Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Create and edit cases

Overview

Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This tutorial explains how to create, update, and close cases.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

Considerations

  • The Cases feature is only available with the Incydr Advanced product plan.
  • To view and edit cases, you must have the Customer Cloud Admin or Security Center User role.
  • Cases is currently an early access release.

Create a new case

There are two ways to create a case: 

  • From the Response > Cases screen in the Code42 console
  • While viewing file events in Forensic Search results

From Cases

  1. Sign in to the Code42 console.
  2. Select Response > Cases.
  3. Select Create case.
  4. Enter a name and optional description for the case. The name and description are editable until the case is closed.
  5. Click Submit.
  6. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, select the case you just created from the list of all cases.

From Forensic Search

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in the User Profile, Risk Exposure, Departing Employees, or High Risk Employees sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. In the Action column of the results, click the Add to case icon for the event you want to add to a new case.
    The Add to case dialog appears.
  4. Click Create case.
  5. Enter a name for the case.
  6. Click Save.
  7. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, navigate to Response > Cases and select the case you just created.

Add file events to an existing case

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in the User Profile, Risk Exposure, Departing Employees, or High Risk Employees sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. In the Action column of the results, click the Add to case icon for the event you want to add.
    The Add to case dialog appears.
  4. Select a case. Optionally, start typing the name of a case to filter the list of cases.
  5. To view the case, click View case in the confirmation message that appears at the bottom of the screen. Alternatively, navigate to Response > Cases and select the case.

Edit a case 

To edit the case subject, details, and findings:

  1. Sign in to the Code42 console.
  2. Select Response > Cases.
  3. From the list of cases, select a case.
    The case details appear.
  4. From the detailed case view, click the edit icon next to the section you want to update.
  5. Make your updates, then click Save.
  6. To remove a file event, click the Remove event icon for the event you want to remove.

For steps to add file activity, see the Add file events to an existing case section above.

Close a case

To close a case:

  1. Sign in to the Code42 console.
  2. Select Response > Cases.
  3. From the list of cases, select the case you want to close.
    The case details appear.
  4. Click Close case.

Once a case is closed, it cannot be reopened or edited in any way. However, closed cases are retained indefinitely as a read-only reference.
