Alerts Commands (Deprecated)
alerts
View and manage alerts.
Usage:
alerts [OPTIONS] COMMAND [ARGS]...
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
alerts add-note
Add an optional note to an alert.
Usage:
alerts add-note [OPTIONS] ALERT_ID NOTE
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
alerts bulk-update-state
Bulk update multiple alerts from a file.
Takes a single arg FILE, which specifies the path to the file (use "-" to read from stdin).
File format can be either CSV or JSON Lines (default is CSV).
The --state and --note options to this command override the respective columns/keys in the CSV/JSON input. This allows you to bulk change a set of alerts without having to manually modify the state/note value for each CSV or JSON Lines row in the file. For example, to close all currently "PENDING" alerts older than a given date:
incydr alerts search --end <DATE> --state PENDING --format json-lines | incydr alerts bulk-update-state - --state RESOLVED --note "bulk resolved alerts older than <DATE>"
If --state is not provided, the CSV/JSON input must have a state column/key for each row/object.
Usage:
alerts bulk-update-state [OPTIONS] FILE
Options:
-f, --format [csv|json-lines] Specify format of input file: 'csv' or 'json-lines'. Defaults to 'csv'.
--state [OPEN|RESOLVED|IN_PROGRESS|PENDING] Override CSV/JSON input's `state` value with this value.
--note TEXT Override CSV/JSON input's `note` value with this value.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
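The override rule described above (a CLI-level --state/--note replaces the row's own value; without --state every row must carry its own state), as an added illustration written for this page and not the incydr package's own code. It assumes the alert id column is named `id` and uses constructed sample rows.

```python
import csv
import io
import json

VALID_STATES = {"OPEN", "RESOLVED", "IN_PROGRESS", "PENDING"}


def load_rows(text, fmt="csv"):
    """Parse bulk-update-state input: CSV with a header row, or JSON Lines."""
    if fmt == "csv":
        return list(csv.DictReader(io.StringIO(text)))
    if fmt == "json-lines":
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    raise ValueError("format must be 'csv' or 'json-lines'")


def resolve_updates(rows, state=None, note=None):
    """Apply the documented --state / --note override rule to each row.

    Returns a list of (alert_id, state, note) tuples. A row with no state and
    no --state override is rejected before anything would be sent to the API.
    """
    updates = []
    for i, row in enumerate(rows, 1):
        alert_id = row.get("id")  # assumption: the id column is named "id"
        if not alert_id:
            raise ValueError(f"row {i}: missing alert id")
        row_state = state if state is not None else row.get("state")
        if not row_state:
            raise ValueError(f"row {i}: no state in input and no --state override")
        if row_state not in VALID_STATES:
            raise ValueError(f"row {i}: unknown state {row_state!r}")
        row_note = note if note is not None else row.get("note")
        updates.append((alert_id, row_state, row_note))
    return updates


# Constructed sample input (not real alert ids): what a json-lines search
# output piped into bulk-update-state might look like.
SAMPLE_JSONL = (
    '{"id": "alert-0001", "state": "PENDING", "note": "old note"}\n'
    '{"id": "alert-0002", "state": "PENDING"}\n'
)
# Constructed CSV that lacks a state column, so it only works with --state.
SAMPLE_CSV_NO_STATE = "id,note\nalert-0003,csv note\n"
```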
alerts clear-checkpoint
Remove the saved alerts checkpoint from searches made with --checkpoint mode.
Usage:
alerts clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options:
--help Show this message and exit.
alerts search
Search alerts. Various options are provided to filter query results.
Results are output to the console by default; use the --output option to send data to a server.
Checkpointing is available through the --checkpoint <checkpoint-name> option and will only return new results on subsequent queries with that same checkpoint. Checkpointing filters by timestamp only; any additional filter options must be included in each run.
Usage:
alerts search [OPTIONS]
Options:
--checkpoint TEXT Use a checkpoint with the given name to only get search results that were not previously retrieved. If a checkpoint for the search with the given name doesn't exist, it will be created on the first run. Subsequent CLI runs with this option and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint. Checkpointing is most accurate with json outputs. For table and csv formats, checkpointing will track the last returned event in the table.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--columns TEXT Comma-delimited string of column names. Nested values should be specified in dot-notation. Limits output to contain only the specified columns in CSV or Table format. Ignored for JSON output formats.
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-pretty', 'json-lines', or 'csv'. If environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'table'.
--ignore-cert-validation BOOLEAN Set to skip CA certificate validation for the TLS-TCP protocol. Incompatible with the 'certs' option.
--certs TEXT A CA certificates-chain file for the TLS-TCP protocol.
--output TEXT Use to send the raw-json data to a syslog server. Pass a string in the format PROTOCOL:HOSTNAME:PORT to output to the specified server endpoint, where PROTOCOL is either TCP, TLS-TCP, or UDP (ex: TCP:localhost:5000). Also accepts strings of the format HOSTNAME and HOSTNAME:PORT. Defaults to TCP protocol on port 601. The --certs or --ignore-cert-validation option can be used with TLS-TCP format. Note that most data will be too large to be sent via UDP protocol.
--advanced-query FILENAME A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing '-', or from a filename if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with other query-building arguments. Any additional filter options will be ignored.
--alert-severity TEXT Filter by alert severity. One of [LOW, MEDIUM, HIGH].
--rule-id TEXT Filter by the rule ID that corresponds to the rule which triggered the alert.
--state TEXT Filter by the state of the alert. One of [OPEN, RESOLVED, IN_PROGRESS, PENDING].
--risk-severity TEXT Filter by risk severity. One of [NO_RISK_INDICATED, LOW, MODERATE, HIGH, CRITICAL].
--actor-id TEXT Filter by the actor ID.
--actor TEXT Filter by the actor (the user who triggered the alert).
--name TEXT Filter by the name of the alert.
--type TEXT Filter by the type of alert. One of [FED_ENDPOINT_EXFILTRATION, FED_CLOUD_SHARE_PERMISSIONS, FED_FILE_TYPE_MISMATCH, FED_FILE_NAME_MATCH, FED_COMPOSITE].
--alert-id TEXT Filter by the unique alert ID.
--on TEXT Look for alerts created on the date given; argument forms are the same as `--start`.
--end TEXT The end of the date range in which to look for alerts; argument format options are the same as `--start`.
--start TEXT The beginning of the date range in which to look for alerts. Filters by alert creation time. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format.
--help Show this message and exit.
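The --output target syntax and its certificate-option constraints, as an added example written for this page (not the incydr CLI's own parser): it accepts the three documented forms, fills in the documented defaults (TCP, port 601), and rejects the combinations the option text rules out. Hostnames in the sample calls are constructed.

```python
PROTOCOLS = {"TCP", "TLS-TCP", "UDP"}
DEFAULT_PROTOCOL = "TCP"
DEFAULT_PORT = 601


def parse_output_target(spec, certs=None, ignore_cert_validation=False):
    """Parse an --output value into (protocol, hostname, port).

    Accepted forms: PROTOCOL:HOSTNAME:PORT, HOSTNAME:PORT, HOSTNAME.
    --certs and --ignore-cert-validation are mutually exclusive and only
    meaningful for TLS-TCP, so any other combination is rejected up front.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        protocol, host, port = DEFAULT_PROTOCOL, parts[0], DEFAULT_PORT
    elif len(parts) == 2:
        protocol, host, port = DEFAULT_PROTOCOL, parts[0], parts[1]
    elif len(parts) == 3:
        protocol, host, port = parts[0].upper(), parts[1], parts[2]
    else:
        raise ValueError(f"unrecognised --output value: {spec!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}, got {protocol!r}")
    if not host:
        raise ValueError("hostname is required")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if certs and ignore_cert_validation:
        raise ValueError("--certs and --ignore-cert-validation are incompatible")
    if (certs or ignore_cert_validation) and protocol != "TLS-TCP":
        raise ValueError("certificate options only apply to the TLS-TCP protocol")
    return protocol, host, port


def syslog_transport_warning(protocol):
    """Return the documented caveat for UDP, or None for the stream protocols."""
    if protocol == "UDP":
        return "most alert records are too large to be sent via UDP"
    return None
```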
alerts show
Show the details of a single alert.
Usage:
alerts show [OPTIONS] ALERT_ID
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
-f, --format SINGLEFORMAT Format to print result. One of 'rich', 'json-pretty', or 'json-lines'. If environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'rich'.
--help Show this message and exit.
alerts update-state
Change the state of an alert, and optionally add a note.
Usage:
alerts update-state [OPTIONS] ALERT_ID STATE
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--note TEXT Optional note to indicate the reason for the state change.
--help Show this message and exit.