
Who is this article for?

Applies to: Incydr Professional, Enterprise, Gov F2, and Horizon; Incydr Basic, Advanced, and Gov F1; and retired product plans.
Does not apply to: Instructor, CrashPlan Cloud, and CrashPlan for Small Business.

Find your product plan in the Code42 console on the Account menu.
Not an Incydr customer? For CrashPlan articles, search or browse.


Integrate Code42 with Rapid7


Rapid7 InsightIDR is a security platform that combines security information and event management (SIEM), user behavior analytics (UBA), and endpoint detection and response (EDR) capabilities. This tutorial explains how to ingest file exfiltration event data from Code42 into Rapid7 InsightIDR using a Rapid7 Collector and the Code42 command-line interface (CLI).



  • For more detailed information about setting up and configuring the Rapid7 Collector, see Rapid7's InsightIDR Collector Overview documentation.
  • This article describes, as an example, how to download, install, and configure the Rapid7 Collector on the same dedicated machine (CentOS 7.3) as the Code42 CLI.

Code42 command-line interface (CLI)

  • Python version 3.5 or later is required. For instructions on downloading and installing Python, see the Python documentation.
  • Your orchestration server must be able to reach your Code42 console address over HTTPS (outbound TCP ports 80 and 443).
  • For instructor-led training on using the Code42 CLI, visit the Code42 University.

Before you begin

Prepare a Code42 user account

To integrate with Rapid7 InsightIDR using the Code42 CLI, create a dedicated Code42 service account. It must be a local (non-SSO) user, and it must be assigned the roles that grant the required permissions; use the roles listed in our use case for managing a security application integrated with Code42. Use a dedicated account with only those roles rather than a personal administrator account, so the integration's permissions can be audited and revoked independently of any individual.

Install and configure the Code42 CLI

To integrate with Rapid7, you must first install the Code42 CLI and create a profile following the instructions in

Step 1: Collect file exfiltration event data

After you've created the service account and set up the Code42 CLI, create a scheduled task (Windows) or cron job (Linux) that runs the query on a schedule and sends the resulting events to the Rapid7 collector.

Linux cron job

Windows automated task
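The wrapper below is an added example for this article, not code from Code42 or Rapid7. It runs the Code42 CLI's security-data send-to subcommand from either a Linux cron job or a Windows scheduled task, using a CLI checkpoint so each run resumes where the previous one stopped, and a lock file so two overlapping runs cannot send the same events twice. The collector address (collector.example.internal:514), the protocol (TCP), the profile name (rapid7) and the checkpoint name (rapid7-syslog) are assumed values; the option names follow the CLI's documented send-to options, so confirm them against `code42 security-data send-to --help` for your installed version. It also assumes the first run of a new checkpoint needs a begin date.

```python
"""Scheduled Code42 -> Rapid7 forwarder (added example, not Code42's or Rapid7's code).

Wraps `code42 security-data send-to` so it can be run from cron or Task Scheduler.
Assumed values: CLI profile "rapid7", collector collector.example.internal:514/TCP,
checkpoint name "rapid7-syslog". Verify option names with the CLI's --help output.
"""
import logging
import os
import subprocess
import sys
import time

COLLECTOR = "collector.example.internal:514"  # assumed collector host:port
PROTOCOL = "TCP"                              # CLI accepts TCP, UDP or TLS-TCP
PROFILE = "rapid7"                            # assumed CLI profile name
CHECKPOINT = "rapid7-syslog"                  # CLI checkpoint: resumes where the last run stopped
LOCKFILE = os.path.join(os.path.expanduser("~"), ".code42-rapid7.lock")
STALE_LOCK_SECONDS = 3600                     # a lock older than this is treated as abandoned
RUN_TIMEOUT_SECONDS = 900
VALID_PROTOCOLS = ("TCP", "UDP", "TLS-TCP")


def parse_endpoint(endpoint):
    """Split 'host:port' and validate the port. The CLI defaults the port to 514 when it
    is omitted, but being explicit avoids sending to the wrong listener."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("endpoint must be host:port, got %r" % endpoint)
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError("port out of range: %d" % port_num)
    return host, port_num


def build_argv(endpoint, protocol, checkpoint, profile, begin=None):
    """Build the CLI command as an argv list so no shell is involved and values
    cannot be re-tokenised. `begin` is only needed the first time a checkpoint is used."""
    host, port = parse_endpoint(endpoint)
    if protocol not in VALID_PROTOCOLS:
        raise ValueError("protocol must be one of %s" % (VALID_PROTOCOLS,))
    argv = ["code42", "security-data", "send-to", "%s:%d" % (host, port),
            "--protocol", protocol, "--use-checkpoint", checkpoint, "--profile", profile]
    if begin:
        argv += ["--begin", begin]
    return argv


def acquire_lock(path, stale_after):
    """Create the lock file exclusively. If a dead run left it behind (older than
    stale_after seconds), reclaim it once. Returns True if this process holds the lock."""
    for _ in range(2):
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
        except FileExistsError:
            if time.time() - os.path.getmtime(path) < stale_after:
                return False
            os.remove(path)  # stale lock: remove and retry once
            continue
        os.write(fd, str(os.getpid()).encode())
        os.close(fd)
        return True
    return False


def release_lock(path):
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def run_once(argv, lockfile=LOCKFILE, timeout=RUN_TIMEOUT_SECONDS):
    """Run the CLI once under the lock. Returns the CLI exit code, 75 (EX_TEMPFAIL)
    if another run is still active, 127 if the CLI is not installed."""
    log = logging.getLogger("code42-rapid7")
    if not acquire_lock(lockfile, STALE_LOCK_SECONDS):
        log.warning("previous run still active; skipping this interval")
        return 75
    try:
        log.info("running: %s", " ".join(argv))
        result = subprocess.run(argv, timeout=timeout)
        if result.returncode != 0:
            log.error("CLI exited with %d", result.returncode)
        return result.returncode
    except FileNotFoundError:
        log.error("code42 CLI not found on PATH")
        return 127
    except subprocess.TimeoutExpired:
        log.error("CLI did not finish within %ds", timeout)
        return 1
    finally:
        release_lock(lockfile)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    # On the very first run pass a begin date (e.g. 2020-09-01) as the only argument.
    first_run_begin = sys.argv[1] if len(sys.argv) > 1 else None
    sys.exit(run_once(build_argv(COLLECTOR, PROTOCOL, CHECKPOINT, PROFILE, first_run_begin)))
```

Schedule it with a crontab entry such as `*/5 * * * * python3 /opt/code42/forward_to_rapid7.py` (path assumed) on Linux, or a Task Scheduler action that runs the same command on Windows. Because the script returns a non-zero exit code when the CLI fails or is skipped, the scheduler's logs show when forwarding silently stopped.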

Step 2: Configure log collection into Rapid7 InsightIDR 

Download, install, and configure the Rapid7 InsightIDR collector either on the orchestration server you are using for the Code42 CLI or on another dedicated system. For more information, see the Rapid7 documentation.

Download and install the collector

  1. Sign in to the Rapid7 InsightIDR console.
  2. If necessary based on your Rapid7 products, click Open on the InsightIDR tile.
  3. From the left menu, select Data Collection.
  4. Select Setup Collector > Download Collector.
  5. Select the download option for your environment (Windows or Linux).
  6. Install the collector following the instructions in the Rapid7 documentation.

Copy the Agent key for Linux installations
Once the installation completes successfully, copy the Agent key as directed in the instructions for Linux. The Agent key is required to activate the collector in the following steps.

Activate the collector 

Once the collector is installed and the service is started, go back to the Rapid7 InsightIDR console in your web browser. 

  1. Select Data Collection from the left menu. 
  2. Select Setup Collector > Activate Collector.  
  3. Enter a Collector Name.
  4. Paste the agent key from the previous step into the Activation Token field. 
  5. Once the activation process completes, the collector appears on the Collectors screen. 

Step 3: Configure the Code42 source for collection by the agent

  1. From the Data Collection Management page, select the Event Sources tab.
  2. Click Add Event Source.
  3. Scroll down to the Raw Data section and select Custom Logs.
    The Add Event Source window opens.
  4. Select the collector you added previously.
  5. For the Event Source Type, select Rapid7 Custom Logs.
  6. For the Collection Method, select Listen on Network Port if you're using the Code42 CLI to send your data to the Rapid7 collector via syslog.
  7. Complete the remaining required fields, including the port the collector listens on. The port and protocol (TCP or UDP) must match what you configure in the Code42 CLI send-to command, and the orchestration server must be able to reach that port on the collector.
  8. Select Save.
    The source is now configured and logs begin flowing from the orchestration server to your Rapid7 InsightIDR environment.

Log type

The available log type is Code42 Exposure Events. 

Sample log message

{
  "eventId": "0_c4b5e830-824a-40a3-a6d9-345664cfbb33_941983451917189059_971295845574006661_193",
  "eventType": "READ_BY_APP",
  "eventTimestamp": "2020-09-09T20:55:47.087Z",
  "insertionTimestamp": "2020-09-09T20:57:22.179901Z",
  "fieldErrors": [],
  "filePath": "C:/Users/first.last/Documents/",
  "fileName": "filename.png",
  "fileType": "FILE",
  "fileCategory": "IMAGE",
  "fileCategoryByBytes": "Image",
  "fileCategoryByExtension": "Image",
  "fileSize": 4052619,
  "fileOwner": "first.last",
  "md5Checksum": "4d43da7448e03de913622559d35d84af",
  "sha256Checksum": "f25e1fb2665a6fa3edd505f4c4ffb8b5bd84a5f3e5373c0db8b76ebea678bedd",
  "createTimestamp": "2020-02-10T04:38:42Z",
  "modifyTimestamp": "2020-02-10T04:38:42Z",
  "deviceUserName": "",
  "osHostName": "FIRSTL-WIN10",
  "domainName": "",
  "publicIpAddress": "XXX.XXX.XX.XXX",
  "privateIpAddresses": ["XXX.XXX.XX.XXX", "fe80:0:0:0:1d77:dcdf:c593:1143%eth4", "0:0:0:0:0:0:0:1", ""],
  "deviceUid": "941983451917189059",
  "userUid": "902428473202283166",
  "actor": null,
  "directoryId": [],
  "source": "Endpoint",
  "url": null,
  "shared": null,
  "sharedWith": [],
  "sharingTypeAdded": [],
  "cloudDriveId": null,
  "detectionSourceAlias": null,
  "fileId": null,
  "exposure": ["ApplicationRead"],
  "processOwner": "first.last",
  "processName": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
  "windowTitle": ["Files - OneDrive - Google Chrome"],
  "tabUrl": "onedrive.aspx",
  "removableMediaVendor": null,
  "removableMediaName": null,
  "removableMediaSerialNumber": null,
  "removableMediaCapacity": null,
  "removableMediaBusType": null,
  "removableMediaMediaName": null,
  "removableMediaVolumeName": [],
  "removableMediaPartitionId": [],
  "syncDestination": null,
  "syncDestinationUsername": [],
  "emailDlpPolicyNames": null,
  "emailSubject": null,
  "emailSender": null,
  "emailFrom": null,
  "emailRecipients": null,
  "outsideActiveHours": false,
  "mimeTypeByBytes": "image/png",
  "mimeTypeByExtension": "image/png",
  "mimeTypeMismatch": false,
  "printJobName": null,
  "printerName": null,
  "printedFilesBackupPath": null,
  "remoteActivity": "TRUE",
  "trusted": true,
  "operatingSystemUser": "first.last"
}

Note the field types when writing queries: exposure is an array (so the dashboard queries below reference its first element as exposure.0), trusted, mimeTypeMismatch and outsideActiveHours are JSON booleans, while remoteActivity is the string "TRUE".

Step 4: Configure the Code42 dashboard 

Configure a dashboard in Rapid7 InsightIDR with visualizations based on specific Code42 use cases.

  1. Select Dashboards and Reporting.
  2. Create a new dashboard. See the Rapid7 documentation for detailed instructions. 
  3. Customize the visualization cards and create dashboards to meet your needs. These visualizations are only based on Code42 data and do not contain other data sources.


Visualization card samples 

Below are details for each sample visualization card: the visualization name, the type of visualization, and the query used for the visualization.

Total exposures

This visualization shows the total count of all Code42 exposure events in the last 30 days. 

  • Log Set: Code42 Incydr data 
  • Query: calculate(count) 
  • Visualization Option: # Calculated Number


Total exposures by source 

This visualization shows the number of Code42 exposure events in the last 30 days, per source.

  • Log Set: Code42 Incydr data 
  • Query: groupBy(source)calculate(count) 
  • Visualization Option: Table Data


Total Count - Untrusted Activity

This visualization shows the total count of Code42 exposure events from outside your trusted domains, in the last 30 days. 

  • Log Set: Code42 Incydr data 
  • Query: where(trusted=false)calculate(count) 
  • Visualization Option: # Calculated Number


Mime Type Mismatch Activity

This visualization shows MIME type mismatch activity (files whose content does not match their extension) within the last 30 days, grouped by deviceUserName, fileName, and md5Checksum.

  • Log Set: Code42 Incydr data 
  • Query: where(mimeTypeMismatch=true)groupBy(deviceUserName, fileName, md5Checksum) 
  • Visualization Option: Table Data


Removable Media Activity

This visualization shows the exposure events where users have moved files to removable media. It is grouped by username and filename. 

  • Log Set: Code42 Incydr data 
  • Query: where(exposure.0=RemovableMedia) groupBy(deviceUserName, fileName) 
  • Visualization Option: Pie Chart


Cloud Sharing Activity

This visualization shows Code42 cloud sharing exposure events (GoogleDrive, Box, and OneDrive only) in the last 30 days, grouped by source, exposure type, and actor. Each source value is compared explicitly; a bare term such as GoogleDrive in a where() clause would be a keyword search across the whole event rather than a match on the source field.

  • Log Set: Code42 Incydr data 
  • Query: where(source=Box OR source=GoogleDrive OR source=OneDrive)groupBy(source, exposure.0, actor) 
  • Visualization Option: Pie Chart


Unsanctioned Dropbox Activity by User 

This visualization shows Code42 exposure events related to Dropbox for the last 30 days. If Dropbox is not an approved application within your organization, this visualization helps identify unsanctioned cloud sharing activity. 

  • Log Set: Code42 Incydr data 
  • Query: where(destinationName = Dropbox)groupBy(deviceUserName)calculate(count) 
  • Visualization Option: Table Data


Zip File Exposures by User

This visualization shows Code42 zip file exposure events in the last 30 days, grouped by username.  

  • Log Set: Code42 Incydr data 
  • Query: where(fileCategory=Archive)groupBy(deviceUserName)calculate(count) 
  • Visualization Option: Table Data


Cloud Sharing Activity by File Category

This visualization shows Code42 cloud sharing activity (GoogleDrive, Box, and OneDrive only) in the last 30 days, grouped by source, actor, exposure type, file category, and filename. 

  • Log Set: Code42 Incydr data 
  • Query: where(source=Box OR source=GoogleDrive OR source=OneDrive)groupBy(source, actor, exposure.0, fileCategory, fileName) 
  • Visualization Option: Table Data


Outside active hours

This visualization shows file exposure activity that happened outside the hours an employee is typically active, in the last 30 days. 

  • Log Set: Code42 Incydr data 
  • Query: where(outsideActiveHours=true) groupBy(deviceUserName, fileName) 
  • Visualization Option: Table Data


AirDrop Syncs

This visualization shows the files shared via AirDrop in the last 30 days, grouped by user and file name. 

  • Log Set: Code42 Incydr data 
  • Query: where(processName="/usr/libexec/sharingd")groupBy(deviceUserName, fileName) 
  • Visualization Option: Table Data


Email exposures 

This visualization shows the files uploaded to an email provider via web browser in the last 30 days, grouped by username and filename. 

  • Log Set: Code42 Incydr data 
  • Query: where(destinationCategory = Email)groupBy(deviceUserName, fileName) 
  • Visualization Option: Pie Chart


Source Code Repository Activity

This visualization shows the files uploaded to a source code repository, by user, in the last 30 days. 

  • Log Set: Code42 Incydr data 
  • Query: where(destinationCategory = "Source Code Repository")groupBy(deviceUserName, destinationName) 
  • Visualization Option: Pie Chart
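The script below is an added example for this article, not Code42's or Rapid7's code. It applies the same conditions as the visualization queries above (untrusted activity, MIME type mismatch, removable media, cloud sharing, outside active hours, and AirDrop) to newline-delimited JSON events with the field names shown in the sample log message, so the field semantics (exposure as an array, booleans versus "TRUE" strings, actor versus deviceUserName) can be checked on the orchestration server before dashboards are built. The three events are constructed for the example and are not real data; the category names are the example's own.

```python
"""Triage Code42 exposure events with the same conditions as the dashboard queries.

Added example (not Code42's or Rapid7's code). Input is newline-delimited JSON with
the field names of the sample log message; the sample events are constructed.
"""
import json
from collections import Counter

CLOUD_SOURCES = {"Box", "GoogleDrive", "OneDrive"}   # sources used by the cloud sharing cards
AIRDROP_PROCESS = "/usr/libexec/sharingd"            # processName used by the AirDrop card
CHROME = "\\Device\\HarddiskVolume2\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"

# Constructed sample events (not real data); only the field names follow the sample message.
SAMPLE_LINES = [
    json.dumps({"eventId": "evt-1", "eventType": "READ_BY_APP", "source": "Endpoint",
                "deviceUserName": "first.last@example.com", "fileName": "filename.png",
                "fileCategory": "IMAGE", "exposure": ["ApplicationRead"], "trusted": True,
                "mimeTypeMismatch": False, "outsideActiveHours": False,
                "remoteActivity": "TRUE", "processName": CHROME, "actor": None}),
    json.dumps({"eventId": "evt-2", "eventType": "CREATED", "source": "Endpoint",
                "deviceUserName": "first.last@example.com", "fileName": "payroll.xlsx",
                "fileCategory": "Spreadsheet", "exposure": ["RemovableMedia"], "trusted": False,
                "mimeTypeMismatch": True, "outsideActiveHours": True,
                "remoteActivity": "FALSE", "processName": "explorer.exe", "actor": None}),
    json.dumps({"eventId": "evt-3", "eventType": "MODIFIED", "source": "GoogleDrive",
                "deviceUserName": "", "fileName": "roadmap.docx", "fileCategory": "Document",
                "exposure": ["SharedViaLink"], "trusted": False, "mimeTypeMismatch": False,
                "outsideActiveHours": False, "processName": None,
                "actor": "second.user@example.com"}),
]


def parse_event(line):
    """Parse one NDJSON line. Returns None for lines that are not Code42 events, so a
    stray line in the syslog stream cannot be mistaken for an exposure."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "eventId" not in event:
        return None
    exposures = event.get("exposure") or []      # LEQL's exposure.0 is the first element
    event["exposure"] = [exposures] if isinstance(exposures, str) else list(exposures)
    return event


def as_bool(value):
    """trusted/mimeTypeMismatch/outsideActiveHours arrive as JSON booleans, but
    remoteActivity arrives as the string "TRUE"; accept both forms."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def classify(event):
    """Return the set of dashboard categories the event falls into (possibly empty)."""
    tags = set()
    if not as_bool(event.get("trusted", True)):
        tags.add("untrusted")                         # where(trusted=false)
    if as_bool(event.get("mimeTypeMismatch")):
        tags.add("mime-mismatch")                     # where(mimeTypeMismatch=true)
    if event["exposure"] and event["exposure"][0] == "RemovableMedia":
        tags.add("removable-media")                   # where(exposure.0=RemovableMedia)
    if event.get("source") in CLOUD_SOURCES:
        tags.add("cloud-sharing")                     # where(source=Box OR ...)
    if as_bool(event.get("outsideActiveHours")):
        tags.add("outside-active-hours")              # where(outsideActiveHours=true)
    if event.get("processName") == AIRDROP_PROCESS:
        tags.add("airdrop")                           # where(processName="/usr/libexec/sharingd")
    return tags


def triage(lines):
    """Parse and classify every line. Returns per-category counts, the (user, file)
    pairs per category (the groupBy(deviceUserName, fileName) view), and the number
    of lines dropped as non-events."""
    counts, by_category, dropped = Counter(), {}, 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            dropped += 1
            continue
        # Endpoint events name the user in deviceUserName; cloud events name it in actor.
        who = event.get("deviceUserName") or event.get("actor") or "unknown"
        for tag in classify(event):
            counts[tag] += 1
            by_category.setdefault(tag, []).append((who, event.get("fileName")))
    return counts, by_category, dropped


if __name__ == "__main__":
    counts, groups, dropped = triage(SAMPLE_LINES)
    for tag, n in sorted(counts.items()):
        print("%-22s %d  %s" % (tag, n, groups[tag]))
    print("dropped non-event lines:", dropped)
```

Run it against a file of events captured from the CLI (for example, by redirecting `code42 security-data search -f JSON` to a file) to confirm that the counts match the corresponding dashboard cards for the same window; a mismatch usually means a field is absent or of a different type than the query assumes.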

