Code42 Cloud

Code42 Cloud is a data protection solution that helps detect data theft and respond to insider risk. You can integrate SIEM (InsightIDR) with the Code42 API to generate third-party alerts from the Search for alerts endpoint.

To learn more about Code42, refer to the API documentation: https://developer.code42.com/api/#tag/Alerts/operation/Alerts_QueryAlert

To set up Code42 Cloud:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Code42 Cloud to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to collect data from the event source.
  4. Test the configuration.
ℹ️ Visit the third-party vendor's documentation

For the most up-to-date information about configuring your event source product, Rapid7 recommends that you visit the vendor’s documentation. While we will continue to update our event source documentation in case of user interface changes in SIEM (InsightIDR), we cannot guarantee the same for third-party product interfaces.

Requirements

You must have Full Access for the Code42 API. If you only have Base Access, you won’t be able to create an API client, which is necessary to configure Code42 to send data to SIEM (InsightIDR). For more information, view the Code42 API Access page: https://support.code42.com/hc/en-us/articles/14827740809239#base-access-0-3

Configure Code42 Cloud to send data to SIEM (InsightIDR)

To enable communication between SIEM (InsightIDR) and the Code42 API, you must create an API client with the Alerts: Read API permission.

To create an API client, follow the Code42 documentation: https://support.code42.com/hc/en-us/articles/14827617150231#api-clients-in-the-code42-console-0-10

Once you have saved the API client, note the client ID, secret, and base URL. You will need these values when you configure SIEM (InsightIDR) to collect data from Code42.

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

To configure the new event source in SIEM (InsightIDR):

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Code42 Cloud in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select Code42 Cloud.
  4. Name the event source. The name you enter will be used for the log that the event data streams into in Log Search. If you do not name the event source, the log name defaults to Code42 Cloud.
  5. Select a collector.
  6. Optionally, choose to send unparsed data.
  7. Create a new credential. You will need to input the client ID, secret, and base URL you noted when configuring Code42 to send data to SIEM (InsightIDR).
  8. Enter a refresh rate in minutes to determine how often the event source will return data. You must enter a value greater than 5 minutes.
  9. Click Save.

Test the configuration

This event source generates third-party alerts.

To test that event data is flowing into SIEM (InsightIDR) through the Collector:

  1. Verify that data is flowing to the Collector:
    • From the Data Collection Management page, click the Event Sources tab.
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
    • Wait approximately seven minutes, then open the Log Search page in SIEM (InsightIDR).
  2. Verify that log entries are appearing in Log Search:
    • From the left menu, go to Log Search.
    • In the Log Search filter panel, search for the event source you named in step 4 of Configure SIEM (InsightIDR) to collect data from the event source. Code42 logs should flow into the Third Party Alert log set.
    • Select the log sets and the logs within them.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into SIEM (InsightIDR) in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set: Third Party Alert.

Here is a typical raw log entry that is created by the event source:

Sample Alerts log

{
  "tenantId": "77c14aaa-a5c6-4afa-aa68-0bfe667a2436",
  "type": "FED_CLOUD_SHARE_PERMISSIONS",
  "name": "Cloud Share Rule",
  "description": "Alert me on all the sharing of very sensitive files.",
  "actor": "jdoe@rapid7.com",
  "actorId": "98db8bd6-0cc0-4e67-9de5-f187f1cd1b41",
  "target": "string",
  "severity": "HIGH",
  "riskSeverity": "HIGH",
  "notificationInfo": [],
  "ruleId": "341fedb084754504bb76f6c7d4548404",
  "ruleSource": "Departing Employee",
  "watchlists": [],
  "userEducation": {
    "lessonId": "abcd1234-83cd-4991-b1b3-aacef74cf097",
    "messagingMethod": 0,
    "isAutoDismissAlertEnabled": true
  },
  "id": "ea987674-85a6-4025-aa60-3a950eae7d2a",
  "createdAt": "2020-02-19T01:57:45.006683Z",
  "state": "OPEN",
  "stateLastModifiedBy": "msmith@rapid7.com",
  "stateLastModifiedAt": "2019-08-24T14:15:22Z"
}
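The following is an added example, not code from Rapid7 or Code42, that shows the kind of poll cycle the event source runs: every refresh interval it queries the Search for alerts endpoint for alerts created since the last checkpoint, drops alerts it has already forwarded, and turns each remaining alert (the sample log above, plus a second constructed alert) into a flat third-party alert record. It serves both the configuration steps (refresh rate, credential) and the sample log section. The HTTP call and the OAuth token exchange with the client ID and secret are abstracted behind a `fetch_page` callable so the script runs offline; the request body produced by `build_query` (filter terms, paging and sort fields) is an assumed shape for illustration only and must be checked against the Code42 API reference linked at the top of this page. `AlertPoller`, `normalize` and the constructed second alert are hypothetical names and data introduced here.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Constructed sample page: the raw log entry from this page (trimmed to the
# fields used below) plus a second, entirely constructed alert so that
# de-duplication and checkpoint advancement are visible.
SAMPLE_PAGE_JSON = """[
  {"tenantId": "77c14aaa-a5c6-4afa-aa68-0bfe667a2436", "type": "FED_CLOUD_SHARE_PERMISSIONS",
   "name": "Cloud Share Rule", "actor": "jdoe@rapid7.com", "severity": "HIGH",
   "ruleSource": "Departing Employee", "id": "ea987674-85a6-4025-aa60-3a950eae7d2a",
   "createdAt": "2020-02-19T01:57:45.006683Z", "state": "OPEN"},
  {"tenantId": "77c14aaa-a5c6-4afa-aa68-0bfe667a2436", "type": "CONSTRUCTED_EXAMPLE_TYPE",
   "name": "Constructed Rule", "actor": "asmith@rapid7.com", "severity": "MEDIUM",
   "ruleSource": "Alerting", "id": "00000000-0000-4000-8000-000000000001",
   "createdAt": "2020-02-19T02:03:10Z", "state": "OPEN"}
]"""

MIN_REFRESH_MINUTES = 5  # the event source rejects refresh rates of 5 minutes or less


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps in the alert payload (trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def fmt_ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(tenant_id: str, since: datetime, until: datetime,
                page_num: int = 0, page_size: int = 500) -> Dict:
    """Assumed request body for the Search for alerts endpoint (illustrative only)."""
    return {
        "tenantId": tenant_id,
        "groups": [{"filterClause": "AND", "filters": [
            {"term": "CreatedAt", "operator": "ON_OR_AFTER", "value": fmt_ts(since)},
            {"term": "CreatedAt", "operator": "ON_OR_BEFORE", "value": fmt_ts(until)},
        ]}],
        "pgNum": page_num, "pgSize": page_size,
        "srtDirection": "ASC", "srtKey": "CreatedAt",
    }


def normalize(alert: Dict) -> Dict:
    """Flatten one Code42 alert into the keys a third-party alert record needs."""
    return {
        "source": "Code42 Cloud", "alert_id": alert["id"], "type": alert.get("type"),
        "rule": alert.get("name"), "rule_source": alert.get("ruleSource"),
        "actor": alert.get("actor"), "severity": alert.get("severity"),
        "state": alert.get("state"), "created_at": alert["createdAt"],
    }


class AlertPoller:
    """Hypothetical poller: checkpoint + overlap window + id de-duplication."""

    def __init__(self, tenant_id: str, checkpoint: datetime,
                 refresh_minutes: int, overlap_minutes: int = 2, page_size: int = 500):
        if refresh_minutes <= MIN_REFRESH_MINUTES:
            raise ValueError("refresh rate must be greater than 5 minutes")
        self.tenant_id, self.checkpoint = tenant_id, checkpoint
        self.refresh = timedelta(minutes=refresh_minutes)
        self.overlap = timedelta(minutes=overlap_minutes)  # re-read a little history
        self.page_size, self.seen_ids = page_size, set()

    def poll(self, fetch_page: Callable[[Dict], List[Dict]], now: datetime) -> List[Dict]:
        since, page, fresh = self.checkpoint - self.overlap, 0, []
        while True:
            alerts = fetch_page(build_query(self.tenant_id, since, now, page, self.page_size))
            for alert in alerts:
                if alert["id"] in self.seen_ids:  # already forwarded (overlap window)
                    continue
                self.seen_ids.add(alert["id"])
                fresh.append(normalize(alert))
                self.checkpoint = max(self.checkpoint, parse_ts(alert["createdAt"]))
            if len(alerts) < self.page_size:
                break
            page += 1
        return fresh


def sample_fetch_page(query: Dict) -> List[Dict]:
    """Offline stand-in for the HTTP call: filters the constructed page by window."""
    f = query["groups"][0]["filters"]
    since, until = parse_ts(f[0]["value"]), parse_ts(f[1]["value"])
    if query["pgNum"] > 0:
        return []
    return [a for a in json.loads(SAMPLE_PAGE_JSON) if since <= parse_ts(a["createdAt"]) <= until]


def run_demo():
    """Two consecutive polls: the second re-reads the overlap window but forwards nothing."""
    poller = AlertPoller("77c14aaa-a5c6-4afa-aa68-0bfe667a2436",
                         parse_ts("2020-02-19T01:50:00Z"), refresh_minutes=10)
    first = poller.poll(sample_fetch_page, parse_ts("2020-02-19T02:10:00Z"))
    second = poller.poll(sample_fetch_page, parse_ts("2020-02-19T02:20:00Z"))
    return poller, first, second


if __name__ == "__main__":
    _, first, second = run_demo()
    print(json.dumps(first, indent=2), len(second))
```

The overlap window is the point to note: a fixed refresh rate above 5 minutes means an alert written just after a poll can wait a full interval, and an alert whose `createdAt` lands in a clock-skew gap could be missed entirely, so the poller re-reads a couple of minutes of history and relies on the alert `id` to avoid forwarding duplicates into the Third Party Alert log set.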