Overview
This article describes the dashboards available in the Code42 Insider Threat app for Splunk. Splunk is a solution for data analytics, monitoring, and visualization. The Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show activity happening across your Code42 environment, which can help you identify insider risk. You can also ingest audit log and device health data from Code42.
To install the app, see Install and manage the Code42 Insider Threat app for Splunk.
Considerations
- To use the Code42 Insider Threat app for Splunk, you must have an existing Splunk Enterprise version 7.0 or later environment or a Splunk Cloud environment.
- The data available in the Code42 Insider Threat app for Splunk depends on your product plan.
Access the Code42 Insider Threat app for Splunk
- Start Splunk Enterprise or start Splunk Cloud.
- On your Splunk home page, click the Code42 Insider Threat Add-On button:
The Risk Exposure Overview dashboard appears.
Incydr Overview dashboard
The Incydr Overview dashboard provides a snapshot of different types of activity in your Code42 environment:
- Cases
- Employees with the most file activity
- Users on watchlists
Use this dashboard to quickly identify unusual activity and investigate further in Incydr. To access the Incydr Overview dashboard, click Incydr Overview on the menu bar.
Float your mouse over any pane in the dashboard and click the search icon
Item | Name | Description
---|---|---
a | Splunk menu bar | Default menu bar in Splunk. For usage, see Splunk documentation.
b | Incydr Overview | See a snapshot of alerts, cases, and potentially risky file activity in your Code42 environment.
c | Exposure Dashboards | See risk exposure dashboards, including dashboards for specific exposure types.
d | Inputs | View or create an input to configure what Code42 data appears in Splunk.
e | Configuration | View and add accounts for connecting to your Code42 environment and view or update logging levels.
f | Search | Conduct a custom search.
g | Edit | Edit the layout of the dashboard.
h | Export | Export data from the dashboard with the following options:
i | ... | Perform actions on the current dashboard.
j | Index | Select the index for which you want to view data.
k | Global Time Range | Select to view data from a specified time range.
l | Search by Username | Filter all dashboard widgets by a single username. You can search by partial string with wildcards (*).
m | Exclude Trust Settings | Select Yes to exclude activity on trusted domains. Select No to include activity on trusted domains.
n | Hide Filters / Show Filters | Hides or shows the filter options from view.
o | Total Users | Number of users with a file event within the Global Time Range.
p | Users with Critical Events | Number of users with a critical file event within the Global Time Range.
q | New Critical Alerts | Number of critical severity alerts opened within the Global Time Range.
r | New Open Cases | Number of cases opened within the Global Time Range.
s | Top 20 Users by Critical Activity | List of the top 20 users, ranked by how many critical severity events each had within the Global Time Range.
t | Top Destination Indicators | List of the top 10 destination names, ranked by number of events.
u | Top File Indicators | List of the top 10 file categories, ranked by number of events.
v | Risk Activity of Users Recently Added to Watchlists | List of users on watchlists, ranked by number of file events.
Exposure Dashboards
The Exposure Dashboards menu provides access to the following dashboards about different types of file exposure:
- Risk Exposure Overview
- Removable Media Transfers
- Cloud File Shares
- Cloud Desktop Syncs
- Browser Reads
- App Reads
In the Code42 console, browser and app reads are categorized as the same exposure type. In Splunk, web browser events and other application events (such as Slack, AirDrop, FTP, and curl) are displayed in separate dashboards for convenience.
Risk Exposure Overview
The Risk Exposure Overview dashboard provides a high-level look at file activity in your Code42 environment that could indicate risk.
To access the Risk Exposure Overview dashboard, click Exposure Dashboards > Risk Exposure Overview on the menu bar.
Float your mouse over any pane in the dashboard and click the search icon
Item | Name | Description
---|---|---
a | Index | Select the index for which you want to view data.
b | File Category | Optionally filter the data by file category.
c | Exclude trusted domains? | Select to exclude events that occur within trusted domains.
d | Time Range | Select to view data from a specified time range.
e | Keyword Search | Searches the file path, file name, tab URL, and window title by keyword.
f | Hide Filters / Show Filters | Hides or shows the filter options from view.
g | Unique Users | Displays the number of unique users with file exfiltration activity.
h | Exposure Events | Displays the total number of exposure events that meet the filter criteria.
i | Browser Reads | Displays the number of files uploaded to a web browser.
j | Application Reads | Displays the number of files opened in an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl.
k | Cloud File Shares | Displays the number of files where permissions were increased on a file in your cloud services.
l | Cloud Desktop Syncs | Displays the number of files that exist in a folder on the device that is used for syncing with a cloud service, such as Box or Google Drive.
m | Removable Media Transfers | Displays the number of files moved to an external device, such as a USB drive, memory card, or other external drive.
n | File Activity Over Time | Displays file exfiltration activity by file category over time.
o | File Activity by File Category | Displays the total number of file events by file category.
p | Top 20 Users by File Category | Displays the users with the highest number of file events.
