Who is this article for?

Code42 for Enterprise: yes.

CrashPlan for Small Business: no.

This article applies to Code42 cloud environments.

Integrate security alerts with a SIEM tool using the Code42 command-line interface

Overview

The Code42 command-line interface (CLI) tool offers a way to interact with your Code42 environment without using the Code42 console or making API calls directly. For example, you can use it to ingest alerts into your security information and event management (SIEM) or security orchestration, automation and response (SOAR) tool. This article provides instructions for using the Code42 CLI to poll for alerts and ingest them into your SIEM or SOAR tool.

You can also use the Code42 CLI to manage users associated with alert rules. For more information, see Manage alert rules users with the Code42 command-line interface.

Before you begin

To poll for alerts using the Code42 CLI, you must first install and configure the Code42 CLI following the instructions in Set up the Code42 command-line interface.

Alerts commands and query parameters

Use the alerts commands to get alerts in a flat file or send them to a syslog server in order to ingest them into your SIEM or SOAR tool.

In the example below, you get the alerts triggered by the rule called "Departing employee endpoint exfiltration" for April 14, 2020, written to a raw JSON file. Use straight quotation marks around the file name and rule name; typographic ("curly") quotes are not recognized by the shell:

code42 alerts write-to "DE_alerts_raw.json" -f RAW-JSON -b 2020-04-14 -e 2020-04-14 --rule-name "Departing employee endpoint exfiltration"

Command or option: Description

print
    Writes to the terminal window, in JSON format. Begin date is also required for initial queries.

send-to
    Sends to a server address, for example, "https://syslog.example.com:514" -p TCP

write-to
    Writes the output to a file, for example, /Users/sangita.maskey/Documents/security_alerts.txt
    If the filename includes spaces, enclose it in quotation marks.

--profile
    Specify the profile you want to use. If you do not specify a profile, the default profile is used. For more information about profiles, see Set up the Code42 command-line interface.

-b
    Begin date: the beginning of the date range in which to look for alerts.
    Use yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format. The time portion of the string can be partial (for example, '2020-01-01 12' or '2020-01-01 01:15'). Or, enter shorthand date-range strings for days (30d), hours (24h) or minutes (15m) from the current time.
    Begin date is required. Example:
    code42 alerts print -b 2020-05-18

-f
    Output format:
      • JSON
      • RAW-JSON

-i
    Incremental: only shows data since the last run.
    Use -i with a begin date to set a checkpoint from which to start basing incremental runs. Example:
    code42 alerts write-to /Users/sangita.maskey/Downloads/c42cli_output.txt -b 2020-05-18 -i

clear-checkpoint
    Clears the stored date and time that determines when the last incremental run was completed.

-e
    End date: the end of the date range in which to look for alerts.
    Use yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format. The time portion of the string can be partial (for example, '2020-01-01 12' or '2020-01-01 01:15'). Or, enter shorthand date-range strings for days (30d), hours (24h) or minutes (15m) from the current time.

--severity
    Filter alerts by severity:
      • HIGH
      • MEDIUM
      • LOW
    Alerts of all severity levels are returned by default.

--state
    Filter alerts by state:

--actor
    Filter alerts by including the given username or actor(s) who triggered the alert. Must match the user's username or cloud alias exactly.

--actor-contains
    Filter alerts by including actor(s) whose username or cloud alias contains the given string.

--exclude-actor-contains
    Filter alerts by excluding the given actor(s) who triggered the alert. Must match the actor's username or cloud alias exactly.

--rule-name
    Filter alerts by the given rule name(s).

--exclude-rule-name
    Filter alerts by excluding the given rule name(s).

--description
    Filter alerts by description. Does a fuzzy search by default. For searches with multiple-word strings, enclose the string in quotation marks.

--rule-id
    Filter alerts by the given rule ID(s). To find the rule ID, run the command code42 alert-rules list.

--exclude-rule-id
    Filter alerts by excluding the given rule ID(s). To find the rule ID, run the command code42 alert-rules list.

--rule-type
    Filter alerts by including the given rule type(s):
      • FedEndpointExfiltration (Exposure on an endpoint)
      • FedCloudSharePermissions (Cloud share permissions)
      • FedFileTypeMismatch (Suspicious file mismatch)

--exclude-rule-type
    Filter alerts by excluding the given rule type(s):
      • FedEndpointExfiltration (Exposure on an endpoint)
      • FedCloudSharePermissions (Cloud share permissions)
      • FedFileTypeMismatch (Suspicious file mismatch)

--advanced-query
    A raw JSON alerts query. Useful when the provided query parameters do not satisfy your requirements.
    WARNING: Using advanced queries is incompatible with the other query-building arguments.

Run a query as a scheduled job

Use your favorite scheduling tool, such as cron or Windows Task Scheduler, to run a query on a regular basis. Specify the profile to use by including --profile. For example:

code42 alerts send-to "https://syslog.example.com:514" -p UDP --profile profile1 --rule-name "Source code exfiltration" --state OPEN -i

Because -i is set, this query sends to the syslog server only the alerts that meet the filter criteria and are new since the previous request.
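The two passages above (the command and option table, and the scheduled-job command line) describe how a query is assembled: a subcommand with its destination, a begin date in one of several accepted formats, filters, and -i for incremental runs. The script below is an added example, not part of the Code42 CLI, that composes such a command line for a scheduler and validates the -b/-e values the way the table describes them (absolute UTC date with optional partial time, or 30d/24h/15m shorthand). It assumes that repeatable filters such as --rule-name and --severity are passed by repeating the flag once per value; the function and argument names are ours.

```python
"""Compose and validate `code42 alerts` queries for scheduled runs (added example)."""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Absolute form: yyyy-MM-dd, optionally followed by a partial or full HH:MM:SS time.
_ABSOLUTE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})(?: (\d{2})(?::(\d{2}))?(?::(\d{2}))?)?$")
# Shorthand form: an integer count of days, hours or minutes back from now.
_SHORTHAND = re.compile(r"^(\d+)([dhm])$")


def parse_date_arg(value, now=None):
    """Return a UTC datetime for a -b/-e value; raise ValueError if the format is not accepted."""
    now = now or datetime.now(timezone.utc)
    m = _SHORTHAND.match(value)
    if m:
        amount, unit = int(m.group(1)), m.group(2)
        delta = {"d": timedelta(days=amount), "h": timedelta(hours=amount),
                 "m": timedelta(minutes=amount)}[unit]
        return (now - delta).replace(microsecond=0)
    m = _ABSOLUTE.match(value)
    if not m:
        raise ValueError(f"unrecognised date argument: {value!r}")
    year, month, day, hour, minute, second = (int(g) if g is not None else 0 for g in m.groups())
    # datetime() itself rejects impossible values such as month 13 or hour 25.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_valid_date_arg(value):
    """True if `value` would be accepted as -b or -e."""
    try:
        parse_date_arg(value)
    except ValueError:
        return False
    return True


def build_alerts_command(subcommand, destination=None, begin=None, end=None, profile=None,
                         protocol=None, rule_names=(), severities=(), state=None,
                         incremental=False):
    """Return the argv list for `code42 alerts <subcommand>` after checking the arguments."""
    if subcommand not in ("print", "send-to", "write-to"):
        raise ValueError(f"unsupported subcommand: {subcommand!r}")
    if subcommand != "print" and not destination:
        raise ValueError(f"{subcommand} needs a server address or file path")
    if begin is None and not incremental:
        raise ValueError("a begin date (-b) is required unless -i resumes from a checkpoint")
    begin_dt = parse_date_arg(begin) if begin is not None else None
    end_dt = parse_date_arg(end) if end is not None else None
    if begin_dt and end_dt and end_dt < begin_dt:
        raise ValueError("end date (-e) is earlier than begin date (-b)")

    argv = ["code42", "alerts", subcommand]
    if destination:
        argv.append(destination)
    if protocol:
        argv += ["-p", protocol]
    if profile:
        argv += ["--profile", profile]
    if begin is not None:
        argv += ["-b", begin]
    if end is not None:
        argv += ["-e", end]
    for name in rule_names:          # assumption: one --rule-name flag per value
        argv += ["--rule-name", name]
    for sev in severities:           # assumption: one --severity flag per value
        argv += ["--severity", sev]
    if state:
        argv += ["--state", state]
    if incremental:
        argv.append("-i")
    return argv


def to_shell(argv):
    """Quote argv for a crontab line; shlex uses straight quotes, which is what the shell expects."""
    return shlex.join(argv)


if __name__ == "__main__":
    cmd = build_alerts_command("send-to", "https://syslog.example.com:514", protocol="UDP",
                               profile="profile1", rule_names=["Source code exfiltration"],
                               state="OPEN", incremental=True)
    print(to_shell(cmd))
```

Running the script prints the scheduled-job command line from this section with the rule name single-quoted, which is the form to paste into a crontab. Validating dates before the job is installed catches a typo such as 2020-13-01 at deploy time rather than in a failed nightly run.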

Contact us for more help
For additional help configuring your environment to run queries on a regular basis, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team. 

Query examples 

Examples of ad-hoc queries you can run are as follows. 

  • Print alerts since March 1 for a user: code42 alerts print -b 2020-05-01 --actor 'peggy.tran@example.com'
  • Print security events since May 5 where a file's cloud share permissions changed: code42 alerts print -b 2020-05-05 --rule-type FedCloudSharePermissions 

Example output for a single alert (in default JSON format):

{
  "type$": "ALERT_DETAILS",
  "tenantId": "c4b5e830-824a-40a3-a6d9-345664cfbb33",
  "type": "FED_CLOUD_SHARE_PERMISSIONS",
  "name": "Cloud Share",
  "description": "Alert Rule for data exfiltration via Cloud Share",
  "actor": "leland.stewart@example.com",
  "target": "N/A",
  "severity": "HIGH",
  "ruleId": "408eb1ae-587e-421a-9444-f75d5399eacb",
  "ruleSource": "Alerting",
  "id": "7d936d0d-e783-4b24-817d-f19f625e0965",
  "createdAt": "2020-05-22T09:47:33.8863230Z",
  "state": "OPEN",
  "observations": [
    {
      "type$": "OBSERVATION",
      "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
      "observedAt": "2020-05-22T09:40:00.0000000Z",
      "type": "FedCloudSharePermissions",
      "data": {
        "type$": "OBSERVED_CLOUD_SHARE_ACTIVITY",
        "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
        "sources": ["GoogleDrive"],
        "exposureTypes": ["PublicLinkShare"],
        "firstActivityAt": "2020-05-22T09:40:00.0000000Z",
        "lastActivityAt": "2020-05-22T09:45:00.0000000Z",
        "fileCount": 1,
        "totalFileSize": 6025,
        "fileCategories": [
          {"type$": "OBSERVED_FILE_CATEGORY", "category": "Document", "fileCount": 1, "totalFileSize": 6025, "isSignificant": false}
        ],
        "files": [
          {"type$": "OBSERVED_FILE", "eventId": "1hHdK6Qe6hez4vNCtS-UimDf-sbaFd-D7_3_baac33d0-a1d3-4e0a-9957-25632819eda7", "name": "1590140395_Longfellow_Cloud_Arch_Redesign.drawio", "category": "Document", "size": 6025}
        ],
        "outsideTrustedDomainsEmailsCount": 0,
        "outsideTrustedDomainsTotalDomainCount": 0,
        "outsideTrustedDomainsTotalDomainCountTruncated": false
      }
    }
  ]
}
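Most SIEM and SOAR tools index flat key/value events rather than nested JSON, so the output shown above usually needs a small normalization step between the CLI and the collector. The script below is an added example, not Code42's code: it reads alert JSON as printed by the `print` command, emits one flat record per observation (carrying the alert-level fields for correlation), and renders each record as a CEF line with proper header and extension escaping. The sample alert is the page's example output embedded so the script runs offline; the field names inside it are Code42's, while the record keys, the CEF vendor/product strings and the LOW/MEDIUM/HIGH to 3/6/9 severity mapping are our assumptions.

```python
"""Flatten Code42 alert JSON into SIEM-ready records and CEF lines (added example)."""
import json

# The page's example alert, embedded as sample input so this runs offline.
SAMPLE_PRINT_OUTPUT = r'''
{"type$": "ALERT_DETAILS", "tenantId": "c4b5e830-824a-40a3-a6d9-345664cfbb33",
 "type": "FED_CLOUD_SHARE_PERMISSIONS", "name": "Cloud Share",
 "description": "Alert Rule for data exfiltration via Cloud Share",
 "actor": "leland.stewart@example.com", "target": "N/A", "severity": "HIGH",
 "ruleId": "408eb1ae-587e-421a-9444-f75d5399eacb", "ruleSource": "Alerting",
 "id": "7d936d0d-e783-4b24-817d-f19f625e0965", "createdAt": "2020-05-22T09:47:33.8863230Z",
 "state": "OPEN",
 "observations": [{"type$": "OBSERVATION", "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
   "observedAt": "2020-05-22T09:40:00.0000000Z", "type": "FedCloudSharePermissions",
   "data": {"type$": "OBSERVED_CLOUD_SHARE_ACTIVITY", "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
     "sources": ["GoogleDrive"], "exposureTypes": ["PublicLinkShare"],
     "firstActivityAt": "2020-05-22T09:40:00.0000000Z", "lastActivityAt": "2020-05-22T09:45:00.0000000Z",
     "fileCount": 1, "totalFileSize": 6025,
     "fileCategories": [{"type$": "OBSERVED_FILE_CATEGORY", "category": "Document", "fileCount": 1, "totalFileSize": 6025, "isSignificant": false}],
     "files": [{"type$": "OBSERVED_FILE", "eventId": "1hHdK6Qe6hez4vNCtS-UimDf-sbaFd-D7_3_baac33d0-a1d3-4e0a-9957-25632819eda7", "name": "1590140395_Longfellow_Cloud_Arch_Redesign.drawio", "category": "Document", "size": 6025}],
     "outsideTrustedDomainsEmailsCount": 0, "outsideTrustedDomainsTotalDomainCount": 0, "outsideTrustedDomainsTotalDomainCountTruncated": false}}]}
'''

CEF_SEVERITY = {"LOW": 3, "MEDIUM": 6, "HIGH": 9}  # assumed mapping onto CEF's 0-10 scale


def iter_json_objects(text):
    """Yield each top-level JSON object in `text`. Works whether the CLI prints one object
    per line or several concatenated, so we do not depend on either layout (assumption)."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def flatten_alert(alert):
    """Return one flat dict per observation; each carries the alert-level fields so the
    SIEM can correlate on alert_id, actor and rule_id without walking nested JSON."""
    base = {
        "alert_id": alert["id"], "tenant_id": alert["tenantId"], "rule_id": alert["ruleId"],
        "rule_name": alert["name"], "rule_type": alert["type"], "actor": alert["actor"],
        "severity": alert["severity"], "state": alert["state"], "created_at": alert["createdAt"],
    }
    records = []
    for obs in alert.get("observations", []):
        data = obs.get("data", {})
        rec = dict(base)
        rec.update({
            "observation_id": obs.get("id", ""),
            "observed_at": obs.get("observedAt", ""),
            "sources": ",".join(data.get("sources", [])),
            "exposure_types": ",".join(data.get("exposureTypes", [])),
            "file_count": data.get("fileCount", 0),
            "total_file_size": data.get("totalFileSize", 0),
            "file_names": ",".join(f.get("name", "") for f in data.get("files", [])),
            "outside_trusted_domain_emails": data.get("outsideTrustedDomainsEmailsCount", 0),
        })
        records.append(rec)
    return records or [base]  # an alert with no observations still yields one record


def cef_escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """CEF extension values: backslash and '=' must be escaped; a newline would split the event."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(record):
    """Render a flattened record as one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join(cef_escape_header(v) for v in (
        "CEF:0", "Code42", "Alerts", "1.0", record["rule_type"], record["rule_name"],
        CEF_SEVERITY.get(record["severity"], 0)))
    extension = {
        "externalId": record["alert_id"], "suser": record["actor"],
        "cs1Label": "ruleId", "cs1": record["rule_id"],
        "cs2Label": "state", "cs2": record["state"],
        "cs3Label": "exposureTypes", "cs3": record.get("exposure_types", ""),
        "cs4Label": "createdAt", "cs4": record["created_at"],
        "fname": record.get("file_names", ""), "cnt": record.get("file_count", 0),
    }
    return header + "|" + " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extension.items())


if __name__ == "__main__":
    for alert in iter_json_objects(SAMPLE_PRINT_OUTPUT):
        for record in flatten_alert(alert):
            print(to_cef(record))
```

In a pipeline, replace SAMPLE_PRINT_OUTPUT with the stdout of a `code42 alerts print ... -i` run and hand the CEF lines to your syslog forwarder. Keeping alert_id on every observation record is what lets the SIEM group multiple observations back into one alert, and escaping the `=` and `|` characters matters because rule names and file names are user-controlled text.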