
Who is this article for?

Find your product plan in the Code42 console on the Account menu.

  • Incydr Professional, Enterprise, Horizon, and Gov F2: yes
  • Incydr Basic, Advanced, and Gov F1: yes
  • Instructor: no
  • CrashPlan Cloud: no
  • CrashPlan for Small Business: no


Code42 App for Splunk Phantom

Overview

This article explains how to install and use the Code42 Phantom App. Splunk Phantom (also known as Splunk SOAR) is a security orchestration, automation, and response (SOAR) solution that lets you automate tasks, coordinate workflows, and enable incident response. The Code42 Phantom App adds Code42-specific actions to your Splunk Phantom environment. 

Considerations

Before you begin

Prepare a user account in your Code42 environment for configuring the Code42 Phantom App. This user account is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 Phantom App returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. Assign the roles shown in our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the right data. 
  • Licensing: As a best practice, create a user in your Code42 environment that is exclusively used to configure your Code42 Phantom App. Users without a Code42 app archive will not consume a license.

Install the Code42 Phantom App

Step 1: Download the app

  1. Log in to your Splunk Phantom account.
  2. In the Splunk Phantom menu bar, select Apps > For Phantom.
  3. In the Search Apps box, enter "Code42".
  4. To the right of Code42 v2 (version 1.0.1), select Download.
    The phantom_code42v2-1.0.1.x86_64.rpm file is downloaded.

Step 2: Install the app and add assets

  1. Open your Splunk Phantom environment. 
  2. In the upper-left corner, click the main menu button (labeled Home by default) and select Apps.
  3. Click INSTALL APP.
  4. Drag the Code42 app file (phantom_code42v2-1.0.1.x86_64.rpm) into the Install App dialog.
  5. Click INSTALL.
  6. Type "Code42" in the Search app names box.
    The Code42 app appears in the Unconfigured Apps tab.
  7. To the right of the Code42 app, click CONFIGURE NEW ASSET. "Assets" are the Code42 environments you want to monitor.
    1. On the Asset Info tab, enter the asset name and description.
    2. On the Asset Settings tab, in the Cloud instance to connect to field, enter the full hostname or IP address of an instance of the Code42 cloud from which you want to gather data. If you don't know the URL for your Code42 environment, contact our Customer Champions for support.
    3. In the Username to connect with and Password to connect with fields, enter the credentials of the Code42 user that you want to use to authenticate.
    4. By default the app polls for the last 30 days of alerts. To change this, enter values for the optional fields.
      To change additional polling settings, in the Ingest Settings tab click Edit. (After the asset is configured, click Poll Now to poll for alerts.)
    5. Select Save.
    6. On the Asset Settings tab, select TEST CONNECTIVITY.
      If the URL, username, and password are correct, you'll see that the connection to the asset was successful. If the connection is not successful, check these settings.
  8. Add additional assets if needed. Enter information for each Code42 cloud instance from which you want to receive data.

Step 3: Access in-app documentation

  1. In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
  2. Type "Code42" in the Search app names box.
    The Code42 app appears in the Configured Apps tab.
  3. In the Code42 entry, click the Documentation link.
  4. Under the Supported Actions heading, see the documentation for Code42 actions that you can use in your Splunk Phantom environment.

Code42 actions

You can run the following Code42 actions in your Splunk Phantom environment. 

For detailed information about the action parameters and outputs, see the in-app documentation for the Code42 Phantom App (see Step 3 above). For more general information about actions, see the Splunk Phantom documentation.

Action                      Description
add case event              Add a case.
add departing employee      Add a departing employee to the Departing Employees list.
add highrisk employee       Add a high risk employee to the High Risk Employees list.
add highrisk tag            Add a risk factor to a user.
add legalhold custodian     Add a user (custodian) to a legal hold matter.
block user                  Blocks a user from accessing their Code42 account.
close case                  Close a case.
create user                 Create a new Code42 user account.
deactivate user             Deactivates a user's Code42 account.
get alert details           Get alert details.
get departing employee      Get a departing employee.
get highrisk employee       Get a high risk employee.
get user profile            View a user profile.
hunt file                   Searches Code42 for a backed-up file with a matching file hash and downloads it.
list cases                  Output a list of cases.
list departing employees    Returns a list of users who are on the Departing Employees list.
list highrisk employees     Returns a list of users who are on the High Risk Employees list.
on poll                     Queries for the last 30 days of alerts. You can change polling settings when you configure an asset.
reactivate user             Reactivates a deactivated user's Code42 account.
remove departing employee   Remove a departing employee from the Departing Employees list.
remove highrisk employee    Remove a high risk employee from the High Risk Employees list.
remove highrisk tag         Remove a risk factor from a user.
remove legalhold custodian  Remove a user (custodian) from a legal hold matter.
run advanced query          Run an advanced query using JSON. For examples that show how to use JSON to perform searches with the Forensic Search API, see Forensic Search API.
run query                   Search for Code42 file events.
search alerts               Search alerts.
set alert state             Set the status of an alert.
test connectivity           Validate the asset configuration for connectivity using the supplied configuration.
unblock user                Unblocks a user, allowing access to their Code42 account.
update case                 Edit a case.
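The run advanced query action takes a JSON query body, and an analyst who hands it one from a playbook usually wants to bound it (a time window, a page-size cap, only known filter terms) before it is sent. The following Python helper is an added example written for this article; it is not code from the article or from the Code42 Phantom App. It assumes the filter terms, operators and body layout of the public Forensic Search API v1 file-event schema (verify them against the Forensic Search API documentation the table links to), and the page-size ceiling, the 90-day window cap and the sample hash are constructed values.

```python
"""Build and sanity-check the JSON body for the "run advanced query" action
(a Code42 Forensic Search file-event query). Added example, not part of the
Code42 Phantom App."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: terms and operators below follow the public Forensic Search
# API v1 file-event schema as recalled by the author of this example. Verify
# against the Forensic Search API documentation before adding new ones.
ALLOWED_TERMS = {
    "md5Checksum", "sha256Checksum", "fileName", "filePath",
    "deviceUserName", "eventType", "exposure", "eventTimestamp",
}
ALLOWED_OPERATORS = {"IS", "IS_NOT", "EXISTS", "ON_OR_AFTER", "ON_OR_BEFORE"}
MAX_PAGE_SIZE = 10000  # assumed API ceiling per page
MAX_WINDOW_DAYS = 90   # constructed local policy: no query reaches back further

# Constructed fixed "now" so the example (and its checks) are deterministic.
SAMPLE_NOW = datetime(2022, 2, 8, 12, 0, tzinfo=timezone.utc)


def _ts(dt):
    """Format a datetime as the UTC, millisecond-precision string the API expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_file_event_query(filters, *, days_back=30, pg_size=100,
                           filter_clause="AND", now=None):
    """Return the query body as a dict.

    filters: iterable of (term, operator, value) tuples. A time bound on
    eventTimestamp is always added in its own AND group, so even OR-ed caller
    filters cannot widen the query to the whole retention period. The 30-day
    default mirrors what the app's on poll action queries.
    """
    if not 1 <= days_back <= MAX_WINDOW_DAYS:
        raise ValueError(f"days_back must be between 1 and {MAX_WINDOW_DAYS}")
    if not 1 <= pg_size <= MAX_PAGE_SIZE:
        raise ValueError(f"pg_size must be between 1 and {MAX_PAGE_SIZE}")
    if filter_clause not in ("AND", "OR"):
        raise ValueError("filter_clause must be AND or OR")

    built = []
    for term, operator, value in filters:
        if term not in ALLOWED_TERMS:
            raise ValueError(f"unknown filter term: {term!r}")
        if operator not in ALLOWED_OPERATORS:
            raise ValueError(f"unknown operator: {operator!r}")
        entry = {"term": term, "operator": operator}
        if operator != "EXISTS":      # EXISTS takes no value
            entry["value"] = str(value)
        built.append(entry)
    if not built:
        raise ValueError("at least one filter is required")

    since = (now or datetime.now(timezone.utc)) - timedelta(days=days_back)
    return {
        "groups": [
            {"filters": built, "filterClause": filter_clause},
            {"filters": [{"term": "eventTimestamp", "operator": "ON_OR_AFTER",
                          "value": _ts(since)}],
             "filterClause": "AND"},
        ],
        "groupClause": "AND",
        "pgNum": 1,
        "pgSize": pg_size,
        "srtDir": "asc",
        "srtKey": "eventId",
    }


def query_for_file_hash(md5=None, sha256=None, **kwargs):
    """Events for a file identified by hash, the same question 'hunt file' asks."""
    filters = []
    if md5:
        filters.append(("md5Checksum", "IS", md5))
    if sha256:
        filters.append(("sha256Checksum", "IS", sha256))
    return build_file_event_query(filters, filter_clause="OR", **kwargs)


def is_valid_query(filters, **kwargs):
    """True if build_file_event_query accepts the input, False if it rejects it."""
    try:
        build_file_event_query(filters, **kwargs)
        return True
    except ValueError:
        return False


def to_action_parameter(body):
    """Serialise the body to the compact JSON string the action parameter takes."""
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: MD5 of an empty file, used only as a placeholder hash.
    body = query_for_file_hash(md5="d41d8cd98f00b204e9800998ecf8427e", now=SAMPLE_NOW)
    print(to_action_parameter(body))
```

The time bound sits in its own group joined with groupClause AND, so a caller who ORs several hash filters together still gets a query limited to the last `days_back` days; the least-privilege user from the Before you begin section then only ever pulls the window the playbook needs.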

Code42 playbook

The Code42 playbook contains a flow for a sample investigation.

Install the Code42 playbook

  1. Log in to your Splunk Phantom account.
  2. In the Splunk Phantom menu bar, select Playbooks.
  3. In the Search Playbooks box, enter "Code42".
    The search returns the Code42 playbook.
  4. To the right of the Code42 playbook entry, select View Details.
  5. Click Get Playbook.
    For information about configuring a source control repository to get playbooks, see the Splunk Phantom documentation.
  6. Open your Splunk Phantom environment. 
  7. In the upper-left corner, click the main menu button (labeled Home by default) and select Playbooks.
  8. Click Update from Source Control to update your Splunk Phantom environment with playbooks.
    For information about viewing playbooks, see the Splunk Phantom documentation.
  9. In Search playbook names, enter "Code42". 
    The search returns the Code42 playbook.

Code42 playbook flow

The Code42 playbook flow begins with a Code42 alert and allows an analyst to investigate and respond to the event:

  1. Playbook is triggered from a Code42 alert.
  2. Retrieve alert details.
  3. Further investigation needed:
    • Yes: Retrieve all file events associated with the alert.
    • No: End playbook.
  4. Open a case.
  5. Add file events to the case.
  6. Hunt for files.
  7. Get user profile.
  8. Decide whether to send emails to the user and their manager.
  9. Decide whether a response is needed, and if so, choose response:
    • Add user to Legal Hold
    • Add user to High Risk Employees list
    • Block user
  10. Update case.
  11. Close case.

Uninstall the Code42 Phantom App

  1. In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
  2. Type "Code42" in the Search app names box.
    The Code42 app appears in the Configured Apps tab.
  3. Under Configured Apps, select Code42.
  4. Click the trash can button to the right of the Code42 app.
    The Code42 app is uninstalled.

Release history

Following are release highlights. For complete release notes, see the in-app documentation.

Code42 Phantom App

Version 1.0.1

February 8, 2022

Initial release of the Code42 Phantom App developed by Code42.

Code42 app for Splunk Phantom

Version 1.0.24

September 26, 2019

  • Fixes an issue that caused the lock device action to fail. 
  • Fixes the known issue in version 1.0.5 of requests going to a single Code42 cloud URL when performing the run query action.  

Version 1.0.5

November 2, 2018

Initial release of the Code42 app for Splunk Phantom developed by Splunk.

Known issue

For the run query action, requests go to a single Code42 cloud URL regardless of the URL entered when you configured the asset. Requests go to https://authority-east-lb.us.code42.com, the URL used by Code42 environments that access the Code42 console at https://console.us.code42.com.  

To resolve this issue, install the latest version of the Code42 app for Splunk Phantom.

This problem affects your installation if you use the run query action and you have a different Code42 cloud URL in your asset configuration:
