Cases API
Who is this article for?
Incydr Professional, Enterprise, and Gov F2
Incydr Basic, Advanced, and Gov F1
CrashPlan Cloud
Other product plans
Incydr Professional and Enterprise, yes.
Incydr Basic and Advanced, yes.
CrashPlan Cloud, no.
Other product plans, no.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
This article explains how to use the Code42 API to interact with Cases.
The examples in this article use curl, but the concepts apply to any tool you choose for interacting with the Code42 API.
Cases API details
Base URL
- United States
- If you sign in to the Code42 console at https://console.us.code42.com/console (US1), use: https://east-cases.us.code42.com
- If you sign in to the Code42 console at https://console.us2.crashplan.com/console (US2), use: https://default-cases.prod.ffs.us2.code42.com
- Code42 federal environment: If you sign in to the Code42 console at https://console.gov.code42.com/console (US3), use: https://default-cases.gov.code42.com
- Ireland:
- If you sign in to the Code42 console at https://console.ie.code42.com/console (EU1), use: https://default-cases.ie.code42.com
For additional API documentation, see https://developer.code42.com/api/#tag/Cases.
Request parameters
In the sample use cases, items formatted as <value> represent values you need to customize for your specific request. See below for steps to obtain these values. Do not include the brackets in the request.
For all requests below:
- Replace
<Base_URL>with the address of your Code42 environment. - Replace
<auth_token>with the authentication token.
For requests about a specific case:
- Replace
<case number>with the number of the case you want to view or modify. There are two ways to obtain the case number:- Use the Return list of cases filtered by status request below to return a list of cases. The case number is the
numberfield in the response. - From the Code42 console:
- Select Cases.
- Select a case.
- Select the Case Details tab.
- Note the Case ID.
- Use the Return list of cases filtered by status request below to return a list of cases. The case number is the
For requests about a specific file event:
- Replace
<eventId>with a specific event id string. To obtain the event id, either:- Use the Forensic Search API to search for file events and obtain the value of the
eventIdparameter. - Use the Return events associated with a case request below to return events for a case and note the
eventId. (Note: The same event can be included in multiple cases, but duplicate events are not allowed in the same case.)
- Use the Forensic Search API to search for file events and obtain the value of the
Other values:
- Replace
<status>with either:OPENto keep the case active and editable.CLOSEDto resolve the case. Closed cases cannot be re-opened or modified.
- Replace
<subject User UID>with the User UID of the person being investigated in the case. - Replace
<assignee User UID>with the User UID of the security analyst or administrator assigned to investigate the case.
Sample use cases
Create a case
Request
Only the name field is required. To leave a field blank, supply the value null .
Copied!
curl -X POST '<Base URL>/api/v1/case' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>' -d '{ "name": "Sample case name", "description": "Sample description", "findings": "Sample findings", "subject": null, "assignee": null }'
Response
{
"number": 1,
"name": "Sample case name",
"createdAt": "2020-10-27T15:16:05.369203Z",
"updatedAt": "2020-10-27T15:16:05.369203Z",
"description": "Sample description",
"findings": "Sample findings",
"subject": null,
"subjectUsername": null,
"status": "OPEN",
"assignee": null,
"assigneeUsername": null,
"createdByUserUid": "806150685834341101",
"createdByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8",
"lastModifiedByUserUid": "806150685834341101",
"lastModifiedByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8"
}
Update an existing case
Before updating a case, perform a GET request for that case number to obtain all existing values. For example:
Copied!
curl -X GET '<Base URL>/api/v1/case/<case number>' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>'
Missing parameters are set to null
Resubmit all values in the sample
Resubmit all values in the sample
PUT command below, even if they're not changing. If you don't send an explicit value for each of these fields, they will be updated to null.Request
Copied!
