Code42 Incydr

The Sumo Logic app for Code42 Incydr assists security teams in monitoring, detecting, and responding to data threats within an organization. It features dashboards that track audits, file events, and user sessions. By identifying risky file activities and monitoring user behavior, the app helps prevent data leaks and intellectual property theft. Incydr also provides a comprehensive analysis of user actions, risk patterns, and geolocation, equipping security professionals with the information necessary to safeguard against insider threats and ensure compliance with data security standards.

info

This app includes built-in monitors. For details on creating custom monitors, refer to the Create monitors for Code42 Incydr app.

Log types

This app uses Sumo Logic’s Code42 Incydr Source to collect audits, file events, and session logs from the Code42 Incydr platform.

Sample log messages

Audit Log

{
    "type$": "audit_log::search_issued/1",
    "actorId": "1004622955308648174",
    "actorName": "partner-demo-environment-admin@code42.com",
    "actorAgent": "Apache-HttpAsyncClient/4.1.4 (Java/11.0.3)",
    "actorIpAddress": "50.93.255.223",
    "timestamp": "2023-06-16T21:49:21.072416Z",
    "actorType": "USER",
    "success": true,
    "type": "query",
    "requestJson": "{\"groups\":[{\"filters\":[{\"term\":\"deviceUserName\",\"operator\":\"IS\",\"value\":\"darnell.waters@c42demo.com\",\"display\":null}],\"filterClause\":\"OR\",\"display\":null},{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"WITHIN_THE_LAST\",\"value\":\"PT15M\",\"display\":null}],\"filterClause\":\"AND\",\"display\":null},{\"filters\":[{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"RemovableMedia\",\"display\":null},{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"ApplicationRead\",\"display\":null},{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"CloudStorage\",\"display\":null}],\"filterClause\":\"OR\",\"display\":null},{\"filters\":[{\"term\":\"md5Checksum\",\"operator\":\"DOES_NOT_EXIST\",\"value\":null,\"display\":null}],\"filterClause\":\"AND\",\"display\":null}],\"groupClause\":\"AND\",\"pgSize\":100,\"pgNum\":1,\"pgToken\":null,\"srtKey\":null,\"srtDir\":\"desc\",\"purpose\":null}",
    "resultCount": 0
}