Removable Media Transfers
The Removable Media Transfers dashboard provides data about file activity that occurred on an external device, such as an external drive or memory card.
To access the Removable Media Transfers dashboard, click Exposure Dashboards > Removable Media Transfers on the menu bar.
Item | Name | Description
---|---|---
a | Unique Users | Displays the number of unique users with removable media file exfiltration events. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files exfiltrated via removable media. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events via removable media. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the removable media file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of removable media file events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of removable media file events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.
Cloud File Shares
The Cloud File Shares dashboard provides detailed data about files exposed in a cloud service.
Data only appears here if you're licensed for one or more cloud service data sources.
To access the Cloud File Shares dashboard, click Exposure Dashboards > Cloud File Shares on the menu bar.
Item | Name | Description
---|---|---
a | Unique Users | Displays the number of unique users with file events where one or more users were granted explicit access to the file. Click the value to view the details in a custom search.
b | Exposure Events | Displays the number of cloud share file exfiltration events. Click the value to view the details in a custom search.
c | File Activity Over Time | Displays the cloud share file activity, by file category, over time. Click a line on the graph to filter by that file category.
d | Exfiltration Breakdown by Exposure Type | Lists the cloud share exposure types, along with the number of those events and the unique users.
e | File Activity by File Category | Displays the total number of cloud share file events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of cloud share file events. Click a username or number of Events to view the details in a custom search.
Cloud Desktop Syncs
The Cloud Desktop Syncs dashboard provides data about files that exist in a folder on the device used for syncing with a cloud service, such as Box or Google Drive.
To access the Cloud Desktop Syncs dashboard, click Exposure Dashboards > Cloud Desktop Syncs on the menu bar.
Item | Name | Description
---|---|---
a | Unique Users | Displays the number of unique users with synced-to-cloud-service exfiltration events. Click the value to view the details in a custom search.
b | Exposure Events | Displays the number of synced-to-cloud-service exfiltration events. Click the value to view the details in a custom search.
c | File Activity Over Time | Displays the synced-to-cloud-service exfiltration events, by file category, over time. Click a line on the graph to filter by that file category.
d | File Activity by File Category | Displays the total number of synced-to-cloud-service exfiltration events, by file category. Click a bar on the graph to filter by that file category.
e | Top 20 Users by File Activity | Displays the users with the highest number of synced-to-cloud-service exfiltration events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.
f | Most Popular Desktop File Sync Destinations | Lists the sync destinations with the highest number of file events, along with the number of unique users associated with those events.
Browser Reads
The Browser Reads dashboard provides data about files that were opened in a web browser.
To access the Browser Reads dashboard, click Exposure Dashboards > Browser Reads on the menu bar.
Item | Name | Description
---|---|---
a | Unique Users | Displays the number of unique users who have file exposure events where the file was read by a web browser. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files read by browser. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events with the read by browser exposure type. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the read by browser file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of read by browser exposure events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of read by browser exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g | Browser Reads by Domain | Lists the domains with the highest number of read by browser file events, along with the number of events, unique users, and bytes read associated with those events.
App Reads
The App Reads dashboard provides data about files that were opened in an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl.
To access the App Reads dashboard, click Exposure Dashboards > App Reads on the menu bar.
Item | Name | Description
---|---|---
a | Unique Users | Displays the number of unique users who have exposure events where the file was read by an app commonly used for uploading files. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files read by an app. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events with the read by app exposure type. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the read by app file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of read by app exposure events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of read by app exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g | App Reads by Process Name | Lists the process names with the highest number of read by app file events, along with the number of events, unique users, and bytes read associated with those events. Click a value in the row to filter by that process name.
Audit log and device health
To ingest audit log and device health data into Splunk, create new Inputs. Once you create the inputs, you can view the data in Splunk Search. Query your index for the following source types:
sourcetype="c42-audit-log"
sourcetype="c42-device-health"
Pre-built dashboards for audit log and device health data are not available.