Overview

Code42 is a SaaS platform aimed at logging and detecting data loss (through documents being copied, moved, or made accessible to the wrong people) and responding accordingly.

Integrating your Code42 logs into Hunters enables ingestion of the logs, as well as detection, advanced investigation, and correlation over them.

Supported Data Types

  • Code42 Alerts - Alerts generated by the product (see more details here).

  • Code42 Audit Logs - The Audit Log provides a record of who did what, and when, in the Code42 environment (see more details here).

  • Code42 File Events - File event metadata provides detailed visibility about insider risks caused by files (see more details here).

Hunters Integration

To integrate your Code42 logs into Hunters, the logs must be collected from your network into a storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters. For more details regarding Code42’s API collection, see here.

The expected log format is NDJSON (newline-delimited JSON, one record per line), as exported from Code42.

For example (values in angle brackets, such as `<email_address>@<email_host>`, are placeholders):

Code42 Alerts Samples
{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": "Cloud sync initiated", "description": "Alerts you when files are synced to a cloud storage application.", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}
{"type$": "ALERT_SUMMARY", "tenantId": "12345678-9abc-def0-1234-567890abcdef", "type": "FED_COMPOSITE", "name": " Cloud Storage Catch-all", "description": "", "actor": "<email_address>@<email_host>", "actorId": "1234567890123456789", "target": "N/A", "severity": "MEDIUM", "riskSeverity": "MODERATE", "ruleId": "12345678-9abc-def0-1234-567890abcdef", "id": "12345678-9abc-def0-1234-567890abcdef", "createdAt": "2022-02-19T10:20:30.756747Z", "state": "OPEN"}
Code42 Audit Logs Samples
{"type$": "audit_log::search_issued/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER", "success": true, "type": "query", "requestJson": "{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_AFTER\",\"value\":\"2022-02-17T10:20:30.000Z\",\"display\":null},{\"term\":\"eventTimestamp\",\"operator\":\"ON_OR_BEFORE\",\"value\":\"2022-02-18T10:20:30.000Z\",\"display\":null}],\"filterClause\":\"AND\",\"display\":null}],\"groupClause\":\"AND\",\"pgSize\":10000,\"pgNum\":1,\"pgToken\":\"\",\"srtKey\":\"eventId\",\"srtDir\":\"asc\",\"purpose\":null,\"defaultSortKey\":\"eventTimestamp\"}", "resultCount": 945}
{"type$": "audit_log::logged_in/1", "actorId": "1234567890123456789", "actorName": "<email_address>@<email_host>", "actorAgent": "py42 1.21.1 python 3.7.10", "actorIpAddress": "55.205.250.120, 64.250.60.180", "timestamp": "2022-02-19T10:20:30.756747Z", "actorType": "USER"}
Code42 File Events Sample
{"eventId": "123456789abcdef01234567890abcdef", "eventType": "MODIFIED", "eventTimestamp": "2022-02-19T10:20:30.756Z", "insertionTimestamp": "2022-02-19T10:20:30.756Z", "fieldErrors": [{"field": "md5Checksum", "error": "GDRIVE_NATIVE_HASH"}, {"field": "sha256Checksum", "error": "GDRIVE_NATIVE_HASH"}], "filePath": null, "fileName": "<File_name>", "fileType": "FILE", "fileCategory": "Document", "fileCategoryByBytes": "Uncategorized", "fileCategoryByExtension": "Document", "fileSize": null, "fileOwner": "<email_address>@<email_host>", "md5Checksum": null, "sha256Checksum": null, "createTimestamp": "2022-02-19T10:20:30.756Z", "modifyTimestamp": "2022-02-19T10:20:30.756Z", "deviceUserName": "<email_address>@<email_host>", "osHostName": null, "domainName": null, "publicIpAddress": "55.205.250.120", "privateIpAddresses": [], "deviceUid": null, "userUid": "1234567890123456789", "actor": "<email_address>@<email_host>", "directoryId": ["0AJLSsw5hCGBjUk8PEK"], "source": "GoogleDrive", "url": "<url>", "shared": "TRUE", "sharedWith": [{"cloudUsername": "<email_address_0>@<email_host>"}, {"cloudUsername": "<email_address_1>@<email_host>"}, {"cloudUsername": "<email_address_2>@<email_host>"}, {"cloudUsername": "<email_address_3>@<email_host>"}], "sharingTypeAdded": [], "cloudDriveId": "0AIMRsw5hCDBjJk0EKJ", "detectionSourceAlias": "Code 42 GDrive", "fileId": "214jek1MhMN9_FizzYBu41HcatUtdHEKh5T9hrI5tjFR", "exposure": [], "processOwner": null, "processName": null, "windowTitle": [], "tabUrl": null, "tabs": [], "sourceTabs": [], "fileClassifications": [], "removableMediaVendor": null, "removableMediaName": null, "removableMediaSerialNumber": null, "removableMediaCapacity": null, "removableMediaBusType": null, "removableMediaMediaName": null, "removableMediaVolumeName": [], "removableMediaPartitionId": [], "syncDestination": null, "syncDestinationUsername": [], "emailDlpPolicyNames": [], "emailSubject": null, "emailSender": null, "emailFrom": null, "emailRecipients": null, "outsideActiveHours": true, "mimeTypeByBytes": null, "mimeTypeByExtension": "application/vnd.google-apps.document", "mimeTypeMismatch": false, "printJobName": null, "printerName": null, "printedFilesBackupPath": null, "remoteActivity": null, "trusted": true, "trustReason": "Shared with trusted users", "operatingSystemUser": null, "destinationCategory": null, "destinationName": null, "sourceCategory": null, "sourceName": null, "riskScore": 0, "riskSeverity": "NO_RISK_INDICATED", "riskIndicators": [], "reportName": null, "reportDescription": null, "reportColumnHeaders": null, "reportRecordCount": null, "reportType": null, "reportId": null}