Who is this article for?

Code42 for Enterprise: yes.
CrashPlan for Small Business: no.

See Product plans and features.

This article applies to Code42 cloud environments.

Code42 Support

Integrate with a SIEM tool using the Code42 command-line interface


Overview

The Code42 command-line interface (CLI) tool offers a way to interact with your Code42 environment without using the Code42 console or making API calls directly. This article provides instructions on using the CLI to extract Code42 data for use in a security information and event management (SIEM) tool like LogRhythm, Sumo Logic, or IBM QRadar. 

You can also use the Code42 CLI to bulk-add or remove users from the High Risk Employees list or Departing Employees list. For more information, see Manage detection list users with the Code42 command-line interface.

Considerations

To integrate with a SIEM tool using the Code42 command-line interface, the Code42 user account running the integration must be assigned roles that provide the necessary permissions. We recommend you assign the roles in our use case for managing a security application integrated with Code42.

Before you begin

To integrate Code42 with a SIEM tool, you must first install and configure the Code42 CLI following the instructions in Set up the Code42 command-line interface.

Commands and query parameters 

You can get security events in either a JSON or CEF format for use by your SIEM tool. You can query the data as a scheduled job or run ad-hoc queries. Use the following commands to get and query security event information using the Code42 CLI.

See the next section for additional examples.  

code42 security-data

Command or option    Description

print
    Writes to the terminal window in JSON format. A begin date is required for initial queries.

-b
    Begin date: the beginning of the date range in which to look for events.
    Use YYYY-MM-DD (UTC) or YYYY-MM-DD HH:MM:SS (UTC, 24-hour time) format, or shorthand date-range strings for day, hour, and minute intervals going back from the current time (for example, 30d, 24h, 15m).
    Begin date is required. Example:
        code42 security-data print -b 2020-04-28

-e
    End date: the end of the date range in which to look for events.
    Accepts the same date formats and shorthand date-range strings as -b.

send-to
    Send to a server address, for example, "https://syslog.example.com:514" -p TCP

-p
    Protocol for the server specified in send-to. Options: UDP (the default) and TCP.

write-to
    Write the output to a file, for example, /Users/sangita.maskey/Documents/securitydata.txt
    If the filename includes spaces, enclose it in quotation marks.

-f
    Output format:
      • CEF
      • JSON
      • RAW-JSON (includes null fields)

--profile
    Specify the profile you want to use. For more information about profiles, see Set up the Code42 command-line interface.

-i
    Incremental: only shows data since the last run.
    Use -i with a begin date to set a checkpoint from which to start basing incremental runs. Example:
        code42 security-data write-to /Users/sangita.maskey/Downloads/c42cli_output.txt -b 2020-04-28 -i

clear-checkpoint
    Clears the stored date and time that determines when the last incremental run was completed.

-t
    Exposure types: limits security events to those with the specified exposure types.
    Enter one or more of the following options, space delimited. If you do not specify an exposure type, all exposure events are included.
      • SharedViaLink: Public via direct link
      • SharedToDomain: Shared with corporate domain
      • ApplicationRead: Read by browser or other app
      • CloudStorage: Synced to cloud service
      • RemovableMedia: Activity on removable media
      • IsPublic: Public on the web

--c42-username
    Limits results to endpoint events for one or more listed users.

--actor
    Limits events to only those enacted by the cloud service user of the person who caused the event.

--md5
    Limits events to file events where the file has this MD5 hash.

--sha256
    Limits events to file events where the file has this SHA-256 hash.

--source
    Limits events to only those from this source:
      • Endpoint
      • GoogleDrive
      • OneDrive
      • Box
      • Gmail
      • Office365

--file-name
    Limits events to those that have this file name.

--file-path
    Limits events to file events where the file is located at this path.

--process-owner
    Limits events to exposure events where this user owns the process behind the exposure. Applies only to ApplicationRead exposure events.

--tab-url
    Limits events to exposure events with this destination tab URL. Applies only to ApplicationRead exposure events.

--advanced-query
    A raw JSON file event query. This option is useful if the provided query parameters do not satisfy your requirements. Using an advanced query ignores all other query parameters.

--include-non-exposure
    Get all events, including non-exposure events.

Run a query as a scheduled job

Use your favorite scheduling tool, such as cron or Windows Task Scheduler, to run a query on a regular basis. Specify the profile to use by including --profile. For example:  

code42 security-data send-to "https://syslog.example.com:514" -p TCP --profile profile1 -i

This query will send to the syslog server only the new security event data since the previous request. 
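The scheduled incremental run above is usually wrapped in a small script so the scheduler can log failures and so two runs never overlap. The wrapper below is an added example, not part of the Code42 CLI or this article; the lock-file path, the script path in the crontab comment, and the `cli` parameter (which lets a test substitute another executable for `code42`) are assumptions. The overlap guard matters because -i advances a stored checkpoint: a second run starting while the first is still sending could read the same checkpoint and forward the same window twice.

```python
import os
import subprocess
from typing import List, Optional, Sequence

# Hypothetical wrapper for the article's scheduled incremental export.
# The lock path and CLI location are assumptions; adjust them for your host.
DEFAULT_LOCK = "/tmp/code42-siem-export.lock"


def build_command(destination: str, profile: str, protocol: str = "TCP",
                  cli: Sequence[str] = ("code42",)) -> List[str]:
    """Assemble the article's command:
    code42 security-data send-to <destination> -p <protocol> --profile <profile> -i"""
    if protocol not in ("UDP", "TCP"):
        raise ValueError("protocol must be UDP or TCP")
    return [*cli, "security-data", "send-to", destination,
            "-p", protocol, "--profile", profile, "-i"]


def run_incremental(destination: str, profile: str, protocol: str = "TCP",
                    cli: Sequence[str] = ("code42",),
                    lock_path: str = DEFAULT_LOCK) -> Optional[int]:
    """Run one incremental export under an exclusive lock file.

    Returns the CLI exit code, or None when a previous run still holds the
    lock. The late run is skipped rather than queued: the next schedule slot
    simply continues from wherever the -i checkpoint was left.
    """
    try:
        # O_EXCL makes creation atomic, so only one process can own the lock.
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return None
    try:
        os.write(fd, str(os.getpid()).encode())
        os.close(fd)
        result = subprocess.run(build_command(destination, profile, protocol, cli),
                                capture_output=True, text=True)
        if result.returncode != 0:
            # Surface the CLI's own message so the scheduler's log shows why it failed.
            print(f"code42 exited {result.returncode}: {result.stderr.strip()}")
        return result.returncode
    finally:
        os.remove(lock_path)


if __name__ == "__main__":
    # Example crontab entry (assumed script path), run every 15 minutes:
    # */15 * * * * /usr/bin/python3 /opt/code42/siem_export.py >> /var/log/code42-siem.log 2>&1
    code = run_incremental("https://syslog.example.com:514", "profile1")
    raise SystemExit(0 if code in (0, None) else 1)
```

A skipped run exits 0 on purpose: it is not an error, and the checkpoint guarantees nothing is lost. A non-zero CLI exit is the condition worth alerting on, since a silently failing export leaves the SIEM blind until the checkpoint is next advanced.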

Run an ad-hoc query

Examples of ad-hoc queries you can run are as follows. 

  • Print security data since March 5 for a user in raw JSON format: 
    code42 security-data print -f RAW-JSON -b 2020-03-05 --c42-username 'sean.cassidy@example.com'
  • Print security events since March 5 where a file was synced to a cloud service: 
    code42 security-data print -t CloudStorage -b 2020-03-05
  • Write to a text file security events in raw JSON format where a file was read by browser or other app for a user since March 5: 
    code42 security-data write-to /Users/sangita.maskey/Downloads/c42cli_output.txt -f RAW-JSON -b 2020-03-05 -t ApplicationRead --c42-username 'sean.cassidy@example.com'

Example output for a single exposure event (in default JSON format): 

{
  "eventId": "0_c4b5e830-824a-40a3-a6d9-345664cfbb33_942704829036142720_944009394534374185_342",
  "eventType": "CREATED",
  "eventTimestamp": "2020-03-05T14:45:49.662Z",
  "insertionTimestamp": "2020-03-05T15:10:47.930Z",
  "filePath": "C:/Users/sean.cassidy/Google Drive/",
  "fileName": "1582938269_Longfellow_Cloud_Arch_Redesign.drawio",
  "fileType": "FILE",
  "fileCategory": "DOCUMENT",
  "fileSize": 6025,
  "fileOwner": "Administrators",
  "md5Checksum": "9ab754c9133afbf2f70d5fe64cde1110",
  "sha256Checksum": "8c6ba142065373ae5277ecf9f0f68ab8f9360f42a82eb1dec2e1816d93d6b1b7",
  "createTimestamp": "2020-03-05T14:29:33.455Z",
  "modifyTimestamp": "2020-02-29T01:04:31Z",
  "deviceUserName": "sean.cassidy@example.com",
  "osHostName": "LAPTOP-091",
  "domainName": "192.168.65.129",
  "publicIpAddress": "71.34.10.80",
  "privateIpAddresses": ["fe80:0:0:0:8d61:ec3f:9e32:2efc%eth2", "192.168.65.129", "0:0:0:0:0:0:0:1", "127.0.0.1"],
  "deviceUid": "942704829036142720",
  "userUid": "887050325252344565",
  "source": "Endpoint",
  "exposure": ["CloudStorage"],
  "syncDestination": "GoogleBackupAndSync"
}

CEF mapping 

The following tables map the data from the Code42 CLI to the Common Event Format (CEF).

Attribute mapping

The table below maps JSON fields, CEF fields, and Forensic Search fields to one another. 

JSON field | CEF field | Forensic Search field
actor | suser | Actor
cloudDriveId | aid | n/a
createTimestamp | fileCreateTime | File Created Date
deviceUid | deviceExternalId | n/a
deviceUserName | suser | Username (Code42)
domainName | dvchost | Fully Qualified Domain Name
eventId | externalID | n/a
eventTimestamp | end | Date Observed
exposure | reason | Exposure Type
fileCategory | fileType | File Category
fileName | fname | Filename
filePath | filePath | File Path
fileSize | fsize | File Size
insertionTimestamp | rt | n/a
md5Checksum | fileHash | MD5 Hash
modifyTimestamp | fileModificationTime | File Modified Date
osHostName | shost | Hostname
processName | sproc | Executable Name (Browser or Other App)
processOwner | spriv | Process User (Browser or Other App)
publicIpAddress | src | IP Address (public)
removableMediaBusType | cs1 (custom CEF label: Code42AEDRemovableMediaBusType) | Device Bus Type (Removable Media)
removableMediaCapacity | cn1 (custom CEF label: Code42AEDRemovableMediaCapacity) | Device Capacity (Removable Media)
removableMediaName | cs3 (custom CEF label: Code42AEDRemovableMediaName) | Device Media Name (Removable Media)
removableMediaSerialNumber | cs4 | Device Serial Number (Removable Media)
removableMediaVendor | cs2 (custom CEF label: Code42AEDRemovableMediaVendor) | Device Vendor (Removable Media)
sharedWith | duser | Shared With
syncDestination | destinationServiceName | Sync Destination (Cloud)
url | filePath | URL
userUid | suid | n/a
windowTitle | requestClientApplication | Tab/Window Title
tabUrl | request | Tab URL
emailSender | suser | Sender
emailRecipients | duser | Recipients

Event mapping

See the table below to map exfiltration events to CEF signature IDs. 

Exfiltration event | CEF signature ID
CREATED | C42200
MODIFIED | C42201
DELETED | C42202
READ_BY_APP | C42203
EMAILED | C42204
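To see how the attribute and event mapping tables combine into one CEF line, and to produce test records for a SIEM parser without a live Code42 tenant, the converter below applies both tables to the article's example JSON event. It is an added example and not the Code42 CLI's own CEF writer: the CEF header values (vendor, product, version, severity) are placeholders the article does not specify, the escaping follows the standard CEF rules (backslash and pipe in the header; backslash, equals sign and line breaks in extension values), and where several JSON fields map to the same CEF key the first populated field in the table wins.

```python
from typing import Any, Dict, List

# JSON field -> CEF extension key, from the article's attribute mapping table.
# Several JSON fields share one CEF key (actor, deviceUserName and emailSender
# all map to suser; filePath and url both map to filePath); table order decides.
FIELD_MAP: Dict[str, str] = {
    "actor": "suser", "cloudDriveId": "aid", "createTimestamp": "fileCreateTime",
    "deviceUid": "deviceExternalId", "deviceUserName": "suser", "domainName": "dvchost",
    "eventId": "externalID", "eventTimestamp": "end", "exposure": "reason",
    "fileCategory": "fileType", "fileName": "fname", "filePath": "filePath",
    "fileSize": "fsize", "insertionTimestamp": "rt", "md5Checksum": "fileHash",
    "modifyTimestamp": "fileModificationTime", "osHostName": "shost",
    "processName": "sproc", "processOwner": "spriv", "publicIpAddress": "src",
    "removableMediaBusType": "cs1", "removableMediaCapacity": "cn1",
    "removableMediaName": "cs3", "removableMediaSerialNumber": "cs4",
    "removableMediaVendor": "cs2", "sharedWith": "duser",
    "syncDestination": "destinationServiceName", "url": "filePath", "userUid": "suid",
    "windowTitle": "requestClientApplication", "tabUrl": "request",
    "emailSender": "suser", "emailRecipients": "duser",
}

# Custom-field labels from the same table (the article gives none for cs4).
CUSTOM_LABELS = {
    "cs1": "Code42AEDRemovableMediaBusType", "cn1": "Code42AEDRemovableMediaCapacity",
    "cs3": "Code42AEDRemovableMediaName", "cs2": "Code42AEDRemovableMediaVendor",
}

# eventType -> CEF signature ID, from the article's event mapping table.
SIGNATURE_IDS = {"CREATED": "C42200", "MODIFIED": "C42201", "DELETED": "C42202",
                 "READ_BY_APP": "C42203", "EMAILED": "C42204"}

# Header values are placeholders for this example; the article does not state them.
VENDOR, PRODUCT, VERSION, SEVERITY = "Code42", "Security Data", "1", "5"


def escape_header(value: str) -> str:
    """CEF header fields: escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: escape backslash, equals sign and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Dict[str, Any]) -> str:
    """Render one parsed Code42 JSON file event as a single CEF line."""
    event_type = event.get("eventType", "")
    sig_id = SIGNATURE_IDS.get(event_type)
    if sig_id is None:
        raise ValueError(f"eventType {event_type!r} has no CEF signature ID")
    header = "|".join(["CEF:0"] + [escape_header(v) for v in
                                   (VENDOR, PRODUCT, VERSION, sig_id, event_type, SEVERITY)])
    extension: List[str] = []
    used = set()
    for json_key, cef_key in FIELD_MAP.items():
        value = event.get(json_key)
        if value is None or cef_key in used:
            continue  # absent/null field, or CEF key already taken by an earlier field
        used.add(cef_key)
        if isinstance(value, list):  # e.g. exposure can carry several types
            value = ",".join(str(v) for v in value)
        extension.append(f"{cef_key}={escape_extension(str(value))}")
        if cef_key in CUSTOM_LABELS:
            extension.append(f"{cef_key}Label={CUSTOM_LABELS[cef_key]}")
    return header + "|" + " ".join(extension)


# The article's example event (default JSON output), used here as sample input.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventId": "0_c4b5e830-824a-40a3-a6d9-345664cfbb33_942704829036142720_944009394534374185_342",
    "eventType": "CREATED", "eventTimestamp": "2020-03-05T14:45:49.662Z",
    "insertionTimestamp": "2020-03-05T15:10:47.930Z",
    "filePath": "C:/Users/sean.cassidy/Google Drive/",
    "fileName": "1582938269_Longfellow_Cloud_Arch_Redesign.drawio",
    "fileType": "FILE", "fileCategory": "DOCUMENT", "fileSize": 6025,
    "fileOwner": "Administrators", "md5Checksum": "9ab754c9133afbf2f70d5fe64cde1110",
    "sha256Checksum": "8c6ba142065373ae5277ecf9f0f68ab8f9360f42a82eb1dec2e1816d93d6b1b7",
    "createTimestamp": "2020-03-05T14:29:33.455Z", "modifyTimestamp": "2020-02-29T01:04:31Z",
    "deviceUserName": "sean.cassidy@example.com", "osHostName": "LAPTOP-091",
    "domainName": "192.168.65.129", "publicIpAddress": "71.34.10.80",
    "privateIpAddresses": ["fe80:0:0:0:8d61:ec3f:9e32:2efc%eth2", "192.168.65.129",
                           "0:0:0:0:0:0:0:1", "127.0.0.1"],
    "deviceUid": "942704829036142720", "userUid": "887050325252344565",
    "source": "Endpoint", "exposure": ["CloudStorage"], "syncDestination": "GoogleBackupAndSync",
}


def sample_cef_line() -> str:
    return to_cef(SAMPLE_EVENT)


if __name__ == "__main__":
    print(sample_cef_line())
```

Fields with no row in the table (fileType, fileOwner, sha256Checksum, privateIpAddresses, source) are dropped from the CEF line, which is worth knowing when you decide between the CEF and JSON output formats: if your SIEM rules need the SHA-256 or the private addresses, ingest JSON.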