Who is this article for?
Incydr Professional, Enterprise, Gov F2, and Horizon, yes.
Incydr Basic, Advanced, and Gov F1, yes.
CrashPlan Cloud, no.
Retired product plans, no.
CrashPlan for Small Business, no.
Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This reference guide describes the information available in the Cases section of the Code42 console.
Specifically, Cases enables you to:
- Assemble evidence related to an investigation
- Add file events from Forensic Search
- Add notes to provide additional context
- Summarize and share findings with others in your organization
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
To access cases:
- Sign in to the Code42 console.
- Select Cases.
- Click any column heading to sort the list by that column.
- Click any entry in the table to view detailed case information.
|a||Create case||Click to create a new case.|
|b||Case name||The name of the case.|
Indicates the status of the case.
The Code42 username/email address of the security analyst or administrator assigned to investigate this case. Only users with the Insider Risk Analyst or Insider Risk Admin roles can be assigned to a case.
Assignee is optional. Cases without an assignee display Unassigned.
|e||Created||Date and time the case was created. Dates appear in Coordinated Universal Time (UTC).|
Date and time the case was last modified. Dates appear in Coordinated Universal Time (UTC).
For cases with the status Closed, the Last modified date indicates when the case was closed.
Click to filter the case list by:
|h||View case details||Click to view case details (see below), including case subject, findings, and all file events and associated metadata.|
|a||Case name||The name of the case.|
Indicates the status of the case.
Click to export the case. Choose either:
Click to permanently delete this case. Deleting a case:
|e||Close case||Click to close this case. Once you close a case, it cannot be re-opened or modified.|
Provides information about the person being investigated in this case, including attributes synced from your provisioning provider, risk context, and a link to the user's profile.
Provides general information about the case:
Click the edit icon to update the Case name or Description.
Click to view the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.
|i||Risk detection list memberships||Indicates if the user is on the Departing Employees list or High Risk Employees list.|
|j||User attributes||Displays user attributes synced from your provisioning provider, including Department, Title, Location, and Manager. If your Code42 environment does not use provisioning, these attributes do not appear and cannot be added manually.|
If the user is on the Departing Employees list, displays the date entered for the employee's departure. If no date was entered, no value is listed.
|l||High risk user groups||
If the user is on the High Risk Employees list, displays user group attributes in the user's profile (for example, High impact employee or Flight risk).
|m||Notes||Displays notes from the User Profile.|
|n||Edit subject||Edit which user is associated with this case.|
Provides a place for you to enter notes about the case.
|p||Edit findings||Click to edit the findings. This field supports basic html formatting, including titles, bold, italics, and numbered and bulleted lists.|
Lists all file events included in this case.
To add file activity to a case, from Forensic Search, click the Add to case icon for a file event.
File event limit
Each case is limited to 10,000 file events.
Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.
To learn more about how risk scores are calculated, see Risk settings reference.
|s||Date observed||Date and time Code42 detected the file event. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).|
|t||Exposure type||The type of exposure risk.|
|u||Filename||The name of the file, including the file extension.|
The file location on the user's device.
Endpoint file events only. Cloud and email events do not include a file path.
|w||Remove file event||Click to remove the event from the case.|
|x||View file event details||
Click to view all metadata for the event, including a link to download the file contents. (If the file contents are available for download, the link appears in the File > Filename section.)
Retention period for file contents depends on your Code42 product plan
In Incydr Basic and Advanced, both file contents and metadata are retained indefinitely.
For in-depth descriptions of all metadata fields, see the Forensic Search event details.