Code42 App for Splunk Phantom
Overview
This article explains how to install and use the Code42 Phantom App. Splunk Phantom (also known as Splunk SOAR) is a security orchestration, automation, and response (SOAR) solution that lets you automate tasks, coordinate workflows, and enable incident response. The Code42 Phantom App adds Code42-specific actions to your Splunk Phantom environment.
Considerations
- To use the Code42 Phantom App, you must have an existing Splunk Phantom environment. For directions about how to install and configure a Splunk Phantom environment, log in to your Splunk Phantom account and see the documentation.
- Code42 Customer Champions can provide support for the Code42 Phantom App. However, Code42 can't provide technical support for Splunk Phantom itself. Contact Splunk support for help with Splunk Phantom.
- The devices used to run Splunk Phantom must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported by the Code42 Phantom App.
- To use some actions in the Code42 Phantom App, you must have a Code42 product plan that includes File Metadata Collection. Contact your Customer Success Manager (CSM) for assistance with licensing.
- The Code42 Phantom App is different from the Code42 Insider Threat App for Splunk. For more information about the Code42 Insider Threat App for Splunk, see the following articles:
Before you begin
Prepare a user account in your Code42 environment for configuring the Code42 Phantom App. This user account is used to authenticate and access data in your Code42 environment.
- Permissions: The Code42 Phantom App returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. Assign the roles shown in our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the right data.
- Licensing: As a best practice, create a user in your Code42 environment that is exclusively used to configure your Code42 Phantom App. Users without a Code42 app archive will not consume a license.
Install the Code42 Phantom App
Step 1: Download the app
- Log in to your Splunk Phantom account.
- In the Splunk Phantom menu bar, select Apps > For Phantom.
- In the Search Apps box, enter "Code42".
- To the right of Code42 v2 (version 1.0.1), select Download.
The phantom_code42v2-1.0.1.x86_64.rpm file is downloaded.
Step 2: Install the app and add assets
- Open your Splunk Phantom environment.
- In the upper-left corner, click the main menu button (labeled Home by default) and select Apps.
- Click INSTALL APP.
- Drag the Code42 app file (phantom_code42v2-1.0.1.x86_64.rpm) into the Install App dialog.
- Click INSTALL.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Unconfigured Apps tab.
- To the right of the Code42 app, click CONFIGURE NEW ASSET. "Assets" are the Code42 environments you want to monitor.
- On the Asset Info tab, enter the asset name and description.
- On the Asset Settings tab, in the Cloud instance to connect to field, enter the full hostname or IP address of an instance of the Code42 cloud from which you want to gather data. If you don't know the URL for your Code42 environment, contact our Technical Support Engineers.
- If you sign in to the Code42 console at https://console.us.code42.com (US1), enter:
https://console.us.code42.com
- If you sign in to the Code42 console at https://console.us2.code42.com (US2), enter:
https://www.code42.com
- If you sign in to the Code42 console for the Code42 federal environment at https://console.gov.code42.com (US3), enter:
https://console.gov.code42.com
- If you sign in to the Code42 console for the Ireland Code42 cloud at https://console.ie.code42.com (EU1), enter:
https://console.ie.code42.com
- In the Username to connect with and Password to connect with fields, enter the credentials of the Code42 user that you want to use to authenticate.
- By default, the app polls for the last 30 days of alerts. To change this, enter values for the optional fields.
To change additional polling settings, on the Ingest Settings tab click Edit. (After the asset is configured, click Poll Now to poll for alerts.)
- Select Save.
- On the Asset Settings tab, select TEST CONNECTIVITY.
If the URL, username, and password are correct, you'll see that the connection to the asset was successful. If the connection is not successful, check these settings.
- Add additional assets if needed. Enter information for each Code42 cloud instance from which you want to receive data.
Step 3: Access in-app documentation
- In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
- In the Code42 entry, click the Documentation link.
- Under the Supported Actions heading, see the documentation for Code42 actions that you can use in your Splunk Phantom environment.
Code42 actions
You can run the following Code42 actions in your Splunk Phantom environment.
