Code42 Tips From the Trenches: Automating File Scans and Alerts


Welcome to the first post of our Tips from the Trenches blog series. Authored by the Code42 security team, the series will explore some of the industry’s latest data security tools and tricks.

One of the best parts of working on the Code42 security operations team is that we’re facing (and solving) many of the exact same challenges as our customers. That means we get to share our experiences and trade tools, tips and tactics for what works—and what doesn’t. With that in mind, here are a few of the cool new ways we’re using search to identify hidden threats before they turn into big problems.

Better criteria for automated scanning and alerting

We’ve got a couple of tools set up to constantly scan our digital environments for risks. Recently, I created a new tool in Python that helps us go deeper with that scanning and alerting—searching via MD5 hash, hostname and filename, to name a few. This scriptable interface to the Code42 Forensic File Search API also allows for use of the full API by accepting raw JavaScript Object Notation (JSON) search payloads, meaning searches are only limited by the imagination of the user.


Identifying macro-enabled Office files—a common malware source

One of the sample JSON search payloads in the repo searches for macro-enabled Office files in users’ Downloads directories, such as *.docm and *.xlsm files—some of the most common vectors for malware. With the new tool, an automatic search alerts us when new files arrive on endpoints, so we can take action—such as sending the MD5 hash to a service like VirusTotal to get a report, or even retrieving the file and sending it to a malware analysis sandbox if necessary.

Snuffing out WannaCry threats

We’ve done some early integration work to test combining Code42 Forensic File Search with a threat intel feed. This will allow us to search and detect malicious files based on MD5 hashes sourced from paid or open-source intel services.
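To make the two searches above concrete (macro-enabled Office files landing in Downloads, and MD5 matches against a threat-intel list), here is an added triage example. It is not code from the ffs-tools repo: the event records are constructed, and the field names `osHostName`, `filePath` and `md5Checksum` are assumptions about the shape of a file event, not taken from the API.

```python
import json
from pathlib import PureWindowsPath

# File extensions that can carry VBA macros (Word, Excel, PowerPoint).
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam"}

# Constructed sample file events. The field names are an assumption about the
# API's event schema, not copied from it.
EVENTS = [
    {"osHostName": "WS-101", "filePath": "C:\\Users\\alice\\Downloads\\invoice.docm",
     "md5Checksum": "0" * 32},
    {"osHostName": "MAC-07", "filePath": "/Users/bob/Downloads/report.xlsx",
     "md5Checksum": "1" * 32},
    {"osHostName": "WS-102", "filePath": "C:\\Users\\carol\\Documents\\model.xlsm",
     "md5Checksum": "2" * 32},
]
# Constructed stand-in for an MD5 set pulled from a threat-intel feed.
KNOWN_BAD_MD5 = {"1" * 32}


def is_macro_office_download(event):
    """True when the file has a macro-capable extension and sits under a Downloads
    folder. PureWindowsPath splits on both '\\' and '/', so macOS paths work too."""
    path = PureWindowsPath(event["filePath"])
    in_downloads = any(part.lower() == "downloads" for part in path.parts[:-1])
    return path.suffix.lower() in MACRO_EXTS and in_downloads


def triage(events, known_bad_md5):
    """Return one alert per event that trips either rule, listing every reason,
    so an analyst can send the MD5 to a reputation service or pull the file
    into a sandbox. Events that match nothing produce no alert."""
    alerts = []
    for ev in events:
        reasons = []
        if is_macro_office_download(ev):
            reasons.append("macro-enabled Office file in Downloads")
        if ev["md5Checksum"].lower() in known_bad_md5:
            reasons.append("MD5 matches threat-intel indicator")
        if reasons:
            alerts.append({"host": ev["osHostName"], "path": ev["filePath"],
                           "md5": ev["md5Checksum"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS, KNOWN_BAD_MD5), indent=2))
```

The third sample event (an .xlsm outside Downloads with a clean hash) is there to show that neither rule fires on its own.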

Sharing new threat search tools and tactics

Like you, we’re dealing with new and evolving threats on a daily basis here on the Code42 Security Operations team. We’re constantly looking for new ways to use the tools we have to search and detect threats in smarter, better ways. All of the new search tools I mentioned above are available on our public GitHub site: https://github.com/code42/ffs-tools.

Live Q&A

Have questions about using Code42 Forensic File Search? Senior Product Manager Matthias Wollnik and I will be fielding questions live on Tuesday, July 24 from 10:30-11:30 am US Central time in the Code42 community.

Keep an eye out for more Tips from the Trenches coming soon—until then, happy threat hunting!