curl -X PUT '<Base URL>/api/v1/case/<case number>' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>' -d '{ "name": "<updated case name>", "description": "<updated description>", "findings": "<updated findings>", "subject":<subject user UID>, "assignee":<assignee user UID>, "status": "<status>" }'
Response
{
"number": 1,
"name": "Updated name",
"createdAt": "2020-10-27T15:16:05.369203Z",
"updatedAt": "2020-10-27T15:20:26.311894Z",
"description": "Updated description",
"findings": "Updated findings",
"subject": 421380797518239242
"subjectUsername": casey@example.com,
"status": "OPEN",
"assignee": 273411254592236331,
"assigneeUsername": admin@example.com,
"createdByUserUid": "806150685834341101",
"createdByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8",
"lastModifiedByUserUid": "806150685834341101",
"lastModifiedByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8"
}
Add events to a case
Request
Copied!
curl -X POST '<Base URL>/api/v1/case/<case_number>/fileevent/<eventId>' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>'
Response
None (204 on success)
Return events associated with a case
Request
Copied!
curl -X GET '<Base URL>/api/v1/case/<case_number>/fileevent' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>'
Response
{
"events": [
{
"eventId": "734430974935_09970279-be77-4cd1-ba08-19d958969832",
"eventTimestamp": "2020-10-26T18:56:04.661Z",
"exposure": [
"SharedToDomain",
"OutsideTrustedDomains"
],
"fileName": "Products.png",
"filePath": null
}
]
}
Return list of cases filtered by status
The sample below filters for open cases. To filter for closed cases, change the query parameter to ?status=CLOSED. Other parameters that support filtering include: assignee, createdAt, isAssigned, lastModifiedBy, name, subject, and updatedAt.
Request
Copied!
curl -X GET '<Base URL>/api/v1/case?status=OPEN' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>'
Response
{
"cases": [
{
"number": 1,
"name": "Example Case",
"createdAt": "2020-10-27T15:16:05.369203Z",
"updatedAt": "2020-10-27T15:20:26.311894Z",
"subject": null,
"subjectUsername": null,
"status": "OPEN",
"assignee": null,
"assigneeUsername": null,
"createdByUserUid": "806150685834341101",
"createdByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8",
"lastModifiedByUserUid": "806150685834341101",
"lastModifiedByUsername": "05c28ad3-7eca-4d99-8bb7-a5d0995806c8"
}
],
"totalCount": 1
}
Export a case
There are two options for exporting cases:
- Case summary: Exports a PDF with the case subject, details, and findings. Detailed file activity is not included.
- File activity: Exports a CSV file with extensive file metadata details for all events in this case. For field definitions, see the Forensic Search event details.
File export considerations with curl
- Use the
-o <sample_export.csv>argument to specify a unique filename. Update the filename as appropriate for your request. Do not include the brackets in the request. - Use the
-Oargument (capital "O") to automatically name the file. This is not recommended if you need to export more than one file, because this method uses the same filename for each export and therefore overwrites the previous file. - Files are saved in the directory from which you issue the curl request in the command line. For example, in the command prompt
COMPUTER:~ clyde.bailey$ curl -X GET...the file is saved in the Users/clyde.bailey directory on the device that issued the request.
Case summary PDF
Request
Copied!
curl -X GET '<Base URL>/api/v1/case/<case number>/export' -o<sample_export.pdf>-H 'authorization: Bearer<auth_token>'
Response
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1618 0 1618 0 0 2528 0 --:--:-- --:--:-- --:--:-- 2524
The PDF is saved to your device.
File activity CSV
Request
Copied!
curl -X GET '<Base URL>/api/v1/case/<case number>/fileevent/export' -o<sample_export.csv>-H 'authorization: Bearer<auth_token>'
Response
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3771 0 3771 0 0 6843 0 --:--:-- --:--:-- --:--:-- 6843
The CSV is saved to your device.
Delete a case
Request
Copied!
curl -X DELETE '<Base URL>/api/v1/case/<case number>' -H 'content-type: application/json' -H 'authorization: Bearer<auth_token>'
Response
A 204 No Content response indicates the request successfully deleted the specified case number.