File Event Log

{
    "@timestamp": "2025-01-28T01:24:03.271Z",
    "event": {
        "id": "001f4927-8958-4b9c-bc75-c0fd29700a49",
        "inserted": "2025-01-28T01:24:24.362976Z",
        "action": "file-modified",
        "observer": "GoogleDrive",
        "detectorDisplayName": "C42Demo Google Drive",
        "shareType": [],
        "ingested": "2025-01-28T01:24:04.208Z",
        "vector": "UNKNOWN"
    },
    "user": {
        "email": "sean.cassidy@c42demo.com",
        "id": "1004441363834186785",
        "deviceUid": null
    },
    "file": {
        "name": "queue.js",
        "originalName": null,
        "directory": null,
        "originalDirectory": null,
        "category": "SourceCode",
        "mimeType": "application/javascript",
        "mimeTypeByBytes": "text/plain",
        "categoryByBytes": "Document",
        "mimeTypeByExtension": "application/javascript",
        "categoryByExtension": "SourceCode",
        "sizeInBytes": 3641,
        "owner": "sean.cassidy@c42demo.com",
        "created": "2022-04-19T17:57:11.136Z",
        "modified": "2025-01-28T01:03:56.903Z",
        "hash": {
            "md5": "3024ad52166b0db6a2b1797a6e9b9f3b",
            "sha256": "144b3bc72834d2c901f214ca6425b76c58dbdbcf2bb9bd1e61633648a7a3a598",
            "md5Error": null,
            "sha256Error": null
        },
        "id": "1PIPbb2PrFIADdi3mzQlCPBMUy0kpqBru",
        "url": "https://drive.google.com/file/d/1PIPbb2PrFIADdi3mzQlCPBMUy0kpqBru/view?usp=drivesdk",
        "directoryId": [
            "1yEL6PL-KYJSLdSdh5ncBwM17067ntB-u"
        ],
        "cloudDriveId": "sean.cassidy@c42demo.com",
        "classifications": [],
        "acquiredFrom": [],
        "changeType": "MODIFIED"
    },
    "report": {
        "id": null,
        "name": null,
        "description": null,
        "headers": [],
        "count": null,
        "type": null
    },
    "source": {
        "category": null,
        "name": null,
        "user": {
            "email": []
        },
        "domain": null,
        "ip": null,
        "privateIp": [],
        "operatingSystem": null,
        "email": {
            "sender": null,
            "from": null
        },
        "removableMedia": {
            "vendor": null,
            "name": null,
            "serialNumber": null,
            "capacity": null,
            "busType": null,
            "mediaName": null,
            "volumeName": [],
            "partitionId": []
        },
        "tabs": [],
        "accountName": null,
        "accountType": null,
        "domains": []
    },
    "destination": {
        "category": null,
        "name": null,
        "user": {
            "email": []
        },
        "ip": null,
        "privateIp": [],
        "operatingSystem": null,
        "printJobName": null,
        "printerName": null,
        "printedFilesBackupPath": null,
        "removableMedia": {
            "vendor": null,
            "name": null,
            "serialNumber": null,
            "capacity": null,
            "busType": null,
            "mediaName": null,
            "volumeName": [],
            "partitionId": []
        },
        "email": {
            "recipients": null,
            "subject": null
        },
        "tabs": [],
        "accountName": null,
        "accountType": null,
        "domains": [],
        "remoteHostname": null
    },
    "process": {
        "executable": null,
        "owner": null
    },
    "risk": {
        "score": 0,
        "severity": "NO_RISK_INDICATED",
        "indicators": [],
        "trusted": false,
        "trustReason": null,
        "untrustedValues": {
            "accountNames": [],
            "domains": [],
            "gitRepositoryUris": [],
            "slackWorkspaces": [],
            "urlPaths": []
        },
        "preventativeControl": null
    },
    "git": {
        "eventId": null,
        "lastCommitHash": null,
        "repositoryUri": null,
        "repositoryUser": null,
        "repositoryEmail": null,
        "repositoryEndpointPath": null
    },
    "responseControls": {
        "preventativeControl": null,
        "userJustification": {
            "reason": null,
            "text": null
        }
    }
}

Session Log

{
    "sessionId": "1004440923549707297_1711129878056",
    "tenantId": "1af25e70-6993-498f-ab78-65c520259d95",
    "actorId": "1004440923549707297",
    "beginTime": 1711129878056,
    "endTime": 1711133446212,
    "firstObserved": 1711130127002,
    "lastUpdated": 1711134024842,
    "noRiskEvents": 241,
    "lowEvents": 0,
    "moderateEvents": 0,
    "highEvents": 0,
    "criticalEvents": 1,
    "notes": [],
    "riskIndicators": [
        {
            "id": "Download to unmonitored device from corporate Salesforce",
            "weight": 6,
            "eventCount": 1,
            "name": "Download to unmonitored device from corporate Salesforce"
        },
        {
            "id": "fileName-260f9635-0605-40fb-9d6b-1a5dde73085b",
            "weight": 3,
            "eventCount": 1,
            "name": "Sensitive Keyword Exfiltration"
        },
        {
            "id": "Flight risk",
            "weight": 3,
            "eventCount": 1,
            "name": "Flight risk"
        },
        {
            "id": "High impact",
            "weight": 1,
            "eventCount": 1,
            "name": "High impact"
        },
        {
            "id": "Spreadsheet",
            "weight": 0,
            "eventCount": 1,
            "name": "Spreadsheet"
        },
        {
            "id": "watchlist-377e1f05-86ee-40b3-bbd1-093cc035d172",
            "weight": 0,
            "eventCount": 1,
            "name": "Enterprise Sales"
        }
    ],
    "scores": [
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711130405673
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711130737347
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711131000346
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711131300264
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711131609219
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711131901523
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711132200768
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711132503399
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711132815102
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711133100885
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711133413799
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711133703988
        },
        {
            "score": 0,
            "severity": 0,
            "sourceTimestamp": 1711134003295
        },
        {
            "score": 13,
            "severity": 4,
            "sourceTimestamp": 1711134301878
        }
    ],
    "triggeredAlerts": [
        {
            "alertId": "28a8451d-143b-4c56-9f14-c3cc38277014",
            "ruleId": "fe130f34-22d3-4687-a628-7069d5b204bd",
            "lessonId": null
        },
        {
            "alertId": "f85bc31a-45c6-452e-80e3-728c9f6f8d74",
            "ruleId": "44d79d69-aeba-47d4-acb3-faad058806ab",
            "lessonId": null
        }
    ],
    "states": [
        {
            "state": "OPEN",
            "sourceTimestamp": 1711130127002,
            "userId": null
        }
    ],
    "exfiltrationSummary": "spreadsheet file(s) downloaded to unmonitored device from corporate Salesforce",
    "contextSummary": "",
    "riskIndicatorsAlertedOn": [],
    "contentInspectionResults": {
        "status": "UNPROCESSED",
        "eventResults": []
    }
}

