Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Cases reference

Overview

Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This reference guide describes the information available in the Response > Cases section of the Code42 console.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

Considerations

  • The Cases feature is only available with the Incydr Advanced product plan.
  • To view and edit cases, you must have the Customer Cloud Admin or Security Center User role.
  • Cases is currently an early access release.

Cases

To access cases:

  1. Sign in to the Code42 console.
  2. Select Response > Cases.
    • Click any column heading to sort the list by that column.
    • Click any entry in the table to view case details.

Cases list view

Item Description
a Create case: Click to create a new case.
b Case name: The name of the case.
c Status: Indicates the status of the case.
  • Open: The case is active and all aspects of the case are editable.
  • Closed: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
d Created: Date and time the case was created. Dates appear in Coordinated Universal Time (UTC).
e Last modified: Date and time the case was last modified. Dates appear in Coordinated Universal Time (UTC). For cases with the status Closed, the Last modified date indicates when the case was closed.
f View case details: Click to view case details (see below), including case subject, findings, and all file events and associated metadata.

Case details

Case details view

Item Description
a Case name: The name of the case.
b Case status: Indicates the status of the case.
  • Open: The case is active and all aspects of the case are editable.
  • Closed: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
c Close case: Click to close this case. Once you close a case, it cannot be re-opened or modified.
d Case Subject: Provides information about the person being investigated in this case, including:
  • Code42 username/email address
  • A link to the Code42 User Profile for this user.
  • User attributes synced from your provisioning provider, including Department, Title, Location, and Manager. If your Code42 environment does not use provisioning, these attributes do not appear and cannot be added manually.
e Case Details: Provides general information about the case:
  • Status
  • Case ID
  • Case name
  • Description
  Click the edit icon to update the Case name or Description.
f View profile: Click to view the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.
g Edit subject (edit icon): Edit which user is associated with this case.
h Findings: Provides a place for you to enter notes about the case.
  • If no findings are entered yet, click Add findings to enter notes.
  • Click the edit icon to edit or add to existing findings.
i Edit findings (edit icon): Click to edit the findings. This field supports basic HTML formatting, including titles, bold, italics, and numbered and bulleted lists.
j File activity: Lists all file events included in this case. To add file activity to a case, from Forensic Search, click the Add to case icon for a file event.
k Date observed: Date and time Code42 detected the file event. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).
l Exposure type: The type of exposure risk.
m Filename: The name of the file, including the file extension.
n File path: The file location on the user's device. Endpoint file events only. Cloud and email events do not include a file path.
o Remove file event: Click to remove the event from the case.
p View file event details (expand details icon): Click to view all metadata for the event, including a link to download the file. (If the file is available for download, the link appears in the File > Filename section.) For in-depth descriptions of all metadata fields, see the Forensic Search event details.


Case file event details
