Cases reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional and Enterprise

Incydr Basic and Advanced

CrashPlan Cloud

CrashPlan for Small Business

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This reference guide describes the information available in the Cases section of the Code42 console.

Specifically, Cases enables you to:

Assemble evidence related to an investigation
Add file events from Forensic Search
Add notes to provide additional context
Summarize and share findings with others in your organization

Considerations

To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

Cases list

To access cases:

Sign in to the Code42 console.
Select Cases.
- Click any column heading to sort the list by that column.
- Click any entry in the table to view detailed case information.

Cases list view

Item		Description
a	Create case	Click to create a new case.
b	Case name	The name of the case.
c	Status	Indicates the status of the case. Open: The case is active and all aspects of the case are editable. Closed: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
d	Assignee	The Code42 username/email address of the security analyst or administrator assigned to investigate this case. Only users with the Customer Cloud Admin or Security Center User roles can be assigned to a case. Assignee is optional. Cases without an assignee display Unassigned.
e	Created	Date and time the case was created. Dates appear in Coordinated Universal Time (UTC).
f	Last modified	Date and time the case was last modified. Dates appear in Coordinated Universal Time (UTC). For cases with the status Closed, the Last modified date indicates when the case was closed.
g	Filter	Click to filter the case list by: Status: Choose to show open cases, closed cases, or both. By default, the cases list is filtered to show open cases. Date range: Show cases created within a defined date range. Case name: Enter a partial or full case name. Subject: Enter a Code42 username/email address to show only cases where that person is the subject of an investigation. Assignee: Enter a Code42 username/email address to show only cases assigned to that person.
h	View case details	Click to view case details (see below), including case subject, findings, and all file events and associated metadata.

Case data

Case details view

Item		Description
a	Case name	The name of the case.
b	Case status	Indicates the status of the case. Open: The case is active and all aspects of the case are editable. Closed: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
c	Export	Click to export the case. Choose either: Case summary: Exports a PDF with the case subject, details, and findings. Detailed file activity is not included. File activity: Exports a CSV file with extensive file metadata details for all events in this case. For field definitions, see the Forensic Search event details.
d	Delete case	Click to permanently delete this case. Deleting a case: Deletes the case details and findings Permanently deletes file activity older than 90 days
e	Close case	Click to close this case. Once you close a case, it cannot be re-opened or modified.
f	Case Subject	Provides information about the person being investigated in this case, including attributes synced from your provisioning provider, risk context, and a link to the user's profile.
g	Case Details	Provides general information about the case: Status Case ID Case name Description Assignee Created date Modified date Click the edit icon to update the Case name or Description.
h	View profile	Click to view the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.
i	Risk detection list memberships	Indicates if the user is on the Departing Employees list or High Risk Employees list.
j	User attributes	Displays user attributes synced from your provisioning provider, including Department, Title, Location, and Manager. If your Code42 environment does not use provisioning, these attributes do not appear and cannot be added manually.
k	Departure date	If the user is on the Departing Employees list, displays the date entered for the employee's departure. If no date was entered, no value is listed.
l	High risk user groups	If the user is on the High Risk Employees list, displays user group attributes in the user's profile (for example, High impact employee or Flight risk).
m	Notes	Displays notes from the User Profile.
n	Edit subject	Edit which user is associated with this case.
o	Findings	Provides a place for you to enter notes about the case. If no findings are entered yet, click Add findings to enter notes. Click the edit icon to edit or add to existing findings.
p	Edit findings	Click to edit the findings. This field supports basic html formatting, including titles, bold, italics, and numbered and bulleted lists.
q	File activity	Lists all file events included in this case. To add file activity to a case, from Forensic Search, click the Add to case icon for a file event. File event limit Each case is limited to 10,000 file events.
r	Risk score	Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity. 9+: Critical 7-8: High 4-6: Moderate 1-3: Low 0: No risk indicated To learn more about how risk scores are calculated, see Risk settings reference.
s	Date observed	Date and time Code42 detected the file event. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).
t	Exposure type	The type of exposure risk.
u	Filename	The name of the file, including the file extension.
v	File path	The file location on the user's device. Endpoint file events only. Cloud and email events do not include a file path.
w	Remove file event	Click to remove the event from the case.
x	View file event details	Click to view all metadata for the event, including a link to download the file contents. (If the file contents are available for download, the link appears in the File > Filename section.) Retention period for file contents depends on your Code42 product plan In Incydr Professional and Enterprise, file contents are retained in a case according to the data retention policy for your product plan (30 or 90 days). File retention is based on the date the file event occurred, not the date the event was added to a case. To preserve a file indefinitely, save a copy before the end of the retention period. File metadata is retained indefinitely for all events in a case. In Incydr Basic and Advanced, both file contents and metadata are retained indefinitely. For in-depth descriptions of all metadata fields, see the Forensic Search event details.

Overview

Considerations

Cases list

Case data

Related topics