Code42

TL;DR

Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name         | Log format | Collection method
Code42 Alerts        | ✅                                                               | code42_alerts      | NDJSON     | S3
Code42 Audit Logs    | ✅ ✅                                                            | code42_audit_logs  | NDJSON     | S3
Code42 File Events   | ✅ ✅                                                            | code42_file_events | NDJSON     | S3


Overview

Code42 is a SaaS platform that logs and detects data loss (documents being copied, moved, or made accessible to the wrong people) and responds accordingly.

Integrating your Code42 logs into Hunters ingests the logs and enables detection, advanced investigation and correlation over them.

Supported data types

Code42 Alerts

Table name: code42_alerts

Code42 alerts are a critical component of the platform, enabling organizations to proactively manage and mitigate risks associated with data exposure and exfiltration.

Code42 Audit Logs

Table name: code42_audit_logs

Audit logs in Code42 provide a detailed record of activities and events within the Code42 environment. These logs are essential for tracking user actions, file movements, permission changes, and system modifications, offering transparency and accountability for data security practices.

Code42 File Events

Table name: code42_file_events

File events in Code42 encompass a wide range of activities related to files across an organization's network, including file creation, modification, deletion, and movement. These events are meticulously tracked to provide visibility into how sensitive data is being handled by users, which is essential for data loss prevention (DLP) and insider threat detection.

Send data to Hunters

Hunters supports the ingestion of Code42 logs via an intermediary AWS S3 bucket.

To connect Code42 logs:

  1. Export your logs from Code42 to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

The expected format of the logs is NDJSON (one JSON record per line) as exported from Code42.

Code42 Alert samples

{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": "Cloud sync initiated", "description": "Alerts you when files are synced to a cloud storage application.", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}
{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": " Cloud Storage Catch-all", "description": "", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}

Code42 Audit Log samples

{"type$": "audit_log::search_issued/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER", "success": true, "type": "query", "requestJson": "{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_AFTER\",\"value\":\"2022-02-17T10:20:30.000Z\",\"display\":null},{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_BEFORE\",\"value\":\"2022-02-18T10:20:30.000Z\",\"display\":null}],\"filterClause\":\"AND\",\"display\":null}],\"groupClause\":\"AND\",\"pgSize\":10000,\"pgNum\":1,\"pgToken\":\"\",\"srtKey\":\"eventId\",\"srtDir\":\"asc\",\"purpose\":null,\"defaultSortKey\":\"eventTimestamp\"}", "resultCount": 945}
{"type$": "audit_log::logged_in/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120, 64.250.60.180", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER"}

Code42 File Events sample

{"eventId": "123456789abcdef01234567890abcdef", "eventType": "MODIFIED", "eventTimestamp": "2022-02-19T10:20:30.756Z", "insertionTimestamp": "2022-02-19T10:20:30.756Z", "fieldErrors": [{"field": "md5Checksum", "error": "GDRIVE_NATIVE_HASH"}, {"field": "sha256Checksum", "error": "GDRIVE_NATIVE_HASH"}], "filePath": null, "fileName": "<File_name>", "fileType": "FILE", "fileCategory": "Document", "fileCategoryByBytes": "Uncategorized", "fileCategoryByExtension": "Document", "fileSize": null, "fileOwner": "<email_address>@<email_host>", "md5Checksum": null, "sha256Checksum": null, "createTimestamp": "2022-02-19T10:20:30.756Z", "modifyTimestamp": "2022-02-19T10:20:30.756Z", "deviceUserName": "<email_address>@<email_host>", "osHostName": null, "domainName": null, "publicIpAddress": "55.205.250.120", "privateIpAddresses": [], "deviceUid": null, "userUid": "1234567890123456789", "actor": "<email_address>@<email_host>", "directoryId": ["0AJLSsw5hCGBjUk8PEK"], "source": "GoogleDrive", "url": "<url>", "shared": "TRUE", "sharedWith": [{"cloudUsername": "<email_address_0>@<email_host>"}, {"cloudUsername": "<email_address_1>@<email_host>"}, {"cloudUsername": "<email_address_2>@<email_host>"}, {"cloudUsername": "<email_address_3>@<email_host>"}], "sharingTypeAdded": [], "cloudDriveId": "0AIMRsw5hCDBjJk0EKJ", "detectionSourceAlias": "Code 42 GDrive", "fileId": "214jek1MhMN9_FizzYBu41HcatUtdHEKh5T9hrI5tjFR", "exposure": [], "processOwner": null, "processName": null, "windowTitle": [], "tabUrl": null, "tabs": [], "sourceTabs": [], "fileClassifications": [], "removableMediaVendor": null, "removableMediaName": null, "removableMediaSerialNumber": null, "removableMediaCapacity": null, "removableMediaBusType": null, "removableMediaMediaName": null, "removableMediaVolumeName": [], "removableMediaPartitionId": [], "syncDestination": null, "syncDestinationUsername": [], "emailDlpPolicyNames": [], "emailSubject": null, "emailSender": null, "emailFrom": null, "emailRecipients": null, "outsideActiveHours": true, "mimeTypeByBytes": null, "mimeTypeByExtension": "application/vnd.google-apps.document", "mimeTypeMismatch": false, "printJobName": null, "printerName": null, "printedFilesBackupPath": null, "remoteActivity": null, "trusted": true, "trustReason": "Shared with trusted users", "operatingSystemUser": null, "destinationCategory": null, "destinationName": null, "sourceCategory": null, "sourceName": null, "riskScore": 0, "riskSeverity": "NO_RISK_INDICATED", "riskIndicators": [], "reportName": null, "reportDescription": null, "reportColumnHeaders": null, "reportRecordCount": null, "reportType": null, "reportId": null}
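The following script is an added example, not Hunters' or Code42's code, that checks an NDJSON export line by line before it is dropped into the S3 bucket: it parses each line, assigns it to one of the three tables using the record shapes shown in the samples above, and pulls out the fields an analyst pivots on. It handles three details visible in the samples that a naive loader gets wrong: `actorIpAddress` can carry a comma-separated chain of addresses, `requestJson` is JSON nested inside a string, and file events can have `md5Checksum`/`sha256Checksum` set to `null` with the reason recorded in `fieldErrors`. The field names come from the samples on this page; the `SAMPLE_*` lines inside the script are constructed and shortened, not real exports.

```python
"""Validate and normalize Code42 NDJSON export lines (added example, not vendor code)."""
import ipaddress
import json

# Constructed sample records, one NDJSON line each, shortened from the samples on this page.
SAMPLE_ALERT = ('{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", '
                '"type": "FED_COMPOSITE", "name": "Cloud sync initiated", "actor": "user@example.com", '
                '"actorId": "1234567890123456789", "severity": "MEDIUM", "riskSeverity": "MODERATE", '
                '"ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", '
                '"createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}')
SAMPLE_AUDIT = ('{"type$": "audit_log::logged_in/1", "actorId": "1234567890123456789", '
                '"actorName": "user@example.com", "actorAgent": "py42 1.21.1 python 3.7.10", '
                '"actorIpAddress": "55.205.250.120, 64.250.60.180", '
                '"timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER"}')
SAMPLE_AUDIT_QUERY = ('{"type$": "audit_log::search_issued/1", "actorId": "1234567890123456789", '
                      '"actorName": "user@example.com", "actorIpAddress": "55.205.250.120", '
                      '"timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER", "success": true, '
                      '"type": "query", "requestJson": "{\\"pgSize\\":10000,\\"pgNum\\":1}", "resultCount": 945}')
SAMPLE_FILE_EVENT = ('{"eventId": "123456789abcdef01234567890abcdef", "eventType": "MODIFIED", '
                     '"eventTimestamp": "2022-02-19T10:20:30.756Z", '
                     '"fieldErrors": [{"field": "md5Checksum", "error": "GDRIVE_NATIVE_HASH"}], '
                     '"fileName": "budget.docx", "md5Checksum": null, "sha256Checksum": null, '
                     '"deviceUserName": "user@example.com", "publicIpAddress": "55.205.250.120", '
                     '"source": "GoogleDrive", "shared": "TRUE", '
                     '"sharedWith": [{"cloudUsername": "a@example.com"}, {"cloudUsername": "b@example.org"}], '
                     '"riskScore": 0, "riskSeverity": "NO_RISK_INDICATED", "riskIndicators": []}')


def classify(record):
    """Map a parsed record to its Hunters table name using the shapes shown on this page."""
    kind = record.get("type$", "")
    if kind == "ALERT_SUMMARY":
        return "code42_alerts"
    if kind.startswith("audit_log::"):
        return "code42_audit_logs"
    if "eventId" in record and "eventType" in record:
        return "code42_file_events"
    return None


def split_ips(value):
    """actorIpAddress may hold a comma-separated chain (e.g. proxy and client); keep only valid IPs."""
    ips = []
    for part in (value or "").split(","):
        part = part.strip()
        try:
            ipaddress.ip_address(part)
            ips.append(part)
        except ValueError:
            continue
    return ips


def normalize(record, table):
    """Extract the pivot fields for one record; hashes the source could not compute are omitted."""
    if table == "code42_alerts":
        return {"table": table, "time": record["createdAt"], "actor": record["actor"],
                "severity": record["severity"], "ips": [], "hashes": []}
    if table == "code42_audit_logs":
        # requestJson is a JSON document serialized inside a string; decode it a second time.
        request = json.loads(record["requestJson"]) if record.get("requestJson") else None
        return {"table": table, "time": record["timestamp"], "actor": record["actorName"],
                "severity": None, "ips": split_ips(record.get("actorIpAddress")),
                "hashes": [], "request": request}
    # File events: fieldErrors names the checksum fields the source left null and why.
    missing = {e["field"] for e in record.get("fieldErrors", [])}
    hashes = [record[f] for f in ("md5Checksum", "sha256Checksum")
              if record.get(f) and f not in missing]
    return {"table": table, "time": record["eventTimestamp"],
            "actor": record.get("deviceUserName") or record.get("actor"),
            "severity": record.get("riskSeverity"),
            "ips": split_ips(record.get("publicIpAddress")), "hashes": hashes,
            "shared_with": [s["cloudUsername"] for s in record.get("sharedWith", [])]}


def process_ndjson(text):
    """Parse NDJSON text; return (normalized records, 1-based line numbers that were rejected)."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            bad.append(lineno)
            continue
        table = classify(record)
        if table is None:
            bad.append(lineno)
            continue
        good.append(normalize(record, table))
    return good, bad


if __name__ == "__main__":
    export = "\n".join([SAMPLE_ALERT, SAMPLE_AUDIT, SAMPLE_AUDIT_QUERY, SAMPLE_FILE_EVENT, "{not json"])
    records, rejected = process_ndjson(export)
    for rec in records:
        print(rec)
    print("rejected lines:", rejected)
```

Run it against a file pulled back from the bucket (for example `process_ndjson(open(path).read())`) and treat a non-empty rejected list as a sign the export is not one JSON record per line; a line that parses but lands in no table is rejected as well, so a new record shape shows up as a rejection rather than silently becoming an empty row.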