Skip to main content

Code42 Incydr Source

code42-incydr-icon

The Code42 Incydr is an insider risk management solution that allows you to detect and respond to data exposure and exfiltration from corporate computer, cloud, and email systems. It provides the visibility, context, and controls needed to protect data without overwhelming security teams or inhibiting employee productivity.

Code42 Incydr source is used to analyze and fetch file events, alerts and audit logs from the Code42 Incydr API and send it to Sumo Logic.

Data collected

Polling IntervalData
5 minAlerts, File Events, and Audit Logs (Audit Events)

Setup

Vendor configuration

The Code42 Incydr source requires you to provide the Base URL, Client ID, and Secret Key to access the source data.

  • The Base URL is used to retrieve the source data from the Incydr API. The domain used for making API requests can be determined using the domain you use to sign in to the Code42 console.
    • api.us.code42.com
    • api.us2.code42.com
    • api.ie.code42.com
    • api.gov.code42.com
    info

    Make sure that all API requests are made using HTTPs.

  • To generate the Client ID and Secret Key, follow the instructions mentioned in the Incydr API documentation.

Source configuration

When you create an Code42 Incydr source, you add it to a Hosted Collector. Before creating the source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.

To configure a Code42 Incydr Source:

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
    New UI. In the Sumo Logic top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.  
  2. On the Collection page, click Add Source next to a Hosted Collector.
  3. Search for and select Code42 Incydr.
  4. Enter a Name for the source. The description is optional.
  5. (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  6. (Optional) Fields. Click the +Add button to define the fields you want to associate. Each field needs a name (key) and value.
    • green check circle.png A green circle with a check mark is shown when the field exists in the Fields table schema.
    • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
  7. In Base URL, select the domain from which you want to retrieve the source data from the Incydr API.
  8. In Client ID, enter the Client ID you generated from the Code42 Incydr platform.
  9. In Secret Key, enter the Secret Key you generated from the Code42 Incydr platform.
  10. In Data Collection, select the type of source from which you want to collect the data from. This allows you to limit the response to just the data you want.

Metadata fields

FieldValueDescription
_siemParser/Parsers/System/Code42/Code42 IncydrSet when Forward To SIEM is checked.

JSON schema

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See JSON to configure Sources for details. 

ParameterTypeValueRequiredDescription
schemaRefJSON Object{"type":"Code42 Incydr"}YesDefine the specific schema type.
sourceTypeString"Universal"YesType of source.
configJSON ObjectConfiguration objectYesSource type specific values.

Configuration Object

ParameterTypeRequiredDefaultDescriptionExample
nameStringYesnullType a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source."mySource"
descriptionStringNonullType a description of the source."Testing source"
categoryStringNonullType a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details."mySource/test"
fieldsJSON ObjectNonullJSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.{"_siemForward": false, "fieldA": "valueA"}
baseURLStringYesnullAPI Key to used for Authorization.
clientIDBooleanNonullClient ID generated from the Code42 Incydr platform.
secretKeyStringNonullSecret Key generated secured from the Code42 Incydr platform.
dataCollectionStringNonullType of source from which you want to collect the data from.

JSON example

{
"api.version": "v1",
"source": {
"config": {
"name": "Code42",
"description": "Code42",
"category": "code42",
"baseURL": "https://api.us.code42.com",
"clientID": "key-xxxx0316-xxxx-492d-xxxx-308184abxxx3",
"secretKey": "XXXXV%DsznXXX!hxr479cXsxxnbkX@vxxrxkbfxc",
"dataCollection": [
"auditEvents",
"alerts",
"fileEvents"
]
},
"schemaRef": {
"type": "Code42 Incydr"
},
"sourceType": "Universal"
}
}
Download example

Terraform example

resource "sumologic_cloud_to_cloud_source" "code42incydr_source" {
collector_id = sumologic_collector.collector.id
schema_ref = {
type = "Code42 Incydr"
}
config = jsonencode({
"name": "Code42",
"description": "Code42",
"category": "code42",
"baseURL": "https://api.us.code42.com",
"clientID": "key-xxxx0316-xxxx-492d-xxxx-308184abxxx3",
"secretKey": "XXXXV%DsznXXX!hxr479cXsxxnbkX@vxxrxkbfxc",
"dataCollection": [
"auditEvents",
"alerts",
"fileEvents"
]
})
}
resource "sumologic_collector" "collector" {
name = "my-collector"
description = "Just testing this"
}
Download example

Troubleshooting

After configuring your source, you should check the status of the source in the Collectors page > Status column. If the source is not functioning as expected, you may see an error next to the Source Category column as shown below: 

Error Code401
Error Details:

{
"error": "invalid_client"
}

To resolve these errors:

  • Make sure the Base URL matches your domain.
  • Make sure correct Client ID or Secret Key is used to configure the source.

FAQ

info

Click here for more information about Cloud-to-Cloud sources.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.