Who is this article for?
Incydr Professional, Enterprise, Horizon, and Gov F2, yes.
Incydr Basic, Advanced, and Gov F1, yes.
Forensic Search is a powerful search interface that enables security teams to monitor and investigate suspicious file activity. Forensic Search provides detailed visibility about insider risks caused by files:
- Stored on user devices
- Stored in corporate cloud storage services, such as Google Drive and Microsoft OneDrive
- Synced to personal cloud storage services, such as Box, Dropbox, iCloud, and OneDrive
- Uploaded via web browsers
- Moved to removable media
- Sent as email attachments in Microsoft Office 365 and Gmail
- Sent to printers (Mac and Linux only)
This article describes how to use the Forensic Search interface. For detailed descriptions of each field returned in search results, see the File event metadata reference guide.
To access Forensic Search:
- Sign in to the Code42 console.
You must have a role with permissions that allow access to Forensic Search.
- Select Forensic Search > Search.
Forensic Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.
Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Displays all risk indicators and associated scores.
|b||Load Saved Search||Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.|
All searches must specify a date range. Select one the following options:
Times are evaluated as Coordinated Universal Time (UTC).
Select an item from the menu or type the name of a filter to include in your search. For detailed descriptions of all filter options, see the File event metadata reference guide.
Search operator options vary based on the search filter.
For File Size, select is greater than or is less than.
Defines the search criteria. Searches are case-insensitive.
For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.
Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. File size For example:
Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size.
Avoid starting a search term with a wildcard
Do not enter a search string that begins with a wildcard or contains only wildcards (for example,
For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
|g||Remove search criteria||Removes this search criteria.|
|h||Add search criteria||Adds another item to the search criteria. Search results only return events that match all criteria.|
|i||Save As||Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.|
|j||Reset||Clears all search filters and results.|
|k||Update Search||Performs a search based on the current search criteria.|
|l||Modify columns||Displays a list of available columns. Select or deselect items to customize the format of your search results.|
Downloads the current search results to a CSV file.
Some CSV column headers have different names than the corresponding field labels in Forensic Search. See Field name mapping and definitions for complete details.
|n||Select all||Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.|
|o||Event selector||Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.|
Column sort indicator
|Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.|
Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.
To learn more about how risk scores are calculated, see Risk settings reference.
|r||Add to case||
Click to add the file event to a Case:
Only available in Incydr product plans.
|s||View details||Displays all metadata for the file event. For detailed descriptions of each field, see the File event metadata reference guide.|
|t||Events per page||Select to display 10, 25, 50, or 100 events per page.|
File event details
To view file event details within search results:
- From the list of search results, click View details to show all metadata for a file event.
Event details slide in from the right.
- Within the Event details, scroll to view all metadata for the event.
- For detailed descriptions of each field, see the File event metadata reference guide.
- Use the and arrow icons to view file event details for the next or previous event.
- Click the menu icon next to any field for options to copy the value or add it to a new or existing search.
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.
To view the list of saved searches, select Forensic Search > Saved Searches.
|a||Saved search name||The name of the saved search.|
|b||Created||Lists the date the search was created and the user who created it.|
|c||Last modified||Lists the most recent date the search was modified and the user who modified it.|
|d||Run search||Executes the saved search and displays the search results.|
Click to view search options: