Cases reference

Overview

Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity. This reference guide describes the information available in the Cases section of the Code42 console.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

  • Case data is secured in the Code42 cloud in accordance with the security data collection details in the Code42 architecture article. For Incydr Basic, Advanced, and Gov F1, file contents are stored separately from preservation (backup) data.

Cases list

To access cases:

  1. Sign in to the Code42 console.
  2. Select Cases.
    • Click any column heading to sort the list by that column.
    • Click any entry in the table to view detailed case information.

Cases list view

Item Description
a Create case Click to create a new case.
b Case name The name of the case.
c Status

Indicates the status of the case.

  • Open: The case is active and all aspects of the case are editable.
  • Closed: The case is resolved. Closed cases cannot be re-opened or modified.
  • Archived: The case is no longer active. Only the case subject, details, and findings are available. File events and file contents are permanently deleted and no longer accessible. Archived cases cannot be un-archived or modified.
d Assignee

The Code42 username/email address of the security analyst or administrator assigned to investigate this case. Only users with the Insider Risk Analyst or Insider Risk Admin roles can be assigned to a case.

Assignee is optional. Cases without an assignee display Unassigned.

e Created Date and time the case was created. Dates appear in Coordinated Universal Time (UTC).
f Last modified

Date and time the case was last modified. Dates appear in Coordinated Universal Time (UTC).

For cases with the status Closed, the Last modified date indicates when the case was closed.

g Archival date

Indicates when the case was, or will be, archived:

  • A date in the past indicates the case is already archived.
  • A date in the future indicates when the case will be automatically archived if it is not manually archived first.

The automatic archival date varies based on your product plan and ranges from 90 to 365 days after the case's Created date.

Cases created before October 18, 2022
Automatic case archival was introduced on October 18, 2022. To allow you enough time to export older cases, cases created before October 18, 2022 use this date for the purposes of calculating the automatic archival date.

For example, if the Automatic cases archival value for your product plan is 180 days, cases created before October 18, 2022 will be automatically archived 180 days after October 18, 2022 (on April 16, 2023). 
h Filter

Click to filter the case list by:

  • Status: Choose to show open, closed, or archived cases. By default, the cases list is filtered to show open cases.
  • Created date: Show cases created within a defined date range.
  • Archival date: Show cases archived within a defined date range.
  • Case name: Enter a partial or full case name.
  • Subject: Enter a Code42 username/email address to show only cases where that person is the subject of an investigation.
  • Assignee: Enter a Code42 username/email address to show only cases assigned to that person.
i View case details Click to view case details (see below), including case subject, findings, and all file events and associated metadata.

Case data

Case details view

Item Description
a Case name The name of the case.
b Case status

Indicates the status of the case.

  • Open: The case is active and all aspects of the case are editable.
  • Closed: The case is resolved. Closed cases cannot be re-opened or modified.
c Export

Click to export the case. Choose one or more components:

  • Case summary: A PDF with the case subject, details, and findings.
  • File activity: A CSV file with extensive file metadata details for all events in this case. For field definitions, see the File event metadata details.
  • Files: All file contents. 
    • Each file is exported in its own folder.
    • The folder naming convention is yyyymmdd-hhmmss - filename.ext, where the timestamp indicates the event's Date observed value.
    • The timestamp enables you to easily associate the exported file with a specific event.
    • Using a parent folder also preserves the original filename. For example, if there are two files in a case with the same name, the unique timestamp in the folder name prevents appending (1) to a filename during the export.
    • To export file contents, the total size of all files in the case must be less than 7 GB. If file contents are greater than 7 GB, download files individually from the event details.

If you select Files, or select more than one component, the case is exported as a .zip file.

d Archive case

Click to archive this case.

  • An archived case is no longer active and cannot be un-archived or modified.
  • Archiving a case permanently deletes the file events and file contents in the case. Only the case subject, details, and findings remain available.
  • To preserve the file events and file contents, Export the case before archiving it.
e Delete case

Click to permanently delete this case. Deleting a case:

  • Deletes the case details and findings
  • Permanently deletes file activity older than 90 days
f Close case Click to close this case. Once you close a case, it cannot be re-opened or modified.
g Case Subject

Provides information about the person being investigated in this case, including attributes synced from your provisioning provider, risk context, and a link to the user's profile.

A case can only have one subject.

h Case Details

Provides general information about the case:

  • Status
  • Case ID
  • Case name
  • Description
  • Assignee
  • Created date
  • Modified date
  • Archival date

Click the edit icon Edit icon to update the Case name or Description.

i View profile

Click to view the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.

j User attributes Displays user attributes synced from your provisioning provider, including Department, Title, Location, and Manager. If your Code42 environment does not use provisioning, these attributes do not appear and cannot be added manually.
k Departure date

If the user is on the Departing watchlist, displays the date entered for the employee's departure. If no date was entered, no value is listed.

l Notes Displays notes from the User Profile.
m Edit subject Edit icon Edit which user is associated with this case.
n Findings

Provides a place for you to enter notes about the case.

  • If no findings are entered yet, click Add findings to enter notes.
  • Click the edit icon Edit icon to edit or add to existing findings.
o Edit findings Edit icon Click to edit the findings. This field supports basic html formatting, including titles, bold, italics, and numbered and bulleted lists.
p File activity

Lists all file events included in this case.

To add file activity to a case, from Forensic Search, click the Add to case icon Add to case icon for a file event.

File event limit
Each case is limited to 10,000 file events.
q PRISM score

Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.

  • Critical severity icon 9+: Critical
  • High severity icon 7-8: High
  • Moderate severity icon 4-6: Moderate
  • Low severity icon 1-3: Low
  • no risk indicates icon 0: No risk indicated

To learn more, see Risk settings reference.

r Risk indicators List of risks that determine the severity and PRISM score for this event. To learn more about risk indicators, see Risk settings reference.
s Date observed Date and time Code42 detected the file event. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).
t Filename The name of the file, including the file extension.
u File path

The file location on the user's device.

Endpoint file events only. Cloud and email events do not include a file path.

v Remove file event Click to remove the event from the case.
w View file event details View details

Click to view all metadata for the event, including a link to download the file contents. (If the file contents are available for download, the link appears in the File > Filename section.)

For in-depth descriptions of all metadata fields, see the File event metadata reference.

Case file event details