Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Create and edit cases

Overview

Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This tutorial explains how to create, update, and close cases.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

Considerations

Create a new case

There are two ways to create a case: 

  • From the Cases screen in the Code42 console
  • While viewing file events in Forensic Search results

From Cases

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. Select Create case.
  4. Enter a name for the case. Optionally, enter a description and assignee. The name, description, and assignee can also be edited later (until the case is closed).
  5. Click Submit.
  6. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, select the case you just created from the list of all cases.

From Forensic Search

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in the User Profile, Risk Exposure, Departing Employees, or High Risk Employees sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. To add a single file event, click the Add to case icon for the event you want to add to a new case.
  4. (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
  5. In the Add to case dialog, click Create case.
  6. Enter a name for the case.
  7. Click Save.
  8. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, navigate to Cases and select the case you just created.

Add file events to an existing case

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in the User Profile, Risk Exposure, Departing Employees, or High Risk Employees sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. To add a single event, click the Add to case icon for the event you want to add.
  4. (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
  5. In the Add to case dialog, select a case. Optionally, start typing the name of a case to filter the list of cases.
  6. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, navigate to Cases and select the case.
File event limit
Each case is limited to 10,000 file events.

Edit a case 

To edit the case subject, details, and findings:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject.
    The case details appear.
  4. From the detailed case view, click the edit icon next to the section you want to update.
  5. Make your updates, then click Save.
  6. To remove a file event, click the Remove event icon for the event you want to remove.

For steps to add file activity, see the Add file events to an existing case section above.

Export a case

To export a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to export.
    The case details appear.
  4. Click Export.
  5. Choose either:
    • Case summary: Exports a PDF with the case subject, details, and findings. Detailed file activity is not included.
    • File activity: Exports a CSV file with extensive file metadata details for all events in this case. For field definitions, see the Forensic Search event details.
  6. Click Export.
    Your web browser downloads the case details.

Close a case

To close a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to close.
    The case details appear.
  4. Click Close case.

Once a case is closed, it cannot be reopened or edited in any way. However, closed cases are retained indefinitely as a read-only reference.
