
Code42

About

File events represent the creation, modification, deletion, and movement of files in your organization's working environment (both on endpoints and in supported cloud providers).

When file activity occurs on an endpoint or in the cloud, Incydr records metadata about the event and retains it for 90 days. At any point within that 90-day window you can search for the file activity using the collected metadata, such as (but not limited to):

  • the file name
  • who acted on the file
  • whether the file was shared in a cloud service or email
  • the device the file was stored on

Product Details

Vendor URL: Code42

Product Type: SaaS

Product Tier: Tier III

Integration Method: Custom

Integration URL: Code42 Crashplan - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: CODE42

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
actor security_result.about.user.userid
destination.category additional.fields
destination.name additional.fields
event.id metadata.product_log_id
file.directory target.file.full_path
file.hash.md5 target.file.md5
file.hash.sha256 target.file.sha256
file.mimeType target.file.mime_type
file.name target.file.full_path
process.executable target.process.file.full_path
removableMedia.busType additional.fields
removableMedia.capacity additional.fields
removableMedia.mediaName additional.fields
removableMedia.name additional.fields
removableMedia.partitionId additional.fields
removableMedia.serialNumber additional.fields
removableMedia.vendor additional.fields
removableMedia.volumeName additional.fields
risk.score security_result.about.investigation.severity_score
risk.severity security_result.severity_details
source.privateIp principal.ip
user.deviceUid principal.asset.asset_id
user.email principal.user.userid
user.id principal.hostname

Product Event Types

Event UDM Event Classification
CREATED FILE_CREATION
DELETED FILE_DELETION
MODIFIED FILE_MODIFICATION
READ FILE_READ

Log Sample

{"@timestamp":"2023-10-18T13:10:34.038Z","destination":{"accountName":null,"accountType":null,"category":null,"domains":[],"email":{"recipients":[],"subject":null},"ip":null,"name":null,"operatingSystem":null,"printJobName":null,"printedFilesBackupPath":null,"printerName":null,"privateIp":[],"remoteHostname":null,"removableMedia":{"busType":null,"capacity":null,"mediaName":null,"name":null,"partitionId":[],"serialNumber":null,"vendor":null,"volumeName":[]},"tabs":[],"user":{"email":[]}},"event":{"action":"file-created","detectorDisplayName":null,"id":"event","ingested":"2023-10-18T13:12:52.773Z","inserted":"2023-10-18T13:13:16.394696908Z","observer":"Endpoint","shareType":[],"vector":"NONE"},"file":{"acquiredFrom":[],"archiveId":null,"category":"Uncategorized","categoryByBytes":null,"categoryByExtension":null,"changeType":"CREATED","classifications":[],"cloudDriveId":null,"created":"2023-10-18T13:04:15.561Z","directory":"/Users/john.doe/file_path/extensions_crx_cache/","directoryId":[],"hash":{"md5":"md5","md5Error":null,"sha256":"sha256","sha256Error":null},"id":null,"mimeType":"application/x-chrome-package","mimeTypeByBytes":"application/x-chrome-package","mimeTypeByExtension":"application/octet-stream","modified":"2023-10-18T13:04:15.646Z","name":"filename","originalDirectory":null,"originalName":null,"owner":"john.doe","parentArchiveId":null,"passwordProtected":null,"sizeInBytes":245390,"url":null},"git":{"eventId":null,"lastCommitHash":null,"repositoryEmail":null,"repositoryEndpointPath":null,"repositoryUri":null,"repositoryUser":null},"process":{"executable":null,"extension":{"browser":null,"loggedInUser":null,"version":null},"owner":null},"report":{"count":null,"description":null,"headers":[],"id":null,"name":null,"type":null},"responseControls":{"preventativeControl":null,"userJustification":{"reason":null,"text":null}},"risk":{"indicators":[],"score":0,"severity":"NO_RISK_INDICATED","trustReason":null,"trusted":false,"untrustedValues":{"accountNames":[],"do
mains":[],"gitRepositoryUris":[],"slackWorkspaces":[],"urlPaths":[]}},"source":{"accountName":null,"accountType":null,"category":"Device","domain":"10.168.0.131","domains":[],"email":{"from":null,"sender":null},"ip":"10.23.99.137","name":"name_here","operatingSystem":"MacOS","privateIp":["10.127.100.1","10.168.0.131"],"remoteHostname":null,"removableMedia":{"busType":"data1","capacity":"data2","mediaName":"data3","name":"data4","partitionId":["data5"],"serialNumber":"data6","vendor":"data7","volumeName":["data8"]},"tabs":[],"user":{"email":[]}},"user":{"deviceUid":"uid","email":"first.last@recursionpharma.com","id":"userid"}}

Sample Parsing

metadata.event_timestamp = "2021-09-29T17:04:48.533979Z"
metadata.event_type = "GENERIC_EVENT"
metadata.ingested_timestamp = "2021-09-29T17:04:48.533979Z"
metadata.product_event_type = "CREATED"
metadata.product_log_id = "event"
metadata.product_name = "CrashPlan"
metadata.vendor_name = "Code42"
principal.asset.asset_id = "CP:uid"
principal.hostname = "userid"
principal.ip = "10.127.100.1"
principal.ip = "10.168.0.131"
principal.user.userid = "john.doe"
target.user.attribute.permissions.name = "john.doe"
target.file.full_path = "/Users/john.doe/file_path/extensions_crx_cache/filename"
target.file.md5 = "md5"
target.file.mime_type = "application/x-chrome-package"
target.file.sha256 = "sha256"
target.file.size = "245390"
security_result.about.investigation.severity_score = 0
security_result.severity_details = "NO_RISK_INDICATED"