Sample queries

Total Audits

_sourceCategory="Labs/Code42Incydr" type$
| json "type$", "actorId", "actorName", "actorAgent", "actorIpAddress", "timestamp", "actorType", "success", "type" as audit_type, actor_id, actor_name, actor_agent,actor_ip_address, timestamp, actor_type, success, search_type nodrop

// global filters
| where audit_type matches "{{audit_type}}"
| where actor_type matches "{{actor_type}}"
| where actor_agent matches "{{actor_agent}}"
| where isNull(success) or success matches "{{success}}"
| where actor_name matches "{{actor_name}}"

// panel specific
| count by timestamp,actor_id
| count

Total File Events

_sourceCategory="Labs/Code42Incydr" file
| json "@timestamp","event.id","event.action","event.observer","event.detectorDisplayName","user.email","user.id","file.url","file.name","file.originalName","file.directory","file.category","file.mimeType","file.sizeInBytes","file.owner","source.category","source.operatingSystem","source.ip","destination.ip","risk.score","risk.severity","risk.indicators","user.deviceUid" as timestamp,event_id, event_action, event_observer, event_detector_display_name, user_email, user_id, file_url, file_name, file_original_name, file_directory, file_category,file_mimetype, file_size_in_bytes, file_owner, source_category,source_operating_system,source_ip,destination_ip,risk_score,risk_severity,risk_indicators,device_uid nodrop

// global filters
| where event_action matches "{{event_action}}"
| where event_observer matches "{{event_observer}}"
| where user_email matches "{{user_email}}"
| where file_category matches "{{file_category}}"
| where risk_severity matches "{{risk_severity}}"
| where isNull(source_operating_system) or source_operating_system matches "{{operating_system}}"

// panel specific
| count by event_id
| count

Total Sessions

_sourceCategory="Labs/Code42Incydr" !type$ sessionId
| json "sessionId", "actorId","tenantId", "beginTime","endTime", "noRiskEvents", "lowEvents", "moderateEvents", "highEvents", "criticalEvents", "riskIndicators", "triggeredAlerts", "states[0].state","exfiltrationSummary","riskIndicatorsAlertedOn[*].name", "contentInspectionResults.status","riskIndicators[*].name" as session_id, actor_id,tenant_id, begin_epoch,end_epoch, no_risk_events, low_risk_events, moderate_risk_events, high_risk_events, critical_risk_events,risk_indicators,triggered_alerts, state, exfiltration_summary, risk_indicators_alerted_on, content_inspection_results,risk_indicators_names nodrop

// global variables 
| where isNull(tenant_id) or tenant_id matches "{{tenant_id}}"
| where isNull(actor_id) or actor_id matches "{{actor_id}}"
| where isNull(state) or state matches "{{session_state}}"
| where isNull(content_inspection_results) or content_inspection_results matches "{{content_inspection_result}}"

// panel specific
| count by session_id
| count

Collection configuration and app installation

Depending on the set up collection method, you can configure and install the app in three ways:

• Create a new collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under a new Sumo Logic Collector and later install the app; Or
• Use an existing collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under an existing Sumo Logic Collector and later install the app; Or
• Use existing source and install the app. Use your existing configured Sumo Logic Cloud-to-Cloud (C2C) source and install the app.

info

Use the Cloud-to-Cloud Integration for Code42 Incydr to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Code42 Incydr app is properly integrated and configured to collect and analyze your Code42 Incydr data.

