Integrate Code42 with Sumo Logic

Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Overview

Sumo Logic is a security information and event management (SIEM) tool that helps you detect and respond to threats. This tutorial explains how to automatically import file exfiltration event data from Code42 into Sumo Logic using the Code42 command-line interface (CLI). 

Considerations

  • Python version 3.5 or later is required. For instructions on downloading and installing Python, see the Python documentation.
  • Your orchestration server must be able to reach your Code42 console address outbound on TCP ports 80 and 443; the Code42 API the CLI talks to is served over HTTPS on port 443.

Before you begin

Prepare a Code42 user account

To integrate with Sumo Logic using the Code42 command-line interface, create a Code42 user service account dedicated to this integration rather than reusing an administrator's account. This must be a local (non-SSO) user assigned roles that provide the necessary permissions, and no more. We recommend you assign the roles in our use case for managing a security application integrated with Code42.

Install and configure the Code42 CLI

To integrate Code42 with Sumo Logic, you must first install the Code42 command-line interface (CLI) and create a profile following the instructions in https://clidocs.code42.com.

For an overview of the CLI, see Introduction to the Code42 command-line interface.

Step 1: Create an automated task for the Code42 CLI

After you've completed the steps of creating a user and setting up the Code42 CLI, create an automated task or cron job that runs a query on a schedule. Schedule it under the same operating-system user that created the CLI profile, because the CLI stores the service account's password in that user's keyring and the task cannot authenticate as anyone else.

Linux cron job

Windows automated task
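The following Python script is an added example, not Code42's own code, written to serve both the Linux cron job and the Windows automated task above from one file. It assumes the code42cli 1.x command `code42 security-data send-to HOST:PORT` with its --profile, --protocol (TCP, UDP or TLS-TCP), --use-checkpoint and --begin options, a profile already created with `code42 profile create -n sumo-svc -s <console address> -u <service account>`, and a Sumo Logic Syslog source listening on 127.0.0.1:514; the profile name, checkpoint name, collector address and file paths are placeholders.

```python
"""Cross-platform scheduled runner for the Code42 CLI.

Added example, not Code42's own code.  Assumes code42cli 1.x `security-data
send-to` and a profile created with `code42 profile create`; profile,
checkpoint and collector values are placeholders.  Run it as the OS user that
created the profile (the CLI keeps the password in that user's keyring), e.g.
  Linux cron:  */15 * * * *  /usr/bin/python3 /opt/code42/code42_to_sumo.py
  Windows:     schtasks /Create /SC MINUTE /MO 15 /TN Code42ToSumo
                 /TR "py C:\\code42\\code42_to_sumo.py" /RU svc-code42
"""
import argparse
import logging
import os
import subprocess
import sys
import tempfile
import time

LOG = logging.getLogger("code42_to_sumo")
PROTOCOLS = ("TCP", "UDP", "TLS-TCP")


def build_send_to_cmd(profile, host, port, checkpoint, protocol="TCP", begin="1d"):
    """Return the argv for one CLI run.

    --use-checkpoint makes the CLI resume from the timestamp of the last event
    it delivered, so a re-run never duplicates events already in Sumo Logic;
    --begin is only consulted on the first run, before a checkpoint exists.
    """
    if protocol not in PROTOCOLS:
        raise ValueError("unsupported protocol: {}".format(protocol))
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range: {}".format(port))
    return [
        "code42", "security-data", "send-to", "{}:{}".format(host, port),
        "--profile", profile,
        "--protocol", protocol,
        "--use-checkpoint", checkpoint,
        "--begin", begin,
    ]


class JobLock:
    """Single-instance guard: O_EXCL create works on Linux and Windows alike.

    Stops two overlapping runs from racing on the same checkpoint; a lock
    older than `stale_after` seconds is treated as left behind by a crash.
    """

    def __init__(self, path, stale_after=6 * 3600):
        self.path, self.stale_after, self.fd = path, stale_after, None

    def __enter__(self):
        try:
            if time.time() - os.path.getmtime(self.path) > self.stale_after:
                LOG.warning("removing stale lock %s", self.path)
                os.remove(self.path)
        except OSError:
            pass  # no lock file yet (or not ours to remove)
        try:
            self.fd = os.open(self.path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
        except FileExistsError:
            raise RuntimeError("previous run still in progress ({})".format(self.path))
        os.write(self.fd, str(os.getpid()).encode("ascii"))
        return self

    def __exit__(self, *exc_info):
        os.close(self.fd)
        os.remove(self.path)


def run_once(argv, timeout=3600):
    """Run the CLI; return its exit code so the scheduler can alert on failure."""
    LOG.info("running: %s", " ".join(argv))
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout)
    if proc.returncode != 0:
        LOG.error("code42 exited %d: %s", proc.returncode,
                  proc.stderr.decode("utf-8", "replace").strip())
    return proc.returncode


def main(args=None):
    parser = argparse.ArgumentParser(description="Send Code42 file events to a Sumo Logic syslog source")
    parser.add_argument("--profile", default="sumo-svc", help="CLI profile name (placeholder)")
    parser.add_argument("--host", default="127.0.0.1", help="collector host running the Syslog source")
    parser.add_argument("--port", type=int, default=514, help="Syslog source port")
    parser.add_argument("--protocol", default="TCP", choices=PROTOCOLS)
    parser.add_argument("--checkpoint", default="sumologic", help="checkpoint name (placeholder)")
    parser.add_argument("--begin", default="1d", help="look-back used only on the first run")
    parser.add_argument("--lock", default=os.path.join(tempfile.gettempdir(), "code42_to_sumo.lock"))
    parser.add_argument("--dry-run", action="store_true", help="print the command and exit")
    opts = parser.parse_args(args)
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    argv = build_send_to_cmd(opts.profile, opts.host, opts.port, opts.checkpoint, opts.protocol, opts.begin)
    if opts.dry_run:
        print(" ".join(argv))
        return 0
    try:
        with JobLock(opts.lock):
            return run_once(argv)
    except RuntimeError as err:
        LOG.error("%s", err)
        return 75  # EX_TEMPFAIL: nothing was sent; the next scheduled run retries


if __name__ == "__main__":
    sys.exit(main())
```

The script returns the CLI's own exit code, so cron mail or Task Scheduler history shows a failed pull instead of a silently empty dashboard, and the lock plus the CLI checkpoint mean a retry after a failure neither overlaps a slow run nor re-sends events that already reached Sumo Logic. If the collector is on another host, use TLS-TCP rather than UDP or plain TCP: the events carry usernames, hostnames and file paths.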

Step 2: Configure log collection into Sumo Logic 

Download, install, and configure the Sumo Logic collector either on the orchestration server you are using for the Code42 CLI or on another system. A Syslog source (used in Step 3) is only available on an Installed Collector; a Hosted Collector accepts HTTP and cloud-storage sources instead. Installing the collector on the orchestration server itself keeps the file event data, which includes usernames, hostnames and file paths, on localhost; if it must cross the network, protect the transport (TLS) and restrict which hosts can reach the collector's port.

  1. Sign in to the Sumo Logic console.
  2. Click Manage Data > Collection from the left navigation bar.
  3. Click Add Collector.
    The Select Collector Type dialog opens.
  4. Select either Installed Collector or Hosted Collector.
    The Add Installed Collector or Add Hosted Collector dialog opens.
  5. Click the link for the platform on which you want to install the collector.
    The installer package downloads.
  6. Follow the installation instructions for the platform you chose.
  7. Once installed, the collector appears on the Collection tab.

Step 3: Configure the Code42 source for collection by the agent

  1. Click Manage Data > Collection from the left navigation bar.
  2. Locate the collector you added in the previous steps.
  3. Click Add > Add Source.
    The File Sources window opens.
  4. Select a source type (Syslog in this example).
    The configuration options for that source appear.
  5. Enter a Name for the source and set a Source Category; the dashboard queries below select Code42 events by this value through _sourceCategory.
  6. Select your Protocol and Port. These must match the protocol and port that the scheduled Code42 CLI task from Step 1 sends to. Syslog carries no authentication, so firewall the port to the orchestration server: anything else that can reach it can inject events into your dashboards.
  7. Click Save.
    The source is configured. Events flow from the orchestration server into your Sumo Logic environment once the scheduled task from Step 1 runs.

Code42 dashboard configuration 

To visualize the Code42 data being collected, you can optionally create a Code42 dashboard in Sumo Logic. The following queries may help in creating this kind of dashboard. Before using them, replace the _sourceCategory value (the queries use both "Your Code42 Source Here" and "Code42" as placeholders) with the Source Category you set on the Code42 source, and, if your tenant is not served by the US console, change the console.us.code42.com hostname in the tourl() links to your console address.


Cloud exposures

_sourceCategory="Your Code42 Source Here"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize)
| where !(source_type="Endpoint")
| count by source_type | sort by _count

Endpoint exposures

_sourceCategory="Your Code42 Source Here"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize)
| where source_type="Endpoint"
| count by exposure_type | sort by _count

Removable media exposure by user

_sourceCategory="Code42"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize) 
| parse field=UserName "*@*" as User, UserDomain 
| json field=_raw "filePath" | if(filePath matches "*:/*", substring(filePath,0,1),"") as driveletter
| timeslice 1d
|where exposure_type matches "RemovableMedia"
|count by _timeslice, User | transpose row _timeslice column User

Exposure by location (map)

_sourceCategory="Code42"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize) 
| lookup latitude, longitude from geo://location on ip= publicIpAddress
| json field=_raw "filePath" | if(filePath matches "*:/*", substring(filePath,0,1),"") as driveletter
| count(exposure_type) as _count by latitude, longitude
| sort by _count

Top 10 files exposed

This dashboard includes links to the Code42 console for more details. 

_sourceCategory="Your Code42 Source Here"
| json field=_raw "fileName" AS fileName
| json field=_raw "md5Checksum" AS MD5
| if (isNull(MD5), "NA", MD5) as MD5
| urlencode (fileName) as URLName
| tourl(concat("https://console.us.code42.com/app/#/forensic-search/search/?t0=fileName&q0=IS&v0=", URLName, "&t1=eventTimestamp&q1=WITHIN_THE_LAST&v1=P30D"), fileName) as fileName
| tourl(concat("https://console.us.code42.com/app/#/forensic-search/search/?t0=md5Checksum&q0=IS&v0=", MD5, "&t1=eventTimestamp&q1=WITHIN_THE_LAST&v1=P30D"), MD5) as MD5
| count by fileName, MD5 | sort by fileName
| top 10 fileName, MD5 by _count

Exposure by filename

_sourceCategory="Your Code42 Source Here"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize)
| count by filename | sort by _count

Top 10 endpoint users by exposure type

This dashboard includes links to the Code42 console for more details. 

_sourceCategory="Code42"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "deviceUserName" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize)
| json field=_raw "filePath" | if(filePath matches "*:/*", substring(filePath,0,1),"") as driveletter
| urlencode (UserName) as URLName
| tourl(concat("https://console.us.code42.com/app/#/forensic-search/search/?t0=deviceUserName&q0=IS&v0=", URLName, "&t1=exposureType&q1=IS_EITHER&v1%5B0%5D=RemovableMedia&v1%5B1%5D=ApplicationRead&v1%5B2%5D=CloudStorage&v1%5B3%5D=OutsideTrustedDomains&v1%5B4%5D=SharedToDomain&v1%5B5%5D=SharedViaLink&v1%5B6%5D=IsPublic&t2=eventTimestamp&q2=WITHIN_THE_LAST&v2=P30D"), UserName) as UserName
| count by exposure_type, UserName | sort by exposure_type
| top 10 UserName, exposure_type by _count

Top 10 cloud users by exposure type

This dashboard includes links to the Code42 console for more details.

_sourceCategory="Code42"
| json field=_raw "osHostName" AS User_endpoint |json field=_raw "source" AS source_type | json field=_raw "actor" AS UserName
| json field=_raw "exposure[0]" as exposure_type | json field=_raw "privateIpAddresses[0]" 
| json auto keys "eventType","fileOwner","fileType","fileName","publicIpAddress", "sha256Checksum", "filePath", "fileSize","fileCategory","md5Checksum", "actor", "processName", "processOwner" , "removableMediaSerialNumber", "removableMediaName", "removableMediaVendor", "syncDestination", "url", "userUid" | number(fileSize)
| urlencode (UserName) as URLName
| tourl(concat("https://console.us.code42.com/app/#/forensic-search/search/?t0=actor&q0=IS&v0=", URLName, "&t1=exposureType&q1=EXISTS&v1%5B0%5D=IsPublic&v1%5B1%5D=SharedViaLink&v1%5B2%5D=SharedToDomain&v1%5B3%5D=OutsideTrustedDomains&v1%5B4%5D=RemovableMedia&v1%5B5%5D=ApplicationRead&v1%5B6%5D=CloudStorage&t2=eventTimestamp&q2=WITHIN_THE_LAST&v2=P30D"), UserName) as UserName
| where !(source_type="Endpoint")
| count by exposure_type, UserName | sort by exposure_type
| top 10 UserName, exposure_type by _count
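The Sumo Logic queries above cannot be run outside the product, but their field logic can be checked offline before you build panels on it. The following Python script is an added example, not Code42 or Sumo Logic code: it replays the aggregations of the dashboard queries above (cloud and endpoint exposures, removable media by user and day, drive-letter extraction, the Top 10 files and Top 10 users panels, and the URL-encoded tourl() console links) over three constructed file events. The events are made up for illustration; their field names follow the Code42 file event JSON the CLI emits, and the console hostname is the US one used in the page's queries.

```python
"""Offline replay of the dashboard queries over constructed Code42 file events.

Added example, not Code42 or Sumo Logic code.  Events are constructed for
illustration; their field names follow the file event JSON the CLI emits
(source, exposure, deviceUserName, actor, filePath, ...).  CONSOLE is the US
console hostname that the page's tourl() links use.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import quote

CONSOLE = "https://console.us.code42.com/app/#/forensic-search/search/"

# Constructed sample (not real data): a removable-media endpoint event, a cloud
# share, and an endpoint event whose exposure array is empty.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventType": "CREATED", "eventTimestamp": "2021-03-01T14:05:00.000Z",
     "source": "Endpoint", "exposure": ["RemovableMedia"],
     "deviceUserName": "alice@example.com", "osHostName": "LAPTOP-01",
     "fileName": "roadmap.xlsx", "filePath": "E:/", "fileSize": "204800",
     "md5Checksum": "9e107d9d372bb6826bd81d3542a419d6",
     "publicIpAddress": "203.0.113.10", "removableMediaName": "USB DISK"},
    {"eventType": "CREATED", "eventTimestamp": "2021-03-02T09:12:00.000Z",
     "source": "GoogleDrive", "exposure": ["SharedViaLink"],
     "actor": "bob@example.com", "fileName": "budget.pdf", "filePath": "",
     "fileSize": "51200", "md5Checksum": "d41d8cd98f00b204e9800998ecf8427e",
     "publicIpAddress": "198.51.100.7"},
    {"eventType": "MODIFIED", "eventTimestamp": "2021-03-02T16:40:00.000Z",
     "source": "Endpoint", "exposure": [],
     "deviceUserName": "alice@example.com", "osHostName": "LAPTOP-01",
     "fileName": "notes.txt", "filePath": "/home/alice/", "fileSize": "1024",
     "md5Checksum": None, "publicIpAddress": "203.0.113.10"},
]]


def parse_events(lines):
    """One JSON event per line, as the Syslog source receives them."""
    return [json.loads(line) for line in lines if line.strip()]


def exposure_type(event):
    """`json field=_raw "exposure[0]"`: first exposure, or None if the array is
    empty.  Sumo drops a message whose JSON path does not exist (unless
    `nodrop` is given), so every query keyed on exposure_type skips such events."""
    exposures = event.get("exposure") or []
    return exposures[0] if exposures else None


def drive_letter(path):
    """`if(filePath matches "*:/*", substring(filePath,0,1), "")`: Code42 reports
    Windows paths with forward slashes, hence the ":/" test."""
    return path[0] if path and ":/" in path else ""


def cloud_exposures(events):
    """'Cloud exposures': count by source for everything that is not Endpoint."""
    return Counter(e.get("source") for e in events if e.get("source") != "Endpoint")


def endpoint_exposures(events):
    """'Endpoint exposures': Endpoint events counted by first exposure type."""
    return Counter(exposure_type(e) for e in events
                   if e.get("source") == "Endpoint" and exposure_type(e))


def removable_media_by_user_day(events):
    """'Removable media exposure by user': per-day counts keyed by the local part
    of deviceUserName (`parse field=UserName "*@*" as User, UserDomain`)."""
    table = defaultdict(Counter)
    for e in events:
        if exposure_type(e) != "RemovableMedia" or "deviceUserName" not in e:
            continue
        user = e["deviceUserName"].split("@", 1)[0]
        table[e["eventTimestamp"][:10]][user] += 1  # timeslice 1d
    return {day: dict(users) for day, users in table.items()}


def forensic_search_url(field, value, days=30):
    """tourl(concat(...)) with the urlencode step, so a file name containing '&'
    or spaces cannot break out of its query parameter."""
    return "{}?t0={}&q0=IS&v0={}&t1=eventTimestamp&q1=WITHIN_THE_LAST&v1=P{}D".format(
        CONSOLE, field, quote(value, safe=""), days)


def top_files(events, n=10):
    """'Top 10 files exposed': (fileName, MD5 or "NA") pairs ranked by count."""
    pairs = Counter((e.get("fileName"), e.get("md5Checksum") or "NA") for e in events)
    return pairs.most_common(n)


def users_by_exposure(events, cloud=False):
    """Top users by exposure type.  Endpoint events name the user in
    deviceUserName and cloud events in actor, which is why the page keeps two
    queries; the cloud one also excludes source=Endpoint."""
    user_field = "actor" if cloud else "deviceUserName"
    counts = Counter()
    for e in events:
        if cloud and e.get("source") == "Endpoint":
            continue
        user, exposure = e.get(user_field), exposure_type(e)
        if user and exposure:  # json field=_raw drops events lacking either
            counts[(user, exposure)] += 1
    return counts.most_common(10)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("cloud:", dict(cloud_exposures(evs)), "endpoint:", dict(endpoint_exposures(evs)))
    print("removable media by day:", removable_media_by_user_day(evs))
    for (name, md5), n in top_files(evs):
        print(n, md5, forensic_search_url("fileName", name))
```

Two things the replay makes visible that the queries hide: an event with an empty exposure array disappears from every exposure-keyed panel because the json extraction drops it, and the "endpoint" and "cloud" user panels count different fields (deviceUserName versus actor), so a user who appears in both is two rows, not one.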
