File Events Commands

file-events

View and manage file events.

Usage:

file-events [OPTIONS] COMMAND [ARGS]...

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

file-events clear-checkpoint

Remove the saved file events checkpoint from searches made with --checkpoint mode.

Usage:

file-events clear-checkpoint [OPTIONS] CHECKPOINT_NAME

Options:

  --help  Show this message and exit.

file-events list-saved-searches

List saved searches.

Usage:

file-events list-saved-searches [OPTIONS]

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv'. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

file-events search

Search file events. Various options are provided to filter query results.

Use the --saved-search or the --advanced-query option if the available filters don't satisfy your requirements.

Defaults to returning events with a risk score >= 1. Add the --risk-score 0 filter to return all events, including those with no risk associated with them.

Results will be output to the console by default, use the --output option to send data to a server.

Checkpointing is available through the --checkpoint <checkpoint-name> option and will only return new results on subsequent queries with that same checkpoint. Checkpointing stores the original query it was run with, so additional filters on subsequent runs will be ignored.

Usage:

file-events search [OPTIONS]

Options:

  --checkpoint TEXT               Use a checkpoint with the given name to only
                                  get search results that were not previously
                                  retrieved. If a checkpoint for the search
                                  with the given name doesn't exist, it will
                                  be created on the first run. Subsequent CLI
                                  runs with this option and the same name will
                                  use the stored checkpoint to modify the
                                  search query and then update the stored
                                  checkpoint. Checkpointing is most accurate
                                  with json outputs.  For table and csv
                                  formats, checkpointing will track the last
                                  returned event in the table.
  -f, --format TABLEFORMAT        Format to print result. One of 'table',
                                  'json-pretty', 'json-lines', or 'csv'. If
                                  environment has INCYDR_USE_RICH=false set,
                                  defaults to 'json-lines', else defaults to
                                  'table'.
  --columns TEXT                  Comma-delimited string of column names.
                                  Nested values should be specified in dot-
                                  notation. Limits output to contain only the
                                  specified columns in CSV or Table format.
                                  Ignored for JSON output formats.
  --ignore-cert-validation BOOLEAN
                                  Set to skip CA certificate validation for
                                  the TLS-TCP protocol. Incompatible with the
                                  'certs' option.
  --certs TEXT                    A CA certificates-chain file for the TLS-TCP
                                  protocol.
  --output TEXT                   Use to send the raw-json data in to a syslog
                                  server.  Pass a string in the format
                                  PROTOCOL:HOSTNAME:PORT to output to the
                                  specified server endpoint, where format is
                                  either TCP, TLS-TCP, or UDP (ex:
                                  TCP:localhost:5000). Also accepts strings of
                                  the format HOSTNAME and HOSTNAME:PORT.
                                  Defaults to TCP protocol on port 601. The
                                  --certs or --ignore-cert-validation option
                                  can be used with TLS-TCP format.  Note that
                                  most data will be too large to be sent via
                                  UDP protocol.
  --advanced-query FILENAME       Get events from a raw JSON file events
                                  query. Useful for when the provided query
                                  parameters do not satisfy your requirements.
                                  Argument can be passed as a string, read
                                  from stdin by passing '-', or from a
                                  filename if prefixed with '@', e.g. '--
                                  advanced-query @query.json'. WARNING: Using
                                  advanced queries is incompatible with other
                                  query-building arguments.  Any additional
                                  filter options will be ignored.
  --saved-search TEXT             Get events from a saved search with the
                                  given ID.  WARNING: Using a saved search is
                                  incompatible with other query-building
                                  arguments.  Any additional filter options
                                  will be ignored.
  --risk-score INTEGER            Filter by risk scores greater than the
                                  provided value. The risk score is the sum of
                                  the weights for each risk indicator. This
                                  score is used to determine the overall risk
                                  severity of the event.  Defaults to 1.  Set
                                  to 0 to return all events, including those
                                  that have no risk associated with them.
  --risk-severity TEXT            Filter by the general risk assessment of the
                                  event, based on the numeric score.
  --risk-indicator TEXT           Filter by a list of risk indicators
                                  identified for this event. If more than one
                                  risk indicator applies to this event, the
                                  sum of all indicators determines the total
                                  risk score.
  --file-category TEXT            Filter by the categorization of the file
                                  that is inferred from MIME type.
  --file-directory TEXT           Filter by the file location on the user's
                                  device; a forward or backslash must be
                                  included at the end of the filepath.
                                  Possibly null if the file event occurred on
                                  a cloud provider.
  --file-name TEXT                Filter by the name of the file, including
                                  the file extension.
  --destination-category TEXT     Filter by the category of the file
                                  destination. For example: Cloud Storage,
                                  Email, Social Media.
  --source-category TEXT          Filter by the category of where the file
                                  originated. For example: Cloud Storage,
                                  Email, Social Media.
  --sha256 TEXT                   Filter by the SHA-256 hash of the file
                                  contents.
  --md5 TEXT                      Filter by the MD5 hash of the file contents.
  --username TEXT                 Filter by the Code42 username used to sign
                                  in to the Code42 app on the device. Null if
                                  the file event occurred on a cloud provider.
  --event-action TEXT             Filter by the type of file event observed.
  --end TEXT                      The end of the date range in which to look
                                  for file events, argument format options are
                                  the same as `--start`.
  --start TEXT                    The beginning of the date range in which to
                                  look for file events. Accepts a date/time in
                                  yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS
                                  (UTC+24-hr time) format or a duration in the
                                  form of an ISO-duration string (ex. Pass
                                  `P7D` to filter for events which occurred in
                                  the last week).
  --log-stderr                    Enable logging to stderr.
  --log-file TEXT                 Specify file path to write log output to.
  --log-level TEXT                Set level for Incydr client logging.
  --help                          Show this message and exit.
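The --output target string and its TLS-related options, as an added example that is not part of the Incydr CLI or its documentation: the function and class names are this example's own, the parsing rules follow the help text above (protocol defaults to TCP, port to 601, --certs and --ignore-cert-validation are mutually exclusive and only meaningful for TLS-TCP), and accepting the protocol name case-insensitively is an assumption.

```python
# Added example, not Incydr CLI code: applies the --output rules from the help
# text (PROTOCOL:HOSTNAME:PORT, HOSTNAME:PORT or HOSTNAME; protocol defaults to
# TCP, port to 601) and the TLS option constraints. Case-insensitive protocol
# names are this example's assumption.
from dataclasses import dataclass
from typing import List, Optional

VALID_PROTOCOLS = ("TCP", "TLS-TCP", "UDP")
DEFAULT_PROTOCOL = "TCP"
DEFAULT_PORT = 601

@dataclass(frozen=True)
class SyslogTarget:
    protocol: str
    hostname: str
    port: int

def parse_output_target(spec: str) -> SyslogTarget:
    """Turn an --output value such as 'TCP:localhost:5000' into a SyslogTarget."""
    parts = spec.strip().split(":")
    if len(parts) == 1:                       # HOSTNAME
        proto, host, port = DEFAULT_PROTOCOL, parts[0], str(DEFAULT_PORT)
    elif len(parts) == 2:                     # HOSTNAME:PORT
        proto, host, port = DEFAULT_PROTOCOL, parts[0], parts[1]
    elif len(parts) == 3:                     # PROTOCOL:HOSTNAME:PORT
        proto, host, port = parts[0].upper(), parts[1], parts[2]
    else:
        raise ValueError(f"unrecognised --output value: {spec!r}")
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be one of {VALID_PROTOCOLS}, got {proto!r}")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad hostname or port in --output value: {spec!r}")
    return SyslogTarget(proto, host, int(port))

def check_transport_options(target: SyslogTarget, certs: Optional[str] = None,
                            ignore_cert_validation: bool = False) -> List[str]:
    """Raise on the option pair the help text calls incompatible; return
    warnings for combinations that weaken or break the syslog transport."""
    if certs and ignore_cert_validation:
        raise ValueError("--certs and --ignore-cert-validation are incompatible")
    warnings = []
    if target.protocol != "TLS-TCP" and (certs or ignore_cert_validation):
        warnings.append("--certs/--ignore-cert-validation only apply to TLS-TCP")
    if target.protocol == "TLS-TCP" and ignore_cert_validation:
        warnings.append("CA validation disabled: syslog server is not authenticated")
    if target.protocol == "UDP":
        warnings.append("UDP: most file-event records are too large to send")
    return warnings
```

Running the checks before invoking the CLI in a scheduled job surfaces a disabled-CA-validation target or an oversized UDP transport as a warning instead of a silent misconfiguration.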

file-events show-saved-search

Show details for a single saved search.

Usage:

file-events show-saved-search [OPTIONS] SEARCH_ID

Options:

  -f, --format SINGLEFORMAT  Format to print result. One of 'rich', 'json-
                             pretty', or 'json-lines'. If environment has
                             INCYDR_USE_RICH=false set, defaults to 'json-
                             lines', else defaults to 'rich'.
  --log-stderr               Enable logging to stderr.
  --log-file TEXT            Specify file path to write log output to.
  --log-level TEXT           Set level for Incydr client logging.
  --help                     Show this message and exit.