Create a new collector and install the app

To set up collection and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Create a new Collector.
   1. Collector Name. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
   2. Timezone. Set the default time zone when it is not extracted from the log timestamp. Time zone settings on Sources override a Collector time zone setting.
   3. (Optional) Metadata. Click the +Add Metadata link to add custom log Metadata Fields. Define the fields you want to associate, each metadata field needs a name (key) and value.
      • A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
      • An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
   4. Click Next.
5. Configure the source as specified in the Info box above, ensuring all required fields are included.
6. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
7. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing collector and install the app

To setup source in the existing collector and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Use an existing Collector.
5. From the Select Collector dropdown, select the collector that you want to setup your source with and click Next.
6. Configure the source as specified in the Info box above, ensuring all required fields are included.
7. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
8. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing source and install the app

To skip collection and only install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Skip this step and use existing source and click Next.
5. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Viewing Code42 Incydr dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

• You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
• You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
• Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Audits Overview

The Code42 Incydr - Audits Overview dashboard provides a snapshot of auditing activities in your organization. It tracks key metrics like total audits, trends, and success rates over time. It also highlights the most active users in the auditing process and common audit types performed, offering insights into potential risk areas. The dashboard also segments data by user roles, search queries, and geographical locations, including embargoed areas, to show how information is accessed and monitored. It lists the top auditing tools and provides updates on recent system audits and alerts, keeping stakeholders informed about data security and compliance.

File Events

The Code42 Incydr - File Events dashboard is a security command center that tracks all file events within your organization, providing detailed metrics on total and severe events, as well as specific user and file activities, enabling identification of potential data breaches and insider threats. The dashboard displays the sources of file events, including OS-specific insights, and highlights geographic risk, particularly from embargoed areas. With real-time data and detection of anomalies in file behavior, security teams can efficiently monitor, analyze, and respond to dynamic data movement and access.

Sessions

The Code42 Incydr - Sessions dashboard offers a real-time view of your organization's session data and associated risk levels, with analytics on total sessions, average engagement, and a spectrum of risk events ranging from low to critical. Dynamic visualizations display session trends, geospatial engagement, and content inspections, helping security teams quickly identify and address potential data exfiltration risks. This dashboard is essential for continuous monitoring and ensuring prompt action on any anomalies or compliance issues to maintain strong data security protocols.

Create monitors for Code42 Incydr app

From your App Catalog:

1. From the Sumo Logic navigation, select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. Make sure the app is installed.
4. Navigate to What's Included tab and scroll down to the Monitors section.
5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
6. Scroll down to Monitor Details.
7. Under Location click on New Folder.
   note

   By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

8. Enter Folder Name. Folder Description is optional.
   tip

   Using app version in the folder name will be helpful to determine the versioning for future updates.

9. Click Create. Once the folder is created, click on Save.

Code42 Incydr monitors

Name	Description	Trigger Type (Critical / Warning / MissingData)	Alert Condition
Code42 Incydr - Alert Rules Disabled	This alert is triggered when alert rules in Code42 Incydr are disabled, potentially reducing visibility into security incidents. This may indicate unauthorized changes or misconfigurations that could impact data security monitoring.	Critical	Count > 0
Code42 Incydr - Audits from Embargoed Locations	This alert is triggered when audit events originating from embargoed or restricted locations are detected, indicating potential compliance violations or unauthorized access attempts.	Critical	Count > 0
Code42 Incydr - File Events from Embargoed Locations	This alert is triggered when file activity, such as uploads, downloads, or modifications from embargoed locations are identified. This alert helps detect potential data exfiltration or compliance risks.	Critical	Count > 0
Code42 Incydr - Sessions with Critical Risk Events	This alert is triggered if user sessions associated with high-risk activities, such as large file transfers, unusual login patterns, or interactions with sensitive data, are detected. Helping security teams respond to potential insider threats or compromised accounts.	Critical	Count > 0
Code42 Incydr - Severe File Events	This alert is triggered when critical file events occur, such as mass file deletions, sensitive data transfers, or interactions with restricted files. This alert helps prevent data loss and insider threats.	Critical	Count > 0

Upgrade/Downgrade the Code42 Incydr app (Optional)

To update the app, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
   Optionally, you can identify apps that can be upgraded in the Upgrade available section.
3. To upgrade the app, select Upgrade from the Manage dropdown.
   1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
   2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
         • Key. Select either of these options for the data source.
           • Choose Source Category and select a source category from the list for Default Value.
           • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

note

See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the Code42 Incydr app (Optional)

To uninstall the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Uninstall.