For detailed information about the action parameters and outputs, see the in-app documentation for the Code42 Phantom App (see Step 3 above). For more general information about actions, see the Splunk Phantom documentation.
| Action | Description |
|---|---|
| add case event | Add a case. |
| add departing employee | Add a departing employee to the Departing Employees list. |
| add highrisk employee | Add a high risk employee to the High Risk Employees list. |
| add highrisk tag | Add a risk factor to a user. |
| add legalhold custodian | Add a user (custodian) to a legal hold matter. |
| block user | Blocks a user from accessing their Code42 account. |
| close case | Close a case. |
| create user | Create a new Code42 user account. |
| deactivate user | Deactivates a user's Code42 account. |
| get alert details | Get alert details. |
| get departing employee | Get a departing employee. |
| get highrisk employee | Get a high risk employee. |
| get user profile | View a user profile. |
| hunt file | Searches Code42 for a backed-up file with a matching file hash and downloads it. |
| list cases | Output a list of cases. |
| list departing employees | Returns a list of users who are on the Departing Employees list. |
| list highrisk employees | Returns a list of users who are on the High Risk Employees list. |
| on poll | Queries for the last 30 days of alerts. You can change polling settings when you configure an asset. |
| reactivate user | Reactivates a deactivated user's Code42 account. |
| remove departing employee | Remove a departing employee from the Departing Employees list. |
| remove highrisk employee | Remove a high risk employee from the High Risk Employees list. |
| remove highrisk tag | Remove a risk factor from a user. |
| remove legalhold custodian | Remove a user (custodian) from a legal hold matter. |
| run advanced query | Run an advanced query using JSON. |
| run query | Search for Code42 file events. |
| search alerts | Search alerts. |
| set alert state | Set the status of an alert. |
| test connectivity | Validate the asset configuration for connectivity using the supplied configuration. |
| unblock user | Unblocks a user, allowing access to their Code42 account. |
| update case | Edit a case. |
Code42 playbook
The Code42 playbook contains a flow for a sample investigation.
Install the Code42 playbook
- Log in to your Splunk Phantom account.
- In the Splunk Phantom menu bar, select Playbooks.
- In the Search Playbooks box, enter "Code42".
The search returns the Code42 playbook.
- To the right of the Code42 playbook entry, select View Details.
- Click Get Playbook.
For information about configuring a source control repository to get playbooks, see the Splunk Phantom documentation.
- Open your Splunk Phantom environment.
- In the upper-left corner, click the main menu button (labeled Home by default) and select Playbooks.
- Click Update from Source Control to update your Splunk Phantom environment with playbooks.
For information about viewing playbooks, see the Splunk Phantom documentation.
- In Search playbook names, enter "Code42".
The search returns the Code42 playbook.
Code42 playbook flow
The Code42 playbook flow begins with a Code42 alert and allows an analyst to investigate and respond to the event:
- Playbook is triggered from a Code42 alert.
- Retrieve alert details.
- Further investigation needed:
- Yes: Retrieve all file events associated with the alert.
- No: End playbook.
- Open a case.
- Add file events to the case.
- Hunt for files.
- Get user profile.
- Decide whether to send emails to the user and their manager.
- Decide whether a response is needed, and if so, choose response:
- Add user to Legal Hold
- Add user to High Risk Employees list
- Block user
- Update case.
- Close case.
Uninstall the Code42 Phantom App
- In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
- Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
- Under Configured Apps, select Code42.
- Click the trash can button to the right of the Code42 app.
The Code42 app is uninstalled.
Release history
Following are release highlights. For complete release notes, see the in-app documentation.
Code42 Phantom App
Version 1.0.1
February 8, 2022
Initial release of the Code42 Phantom App developed by Code42.
Code42 app for Splunk Phantom
Version 1.0.24
September 26, 2019
- Fixes an issue that caused the lock device action to fail.
- Fixes the known issue in version 1.0.5 of requests going to a single Code42 cloud URL when performing the run query action.
Version 1.0.5
November 2, 2018
Initial release of the Code42 app for Splunk Phantom developed by Splunk.
Known issue
For the run query action, requests go to a single Code42 cloud URL regardless of the URL entered when you configured the asset. Requests go to https://authority-east-lb.us.code42.com, the URL used by Code42 environments that access the Code42 console at https://console.us.code42.com.
To resolve this issue, install the latest version of the Code42 app for Splunk Phantom.
This problem affects your installation if you use the run query action and you have a different Code42 cloud URL in your asset configuration:
- Code42 environments that access the Code42 console at https://console.us2.code42.com use the URL https://console.us2.code42.com
- Code42 environments that connect to the Ireland Code42 cloud and access the Code42 console at https://console.ie.code42.com use the URL https://authority-default-lb.ie.code42.com