Code42 Cloud

Code42 Cloud is a data protection solution that helps detect data theft and respond to insider risk. You can integrate InsightIDR with the Code42 API to generate third-party alerts from the Search for alerts endpoint.

To learn more about Code42, refer to the API documentation: https://developer.code42.com/api/#tag/Alerts/operation/Alerts_QueryAlert

To set up Code42 Cloud:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Code42 Cloud to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

Visit the third-party vendor's documentation

For the most up-to-date information about configuring your event source product, Rapid7 recommends that you visit the vendor's documentation. While we will continue to update our event source documentation in case of user interface changes in InsightIDR, we cannot guarantee the same for third-party product interfaces.

Requirements

You must have Full Access for the Code42 API. If you only have Base Access, you won’t be able to create an API client, which is necessary to configure Code42 to send data to InsightIDR. For more information, view the Code42 API Access page: https://support.code42.com/hc/en-us/articles/14827740809239#base-access-0-3

Configure Code42 Cloud to send data to InsightIDR

To enable communication between InsightIDR and the Code42 API, you must create an API client with the Alerts: Read API permission.

To create an API client, follow the Code42 documentation: https://support.code42.com/hc/en-us/articles/14827617150231#api-clients-in-the-code42-console-0-10

Once you have saved the API client, note the client ID, secret and base URL. You will need these values when you configure InsightIDR to collect data from Code42.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Code42 Cloud in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select Code42 Cloud.
  4. Name the event source. The name you enter will be used for the log that the event data streams into in Log Search. If you do not name the event source, the log name defaults to Code42 Cloud.
  5. Select a collector.
  6. Optionally, choose to send unparsed data.
  7. Create a new credential. You will need to input the client ID, secret, and URL you noted when configuring Code42 to send data to InsightIDR.
  8. Enter a refresh rate in minutes to determine how often the event source will return data. You must enter a value greater than 5 minutes.
  9. Click Save.

Test the configuration

This event source will generate third party alerts.

To test that event data is flowing into InsightIDR through the Collector:

  1. Verify that data is flowing to the Collector:
    • From the Data Collection Management page, click the Event Sources tab.
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
    • Wait approximately seven minutes, then open the Log Search page in InsightIDR.
  2. Verify that log entries are appearing in Log Search:
    • From the left menu, go to Log Search.
    • In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Code42 logs should flow into the Third Party Alert log set.
    • Select the log sets and the logs within them.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set: Third Party Alert.

Here is a typical raw log entry that is created by the event source:

Sample Alerts log

{ "tenantId": "77c14aaa-a5c6-4afa-aa68-0bfe667a2436", "type": "FED_CLOUD_SHARE_PERMISSIONS", "name": "Cloud Share Rule", "description": "Alert me on all the sharing of very sensitive files.", "actor": "jdoe@rapid7.com", "actorId": "98db8bd6-0cc0-4e67-9de5-f187f1cd1b41", "target": "string", "severity": "HIGH", "riskSeverity": "HIGH", "notificationInfo": [], "ruleId": "341fedb084754504bb76f6c7d4548404", "ruleSource": "Departing Employee", "watchlists": [], "userEducation": { "lessonId": "abcd1234-83cd-4991-b1b3-aacef74cf097", "messagingMethod": 0, "isAutoDismissAlertEnabled": true }, "id": "ea987674-85a6-4025-aa60-3a950eae7d2a", "createdAt": "2020-02-19T01:57:45.006683Z", "state": "OPEN", "stateLastModifiedBy": "msmith@rapid7.com", "stateLastModifiedAt": "2019-08-24T14:15:22Z" }
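
The following is an added example, not Rapid7 or Code42 code: a small triage pass over raw log lines in the format shown above, which groups open alerts at or above a severity floor by actor and counts unparseable lines. The function names, the severity ordering, the RESOLVED state, and the sample lines are assumptions made for illustration; only the key names come from the sample entry.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions: the page shows only "HIGH" and "OPEN"; other levels/states are illustrative.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed raw log lines that reuse keys from the sample entry (values are made up).
SAMPLE_LINES = [
    '{"id": "a1", "actor": "jdoe@example.com", "severity": "HIGH", "state": "OPEN",'
    ' "ruleSource": "Departing Employee", "createdAt": "2020-02-19T01:57:45.006683Z"}',
    '{"id": "a2", "actor": "jdoe@example.com", "severity": "LOW", "state": "OPEN",'
    ' "ruleSource": "Departing Employee", "createdAt": "2020-02-19T02:10:00Z"}',
    '{"id": "a3", "actor": "asmith@example.com", "severity": "HIGH", "state": "RESOLVED",'
    ' "ruleSource": "Departing Employee", "createdAt": "2020-02-19T03:00:00Z"}',
    '{"id": "a4", "actor": "jdoe@example.com", "severity": "HIGH", "state": "OPEN",'
    ' "ruleSource": "Departing Employee", "createdAt": "2020-02-19T01:57:45Z"}',
    '{"id": "a5", "actor": "truncated',
]

def created_at(alert):
    """Parse createdAt; entries without a usable timestamp sort first."""
    try:
        return datetime.fromisoformat(alert["createdAt"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return datetime.min.replace(tzinfo=timezone.utc)

def triage(lines, min_severity="HIGH"):
    """Return (open alerts >= min_severity grouped by actor, count of unparseable lines)."""
    floor = SEVERITY_RANK[min_severity]
    by_actor, skipped = defaultdict(list), 0
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            alert = None
        if not isinstance(alert, dict):
            skipped += 1  # truncated or non-object entry: count it, do not drop silently
            continue
        # Unknown severity strings rank 0 and are excluded from the result.
        rank = SEVERITY_RANK.get(str(alert.get("severity", "")).upper(), 0)
        if alert.get("state") == "OPEN" and rank >= floor:
            by_actor[alert.get("actor", "unknown")].append(alert)
    for alerts in by_actor.values():
        alerts.sort(key=created_at)  # oldest first; parsed, not string-compared
    return dict(by_actor), skipped

if __name__ == "__main__":
    grouped, skipped = triage(SAMPLE_LINES)
    print({actor: [a["id"] for a in alerts] for actor, alerts in grouped.items()}, skipped)
```

Timestamps are parsed rather than compared as strings because the sample mixes values with and without fractional seconds, which do not sort correctly as text.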