Install and manage the Code42 Insider Threat app for Splunk

Overview

This tutorial explains how to install, manage, and uninstall the Code42 Insider Threat app for Splunk. Splunk is a platform for collecting, searching, and visualizing machine data. The Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show activity across your Code42 environment, which can help you identify insider risk. You can also ingest audit log and device health data from Code42.

For descriptions of dashboards in the Code42 Insider Threat app for Splunk, see Code42 Insider Threat app for Splunk reference.

Considerations

  • To use the Code42 Insider Threat app for Splunk, you must have an existing Splunk Enterprise version 7.0 or later environment or a Splunk Cloud environment.
  • The data available in the Code42 Insider Threat app for Splunk depends on your product plan.
  • The devices used to run Splunk and the Code42 Insider Threat app for Splunk must have network access to the Code42 cloud.
  • Code42 cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Install the Code42 Insider Threat app for Splunk

The Code42 Insider Threat Add-On for Splunk adds Code42-specific dashboards that show activity happening across your Code42 environment, which can help you identify insider risk.

Step 1: Install the app 

Initial installation may require help from Splunk support. 

  1. From your Splunk home page, click the Apps (Manage Apps) button.
  2. Select Browse more apps.
  3. In the Browse More Apps panel, search for "Code42".
  4. Click Install on Code42 Insider Threat.
  5. On the Login dialog, enter your Splunk username and password and click Login and Install.
  6. On the Complete dialog, click Open the App.

Distributed Splunk environment

For instructions about deploying the Code42 Insider Threat app to a distributed Splunk environment, see the Splunk documentation.

Step 2: Create a Code42 API client

In the Code42 console, create an API client to provide permissions for the Code42 Insider Threat app for Splunk:

  1. Sign in to the Code42 console as a user with the Insider Risk Admin role.
  2. Go to Administration > Integrations > API Clients.
  3. Create a new API client with read permissions for:
    • Alerts and Sessions
    • Audit Log
    • Cases
    • Data Preferences
    • Detection Lists
    • Device
    • File Events
    • Saved Searches
  4. Save the Client ID and Secret. These values are required to complete the remaining steps below.


Step 3: Configure the app

Create an index

A Splunk index acts as a data repository. Create a new index to specify where you want the Code42 data to go. 

  1. In Splunk, go to Settings > Indexes.
  2. Click New Index.
  3. Configure the index. For additional details, see the Splunk documentation.
  4. (Optional) To make Code42 data appear in the main Splunk interface (as opposed to only in the Code42 Insider Threat app dashboards), select Search and Reporting in the App field. 
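On Splunk Enterprise, the same index is often defined in configuration rather than through the UI, so that its retention is versioned alongside the rest of the deployment. The following indexes.conf stanza is an added example, not part of the original page or of the add-on; the index name code42, the file location, and the retention values are assumptions, so adjust them to your own retention policy.

```ini
# Added example, not part of the Code42 page or the add-on itself.
# Place in indexes.conf on the indexer(s), for example under
# $SPLUNK_HOME/etc/apps/<your_config_app>/local/indexes.conf (path assumed).
# The index name "code42" and the retention numbers are assumptions.
[code42]
homePath   = $SPLUNK_DB/code42/db
coldPath   = $SPLUNK_DB/code42/colddb
thawedPath = $SPLUNK_DB/code42/thaweddb
# Roll buckets to frozen (deleted unless coldToFrozenDir is set) after 365 days.
frozenTimePeriodInSecs = 31536000
# Cap the index at 50 GB; the oldest buckets freeze first when the cap is reached.
maxTotalDataSizeMB = 51200
```

Restart Splunk Enterprise after editing indexes.conf so the index is created, then select it when you create the inputs. Splunk Cloud does not accept direct indexes.conf edits; use the UI steps above there.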

Add an API client to Splunk

Use the API client you created in step 2 to authenticate the Splunk app. After the API client exists in the Code42 console, add it to the Splunk app:

  1. Go to the Code42 Insider Threat Add-on app.
  2. Select Configuration.
  3. From the API Client tab, select Add.
    The Add API Client dialog appears. 
  4. Enter a unique API Client name.
  5. Enter the Authority domain you use to sign in to the Code42 console, without the protocol (no https:// prefix).
  6. In the API Client ID and API Client Secret fields, enter the credentials of the API client that you want to use to authenticate. 

  7. If you direct traffic through a proxy:
    1. Enter a Proxy Address with port, for example: http://example.address:1234
    2. Optional: In the Proxy Auth field, enter the username and password used to authenticate proxy requests, separated by a colon. For example: username:password.
  8. Click Add.
    The API client name and ID are added as an API client on the API Client tab.

Create inputs

Create a new input to configure what Code42 data appears in Splunk. You can create inputs for the following: 

File Exposure 

Create an input to ingest file exposure data and view it on Splunk dashboards. 

  1. Select Inputs
  2. Click Create New Input > File Exposure.  
    The Add File Exposure dialog appears. 
  3. Enter a unique Name.
  4. Enter the time Interval, in seconds, for retrieving event data from the Code42 cloud instance. The default is 300 seconds (5 minutes), which is also the minimum allowed.
  5. Select the Index you created earlier. 
  6. Select the Code42 API Client you want to use. 
  7. Enter a Minimum Risk Score.
  8. Enter a Saved Search ID obtained by running the saved searches API.
  9. Check Enable V2 File Events to use the latest file event data model.
  10. Click Add.

Alerts

Create an input to ingest alerts and view them on Splunk dashboards. 

  1. Select Inputs
  2. Click Create New Input > Alerts.  
    The Add Alerts dialog appears.
  3. Enter a unique Name.
  4. Enter the time Interval, in seconds, for retrieving event data from the Code42 cloud instance. The default is 300 seconds, or 5 minutes. 
  5. Select the Index you created earlier. 
  6. Select the Code42 API Client you want to use. 
  7. Select a Search Behavior of All Alerts or Selected Alert Severities
    • If you choose All Alerts, all the types below are treated as selected.  
    • If you choose Selected Alert Severities, check one or more severity levels below. 
  8. Click Add.

Audit Log

Create an input to ingest audit log data and view it in Splunk Search

  1. Select Inputs
  2. Click Create New Input > Audit Log.  
    The Add Audit Log dialog appears.
  3. Enter a unique Name.
  4. Enter the time Interval, in seconds, for retrieving event data from the Code42 cloud instance. The default is 900 seconds, or 15 minutes. 
  5. Select the Index you created earlier. 
  6. Select the Code42 API Client you want to use.  
  7. Click Add.

Device Health

Create an input to ingest device health data and view it in Splunk Search

  1. Select Inputs
  2. Click Create New Input > Device Health.  
    The Add Device Health dialog appears.
  3. Enter a unique Name.
  4. Enter the time Interval, in seconds, for retrieving event data from the Code42 cloud instance. The default is 28800 seconds, or 8 hours. 
  5. Select the Index you created earlier. 
  6. Select the Code42 API Client you want to use. 
  7. Enter the maximum number of devices to process per minute. The default is 60 devices per minute.  
  8. Click Add.

Step 4: Test the app

  1. Sign in to Splunk.
  2. From the list of apps on the Splunk home page, click Code42 Insider Threat Add-On.
    The Incydr Overview appears. 
  3. Explore the data generated by the panels.


Troubleshoot the app

Troubleshooting considerations

  • Data may not appear in the panels immediately. Rather, data updates at scheduled intervals. The scheduled intervals are configured to avoid overloading your Code42 cloud instance with requests.
  • If data for a panel is missing, confirm that the API client you added in Splunk has the read permissions listed in step 2 and that your Code42 product plan includes that data.
  • The Splunk app ingests events incrementally, starting after the last event ID it ingested. It stores that event ID as a checkpoint in the app's Splunk KV store collection. To re-ingest from a different point, change the checkpoint through the Splunk REST API on the management port. Note that -k disables TLS certificate verification, so use it only against a local management port you trust, and replace user:pass with an account that is allowed to write to the app's KV store:
    curl -k -u user:pass https://localhost:8089/servicesNS/nobody/TA-code42-insider-threats-add-on/storage/collections/data/TA_code42_insider_threats_add_on_checkpointer/file-events -H 'content-type: application/json' -d '{"state": "<event_id>"}'
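As an added example (not from the Code42 page or the add-on itself), the following script wraps the checkpoint call above so that you read and record the current marker before overwriting it, keep the credentials out of shell history, and only fall back to -k when no CA bundle is available. It assumes the management URL https://localhost:8089, a SPLUNK_AUTH environment variable holding user:password, an optional SPLUNK_CACERT path, and only the file-events key that the page shows; the helper names are mine.

```shell
#!/bin/sh
# Added example, not part of the Code42 or Splunk documentation.
# Reads or resets the file-events checkpoint the add-on keeps in its KV store.
#
# Assumptions (not from the original page):
#   SPLUNK_MGMT   management URL, defaults to https://localhost:8089
#   SPLUNK_AUTH   "user:password" for an account that can write to the app's
#                 KV store; read from the environment, never typed on the CLI
#   SPLUNK_CACERT CA bundle for the management-port certificate; only when it
#                 is unset does the script fall back to curl -k (no verification)
# The collection name and the file-events key are the ones the page shows;
# passing any other key name is an assumption about the add-on.

SPLUNK_MGMT="${SPLUNK_MGMT:-https://localhost:8089}"
APP="TA-code42-insider-threats-add-on"
COLLECTION="TA_code42_insider_threats_add_on_checkpointer"

# KV store URL for one checkpoint key (default: file-events).
checkpoint_url() {
    key="${1:-file-events}"
    printf '%s/servicesNS/nobody/%s/storage/collections/data/%s/%s\n' \
        "$SPLUNK_MGMT" "$APP" "$COLLECTION" "$key"
}

# JSON body for the update; the add-on stores the marker under "state".
# Refuse empty values and characters that would break out of the JSON string.
checkpoint_payload() {
    event_id="$1"
    [ -n "$event_id" ] || { echo "empty event id" >&2; return 1; }
    case "$event_id" in
        *\"*|*\\*) echo "event id must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    printf '{"state": "%s"}\n' "$event_id"
}

# curl TLS options: verify against the CA bundle when given, else warn and use -k.
# (A CA path containing spaces is not supported by this simple word-split.)
tls_opts() {
    if [ -n "${SPLUNK_CACERT:-}" ]; then
        printf '%s %s\n' '--cacert' "$SPLUNK_CACERT"
    else
        echo "warning: SPLUNK_CACERT unset, skipping TLS certificate verification" >&2
        printf '%s\n' '-k'
    fi
}

require_auth() {
    [ -n "${SPLUNK_AUTH:-}" ] || { echo "set SPLUNK_AUTH=user:password" >&2; return 1; }
}

# GET the checkpoint as it is now, so the old value is recorded before any change.
get_checkpoint() {
    require_auth || return 1
    curl -sS $(tls_opts) -u "$SPLUNK_AUTH" "$(checkpoint_url "$1")"
}

# POST to an existing key overwrites it in the KV store.
set_checkpoint() {
    require_auth || return 1
    body="$(checkpoint_payload "$2")" || return 1
    curl -sS $(tls_opts) -u "$SPLUNK_AUTH" \
        -H 'content-type: application/json' \
        -d "$body" "$(checkpoint_url "$1")"
}

# Usage: SPLUNK_AUTH=admin:secret sh checkpoint.sh get
#        SPLUNK_AUTH=admin:secret sh checkpoint.sh set <event_id>
case "${1:-}" in
    get) get_checkpoint file-events ;;
    set) set_checkpoint file-events "$2" ;;
esac
```

Run get first and keep its output; if the new marker turns out to be wrong, that saved value is what you set back. Moving the checkpoint backwards re-ingests events the index already holds, so expect duplicates in Splunk searches unless you also clean the affected time range.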


Logs within Splunk Enterprise

The Code42 Insider Threat app for Splunk updates log files that contain useful information for troubleshooting, including error messages and security warnings. For Splunk Enterprise installations, the log files are located at:

<path-to-splunk>/var/log/splunk/TA-code42-insider-threats-add-on

The path to your installation varies by operating system. See the Splunk Enterprise documentation for more information about installation and logging.

Support

If you need support for the Code42 Insider Threat app for Splunk, contact our Technical Support Engineers for Code42 for Enterprise support.

Our Technical Support Engineers cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Splunk Answers

Splunk Answers is a community forum where Splunk users can post questions and get answers about Splunk usage. Go to the following URL for help with the Code42 Insider Threat app for Splunk: 
https://community.splunk.com/t5/All-Apps-and-Add-ons/bd-p/apps-add-ons-all

Upgrade the app

When a new version of the Code42 Insider Threat app for Splunk is released, perform the following steps to upgrade.

Splunk Enterprise

  1. From your Splunk home page, click the Apps (Manage Apps) button.
  2. On the Apps panel, browse to the row for Code42 Insider Threat.
    If there is a later version of the app available, an Update link appears on the row. 
  3. Click Update.
  4. Select the option to acknowledge the terms and conditions.
  5. Click Accept and Continue.
  6. Enter your Splunk username and password. 
  7. Click Login and Continue.
  8. Click Restart Now to restart Splunk Enterprise and complete the upgrade.

Splunk Cloud

  1. From your Splunk home page, click the Apps (Manage Apps) button.
  2. On the Apps panel, browse to the row for Code42 Insider Threat.
    If there is a later version of the app available, an Update link appears on the row. 
  3. Click Update.

Uninstall the app

Splunk Enterprise

  1. Open a terminal window (Linux or Mac) or command prompt (Windows) on your Splunk Enterprise server.
  2. Run the following command to stop Splunk Enterprise:
    <path-to-splunk>/bin/splunk stop
  3. Run the following command to remove the Code42 Insider Threat app for Splunk:
    <path-to-splunk>/bin/splunk remove app TA-code42-insider-threats-add-on
  4. Restart Splunk.
    The Code42 Insider Threat app for Splunk no longer appears in the Splunk user interface.

Splunk Cloud

  1. From the Splunk home page, click the Apps (Manage Apps) button.
  2. On the Apps panel, browse to the row for the Code42 Insider Threat app for Splunk.
  3. Click the Disable link.

Release history 

For release information about the Code42 Insider Threat app for Splunk, see the Release Notes in Splunkbase