Forensic Search reference

Overview

Forensic Search is a powerful tool for investigating file activity across your organization. With a wide range of search filters covering both endpoint and cloud activity, you can easily create custom queries to gain visibility into all activity monitored by Incydr. For example:

  • Browser uploads and downloads
  • Cloud sharing
  • Removable media usage
  • Git clone, pull, and push activity
  • Print activity
  • File created, modified, and renamed events
  • Paste activity from clipboard to browser

This article provides in-depth details about the search interface. For detailed descriptions of each field returned in search results, see the File event metadata reference guide.

Forensic Search

To access Forensic Search:

  1. Sign in to the Code42 console.
    You must have a role with permissions that allow access to Forensic Search.
  2. Select Forensic Search > Search.
  3. Add search criteria and click Search.
    See below for details about search filters and results.
What is a "file event"?
Forensic Search reports on file events detected by Incydr. A file event is defined as any activity observed for a file. For example, creating, modifying, uploading, sharing, or deleting a file generates an event for that file.

Search results

Forensic Search results

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Item   Description
a Risk settings

Displays all risk indicators and associated scores.

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

b Load Saved Search Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
c Date selector

All searches must specify a date range. Select one of the following options:

  • Events observed in the last: Select a pre-defined time period. This is especially useful for saved searches because they can be used at any time in the future and still search the same relative time period.
  • Events observed on or after: Search events on or after a specific date and time. To include all events on the start date, enter a time value of 00:00:00.
  • Events observed on or before: Search events on or before a specific date and time. To include all events on the end date, enter a time value of 23:59:59. 
  • Events observed is in range: Search events between specific start and end dates/times. Enter a time range of 00:00:00 to 23:59:59 to include all events on the start and end dates.

Times are evaluated as Coordinated Universal Time (UTC).

d Filter

Select an item from the menu or type the name of a filter to include in your search. For detailed descriptions of all filter options, see the File event metadata reference guide.

e Operator

Search operator options vary based on the search filter.

  • Single value
    • Is: Returns events that match the search criteria
    • Is not: Excludes events that match the search criteria
    • Exists: Returns events including any value for the search criteria
    • Does not exist: Returns events with no value for the search criteria
  • Multi-value (OR)
    • Includes any: Returns events that match any item in the list of search criteria. This search is evaluated as though the "OR" operator exists between each value.
    • Includes none: Returns events that do not match the items included in the list of search criteria.

For File Size, select is greater than or is less than.

f Value

Defines the search criteria. Searches are case-insensitive.

For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.

Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. For example:

  • Enter the search string expenses* to return events for any filename beginning with the phrase expenses, such as expenses.xls, expenses.doc, expenses to review.txt, and so on.
  • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, and so on.

Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size.

Avoid starting a search term with a wildcard
Do not enter a search string that begins with a wildcard or contains only wildcards (for example, filename is * or file path is *documents). These searches may either timeout and never complete, or take a long time to complete and can return many millions of results, which are not practical to review or export.
File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example:

  • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
  • Enter /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.

For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).

g Remove search criteria Removes this search criteria.
h Add search criteria Adds another item to the search criteria. Search results only return events that match all criteria.
i Save As Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
j Reset Clears all search filters and results.
k Update Search Performs a search based on the current search criteria.
-- Charts (not pictured)

Select the Charts tab to create custom charts based on the current search results. Use the drop down menus to select a chart type and define the chart parameters.

Select Export chart to download an image of the chart.

l Modify columns Displays a list of available columns. Select or deselect items to customize the format of your search results.
m Export results

Downloads the current search results to a CSV file.

  • Exports are limited to 200,000 results.
  • Only includes the fields applicable to your product plan.
  • The CSV file is UTF-8 encoded.
    The CSV file also includes a leading byte order mark (BOM) specifying the file is UTF-8 encoded. If you use customized scripts to parse the CSV export, you may need to account for the BOM at the start of the file to ensure column headings are read correctly.

Some CSV column headers have different names than the corresponding field labels in Forensic Search. See Field name mapping and definitions for complete details.
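The BOM note above is the kind of detail that silently breaks a custom parser: decoding the export as plain UTF-8 leaves U+FEFF glued to the first column header, so lookups by header name fail. The following added example (not from the article or from Code42) reads a constructed export with Python's "utf-8-sig" codec, which strips the BOM, and then buckets rows by the PRISM score bands described later on this page. The column names in the sample are assumptions for illustration, not the product's real export headers.

```python
import csv

# Constructed sample export. Column names are assumptions for this example.
# b"\xef\xbb\xbf" is the UTF-8 byte order mark that leads the real export file.
SAMPLE_EXPORT = (
    b"\xef\xbb\xbf"
    b"Event ID,Filename,Event type,PRISM score\r\n"
    b"evt-0001,expenses2016.xls,Browser upload,9\r\n"
    b"evt-0002,expenses to review.txt,Removable media,5\r\n"
    b"evt-0003,notes.md,File created,0\r\n"
)


def first_header(raw: bytes, encoding: str) -> str:
    """Return the first column header as seen after decoding with `encoding`.

    With "utf-8" the BOM survives as "\\ufeff" in front of the header;
    with "utf-8-sig" Python strips it.
    """
    reader = csv.DictReader(raw.decode(encoding).splitlines())
    return reader.fieldnames[0]


def read_export(raw: bytes) -> list[dict]:
    """Decode a Forensic Search CSV export, dropping the BOM, one dict per event."""
    return list(csv.DictReader(raw.decode("utf-8-sig").splitlines()))


def severity(score: int) -> str:
    """Map a PRISM score to the severity bands listed in the article."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Moderate"
    if score >= 1:
        return "Low"
    return "No risk indicated"


def count_by_severity(raw: bytes) -> dict:
    """Count exported events per severity band (column name is an assumption)."""
    counts: dict = {}
    for row in read_export(raw):
        band = severity(int(row["PRISM score"]))
        counts[band] = counts.get(band, 0) + 1
    return counts
```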

n Select all Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o Event selector Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.
p Column sort indicator

Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
q PRISM score

Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

To learn more, see Risk settings reference.

r Add to case

Click to add the file event to a Case:

  1. Select an existing case from the list of available options.
  2. Click Create case to create a new case and add this event to it.
  3. To view the case, click the case name in the confirmation message that appears upon adding the event. You can also navigate to Response > Cases and select it there.

Only available in Incydr product plans.

s View details Displays all metadata for the file event. For detailed descriptions of each field, see the File event metadata reference guide.
t Events per page Select to display 10, 25, 50, or 100 events per page.

File event details

To view file event details within search results:

  1. From the list of search results, click View details to show all metadata for a file event.
    Event details slide in from the right.
  2. Within the Event details, scroll to view all metadata for the event.
    • For detailed descriptions of each field, see the File event metadata reference guide.
    • Use the up and down arrow icons to view file event details for the next or previous event.
    • Click the menu icon next to any field for available actions.
      • For Event ID, choose:
        • Copy link to event details to copy a link to these event details to your clipboard. This link enables you to easily share specific events with others (who have the required permissions to access Forensic Search), or to save the URL for your own future reference.
        • Copy event ID to copy the string value of the Event ID itself. Use this value to search for this event again later.
      • For all other fields, choose:
        • Add value to current search to update the current search to only include results matching this value.
        • Add value to new search to start a new search containing this value.
        • Copy value to copy the value to your clipboard.
      • The Filename field contains an additional option:
        • Delete file contents to remove the file from file event details in the Code42 cloud.

Forensic Search results with expanded file event details

Saved searches

To view the list of saved searches, select Forensic Search > Saved Searches.

Saved searches list

Item   Description
a Saved search name The name of the saved search.
b Created Lists the date the search was created and the user who created it.
c Last modified Lists the most recent date the search was modified and the user who modified it.
d Run search Executes the saved search and displays the search results.
e Actions

Click to view options:

  • Edit filters: Opens the Search tab, from which you can add, remove, and update search criteria.
  • Edit saved search: Displays the saved search name, notes, and email settings.
  • Delete: Permanently deletes the saved search for all users in your Code42 environment.

Email search results

Saved searches include the option to send a daily, weekly, or monthly report of the search results. Results are sent in an attached CSV and are limited to 200,000 events. Emailing search results enables you to receive notifications about activity you want to monitor, without generating an alert. 

To email saved search results:

  1. From the list of saved searches, click the action menu for any search and select Edit name, notes, and email.
  2. Select Email search results on a set schedule.
  3. Enter up to 10 email addresses to receive the search results.
  4. Select a frequency (daily, weekly, or monthly).
    The selected frequency overrides the date filter in the saved search.
  5. Click Save.
Search requirements for email
Emails are not supported for saved searches with:
  • The Watchlist members filter
  • Blank criteria
In these cases, the option to Email search results on a set schedule is disabled.

As an alternative to the User > Watchlist members filter, use the Risk indicator > Watchlist > [Watchlist name] filter, which is supported for emailing saved search results. (The Watchlist members filter applies to all users on the watchlist at the time of the search, whereas the Watchlist risk indicator applies only to users who were on the watchlist at the time the file activity occurred.)
