File Events Commands
file-events
View and manage file events.
Usage:
file-events [OPTIONS] COMMAND [ARGS]...
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
file-events clear-checkpoint
Remove the saved file events checkpoint from searches made with --checkpoint mode.
Usage:
file-events clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options:
--help Show this message and exit.
file-events list-saved-searches
List saved searches.
Usage:
file-events list-saved-searches [OPTIONS]
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-pretty', 'json-lines', or 'csv'. If environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested values should be specified in dot-notation. Limits output to contain only the specified columns in CSV or Table format. Ignored for JSON output formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
file-events search
Search file events. Various options are provided to filter query results. Use the --saved-search or the --advanced-query option if the available filters don't satisfy your requirements.
Defaults to returning events with a risk score >= 1. Add the --risk-score 0 filter to return all events, including those with no risk associated with them.
Results are output to the console by default; use the --output option to send data to a server.
Checkpointing is available through the --checkpoint <checkpoint-name> option and will only return new results on subsequent queries with that same checkpoint. Checkpointing stores the original query it was run with, so additional filters on subsequent runs will be ignored.
Usage:
file-events search [OPTIONS]
Options:
--checkpoint TEXT Use a checkpoint with the given name to only get search results that were not previously retrieved. If a checkpoint for the search with the given name doesn't exist, it will be created on the first run. Subsequent CLI runs with this option and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint. Checkpointing is most accurate with JSON outputs. For table and CSV formats, checkpointing will track the last returned event in the table.
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-pretty', 'json-lines', or 'csv'. If environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested values should be specified in dot-notation. Limits output to contain only the specified columns in CSV or Table format. Ignored for JSON output formats.
--ignore-cert-validation BOOLEAN Set to skip CA certificate validation for the TLS-TCP protocol. Incompatible with the 'certs' option.
--certs TEXT A CA certificate-chain file for the TLS-TCP protocol.
--output TEXT Use to send the raw JSON data to a syslog server. Pass a string in the format PROTOCOL:HOSTNAME:PORT to output to the specified server endpoint, where PROTOCOL is either TCP, TLS-TCP, or UDP (ex: TCP:localhost:5000). Also accepts strings of the format HOSTNAME and HOSTNAME:PORT. Defaults to the TCP protocol on port 601. The --certs or --ignore-cert-validation option can be used with the TLS-TCP format. Note that most data will be too large to be sent via the UDP protocol.
--advanced-query FILENAME Get events from a raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing '-', or from a filename if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with other query-building arguments. Any additional filter options will be ignored.
--saved-search TEXT Get events from a saved search with the given ID. WARNING: Using a saved search is incompatible with other query-building arguments. Any additional filter options will be ignored.
--risk-score INTEGER Filter by risk scores greater than the provided value. The risk score is the sum of the weights for each risk indicator. This score is used to determine the overall risk severity of the event. Defaults to 1. Set to 0 to return all events, including those that have no risk associated with them.
--risk-severity TEXT Filter by the general risk assessment of the event, based on the numeric score.
--risk-indicator TEXT Filter by a list of risk indicators identified for this event. If more than one risk indicator applies to this event, the sum of all indicators determines the total risk score.
--file-category TEXT Filter by the categorization of the file that is inferred from MIME type.
--file-directory TEXT Filter by the file location on the user's device; a forward or backslash must be included at the end of the filepath. Possibly null if the file event occurred on a cloud provider.
--file-name TEXT Filter by the name of the file, including the file extension.
--destination-category TEXT Filter by the category of the file destination. For example: Cloud Storage, Email, Social Media.
--source-category TEXT Filter by the category of where the file originated. For example: Cloud Storage, Email, Social Media.
--sha256 TEXT Filter by the SHA-256 hash of the file contents.
--md5 TEXT Filter by the MD5 hash of the file contents.
--username TEXT Filter by the Code42 username used to sign in to the Code42 app on the device. Null if the file event occurred on a cloud provider.
--event-action TEXT Filter by the type of file event observed.
--end TEXT The end of the date range in which to look for file events; argument format options are the same as `--start`.
--start TEXT The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hr time) format, or a duration in the form of an ISO-duration string (ex. pass `P7D` to filter for events which occurred in the last week).
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
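The following is an added illustration of the --output destination syntax and the --certs / --ignore-cert-validation rules documented above; it is not the Incydr client's own parser, the function and class names are assumed, and it treats those two options as ignored (with a warning) for non-TLS-TCP destinations, which the help text does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional

# Destination syntax as documented for --output: HOSTNAME, HOSTNAME:PORT or
# PROTOCOL:HOSTNAME:PORT, with PROTOCOL one of TCP, TLS-TCP, UDP; the default
# is TCP on port 601. Bracketed IPv6 literals are not handled here (assumption).
PROTOCOLS = {"TCP", "TLS-TCP", "UDP"}
DEFAULT_PROTOCOL, DEFAULT_PORT = "TCP", 601


@dataclass(frozen=True)
class SyslogDestination:
    protocol: str
    hostname: str
    port: int


def parse_output(value: str) -> SyslogDestination:
    """Split an --output string into its protocol, hostname and port."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        proto, host, port = DEFAULT_PROTOCOL, parts[0], DEFAULT_PORT
    elif len(parts) == 2:
        proto, host, port = DEFAULT_PROTOCOL, parts[0], parts[1]
    elif len(parts) == 3:
        proto, host, port = parts[0].upper(), parts[1], parts[2]
    else:
        raise ValueError(f"unrecognised --output value {value!r}")
    if proto not in PROTOCOLS or not host:
        raise ValueError(f"bad protocol or hostname in {value!r}")
    port = int(port)  # raises ValueError on a non-numeric port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return SyslogDestination(proto, host, port)


def check_tls_options(dest: SyslogDestination, certs: Optional[str],
                      ignore_cert_validation: bool) -> List[str]:
    """Return operator warnings; raise ValueError on a conflicting combination."""
    if certs and ignore_cert_validation:
        raise ValueError("--certs is incompatible with --ignore-cert-validation")
    warnings = []
    if dest.protocol == "UDP":
        warnings.append("most file event payloads are too large for UDP")
    if (certs or ignore_cert_validation) and dest.protocol != "TLS-TCP":
        warnings.append("--certs / --ignore-cert-validation only apply to TLS-TCP; ignored")
    if ignore_cert_validation:
        warnings.append("CA validation disabled: the syslog server is not authenticated")
    return warnings
```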
file-events show-saved-search
Show details for a single saved search.
Usage:
file-events show-saved-search [OPTIONS] SEARCH_ID
Options:
-f, --format SINGLEFORMAT Format to print result. One of 'rich', 'json-pretty', or 'json-lines'. If environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'rich'.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.