TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Code42 Alerts | ✅ | | | | code42_alerts | NDJSON | S3
Code42 Audit Logs | ✅ | ✅ | | | code42_audit_logs | NDJSON | S3
Code42 File Events | ✅ | ✅ | | | code42_file_events | NDJSON | S3
Overview
Code42 is a SaaS platform that logs and detects data loss (documents being copied, moved, or made accessible to the wrong people) and supports responding to it.
Integrating your Code42 logs into Hunters ingests the logs and enables detection, advanced investigation, and correlation over them.
Supported data types
Code42 Alerts
Table name: code42_alerts
Code42 alerts are raised when a Code42 rule fires on observed file activity, and are a critical component of its functionality, enabling organizations to proactively manage and mitigate risks associated with data exposure and exfiltration. Each alert record carries the rule that fired (ruleId, name), the actor, a severity and riskSeverity, and the alert state, as in the samples below.
Code42 Audit Logs
Table name: code42_audit_logs
Audit logs in Code42 provide a detailed record of activities and events within the Code42 environment. These logs are essential for tracking user actions, file movements, permission changes, and system modifications, offering transparency and accountability for data security practices.
Code42 File Events
Table name: code42_file_events
File events in Code42 encompass a wide range of activities related to files across an organization's network, including file creation, modification, deletion, and movement. These events are meticulously tracked to provide visibility into how sensitive data is being handled by users, which is essential for data loss prevention (DLP) and insider threat detection.
Send data to Hunters
Hunters supports the ingestion of Code42 logs via an intermediary AWS S3 bucket.
To connect Code42 logs:
Export your logs from Code42 to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
The expected format of the logs is NDJSON (one JSON object per line, no surrounding array), exactly as exported from Code42.
Code42 Alert samples
{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": "Cloud sync initiated", "description": "Alerts you when files are synced to a cloud storage application.", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}
{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": " Cloud Storage Catch-all", "description": "", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}
Code42 Audit Log samples
{"type$": "audit_log::search_issued/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER", "success": true, "type": "query", "requestJson": "{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_AFTER\",\"value\":\"2022-02-17T10:20:30.000Z\",\"display\":null},{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_BEFORE\",\"value\":\"2022-02-18T10:20:30.000Z\",\"display\":null}],\"filterClause\":\"AND\",\"display\":null}],\"groupClause\":\"AND\",\"pgSize\":10000,\"pgNum\":1,\"pgToken\":\"\",\"srtKey\":\"eventId\",\"srtDir\":\"asc\",\"purpose\":null,\"defaultSortKey\":\"eventTimestamp\"}", "resultCount": 945}
{"type$": "audit_log::logged_in/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120, 64.250.60.180", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER"}
Code42 File Events sample
{"eventId": "123456789abcdef01234567890abcdef", "eventType": "MODIFIED", "eventTimestamp": "2022-02-19T10:20:30.756Z", "insertionTimestamp": "2022-02-19T10:20:30.756Z", "fieldErrors": [{"field": "md5Checksum", "error": "GDRIVE_NATIVE_HASH"}, {"field": "sha256Checksum", "error": "GDRIVE_NATIVE_HASH"}], "filePath": null, "fileName": "<File_name>", "fileType": "FILE", "fileCategory": "Document", "fileCategoryByBytes": "Uncategorized", "fileCategoryByExtension": "Document", "fileSize": null, "fileOwner": "<email_address>@<email_host>", "md5Checksum": null, "sha256Checksum": null, "createTimestamp": "2022-02-19T10:20:30.756Z", "modifyTimestamp": "2022-02-19T10:20:30.756Z", "deviceUserName": "<email_address>@<email_host>", "osHostName": null, "domainName": null, "publicIpAddress": "55.205.250.120", "privateIpAddresses": [], "deviceUid": null, "userUid": "1234567890123456789", "actor": "<email_address>@<email_host>", "directoryId": ["0AJLSsw5hCGBjUk8PEK"], "source": "GoogleDrive", "url": "<url>", "shared": "TRUE", "sharedWith": [{"cloudUsername": "<email_address_0>@<email_host>"}, {"cloudUsername": "<email_address_1>@<email_host>"}, {"cloudUsername": "<email_address_2>@<email_host>"}, {"cloudUsername": "<email_address_3>@<email_host>"}], "sharingTypeAdded": [], "cloudDriveId": "0AIMRsw5hCDBjJk0EKJ", "detectionSourceAlias": "Code 42 GDrive", "fileId": "214jek1MhMN9_FizzYBu41HcatUtdHEKh5T9hrI5tjFR", "exposure": [], "processOwner": null, "processName": null, "windowTitle": [], "tabUrl": null, "tabs": [], "sourceTabs": [], "fileClassifications": [], "removableMediaVendor": null, "removableMediaName": null, "removableMediaSerialNumber": null, "removableMediaCapacity": null, "removableMediaBusType": null, "removableMediaMediaName": null, "removableMediaVolumeName": [], "removableMediaPartitionId": [], "syncDestination": null, "syncDestinationUsername": [], "emailDlpPolicyNames": [], "emailSubject": null, "emailSender": null, "emailFrom": null, "emailRecipients": null, "outsideActiveHours": true, "mimeTypeByBytes": null, "mimeTypeByExtension": "application/vnd.google-apps.document", "mimeTypeMismatch": false, "printJobName": null, "printerName": null, "printedFilesBackupPath": null, "remoteActivity": null, "trusted": true, "trustReason": "Shared with trusted users", "operatingSystemUser": null, "destinationCategory": null, "destinationName": null, "sourceCategory": null, "sourceName": null, "riskScore": 0, "riskSeverity": "NO_RISK_INDICATED", "riskIndicators": [], "reportName": null, "reportDescription": null, "reportColumnHeaders": null, "reportRecordCount": null, "reportType": null, "reportId": null}
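As an added example, not code from Hunters or Code42, the following Python checks an export against the expected format above before it is handed to the collector: it reads the NDJSON line by line, routes each record to one of the three tables by the fields Code42 emits (the type$ tag for alerts and audit logs, eventId/eventType for file events), rejects malformed lines instead of silently dropping them, normalises the three different timestamp fields, takes the client address from a comma-separated actorIpAddress like the one in the logged_in sample, and flags file events shared with accounts outside the organisation's own domains. The records in SAMPLE_NDJSON are constructed from the redacted samples on this page with invented addresses, and ORG_DOMAINS is an assumed list of the tenant's mail domains.

```python
"""Validate a Code42 NDJSON export and route each record to its Hunters table.
Added example, not Hunters or Code42 code. SAMPLE_NDJSON is constructed from the
redacted samples on this page (addresses invented); ORG_DOMAINS is an assumed
list of the tenant's own mail domains. Field and table names are the page's."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed input, one JSON object per line as Code42 exports to S3.
# The last line is deliberately malformed to show how a bad line is reported.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"type$": "ALERT_SUMMARY", "name": "Cloud sync initiated",
                "actor": "alice@example.com", "severity": "MEDIUM",
                "riskSeverity": "MODERATE", "state": "OPEN",
                "createdAt": "2022-02-19T10:20:30.756747Z"}),
    json.dumps({"type$": "audit_log::logged_in/1", "actorName": "alice@example.com",
                "actorIpAddress": "55.205.250.120, 64.250.60.180",
                "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER"}),
    json.dumps({"eventId": "123456789abcdef01234567890abcdef", "eventType": "MODIFIED",
                "eventTimestamp": "2022-02-19T10:20:30.756Z", "fileName": "Q3-forecast",
                "fileOwner": "alice@example.com", "source": "GoogleDrive",
                "shared": "TRUE", "riskSeverity": "NO_RISK_INDICATED",
                "sharedWith": [{"cloudUsername": "bob@example.com"},
                               {"cloudUsername": "mallory@gmail.com"}]}),
    '{"eventId": "truncated',
])
ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

# Field that carries the event time in each table (Code42's field names).
TIME_FIELD = {"code42_alerts": "createdAt", "code42_audit_logs": "timestamp",
              "code42_file_events": "eventTimestamp"}

def classify(record: dict) -> Optional[str]:
    """Map one record to its Hunters table from the fields Code42 emits."""
    tag = str(record.get("type$", ""))
    if tag == "ALERT_SUMMARY":
        return "code42_alerts"
    if tag.startswith("audit_log::"):
        return "code42_audit_logs"
    if "eventId" in record and "eventType" in record:
        return "code42_file_events"
    return None

def parse_ts(value: str) -> datetime:
    """Code42 timestamps are ISO-8601 UTC with 3 or 6 fractional digits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def first_ip(actor_ip_address: str) -> str:
    """actorIpAddress may be a comma-separated chain (see the logged_in sample);
    the first entry is the client, the rest are proxies."""
    return actor_ip_address.split(",")[0].strip()

def external_recipients(event: dict, org_domains) -> List[str]:
    """Cloud usernames a file was shared with outside org_domains.
    Note that 'shared' is the string "TRUE", not a JSON boolean."""
    if str(event.get("shared", "")).upper() != "TRUE":
        return []
    external = []
    for entry in event.get("sharedWith") or []:
        user = entry.get("cloudUsername", "")
        domain = user.rsplit("@", 1)[-1].lower()
        if domain and domain not in org_domains:
            external.append(user)
    return external

def load_export(ndjson_text: str, org_domains=ORG_DOMAINS) -> dict:
    """Split an export into per-table record lists, reject lines that are not
    valid records, and flag file events shared outside the organisation."""
    tables: Dict[str, List[dict]] = {name: [] for name in TIME_FIELD}
    rejected: List[Tuple[int, str]] = []
    findings: List[dict] = []
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, "invalid JSON"))
            continue
        table = classify(record) if isinstance(record, dict) else None
        if table is None:
            rejected.append((lineno, "unrecognised record shape"))
            continue
        try:
            record["_ts"] = parse_ts(record[TIME_FIELD[table]])
        except (KeyError, ValueError):
            rejected.append((lineno, "missing or malformed timestamp"))
            continue
        if table == "code42_audit_logs" and record.get("actorIpAddress"):
            record["_client_ip"] = first_ip(record["actorIpAddress"])
        if table == "code42_file_events":
            external = external_recipients(record, org_domains)
            if external:
                findings.append({"file": record.get("fileName"),
                                 "owner": record.get("fileOwner"),
                                 "external": external})
        tables[table].append(record)
    return {"tables": tables, "rejected": rejected, "findings": findings}
```

Running load_export(SAMPLE_NDJSON) puts one record in each of the three tables, reports line 4 as invalid JSON, and returns the Google Drive document shared with mallory@gmail.com as a finding. Two details from the samples are worth keeping in mind when writing your own checks: shared is the string "TRUE" rather than a boolean, and actorIpAddress in audit logs can hold more than one address, so a detection that compares it to an allow-list must split it first.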