy
- (Optional) Custom common events, to parse the Code42 data according to your needs
- Please refer to the LogRhythm Community for instructions on how to create Custom MPE Rules, Log Processing Policy, and custom common events. You must have LogRhythm Community credentials to access those instructions.
Create a new custom log source type
- In the LogRhythm console, select Deployment Manager.
- Select Tools > Knowledge > Log Source Type Manager.
The Log Source Type Manager window opens.
- Click the New (+) icon.
The Log Source Type Properties window opens.
- Enter a Name.
- Enter an Abbreviation.
- Select a Log Format.
- (Optional) Enter a Brief Description.
- Click OK.
Create custom message processing engine rules
Create custom message processing engine (MPE) rules for parsing messages, pulling in fields, and making tags. The rules you create may vary depending on your use cases and deployment details.
- In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
- Click the Create a new rule (+) icon to create a new rule.
- Enter the Rule Name.
- Select a Common Event.
- For the Rule Status, select Production.
- Select an option from the Log Message Source Type Associations column.
- In the Base-rule Regular Expression field, enter one of the regex strings listed under Base-rule regex below.
- Click the Save icon to save the rule.
- (Optional) To create another rule, click the Create a new rule (+) icon.
- Repeat the above steps to create as many rules as necessary.
Create an MPE rule sort order
- In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
- Click the Open rule library folder icon.
- From the Rule Browser window, search for the custom log source type you created.
- Click Edit > Edit Base-rule Sorting.
The Rule Sorter window opens.
- Select Auto-Sort for all exposure rules.
- Using the arrow buttons on the left, sort non-exposure rules below exposure rules and leave auto-sort unchecked.
- Move Catch all rules to the bottom of the list and leave auto-sort unchecked.
- Click OK.
Create a log processing policy
- In the LogRhythm console, select Deployment Manager.
- Click Log Processing Policies.
- Click the New (+) icon to create a new log processing policy.
The Log Source Type Selector window opens.
- From the Record Type Filter column, select Custom.
- Select the Log Source Type you created earlier.
- Click OK.
The MPE Policy Editor window opens.
- Enter a Name.
- Below the list of rules, right-click and select Check All.
- Right-click the last row again and select Properties.
The MPE Policy Rule Editor window opens.
- Select Enabled.
- Click OK.
The MPE Policy Rule Editor window closes.
- Confirm that all rules are enabled.
- Click OK.
Add the newly created log source to be collected by a LogRhythm system monitor agent
- In the LogRhythm console, select Deployment Manager.
- Select System Monitors.
- Right-click on the System Monitor Agent you want to use to collect the log source you created previously.
- Click Properties.
The System Monitor Agent Properties window opens.
- Right-click on the bottom box and select New.
The Log Message Source Properties window opens.
- Enter the necessary information on the Basic Configuration tab.
- For the Log Message Source Name choose the log source you just created.
- In the Log Message Processing Settings section, for the Log Message Processing Engine (MPE) Policy option, choose the policy you just created.
- Select the Flat File Settings tab.
- In the File Path field, enter the path where you configured the Code42 CLI to save the flat file.
- Select the Date Parsing Format ... icon.
The Date Format Manager window opens.
- Right-click in the window and select New.
The Date Format Properties window opens.
- Enter a Name.
- Enter the following Regex:
CEF:0.*?end=<UTC><unix>
- Click OK.
- (Optional):
- Click the Additional Settings tab.
- Select Start Collection from beginning of the log.
- Click OK.
Base-rule regex
See below for example strings to enter in the Base-Rule Regular Expression field when creating MPE rules, along with guidance on sort order position.
App read exposure
Shared via cloud storage exposure
Shared via link exposure
Shared via removable media exposure
Shared via email
Endpoint non-exposure
Cloud non-exposure
Catch all
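To check what a given flat-file line would hit in the order above, here is an added Python example (not part of the Code42 or LogRhythm documentation) that applies the date regex from the Flat File Settings step and a first-match-wins rule list, in the Rule Sorter order, to constructed CEF lines; the CEF extension keys, values and rule patterns are assumptions to replace with ones taken from your own flat file.

```python
import re
from datetime import datetime, timezone

# Constructed lines shaped like Code42 CLI CEF output; the extension keys and
# values (end=, suser=, reason=) are assumptions, not copied from a real export.
SAMPLE_LINES = [
    "CEF:0|Code42|Advanced Exfiltration Detection|1|C42203|READ_BY_APP|5|"
    "end=1609459200000 suser=jdoe fname=q4.xlsx reason=ApplicationRead",
    "CEF:0|Code42|Advanced Exfiltration Detection|1|C42201|MODIFIED|3|"
    "end=1609459380000 suser=jdoe fname=notes.txt",
    "not a CEF record at all",
]

# Python form of the LogRhythm date format regex CEF:0.*?end=<UTC><unix>
END_TIME = re.compile(r"CEF:0.*?end=(?P<unix>\d{10,13})")

# Base rules in evaluation order: exposure rules, then non-exposure rules, then
# the catch-all; first match wins. Patterns are hypothetical placeholders.
RULES = [  # (rule name, regex, is_exposure)
    ("App read exposure", r"reason=ApplicationRead", True),
    ("Shared via cloud storage exposure", r"reason=CloudStorage", True),
    ("Shared via link exposure", r"reason=SharedViaLink", True),
    ("Shared via removable media exposure", r"reason=RemovableMedia", True),
    ("Shared via email", r"\|EMAILED\|", True),
    ("Endpoint non-exposure", r"\|(CREATED|MODIFIED|DELETED)\|", False),
    ("Catch all", r".*", False),
]

def parse_end_time(line):
    """Event end time as an aware UTC datetime, or None when the regex misses."""
    m = END_TIME.search(line)
    if not m:
        return None
    ts = int(m.group("unix"))
    if ts > 10**11:  # assumed epoch milliseconds when the value is this large
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def classify(line, rules=RULES):
    """Name of the first rule whose regex matches, as the MPE would assign it."""
    for name, pattern, _ in rules:
        if re.search(pattern, line):
            return name
    return None

def sort_order_ok(rules):
    """True when exposure rules precede non-exposure rules and Catch all is last."""
    kinds = [is_exposure for _, _, is_exposure in rules]
    return kinds == sorted(kinds, reverse=True) and rules[-1][0] == "Catch all"
```

Paste real lines from the flat file into SAMPLE_LINES to confirm each one lands on the rule you expect before importing them in the Test Center.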
Test regex rule matching and performance
- From the custom MPE rule you created, click the Test Center tab.
- Right-click in the bottom Test Center section.
- Select Import Log Messages Manually.
The Test Log Importer window opens.
- Paste in the sample logs from the flat file on the orchestration server.
- Click OK.
- Click Test All.
The Rule Builder Test Results window opens.
- Review the results.
- Click Close.
(Optional) Create a Global Log Processing Rule
You may need to create a global log processing rule (GLPR) to forward all Code42 exposures as events.
- From the LogRhythm console, select Tools > Administration > Global Log Processing Rule Manager.
The Global Log Processing Rule Manager window opens.
- Click the New Rule + button.
The Global Log Processing Rule Wizard window opens.
- Select the Include Filters tab.
- Click the New + button.
The Log Message Filter window opens.
- From the Add New Field Filter list, select Log Source Type.
- Click Edit Values.
The Field Filter Values window opens.
- Click Add Item.
The Log Source Type Selector window opens.
- Select the Log Source Type you created.
- Click OK.
The Field Filter Values window appears with the item you added.
- Click OK.
- From the Add New Field Filter list, select Common Event.
- Click Edit Values.
The Field Filter Values window opens.
- Click Add Item.
The Common Event Selector window opens.
- For the Classification Filter, select Security : Suspicious.
- For the Common Event, select Suspicious Activity.
- Click OK.
- Click Add Item.
The Common Event Selector window opens.
- For the Classification Filter, select Security : Suspicious.
- For the Common Event, select Suspicious E-Mail Activity.
- Click OK.
- From the Field Filter Values window, click OK.
- From the Log Message Filter window, click OK.
- From the Global Log Processing Rule Wizard window, select the Settings tab.
- In the Event Management Settings section, select Override Event Forwarding.
- Select Forward as Event.
- Click Next.
- Enter a Name for the global log processing rule.
- Click OK.
- On the Global Log Processing Rule Manager window, click the Action box for the global log processing rule you just created.
- Right-click in the row for your new global log processing rule and select Action > Enable.