# Code42

## About
File events represent the creation, modification, deletion, and movement of files in your organization's working environment (both on endpoints and in supported cloud providers).
When file activity occurs on an endpoint or in the cloud, Incydr records metadata about the event and retains it for 90 days. At any time in that 90-day window you can search for the file activity based on the metadata collected, such as (but not limited to):
- the file name
- who acted on the file
- whether the file was shared in a cloud service or email
- the device the file was stored on
## Product Details
Vendor URL: Code42
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Integration URL: Code42 Crashplan - Cyderes Documentation
Log Guide: Sample Logs by Log Type
## Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: CODE42
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| actor | security_result.about.user.userid |
| destination.category | additional.fields |
| destination.name | additional.fields |
| event.id | metadata.product_log_id |
| file.directory | target.file.full_path |
| file.hash.md5 | target.file.md5 |
| file.hash.sha256 | target.file.sha256 |
| file.mimeType | target.file.mime_type |
| file.name | target.file.full_path |
| process.executable | target.process.file.full_path |
| removableMedia.busType | additional.fields |
| removableMedia.capacity | additional.fields |
| removableMedia.mediaName | additional.fields |
| removableMedia.name | additional.fields |
| removableMedia.partitionId | additional.fields |
| removableMedia.serialNumber | additional.fields |
| removableMedia.vendor | additional.fields |
| removableMedia.volumeName | additional.fields |
| risk.score | security_result.about.investigation.severity_score |
| risk.severity | security_result.severity_details |
| source.privateIp | principal.ip |
| user.deviceUid | principal.asset.asset_id |
| user.email | principal.user.userid |
| user.id | principal.hostname |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| CREATED | FILE_CREATION |
| DELETED | FILE_DELETION |
| MODIFIED | FILE_MODIFICATION |
| READ | FILE_READ |
## Log Sample

```json
{"@timestamp":"2023-10-18T13:10:34.038Z","destination":{"accountName":null,"accountType":null,"category":null,"domains":[],"email":{"recipients":[],"subject":null},"ip":null,"name":null,"operatingSystem":null,"printJobName":null,"printedFilesBackupPath":null,"printerName":null,"privateIp":[],"remoteHostname":null,"removableMedia":{"busType":null,"capacity":null,"mediaName":null,"name":null,"partitionId":[],"serialNumber":null,"vendor":null,"volumeName":[]},"tabs":[],"user":{"email":[]}},"event":{"action":"file-created","detectorDisplayName":null,"id":"event","ingested":"2023-10-18T13:12:52.773Z","inserted":"2023-10-18T13:13:16.394696908Z","observer":"Endpoint","shareType":[],"vector":"NONE"},"file":{"acquiredFrom":[],"archiveId":null,"category":"Uncategorized","categoryByBytes":null,"categoryByExtension":null,"changeType":"CREATED","classifications":[],"cloudDriveId":null,"created":"2023-10-18T13:04:15.561Z","directory":"/Users/john.doe/file_path/extensions_crx_cache/","directoryId":[],"hash":{"md5":"md5","md5Error":null,"sha256":"sha256","sha256Error":null},"id":null,"mimeType":"application/x-chrome-package","mimeTypeByBytes":"application/x-chrome-package","mimeTypeByExtension":"application/octet-stream","modified":"2023-10-18T13:04:15.646Z","name":"filename","originalDirectory":null,"originalName":null,"owner":"john.doe","parentArchiveId":null,"passwordProtected":null,"sizeInBytes":245390,"url":null},"git":{"eventId":null,"lastCommitHash":null,"repositoryEmail":null,"repositoryEndpointPath":null,"repositoryUri":null,"repositoryUser":null},"process":{"executable":null,"extension":{"browser":null,"loggedInUser":null,"version":null},"owner":null},"report":{"count":null,"description":null,"headers":[],"id":null,"name":null,"type":null},"responseControls":{"preventativeControl":null,"userJustification":{"reason":null,"text":null}},"risk":{"indicators":[],"score":0,"severity":"NO_RISK_INDICATED","trustReason":null,"trusted":false,"untrustedValues":{"accountNames":[],"domains":[],"gitRepositoryUris":[],"slackWorkspaces":[],"urlPaths":[]}},"source":{"accountName":null,"accountType":null,"category":"Device","domain":"10.168.0.131","domains":[],"email":{"from":null,"sender":null},"ip":"10.23.99.137","name":"name_here","operatingSystem":"MacOS","privateIp":["10.127.100.1","10.168.0.131"],"remoteHostname":null,"removableMedia":{"busType":"data1","capacity":"data2","mediaName":"data3","name":"data4","partitionId":["data5"],"serialNumber":"data6","vendor":"data7","volumeName":["data8"]},"tabs":[],"user":{"email":[]}},"user":{"deviceUid":"uid","email":"first.last@recursionpharma.com","id":"userid"}}
```
## Sample Parsing

```
metadata.event_timestamp = "2021-09-29T17:04:48.533979Z"
metadata.event_type = "GENERIC_EVENT"
metadata.ingested_timestamp = "2021-09-29T17:04:48.533979Z"
metadata.product_event_type = "CREATED"
metadata.product_log_id = "event"
metadata.product_name = "CrashPlan"
metadata.vendor_name = "Code42"
principal.asset.asset_id = "CP:uid"
principal.hostname = "userid"
principal.ip = "10.127.100.1"
principal.ip = "10.168.0.131"
principal.user.userid = "john.doe"
target.user.attribute.permissions.name = "john.doe"
target.file.full_path = "/Users/john.doe/file_path/extensions_crx_cache/filename"
target.file.md5 = "md5"
target.file.mime_type = "application/x-chrome-package"
target.file.sha256 = "sha256"
target.file.size = "245390"
security_result.about.investigation.severity_score = 0
security_result.severity_details = "NO_RISK_INDICATED"
```
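To make the field table and the event-type table above concrete, here is an added Python example (not the Cyderes parser and not Code42 code) that applies that mapping to one Code42 file event. `SAMPLE_EVENT` is a constructed, trimmed copy of the log sample above with the null-only branches removed and a placeholder e-mail domain; the helper names (`normalize`, `classify`, `join_file_path`, `removable_media_fields`) are my own. It follows the Product Event Types table for `metadata.event_type` and the `CP:` asset-id prefix seen in the Sample Parsing, and it drops empty Code42 fields so absent values do not produce empty UDM fields. Note that the Sample Parsing on this page shows `GENERIC_EVENT` for the same `CREATED` event, so compare your live parser's output against the table before writing detections on `metadata.event_type`.

```python
# Added example, not Cyderes' or Code42's own parser code: a small Python
# normalizer that applies the UDM field mapping documented on this page to a
# Code42 file event. SAMPLE_EVENT is a constructed, trimmed copy of the page's
# log sample (placeholder e-mail domain); the helper names are my own.
import json

# file.changeType -> UDM event classification (Product Event Types table).
CHANGE_TYPE_TO_UDM = {
    "CREATED": "FILE_CREATION",
    "DELETED": "FILE_DELETION",
    "MODIFIED": "FILE_MODIFICATION",
    "READ": "FILE_READ",
}

# removableMedia.* attributes the parser keeps as additional.fields.
REMOVABLE_MEDIA_KEYS = (
    "busType", "capacity", "mediaName", "name",
    "partitionId", "serialNumber", "vendor", "volumeName",
)

# Constructed sample: the page's log sample with null-only branches removed.
SAMPLE_EVENT = json.dumps({
    "@timestamp": "2023-10-18T13:10:34.038Z",
    "event": {"action": "file-created", "id": "event", "observer": "Endpoint"},
    "file": {
        "changeType": "CREATED",
        "directory": "/Users/john.doe/file_path/extensions_crx_cache/",
        "name": "filename",
        "hash": {"md5": "md5", "sha256": "sha256"},
        "mimeType": "application/x-chrome-package",
        "owner": "john.doe",
        "sizeInBytes": 245390,
    },
    "process": {"executable": None},
    "risk": {"score": 0, "severity": "NO_RISK_INDICATED"},
    "source": {
        "category": "Device",
        "ip": "10.23.99.137",
        "privateIp": ["10.127.100.1", "10.168.0.131"],
        "removableMedia": {
            "busType": "data1", "capacity": "data2", "mediaName": "data3",
            "name": "data4", "partitionId": ["data5"], "serialNumber": "data6",
            "vendor": "data7", "volumeName": ["data8"],
        },
    },
    "user": {"deviceUid": "uid", "email": "first.last@example.com", "id": "userid"},
})


def classify(change_type):
    """Map file.changeType to its UDM event type; unknown types stay generic."""
    return CHANGE_TYPE_TO_UDM.get(change_type, "GENERIC_EVENT")


def join_file_path(directory, name):
    """Build target.file.full_path from file.directory and file.name,
    tolerating a directory with or without a trailing slash."""
    if not directory:
        return name
    if not name:
        return directory
    return directory.rstrip("/") + "/" + name


def removable_media_fields(source):
    """Collect populated source.removableMedia.* attributes as additional.fields."""
    media = source.get("removableMedia") or {}
    return {f"removableMedia.{k}": media[k] for k in REMOVABLE_MEDIA_KEYS
            if media.get(k) not in (None, [], "")}


def normalize(raw_json):
    """Return a flat dict of UDM field name -> value for one Code42 event."""
    ev = json.loads(raw_json)
    file_ = ev.get("file") or {}
    source = ev.get("source") or {}
    user = ev.get("user") or {}
    risk = ev.get("risk") or {}
    change_type = file_.get("changeType")
    udm = {
        "metadata.event_type": classify(change_type),
        "metadata.product_event_type": change_type,
        "metadata.product_log_id": (ev.get("event") or {}).get("id"),
        "metadata.vendor_name": "Code42",
        "metadata.product_name": "CrashPlan",
        # The Sample Parsing prefixes the device UID with "CP:".
        "principal.asset.asset_id": f"CP:{user['deviceUid']}" if user.get("deviceUid") else None,
        "principal.hostname": user.get("id"),
        "principal.ip": list(source.get("privateIp") or []),
        "principal.user.userid": user.get("email"),
        "target.file.full_path": join_file_path(file_.get("directory"), file_.get("name")),
        "target.file.md5": (file_.get("hash") or {}).get("md5"),
        "target.file.sha256": (file_.get("hash") or {}).get("sha256"),
        "target.file.mime_type": file_.get("mimeType"),
        "target.file.size": file_.get("sizeInBytes"),
        "target.process.file.full_path": (ev.get("process") or {}).get("executable"),
        "security_result.about.investigation.severity_score": risk.get("score"),
        "security_result.severity_details": risk.get("severity"),
        "additional.fields": removable_media_fields(source),
    }
    # Drop empty values so absent Code42 fields do not become empty UDM fields.
    return {k: v for k, v in udm.items() if v not in (None, [], {}, "")}


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_EVENT), indent=2))
```

Running the file prints the normalized record for the sample; the populated `removableMedia.*` entries under `additional.fields` are what a detection for file activity on removable devices would key on, since the field table keeps them out of the core UDM nouns.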
## Rules
Coming Soon