Code42 app for Splunk Phantom

Overview

This article explains how to install and use the Code42 app for Splunk Phantom. Splunk Phantom is a security orchestration, automation, and response (SOAR) solution that lets you automate tasks, coordinate workflows, and enable incident response. The Code42 app for Splunk Phantom adds Code42-specific actions to your Splunk Phantom environment.

Considerations

To use the Code42 app for Splunk Phantom, you must have an existing Splunk Phantom environment. For directions about how to install and configure a Splunk Phantom environment, log in to your Splunk Phantom account and see the documentation.
Code42 Customer Champions can provide support for the Code42 app for Splunk Phantom. However, Code42 can't provide technical support for Splunk Phantom itself. Contact Splunk support for help with Splunk Phantom.
The devices used to run Splunk Phantom must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported by the Code42 app for Splunk Phantom.
To use some actions in the Code42 app for Splunk Phantom, you must have a Code42 product plan that includes File Metadata Collection. Contact your Customer Success Manager (CSM) for assistance with licensing.
The Code42 app for Splunk Phantom is different from the Code42 Insider Threat App for Splunk. For more information about the Code42 Insider Threat App for Splunk, see the following articles:
- Install and manage the Code42 Insider Threat app for Splunk
- Code42 Insider Threat app for Splunk reference

Before you begin

Prepare a user account in your Code42 environment for configuring the Code42 app for Splunk Phantom. This user account is used to authenticate and access data in your Code42 environment.

Permissions: The Code42 app for Splunk Phantom returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. We recommend you assign the roles in our use case for managing a security application integrated with Code42. After assigning roles, you should test to confirm that the user can access the right data.
Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure your Code42 app for Splunk Phantom. Users without a Code42 app archive will not consume a license.

Install the Code42 app for Splunk Phantom

Step 1: Download the app

Log in to your Splunk Phantom account.
In the Splunk Phantom menu bar, select Apps > For Phantom.
In the Search Apps box, enter "Code42".
The search returns the Code42 app.
To the right of Code42, select Download.
The phantom_code42-<version>.rpm file is downloaded.

Step 2: Install the app and add assets

Open your Splunk Phantom environment.
In the upper-left corner, click the main menu button (labeled Home by default) and select Apps.
Click INSTALL APP.
Drag the Code42 app file (phantom_code42-<version>.rpm) into the Install App dialog.
Click INSTALL.
Type "Code42" in the Search app names box.
The Code42 app appears in the Unconfigured Apps tab.
To the right of the Code42 app, click CONFIGURE NEW ASSET. "Assets" are the Code42 environments you want to monitor.
1. On the Asset Info tab, enter the asset name and description.
2. On the Asset Settings tab, in the Server URL field, enter the full hostname or IP address of an instance of the Code42 cloud from which you want to gather data. If you don't know the URL for your Code42 environment, contact our Customer Champions for support.
  - If you sign in to the Code42 console at https://console.us2.code42.com, enter: https://console.use.code42.com
  - If you sign in to the Code42 console at https://console.us.code42.com, enter: https://authority-east-lb.us.code42.com
  - If you sign in to the Code42 console for the Ireland Code42 cloud at https://console.ie.code42.com, enter: https://authority-default-lb.ie.code42.com
  - If you sign in to the Code42 console for the Code42 federal environment at https://console.gov.code42.com, enter:
    https://console.gov.code42.com
3. In the Username and Password fields, enter the credentials of the Code42 user that you want to use to authenticate.
4. Select Save.
5. On the Asset Settings tab, select TEST CONNECTIVITY.
  If the URL, username, and password are correct, you'll see that the connection to the asset was successful. If connection is not successful, check these settings.
6. Add additional assets if needed. Enter information for each Code42 cloud instance from which you want to receive data.

Access in-app documentation

In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
In the Code42 entry, click the Documentation link.
Under the Supported Actions heading, see the documentation for Code42 actions that you can use in your Splunk Phantom environment.

Code42 actions

You can run the following Code42 actions in your Splunk Phantom environment. The following table shows the parameters to enter for each action.

For more detailed information about the action parameters and outputs, see the documentation in the Code42 app for Splunk. For more general information about actions, see the Splunk Phantom documentation.

Action	Description	Parameters to supply to the action
activate device	Activates a device.	Device ID (computerId attribute)
activate user	Activates a user.	User ID (userId attribute)
change organization	Moves a user to a specific organization.	User ID (userId attribute) Organization ID (OrgId attribute)
deactivate device	Deactivates a device. For Code42 environments that use customized Code42 app installers configured to auto-register users, Code42 recommends you run the quarantine device action to block the device before deactivating. Without first blocking the device, it may reactivate automatically.	Device ID (computerId attribute)
deactivate user	Deactivates a user.	User ID (userId attribute)
deauthorize device	Deauthorizes a device.	Device ID (computerId attribute)
hunt file	Searches for a file using Forensic Search.	MD5 of the file
list devices	Lists all devices on the asset.	None
list organizations	Lists all organizations on the asset.	None
list users	Lists all users on the asset.	None
lock device	Deprecated Invokes an access lock on a specified device.	Device ID (computerId attribute)
quarantine device	Blocks a device.	Device ID (computerId attribute)
run query	Runs a query using Forensic Search. For use cases on how to employ this query to alert on a multitude of security issues such as malware or file exfiltration, see Forensic Search use cases.	Forensic Search parameters: Start time¹ End time¹ File event: New file Modified No longer observed File hash Filename File path Hostname Username IP address (private) IP address (public) Query (in JSON format)
unlock device	Deactivates an access lock on a specified device.	Device ID (computerId attribute)
unquarantine device	Unblocks a device.	Device ID (computerId attribute)
test connectivity	Validates the asset configuration for connectivity using the supplied configuration.	NA

¹Use UNIX Epoch time for start time and end time. Start time and end time fields are required if the Query field is not used; if the Query field is used, all other fields are ignored.

Uninstall the Code42 app for Splunk Phantom

In the upper-left corner of your Splunk Phantom environment, click the main menu button (labeled Home by default) and select Apps.
Type "Code42" in the Search app names box.
The Code42 app appears in the Configured Apps tab.
Under Configured Apps, select Code42.
Click the uninstall button to the right of the Code42 app.
The Code42 app is uninstalled.

Release history for the Code42 app for Splunk Phantom

Following are release highlights. For complete release notes, see the in-app documentation.

Version 1.0.24

September 26, 2019

Fixes an issue that caused the lock device action to fail.
Fixes the known issue in version 1.0.5 of requests going to a single Code42 cloud URL when performing the run query action.

Version 1.0.5

November 2, 2018

Initial release of the Code42 app for Splunk Phantom.

Known issue

For the run query action, requests go to a single Code42 cloud URL regardless of the URL entered when you configured the asset. Requests go to https://authority-east-lb.us.code42.com, the URL used by Code42 environments that access the Code42 console at https://console.us.code42.com.

To resolve this issue, install the latest version of the Code42 app for Splunk Phantom.

This problem affects your installation if you use the run query action and you have a different Code42 cloud URL in your asset configuration:

Code42 environments that access the Code42 console at https://console.us2.code42.com use URL https://console.us2.code42.com
Code42 environments connecting to the Ireland Code42 cloud and access the Code42 console at https://console.ie.code42.com use URL https://authority-default-lb.ie.code42.com