Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Integrate Code42 with LogRhythm

Overview

LogRhythm is a security information and event management (SIEM) tool that helps you detect and respond to threats. This tutorial explains how to ingest file exfiltration event data from Code42 into LogRhythm using the Code42 command-line interface (CLI). 

Considerations

  • Python version 3.5 or later is required. For instructions on downloading and installing Python, see the Python documentation.
  • Your LogRhythm orchestration server must be able to connect via SSL (ports 80 and 443) to your Code42 console address.

Before you begin

Prepare a Code42 user account

To integrate with LogRhythm using the Code42 command-line interface, create a Code42 user service account. This must be a local (non-SSO) user assigned roles that provide the necessary permissions. We recommend you assign the roles in our use case for managing a security application integrated with Code42.

Install and configure the Code42 CLI

To integrate Code42 with LogRhythm, you must first install the Code42 command-line interface (CLI) and create a profile following the instructions in Introduction to the Code42 command-line interface.

Create an automated task for the Code42 CLI

After you have created the user and set up the Code42 CLI, create an automated task (Windows) or cron job (Linux) that runs a query on a schedule and writes the results to a flat file.

Linux cron job
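
The following wrapper script is an added example and is not part of the Code42 article or the Code42 CLI project. It shows the shape of a cron-driven export: the CLI appends new file events in CEF format to the flat file that the LogRhythm agent later collects, and a checkpoint keeps each run from re-emitting events it already wrote. The profile name lr-service, the checkpoint name logrhythm, the output path, and the option names --profile, --format CEF, --use-checkpoint and --begin are assumptions; confirm them against your installed CLI version with `code42 security-data search --help` before scheduling the job.

```shell
#!/bin/sh
# Added example (not from the Code42 article or the Code42 CLI project): wrapper
# that a Linux cron job calls to append new Code42 file events, in CEF format,
# to the flat file that the LogRhythm System Monitor Agent collects.
#
# Assumptions (verify with `code42 security-data search --help`):
#   - a CLI profile named "lr-service" exists for the local (non-SSO) service account
#   - the CLI supports --profile, --format CEF, --use-checkpoint and --begin
#   - the checkpoint name "logrhythm" and the output path are ours, not the article's

OUTPUT_FILE="${OUTPUT_FILE:-/var/log/code42/code42-cef.log}"
PROFILE="${CODE42_PROFILE:-lr-service}"
CHECKPOINT="${CODE42_CHECKPOINT:-logrhythm}"

# Returns the exact command line the job runs, so it can be reviewed or logged
# without invoking the CLI. Arguments: profile name, checkpoint name.
build_search_cmd() {
    printf 'code42 security-data search --profile %s --format CEF --use-checkpoint %s --begin 1d\n' \
        "$1" "$2"
}

# Appends new events to OUTPUT_FILE. Returns 0 on success, 2 when the CLI is not
# on PATH, 1 if the output directory cannot be created, else the CLI's exit status.
run_export() {
    if ! command -v code42 >/dev/null 2>&1; then
        echo "code42 CLI not found on PATH" >&2
        return 2
    fi
    # The flat file carries usernames, hostnames and file paths, so create it
    # readable by the service user only.
    umask 077
    mkdir -p "$(dirname "$OUTPUT_FILE")" || return 1
    # The checkpoint makes each run return only events newer than the last one
    # written, so the file grows without duplicates; --begin only matters on the
    # very first run, before a checkpoint exists.
    code42 security-data search --profile "$PROFILE" --format CEF \
        --use-checkpoint "$CHECKPOINT" --begin 1d >> "$OUTPUT_FILE"
}

# Cron entry (add with `crontab -e` as the service user) that runs this script
# every five minutes and keeps the CLI's own stderr for troubleshooting:
#   */5 * * * * /usr/local/bin/code42-to-logrhythm.sh >> /var/log/code42/export.log 2>&1

# Run the export only when executed directly under the assumed script name,
# not when the file is sourced for testing.
case "$0" in
    */code42-to-logrhythm.sh|code42-to-logrhythm.sh) run_export ;;
esac
```

Run the script once by hand as the service user before enabling the cron entry, and confirm that the flat file gained lines starting with `CEF:0`; that is the prefix the LogRhythm date-parsing rule later in this article keys on.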

Windows automated task

Collect the flat file in LogRhythm

Upon completing the steps above, Code42 data is written to a flat file on the orchestration server. Set up a LogRhythm Collection Agent to collect and ingest the flat file.

Considerations

  • In the LogRhythm console, create: 
    • A new custom log source type
    • MPE rules
    • Log processing policy
    • (Optional) Custom common events, to parse the Code42 data according to your needs
  • Please refer to the LogRhythm Community for instructions on how to create Custom MPE Rules, Log Processing Policy, and custom common events. You must have LogRhythm Community credentials to access those instructions. 

Create a new custom log source type

  1. In the LogRhythm console, select Deployment Manager.
  2. Select Tools > Knowledge > Log Source Type Manager.
    The Log Source Type Manager window opens.
  3. Click the New (+) icon.
    The Log Source Type Properties window opens.
  4. Enter a Name.
  5. Enter an Abbreviation.
  6. Select a Log Format.
  7. (Optional) Enter a Brief Description.
  8. Click OK.

Create custom message processing engine rules

Create custom message processing engine (MPE) rules for parsing messages, pulling in fields, and making tags. The rules you create may vary depending on your use cases and deployment details. 

  1. In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
  2. Click the Create a new rule (+) icon to create a new rule.
  3. Enter the Rule Name.
  4. Select a Common Event.
  5. For the Rule Status, select Production.
  6. Select an option from the Log Message Source Type Associations column.
  7. In the Base-rule Regular Expression field, enter the appropriate expression from the Base-rule regex section below.
  8. Click the Save icon to save the rule.
  9. (Optional) To create another rule, click the Create a new rule (+) icon.
  10. Repeat the above steps to create as many rules as necessary.

Create an MPE rule sort order

  1. In the LogRhythm console, go to Tools > Knowledge > MPE Rule Builder.
  2. Click the Open rule library folder icon.
  3. From the Rule Browser window, search for the custom log source type you created.
  4. Click Edit > Edit Base-rule Sorting.
    The Rule Sorter window opens.
  5. Select Auto-Sort for all exposure rules.
  6. Using the arrow buttons on the left, sort non-exposure rules below exposure rules and leave Auto-Sort unchecked.
  7. Move Catch all rules to the bottom of the list and leave Auto-Sort unchecked.
  8. Click OK.

Create a log processing policy 

  1. In the LogRhythm console, select Deployment Manager.
  2. Click Log Processing Policies.
  3. Click the New (+) icon to create a new log processing policy.
    The Log Source Type Selector window opens.
  4. From the Record Type Filter column, select Custom.
  5. Select the Log Source Type you created earlier.
  6. Click OK.
    The MPE Policy Editor window opens.
  7. Enter a Name.
  8. Below the list of rules, right-click and select Check All.
  9. Right-click the last row again and select Properties.
    The MPE Policy Rule Editor window opens.
  10. Select Enabled.
  11. Click OK.
    The MPE Policy Rule Editor window closes.
  12. Confirm that all rules are enabled.
  13. Click OK.

Add the newly created log source to be collected by a LogRhythm system monitor agent

  1. In the LogRhythm console, select Deployment Manager.
  2. Select System Monitors.
  3. Right-click the System Monitor Agent you want to use to collect the log source you created previously.
  4. Click Properties.
    The System Monitor Agent Properties window opens.
  5. Right-click in the bottom box and select New.
    The Log Message Source Properties window opens.
  6. Enter the necessary information on the Basic Configuration tab.
  7. For the Log Message Source Name, choose the log source you just created.
  8. In the Log Message Processing Settings section, for the Log Message Processing Engine (MPE) Policy option, choose the policy you just created.
  9. Select the Flat File Settings tab.
  10. In the File Path field, enter the file path where you configured the Code42 CLI task or cron job to save the flat file.
  11. Select the Date Parsing Format ... icon.
    The Date Format Manager window opens.
  12. Right-click in the window and select New.
    The Date Format Properties window opens.
  13. Enter a Name.
  14. Enter the following Regex: CEF:0.*?end=<UTC><unix>
  15. Click OK.
  16. (Optional):
    1. Click the Additional Settings tab.
    2. Select Start Collection from beginning of the log.
  17. Click OK.
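
The date-parsing regex in step 14 only matches lines that begin with CEF:0 and carry an end= extension holding a Unix timestamp, so any other line in the flat file (a CLI error message, a partially written record) will fail date parsing. The following pre-flight check is an added example, not part of the article or of Code42's tooling: it pulls the end= value out of each line with a POSIX approximation of that pattern (the LogRhythm tokens <UTC><unix> are replaced by [0-9]+) and counts the lines the rule would reject, which is worth running over the file before pasting its contents into the MPE rule's Test Center. The sample CEF lines in the block are constructed for the example; real Code42 output carries more extensions and different signature IDs.

```shell
#!/bin/sh
# Added example (not from the Code42 article): pre-flight check that flat-file
# lines have the shape the LogRhythm date-parsing rule expects,
# i.e. "CEF:0...end=<unix timestamp>".

# Prints the end= timestamp of one CEF line, or nothing when the line does not
# match. The LogRhythm tokens <UTC><unix> are approximated with [0-9]+; in BRE
# the "|" that separates CEF header fields is a literal character.
cef_end_epoch() {
    printf '%s\n' "$1" | sed -n 's/^CEF:0|.*end=\([0-9][0-9]*\).*/\1/p'
}

# Reads lines on stdin and prints the number of non-empty lines that would NOT
# be matched by the date-parsing rule (0 means the whole file is parseable).
# Each offending line is echoed to stderr so it can be located and removed.
count_unparseable() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if [ -z "$(cef_end_epoch "$line")" ]; then
            bad=$((bad + 1))
            echo "no parseable end= timestamp: $line" >&2
        fi
    done
    echo "$bad"
}

# Constructed sample: two well-formed CEF events and one stray CLI error line
# that ended up in the file because stderr was redirected into it.
SAMPLE_EVENTS='CEF:0|Code42|Example Product|1|EX001|Example exposure|5|end=1600000000000 suser=jdoe@example.com fname=budget.xlsx
CEF:0|Code42|Example Product|1|EX002|Example exposure|5|end=1600000060000 suser=jdoe@example.com fname=notes.txt
Traceback (most recent call last): example CLI error written into the flat file'

# Typical use against the real file:
#   count_unparseable < /var/log/code42/code42-cef.log
# With the constructed sample above, the count is 1 (the traceback line).
```

If the count is non-zero, fix the export job (for example, stop redirecting the CLI's stderr into the flat file) rather than loosening the regex; a looser date pattern would silently assign those lines the collection time instead of the event time.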

Base-rule regex 

See below for example strings to enter in the Base-Rule Regular Expression field when creating MPE rules, along with guidance on sort order position.  

App read exposure

Shared via cloud storage exposure 

Shared via link exposure

Shared via removable media exposure

Shared via email

Endpoint non-exposure

Cloud non-exposure

Catch all

Test regex rule matching and performance

  1. From the custom MPE rule you created, click the Test Center tab.
  2. Right-click in the bottom Test Center section.
  3. Select Import Log Messages Manually.
    The Test Log Importer window opens.
  4. Paste in the sample logs from the flat file on the orchestration server.
  5. Click OK.
  6. Click Test All.
    The Rule Builder Test Results window opens.
  7. Review the results.
  8. Click Close.

(Optional) Create a Global Log Processing Rule

You may need to create a global log processing rule (GLPR) to forward all Code42 exposures as events.

  1. From the LogRhythm console, select Tools > Administration > Global Log Processing Rule Manager.
    The Global Log Processing Rule Manager window opens.
  2. Click the New Rule + button.
    The Global Log Processing Rule Wizard window opens.
  3. Select the Include Filters tab.
  4. Click the New + button.
    The Log Message Filter window opens.
  5. From the Add New Field Filter list, select Log Source Type.
  6. Click Edit Values.
    The Field Filter Values window opens.
  7. Click Add Item.
    The Log Source Type Selector window opens.
  8. Select the Log Source Type you created.
  9. Click OK.
    The Field Filter Values window appears with the item you added.
  10. Click OK.
  11. From the Add New Field Filter list, select Common Event.
  12. Click Edit Values.
    The Field Filter Values window opens.
  13. Click Add Item.
    The Common Event Selector window opens.
  14. For the Classification Filter, select Security : Suspicious.
  15. For the Common Event, select Suspicious Activity.
  16. Click OK.
  17. Click Add Item.
    The Common Event Selector window opens.
  18. For the Classification Filter, select Security : Suspicious.
  19. For the Common Event, select Suspicious E-Mail Activity.
  20. Click OK.
  21. From the Field Filter Values window, click OK.
  22. From the Log Message Filter window, click OK.
  23. From the Global Log Processing Rule Wizard window, select the Settings tab.
  24. In the Event Management Settings section, select Override Event Forwarding.
  25. Select Forward as Event.
  26. Click Next.
  27. Enter a Name for the global log processing rule.
  28. Click OK.
  29. In the Global Log Processing Rule Manager window, select the Action box for the global log processing rule you just created.
  30. Right-click the row for your new global log processing rule and select Action > Enable.
