Code42 Insider Threat app for Splunk reference

Overview

This article describes the dashboards available in the Code42 Insider Threat app for Splunk. Splunk is a solution for data analytics, monitoring, and visualization. The Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show activity happening across your Code42 environment, which can help you identify insider risk. You can also ingest audit log and device health data from Code42.

To install the app, see Install and manage the Code42 Insider Threat app for Splunk.

Considerations

  • To use the Code42 Insider Threat app for Splunk, you must have an existing Splunk Enterprise version 7.0 or later environment or a Splunk Cloud environment.
  • The data available in the Code42 Insider Threat app for Splunk depends on your product plan.

Access the Code42 Insider Threat app for Splunk

  1. Start Splunk Enterprise or start Splunk Cloud.
  2. On your Splunk home page, click the Code42 Insider Threat Add-On button:
    [Image: Splunk app tile]
    The Risk Exposure Overview dashboard appears.

Incydr Overview dashboard

The Incydr Overview dashboard provides a snapshot of different types of activity in your Code42 environment: 

  • Cases
  • Employees with the most file activity 
  • Users on watchlists

Use this dashboard to quickly identify unusual activity and investigate further in Incydr. To access the Incydr Overview dashboard, click Incydr Overview on the menu bar.

[Image: Incydr Overview dashboard, with the items annotated in the table below]

Mouse over data to access Splunk search
Float your mouse over any pane in the dashboard and click the search icon to perform a Splunk search on that data point. You can also click a segment in a chart to perform a search on that data.
Item | Name | Description
a | Splunk menu bar | Default menu bar in Splunk. For usage, see the Splunk documentation.
b | Incydr Overview | See a snapshot of alerts, cases, and potentially risky file activity in your Code42 environment.
c | Exposure Dashboards | See risk exposure dashboards, including dashboards for specific exposure types.
d | Inputs | View or create an input to configure what Code42 data appears in Splunk.
e | Configuration | View and add accounts for connecting to your Code42 environment, and view or update logging levels.
f | Search | Conduct a custom search.
g | Edit | Edit the layout of the dashboard.
h | Export | Export data from the dashboard with the following options: Export PDF; Print.
i | ... | Perform actions on the current dashboard: Clone (clone the dashboard); Clone in Dashboard Studio (clone the dashboard using Splunk Dashboard Studio); Edit Permissions (set who has permissions to the dashboard); Set as Home Dashboard (set the current dashboard as the home dashboard in the Code42 Insider Threat app for Splunk).
j | Index | Select the index for which you want to view data.
k | Global Time Range | Select to view data from a specified time range.
l | Search by Username | Filter all dashboard widgets by a single username. You can search by partial string with wildcards (*).
m | Exclude Trust Settings | Select Yes to exclude activity on trusted domains. Select No to include activity on trusted domains.
n | Hide Filters / Show Filters | Hides or shows the filter options from view.
o | Total Users | Number of users with a file event within the Global Time Range.
p | Users with Critical Events | Number of users with a critical file event within the Global Time Range.
q | New Critical Alerts | Number of critical severity alerts opened within the Global Time Range.
r | New Open Cases | Number of cases opened within the Global Time Range.
s | Top 20 Users by Critical Activity | List of the top 20 users, ranked by how many critical severity events each had within the Global Time Range.
t | Top Destination Indicators | List of the top 10 destination names, ranked by number of events.
u | Top File Indicators | List of the top 10 file categories, ranked by number of events.
v | Risk Activity of Users Recently Added to Watchlists | List of users on watchlists, ranked by number of file events.

Exposure Dashboards

The Exposure Dashboards menu provides access to the following dashboards about different types of file exposure: 

Read by browser or other app events are separated
In the Code42 console, browser and app reads are categorized as the same exposure type. In Splunk, web browser events and other application events (such as Slack, AirDrop, FTP, and curl) are displayed in separate dashboards for convenience. 

Risk Exposure Overview

The Risk Exposure Overview dashboard provides a high-level look at file activity in your Code42 environment that could indicate risk. 

To access the Risk Exposure Overview dashboard, click Exposure Dashboards > Risk Exposure Overview on the menu bar.

[Image: Risk Exposure Overview dashboard, with the items annotated in the table below]

Mouse over data to access Splunk search
Float your mouse over any pane in the dashboard and click the search icon to perform a Splunk search on that data point. You can also click a segment in a chart to perform a search on that data.
Item | Name | Description
a | Index | Select the index for which you want to view data.
b | File Category | Optionally filter the data by file category.
c | Exclude trusted domains? | Select to exclude events that occur within trusted domains.
d | Time Range | Select to view data from a specified time range.
e | Keyword Search | Searches the file path, file name, tab URL, and window title by keyword.
f | Hide Filters / Show Filters | Hides or shows the filter options from view.
g | Unique Users | Displays the number of unique users with file exfiltration activity.
h | Exposure Events | Displays the total number of exposure events that meet the filter criteria.
i | Browser Reads | Displays the number of files uploaded to a web browser.
j | Application Reads | Displays the number of files opened in an app commonly used for uploading files, such as Slack, AirDrop, an FTP client, or curl.
k | Cloud File Shares | Displays the number of files whose permissions were increased in your cloud services.
l | Cloud Desktop Syncs | Displays the number of files that exist in a folder on the device that is used for syncing with a cloud service, such as Box or Google Drive.
m | Removable Media Transfers | Displays the number of files moved to an external device, such as a USB drive, memory card, or other external drive.
n | File Activity Over Time | Displays file exfiltration activity by file category over time.
o | File Activity by File Category | Displays the total number of file events by file category.
p | Top 20 Users by File Category | Displays the users with the highest number of file events.

Removable Media Transfers

The Removable Media Transfers dashboard provides data about file activity that occurred on an external device, such as an external drive or memory card.

To access the Removable Media Transfers dashboard, click Exposure Dashboards > Removable Media Transfers on the menu bar.

[Image: Removable Media Transfers dashboard, with the items annotated in the table below]

Item | Name | Description
a | Unique Users | Displays the number of unique users with removable media file exfiltration events. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files exfiltrated via removable media. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events via removable media. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the removable media file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of removable media file events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of removable media file events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.

Cloud File Shares

The Cloud File Shares dashboard provides detailed data about files exposed in a cloud service.
Data only appears here if you're licensed for one or more cloud service data sources. 

To access the Cloud File Shares dashboard, click Exposure Dashboards > Cloud File Shares on the menu bar.

[Image: Cloud File Shares dashboard, with the items annotated in the table below]

Item | Name | Description
a | Unique Users | Displays the number of unique users with file events where one or more users were granted explicit access to the file. Click the value to view the details in a custom search.
b | Exposure Events | Displays the number of cloud share file exfiltration events. Click the value to view the details in a custom search.
c | File Activity Over Time | Displays the cloud share file activity, by file category, over time. Click a line on the graph to filter by that file category.
d | Exfiltration Breakdown by Exposure Type | Lists the cloud share exposure types, along with the number of those events and the number of unique users.
e | File Activity by File Category | Displays the total number of cloud share file events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of cloud share file events. Click a username or the number of Events to view the details in a custom search.

Cloud Desktop Syncs

The Cloud Desktop Syncs dashboard provides data about files that exist in a folder on the device used for syncing with a cloud service, such as Box or Google Drive.  

To access the Cloud Desktop Syncs dashboard, click Exposure Dashboards > Cloud Desktop Syncs on the menu bar.

[Image: Cloud Desktop Syncs dashboard, with the items annotated in the table below]

Item | Name | Description
a | Unique Users | Displays the number of unique users with synced-to-cloud-service exfiltration events. Click the value to view the details in a custom search.
b | Exposure Events | Displays the number of synced-to-cloud-service exfiltration events. Click the value to view the details in a custom search.
c | File Activity Over Time | Displays the synced-to-cloud-service exfiltration events, by file category, over time. Click a line on the graph to filter by that file category.
d | File Activity by File Category | Displays the total number of synced-to-cloud-service exfiltration events, by file category. Click a bar on the graph to filter by that file category.
e | Top 20 Users by File Activity | Displays the users with the highest number of synced-to-cloud-service exfiltration events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Transferred to view the details in a custom search.
f | Most Popular Desktop File Sync Destinations | Lists the sync destinations with the highest number of file events, along with the number of unique users associated with those events.

Browser Reads

The Browser Reads dashboard provides data about files that were opened in a web browser.

To access the Browser Reads dashboard, click Exposure Dashboards > Browser Reads on the menu bar.

[Image: Browser Reads dashboard, with the items annotated in the table below]

Item | Name | Description
a | Unique Users | Displays the number of unique users who have file exposure events where the file was read by a web browser. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files read by a browser. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events with the read-by-browser exposure type. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the read-by-browser file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of read-by-browser exposure events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of read-by-browser exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g | Browser Reads by Domain | Lists the domains with the highest number of read-by-browser file events, along with the number of events, unique users, and bytes read associated with those events.

App Reads 

The App Reads dashboard provides data about files that were opened in an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl. 

To access the App Reads dashboard, click Exposure Dashboards > App Reads on the menu bar.

[Image: App Reads dashboard, with the items annotated in the table below]

Item | Name | Description
a | Unique Users | Displays the number of unique users who have exposure events where the file was read by an app commonly used for uploading files. Click the value to view the details in a custom search.
b | Total Megabytes Exposed | Displays the total size of the files read by an app. Click the value to view the details in a custom search.
c | Exposure Events | Displays the number of file exfiltration events with the read-by-app exposure type. Click the value to view the details in a custom search.
d | File Activity Over Time | Displays the read-by-app file activity, by file category, over time. Click a line on the graph to filter by that file category.
e | File Activity by File Category | Displays the total number of read-by-app exposure events by file category. Click a bar on the graph to filter by that file category.
f | Top 20 Users by File Activity | Displays the users with the highest number of read-by-app exposure events. Click a username to view the User Profile in the Code42 console. Click the number of Events or Bytes Read to view the details in a custom search.
g | App Reads by Process Name | Lists the process names with the highest number of read-by-app file events, along with the number of events, unique users, and bytes read associated with those events. Click a value in the row to filter by that process name.

Audit log and device health

To ingest audit log and device health data into Splunk, create new Inputs. Once you create the inputs, you can view the data in Splunk Search. Query your index for the following:

  • sourcetype="c42-audit-log"
  • sourcetype="c42-device-health"

Pre-built dashboards for audit log and device health data are not available.
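Because no pre-built dashboard covers these two sourcetypes, the searches below are an added example (not from the Code42 documentation or the app itself) for checking that the new inputs are actually delivering events and for getting a first view of the data. The index name `code42` is an assumption; replace it with the index you selected when you created the inputs. Only the standard Splunk fields `index`, `sourcetype` and `_time` are used, so the searches do not depend on the Code42 event schema.

```spl
index=code42 (sourcetype="c42-audit-log" OR sourcetype="c42-device-health") earliest=-24h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY sourcetype
| convert ctime(first_seen) ctime(last_seen)

index=code42 sourcetype="c42-audit-log" earliest=-7d
| timechart span=1d count AS audit_events
```

The first search returns one row per sourcetype with the event count and the time span covered in the last 24 hours; a sourcetype that is missing from the result means its input is not delivering data, which is the point to check the input under Inputs and the logging level under Configuration. The second search charts audit log volume per day over the last week, which makes a silent drop in ingestion visible at a glance.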