Overview
Forensic Search is a powerful tool for investigating file activity across your organization. With a wide range of search filters covering both endpoint and cloud activity, you can easily create custom queries to gain visibility into all activity monitored by Incydr. For example:
- Browser uploads and downloads
- Cloud sharing
- Removable media usage
- Git clone, pull, and push activity
- Print activity
- File created, modified, and renamed events
- Paste activity from clipboard to browser
This article provides in-depth details about the search interface. For detailed descriptions of each field returned in search results, see the File event metadata reference guide.
Forensic Search
To access Forensic Search:
- Sign in to the Code42 console. You must have a role with permissions that allow access to Forensic Search.
- Select Forensic Search > Search.
- Add search criteria and click Search.
See below for details about search filters and results.
Forensic Search reports on file events detected by Incydr. A file event is defined as any activity observed for a file. For example, creating, modifying, uploading, sharing, or deleting a file generates an event for that file.
Search results
Item | Name | Description
---|---|---
a | Risk settings | Displays all risk indicators and associated scores.
b | Load Saved Search | Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
c | Date selector | All searches must specify a date range. Select one of the available options. Times are evaluated as Coordinated Universal Time (UTC).
d | Filter | Select an item from the menu or type the name of a filter to include in your search. For detailed descriptions of all filter options, see the File event metadata reference guide.
e | Operator | Search operator options vary based on the search filter. For File Size, select is greater than or is less than.
f | Value | Defines the search criteria. Searches are case-insensitive. For multi-value searches (includes any or includes none), enter each value on a separate line; do not enter a comma-separated list. Use the * wildcard character to search for a partial string and the ? wildcard to replace a single character. Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size. For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
g | Remove search criteria | Removes this search criterion.
h | Add search criteria | Adds another item to the search criteria. Search results only return events that match all criteria.
i | Save As | Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
j | Reset | Clears all search filters and results.
k | Update Search | Performs a search based on the current search criteria.
-- | Charts (not pictured) | Select the Charts tab to create custom charts based on the current search results. Use the drop-down menus to select a chart type and define the chart parameters. Select Export chart to download an image of the chart.
l | Modify columns | Displays a list of available columns. Select or deselect items to customize the format of your search results.
m | Export results | Downloads the current search results to a CSV file. Some CSV column headers have different names than the corresponding field labels in Forensic Search; see Field name mapping and definitions for complete details.
n | Select all | Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o | Event selector | Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.
p | Column sort indicator | Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
q | PRISM score | Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity. To learn more, see Risk settings reference.
r | Add to case | Click to add the file event to a Case. Only available in Incydr product plans.
s | View details | Displays all metadata for the file event. For detailed descriptions of each field, see the File event metadata reference guide.
t | Events per page | Select to display 10, 25, 50, or 100 events per page.
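To make the matching rules described in this table concrete, the following Python is an added illustration written for this article, not Code42's own code or API. It models how the rules combine: case-insensitive matching, * and ? wildcards on every filter except hashes, IP address and file size, one value per line for includes any / includes none, a whole-number file size with a unit, a UTC date range, and criteria that must all match. The field names, the decimal unit multipliers and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Filters on which Forensic Search does not support wildcards (hashes, IP address, file size)
NO_WILDCARD_FIELDS = {"md5", "sha256", "ip_address", "file_size"}
# Unit multipliers for the File Size filter; decimal units are an assumption of this example
SIZE_UNITS = {"bytes": 1, "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}

def wildcard_to_regex(value):
    """Translate * (any run of characters) and ? (exactly one character) into a case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    return re.compile(f"^{body}$", re.IGNORECASE)

def value_matches(field, actual, wanted):
    """Case-insensitive comparison; on hash, IP and size filters * and ? are ordinary characters."""
    if field in NO_WILDCARD_FIELDS:
        return str(actual).lower() == str(wanted).lower()
    return wildcard_to_regex(wanted).match(str(actual)) is not None

def criterion_matches(event, field, operator, value):
    actual = event.get(field)
    if field == "file_size":
        # File Size takes a whole number plus a unit, with "is greater than" or "is less than"
        number, unit = value
        threshold = int(number) * SIZE_UNITS[unit]
        return actual > threshold if operator == "is greater than" else actual < threshold
    if operator in ("includes any", "includes none"):
        # Multi-value filters take one value per line, never a comma-separated list
        wanted = [v.strip() for v in value.splitlines() if v.strip()]
        hit = any(value_matches(field, actual, w) for w in wanted)
        return hit if operator == "includes any" else not hit
    hit = value_matches(field, actual, value)
    return hit if operator == "is" else not hit

def search(events, start, end, criteria):
    # Date range bounds are ISO-8601 strings evaluated as UTC; every criterion must match (AND)
    lo, hi = (datetime.fromisoformat(t).replace(tzinfo=timezone.utc) for t in (start, end))
    return [e["event_id"] for e in events
            if lo <= e["timestamp"] <= hi
            and all(criterion_matches(e, f, op, v) for f, op, v in criteria)]

# Constructed sample events; not real Incydr data
SAMPLE_EVENTS = [
    {"event_id": "ev-1", "timestamp": datetime(2024, 3, 1, 9, tzinfo=timezone.utc),
     "file_name": "Q1-Forecast.XLSX", "file_size": 3_500_000, "exposure": "Browser upload"},
    {"event_id": "ev-2", "timestamp": datetime(2024, 3, 2, 14, tzinfo=timezone.utc),
     "file_name": "notes.txt", "file_size": 2_000, "exposure": "Removable media"},
    {"event_id": "ev-3", "timestamp": datetime(2024, 2, 20, 8, tzinfo=timezone.utc),
     "file_name": "plan.docx", "file_size": 9_000_000, "exposure": "Browser upload"},
]
```

Running `search(SAMPLE_EVENTS, "2024-03-01", "2024-03-31", [("file_name", "includes any", "*.xlsx\n*.docx"), ("exposure", "is", "browser upload"), ("file_size", "is greater than", (1, "MB"))])` returns only `ev-1`; the same file-name values written as one comma-separated line match nothing, which is the mistake the Value row warns about.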
File event details
To view file event details within search results:
- From the list of search results, click View details to show all metadata for a file event. Event details slide in from the right.
- Within the Event details, scroll to view all metadata for the event.
- For detailed descriptions of each field, see the File event metadata reference guide.
- Use the arrow icons to view file event details for the next or previous event.
- Click the menu icon next to any field for available actions.
  - For Event ID, choose:
    - Copy link to event details to copy a link to these event details to your clipboard. This link enables you to easily share specific events with others (who have the required permissions to access Forensic Search), or to save the URL for your own future reference.
    - Copy event ID to copy the string value of the Event ID itself. Use this value to search for this event again later.
  - For all other fields, choose:
    - Add value to current search to update the current search to only include results matching this value.
    - Add value to new search to start a new search containing this value.
    - Copy value to copy the value to your clipboard.
  - The Filename field contains an additional option:
    - Delete file contents to remove the file from file event details in the Code42 cloud.
Saved searches
To view the list of saved searches, select Forensic Search > Saved Searches.
Item | Name | Description
---|---|---
a | Saved search name | The name of the saved search.
b | Created | Lists the date the search was created and the user who created it.
c | Last modified | Lists the most recent date the search was modified and the user who modified it.
d | Run search | Executes the saved search and displays the search results.
e | Actions | Click to view options.
Email search results
Saved searches include the option to send a daily, weekly, or monthly report of the search results. Results are sent in an attached CSV and are limited to 200,000 events. Emailing search results enables you to receive notifications about activity you want to monitor, without generating an alert.
To email saved search results:
- From the list of saved searches, click the action menu for any search and select Edit name, notes, and email.
- Select Email search results on a set schedule.
- Enter up to 10 email addresses to receive the search results.
- Select a frequency (daily, weekly, or monthly). The selected frequency overrides the date filter in the saved search.
- Click Save.
Emails are not supported for saved searches with:
- The Watchlist members filter
- Blank criteria
As an alternative to the User > Watchlist members filter, use the Risk indicator > Watchlist > [Watchlist name] filter, which is supported for emailing saved search results. (The Watchlist members filter applies to all users on the watchlist at the time of the search, whereas the Watchlist risk indicator applies only to users who were on the watchlist at the time the file activity occurred.)