Code42 Incydr Source
The Code42 Incydr is an insider risk management solution that allows you to detect and respond to data exposure and exfiltration from corporate computer, cloud, and email systems. It provides the visibility, context, and controls needed to protect data without overwhelming security teams or inhibiting employee productivity.
Code42 Incydr source is used to analyze and fetch file events, alerts and audit logs from the Code42 Incydr API and send it to Sumo Logic.
This source is available in all deployments, including the Fed deployment.
Data collected
| Polling Interval | Data |
|---|---|
| 5 min | Alerts, File Events, and Audit Logs (Audit Events) |
Setup
Vendor configuration
The Code42 Incydr source requires you to provide the Base URL, Client ID, and Secret Key to access the source data.
- The Base URL is used to retrieve the source data from the Incydr API. The domain used for making API requests can be determined using the domain you use to sign in to the Code42 console.
- api.us.code42.com
- api.us2.code42.com
- api.ie.code42.com
- api.gov.code42.com
infoMake sure that all API requests are made using HTTPs.
- To generate the Client ID and Secret Key, follow the instructions mentioned in the Incydr API documentation.
Source configuration
When you create an Code42 Incydr source, you add it to a Hosted Collector. Before creating the source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
To configure a Code42 Incydr Source:
- In Sumo Logic, select Manage Data > Collection > Collection.
- On the Collection page, click Add Source next to a Hosted Collector.
- Search for and select Code42 Incydr.
- Enter a Name for the source. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
_sourceCategory. - (Optional) Fields. Click the +Add button to define the fields you want to associate. Each field needs a name (key) and value.
A green circle with a check mark is shown when the field exists in the Fields table schema.
An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
- In Base URL, select the domain from which you want to retrieve the source data from the Incydr API.
- In Client ID, enter the Client ID you generated from the Code42 Incydr platform.
- In Secret Key, enter the Secret Key you generated from the Code42 Incydr platform.
- In Data Collection, select the type of source from which you want to collect the data from. This allows you to limit the response to just the data you want.
Metadata fields
| Field | Value | Description |
|---|---|---|
_siemParser | /Parsers/System/Code42/Code42 Incydr | Set when Forward To SIEM is checked. |
JSON schema
Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See JSON to configure Sources for details.
| Parameter | Type | Value | Required | Description |
|---|---|---|---|---|
| schemaRef | JSON Object | {"type":"Code42Incydr"} | Yes | Define the specific schema type. |
| sourceType | String | "Universal" | Yes | Type of source. |
| config | JSON Object | Configuration object | Yes | Source type specific values. |
Configuration Object
| Parameter | Type | Required | Default | Description | Example |
|---|---|---|---|---|---|
| name | String | Yes | null | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source. | "mySource" |
| description | String | No | null | Type a description of the source. | "Testing source" |
| category | String | No | null | Type a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details. | "mySource/test" |
| fields | JSON Object | No | null | JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM. | {"_siemForward": false, "fieldA": "valueA"} |
| baseURL | String | Yes | null | API Key to used for Authorization. | |
| clientID | Boolean | No | null | Client ID generated from the Code42 Incydr platform. | |
| secretKey | String | No | null | Secret Key generated secured from the Code42 Incydr platform. | |
| dataCollection | String | No | null | Type of source from which you want to collect the data from. |
JSON example
{
"api.version": "v1",
"source": {
"config": {
"name": "Code42",
"description": "Code42",
"category": "code42",
"baseURL": "https://api.us.code42.com",
"clientID": "key-xxxx0316-xxxx-492d-xxxx-308184abxxx3",
"secretKey": "XXXXV%DsznXXX!hxr479cXsxxnbkX@vxxrxkbfxc",
"dataCollection": [
"auditEvents",
"alerts",
"fileEvents"
]
},
"schemaRef": {
"type": "Code42Incydr"
},
"sourceType": "Universal"
}
}
Terraform example
resource "sumologic_cloud_to_cloud_source" "code42incydr_source" {
collector_id = sumologic_collector.collector.id
schema_ref = {
type = "Code42Incydr"
}
config = jsonencode({
"name": "Code42",
"description": "Code42",
"category": "code42",
"baseURL": "https://api.us.code42.com",
"clientID": "key-xxxx0316-xxxx-492d-xxxx-308184abxxx3",
"secretKey": "XXXXV%DsznXXX!hxr479cXsxxnbkX@vxxrxkbfxc",
"dataCollection": [
"auditEvents",
"alerts",
"fileEvents"
]
})
}
resource "sumologic_collector" "collector" {
name = "my-collector"
description = "Just testing this"
}
Troubleshooting
After configuring your source, you should check the status of the source in the Collectors page > Status column. If the source is not functioning as expected, you may see an error next to the Source Category column as shown below:
Error Code: 401
Error Details:
{
"error": "invalid_client"
}
To resolve these errors:
- Make sure the Base URL matches your domain.
- Make sure correct Client ID or Secret Key is used to configure the source.
FAQ
Click here for more information about Cloud-to-Cloud sources.