Sessions Commands

sessions
View and manage Incydr Sessions, including Alerts.
Sessions group all Incydr activity for an individual actor within a specific time frame. Sessions may include file events, alerts, Instructor lessons, and more. A single session can contain one or more alerts.
Alerts are triggered when user file activity matches criteria defined in your alert rules. Alerts are included within sessions to group related activity and provide additional context.
Usage:
    sessions [OPTIONS] COMMAND [ARGS]...

Options:
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    --help              Show this message and exit.

sessions bulk-update-state

Bulk update the state of multiple sessions. Optionally attach a note.

NEW_STATE specifies the new state to which sessions will be updated. Must be one of the following: 'OPEN', 'IN_PROGRESS', 'CLOSED', 'CLOSED_TP', 'CLOSED_FP', 'OPEN_NEW_DATA'.

Takes a single argument, FILE, which specifies the path to the input file (use "-" to read from stdin). The file format can be either CSV or JSON Lines (the default is CSV).

The --state and --note options to this command override the respective columns/keys in the CSV/JSON input.

Accepts the following columns:
    session_id    (required)
    state         (required if the --state option is not provided)
    note          (optional)

If --state is not provided, the CSV/JSON input must have a state column/key for each row/object.

Usage:
    sessions bulk-update-state [OPTIONS] FILE

Options:
    --state [OPEN|IN_PROGRESS|CLOSED|CLOSED_TP|CLOSED_FP|OPEN_NEW_DATA]
        Override CSV/JSON input's `state` value with this value.
    --note TEXT
        Override CSV/JSON input's `note` value with this value.
    -f, --format [csv|json-lines]
        Specify format of input file: 'csv' or 'json-lines'. Defaults to 'csv'.
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    --help              Show this message and exit.
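
As an added example (not code from the Incydr CLI or its documentation), the following Python script produces a bulk-update-state input file from a list of triage decisions. It validates each row against the rules above (every row needs a session_id, state must be one of the listed values, note is optional) and applies the 2000-character note limit documented for `sessions update --note`, so a malformed row is rejected before anything is sent to the server. The sample decisions and session IDs are constructed placeholders, and the invocation in the trailing comment assumes the CLI executable is named `incydr`.

```python
import csv
import io
import json
import sys
from typing import Iterable

# Allowed values of the --state option / the `state` column.
VALID_STATES = {"OPEN", "IN_PROGRESS", "CLOSED", "CLOSED_TP", "CLOSED_FP", "OPEN_NEW_DATA"}
# Note length limit documented for `sessions update --note`; applied here as a
# pre-flight check so the bulk file never carries an over-long note.
NOTE_MAX_CHARS = 2000
COLUMNS = ["session_id", "state", "note"]

# Constructed triage decisions (session IDs are placeholders, not real Incydr IDs).
SAMPLE_DECISIONS = [
    {"session_id": "session-0001", "state": "closed_fp", "note": "Approved backup job"},
    {"session_id": "session-0002", "state": "IN_PROGRESS",
     "note": 'Analyst "A" reviewing, large USB copy'},
    {"session_id": "session-0003", "state": "OPEN_NEW_DATA"},
]


def validate(decisions: Iterable[dict]) -> list[str]:
    """Return a list of problems; an empty list means every row is acceptable."""
    problems = []
    seen = set()
    for i, d in enumerate(decisions, start=1):
        session_id = str(d.get("session_id") or "").strip()
        if not session_id:
            problems.append(f"row {i}: session_id is required")
            continue
        if session_id in seen:
            problems.append(f"row {i}: duplicate session_id {session_id}")
        seen.add(session_id)
        state = str(d.get("state") or "").strip().upper()
        if state not in VALID_STATES:
            problems.append(f"row {i}: state {state!r} is not one of {sorted(VALID_STATES)}")
        note = d.get("note") or ""
        if len(note) > NOTE_MAX_CHARS:
            problems.append(f"row {i}: note is {len(note)} characters, max is {NOTE_MAX_CHARS}")
    return problems


def build_rows(decisions: Iterable[dict]) -> list[dict]:
    """Normalise decisions into session_id/state/note rows, refusing invalid input."""
    decisions = list(decisions)
    problems = validate(decisions)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        {
            "session_id": str(d["session_id"]).strip(),
            "state": str(d["state"]).strip().upper(),
            "note": d.get("note") or "",
        }
        for d in decisions
    ]


def to_json_lines(rows: list[dict]) -> str:
    """One JSON object per line: the layout `--format json-lines` expects."""
    return "".join(json.dumps(r) + "\n" for r in rows)


def to_csv(rows: list[dict]) -> str:
    """CSV with a header row; the csv module quotes notes containing commas or quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Emit JSON Lines on stdout so it can be piped straight into the CLI, e.g.:
    #   python3 triage_rows.py | incydr sessions bulk-update-state - -f json-lines
    # (the executable name `incydr` and the script name are assumptions;
    #  "-" makes the command read the file from stdin)
    sys.stdout.write(to_json_lines(build_rows(SAMPLE_DECISIONS)))
```

Validation runs before any output is written on purpose: a bulk update is one request per row, so a typo such as `CLOSD` in the middle of a file would otherwise be noticed only after the earlier rows had already changed state. Use `to_csv` instead of `to_json_lines` if you want to drop `-f json-lines` and rely on the CSV default.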

sessions search

Search sessions.
Defaults to only include sessions that have alerts associated with them. Use the --no-alerts option to view sessions without any alerts.
Usage:
    sessions search [OPTIONS]

Options:
    --checkpoint TEXT
        Use a checkpoint with the given name to only get search results that were not
        previously retrieved. If a checkpoint for the search with the given name doesn't
        exist, it will be created on the first run. Subsequent CLI runs with this option and
        the same name will use the stored checkpoint to modify the search query and then
        update the stored checkpoint. Checkpointing is most accurate with json outputs. For
        table and csv formats, checkpointing will track the last returned event in the table.
    --actor-id TEXT
        Limit search to sessions generated by this actor.
    --start TEXT
        Limit search to sessions beginning on or after this date and time. Accepts a
        date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format.
    --end TEXT
        Limit search to sessions beginning before this date and time. Accepts a date/time
        in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format.
    --no-alerts
        Limit search to sessions that do NOT have alerts associated with them.
    --risk-indicators TEXT
        A CSV list of risk indicator IDs. Limit search to sessions that include these risk
        indicators.
    --state [OPEN|IN_PROGRESS|CLOSED|CLOSED_TP|CLOSED_FP|OPEN_NEW_DATA]
        Limit search to sessions with this state. Can be specified multiple times to include
        multiple values.
    --severity [NO_RISK|LOW|MODERATE|HIGH|CRITICAL]
        Specify one or more severity levels; can be specified multiple times to include
        multiple values. Limit search to sessions that have the matching severity value(s).
    --rule-id TEXT
        A rule ID. Limit search to sessions associated with this rule. Can be specified
        multiple times to include multiple values.
    --watchlist-id TEXT
        A watchlist ID. Limit search to sessions associated with this watchlist. Can be
        specified multiple times to include multiple values.
    --content-inspection-status [PENDING|FOUND|NOT_FOUND]
        Limit search to sessions with the given content inspection status.
    -f, --format TABLEFORMAT
        Format to print result. One of 'table', 'json-pretty', 'json-lines', or 'csv'. If
        environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults
        to 'table'.
    --columns TEXT
        Comma-delimited string of column names. Nested values should be specified in
        dot-notation. Limits output to contain only the specified columns in CSV or Table
        format. Ignored for JSON output formats.
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    --help              Show this message and exit.

sessions show

Show the details of a single session.
Usage:
    sessions show [OPTIONS] SESSION_ID

Options:
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    -f, --format SINGLEFORMAT
        Format to print result. One of 'rich', 'json-pretty', or 'json-lines'. If environment
        has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults to 'rich'.
    --help              Show this message and exit.

sessions show-events

Show the details of a single session.
Usage:
    sessions show-events [OPTIONS] SESSION_ID

Options:
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    --columns TEXT
        Comma-delimited string of column names. Nested values should be specified in
        dot-notation. Limits output to contain only the specified columns in CSV or Table
        format. Ignored for JSON output formats.
    -f, --format TABLEFORMAT
        Format to print result. One of 'table', 'json-pretty', 'json-lines', or 'csv'. If
        environment has INCYDR_USE_RICH=false set, defaults to 'json-lines', else defaults
        to 'table'.
    --ignore-cert-validation BOOLEAN
        Set to skip CA certificate validation for the TLS-TCP protocol. Incompatible with
        the 'certs' option.
    --certs TEXT
        A CA certificates-chain file for the TLS-TCP protocol.
    --output TEXT
        Use to send the raw-json data to a syslog server. Pass a string in the format
        PROTOCOL:HOSTNAME:PORT to output to the specified server endpoint, where PROTOCOL is
        either TCP, TLS-TCP, or UDP (ex: TCP:localhost:5000). Also accepts strings of the
        format HOSTNAME and HOSTNAME:PORT. Defaults to TCP protocol on port 601. The --certs
        or --ignore-cert-validation option can be used with the TLS-TCP format. Note that
        most data will be too large to be sent via the UDP protocol.
    --help              Show this message and exit.
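
The PROTOCOL:HOSTNAME:PORT syntax accepted by --output is easy to get wrong silently (a bad port or protocol only surfaces when the forward fails), so here is an added Python example, not part of the Incydr CLI, that parses an --output value into its parts using exactly the rules stated above: a bare HOSTNAME, HOSTNAME:PORT, or PROTOCOL:HOSTNAME:PORT, defaulting to TCP and port 601. A second function checks the certificate options against the parsed endpoint the way the option text describes: --certs and --ignore-cert-validation are incompatible, both only matter for TLS-TCP, and UDP is flagged because most payloads will not fit. The hostnames and file path in the sample calls are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("TCP", "TLS-TCP", "UDP")
DEFAULT_PROTOCOL = "TCP"   # documented default when no protocol is given
DEFAULT_PORT = 601         # documented default when no port is given


@dataclass(frozen=True)
class SyslogEndpoint:
    protocol: str
    hostname: str
    port: int


def parse_output_spec(spec: str) -> SyslogEndpoint:
    """Parse HOSTNAME, HOSTNAME:PORT or PROTOCOL:HOSTNAME:PORT into an endpoint."""
    parts = [p.strip() for p in spec.strip().split(":")]
    if len(parts) == 1:
        protocol, hostname, port_text = DEFAULT_PROTOCOL, parts[0], str(DEFAULT_PORT)
    elif len(parts) == 2:
        protocol = DEFAULT_PROTOCOL
        hostname, port_text = parts
    elif len(parts) == 3:
        protocol, hostname, port_text = parts
        protocol = protocol.upper()  # accept "tls-tcp" as well as "TLS-TCP"
    else:
        raise ValueError(f"expected at most three colon-separated fields in {spec!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}; use one of {PROTOCOLS}")
    if not hostname:
        raise ValueError("hostname must not be empty")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port must be an integer between 1 and 65535, got {port_text!r}")
    return SyslogEndpoint(protocol, hostname, int(port_text))


def is_valid_output_spec(spec: str) -> bool:
    """Boolean wrapper around parse_output_spec for quick pre-flight checks."""
    try:
        parse_output_spec(spec)
        return True
    except ValueError:
        return False


def check_transport_options(endpoint: SyslogEndpoint,
                            certs: Optional[str] = None,
                            ignore_cert_validation: bool = False) -> list[str]:
    """Report conflicts between --output, --certs and --ignore-cert-validation.

    Entries starting with "error:" would be rejected by the CLI per the option text;
    entries starting with "warning:" are combinations that run but deserve a second look.
    """
    problems = []
    if certs and ignore_cert_validation:
        problems.append("error: --certs and --ignore-cert-validation are incompatible")
    if endpoint.protocol != "TLS-TCP" and (certs or ignore_cert_validation):
        problems.append("warning: certificate options only apply to TLS-TCP endpoints")
    if endpoint.protocol == "UDP":
        problems.append("warning: most session event payloads are too large to send over UDP")
    if endpoint.protocol == "TLS-TCP" and ignore_cert_validation:
        # Skipping CA validation means the collector is encrypted to but not authenticated.
        problems.append("warning: TLS-TCP without CA validation does not authenticate the collector")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the host and CA path are placeholders.
    for spec in ("syslog.example.internal", "syslog.example.internal:6514",
                 "tls-tcp:syslog.example.internal:6514", "TCP:localhost:5000"):
        print(spec, "->", parse_output_spec(spec))
    tls = parse_output_spec("TLS-TCP:syslog.example.internal:6514")
    print(check_transport_options(tls, certs="/etc/ssl/ca-chain.pem"))
    print(check_transport_options(tls, certs="/etc/ssl/ca-chain.pem", ignore_cert_validation=True))
```

Two things worth noting from the rules as written: a bare hostname yields plain TCP on port 601, with no transport encryption, so an explicit TLS-TCP:HOST:PORT with --certs is the form to use for a collector reached over an untrusted network; and because the spec is split on ":", a bracketed IPv6 literal would not parse under these rules, which is why the example only accepts hostnames and IPv4 addresses.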

sessions update

Update the state of and/or the note attached to the session.
Usage:
    sessions update [OPTIONS] SESSION_ID

Options:
    -s, --state [OPEN|IN_PROGRESS|CLOSED|CLOSED_TP|CLOSED_FP|OPEN_NEW_DATA]
        Update a session's state.
    --note TEXT
        Add a note to the session. Takes the note's content, with a 2000 character max.
    --log-stderr        Enable logging to stderr.
    --log-file TEXT     Specify file path to write log output to.
    --log-level TEXT    Set level for Incydr client logging.
    --help              Show this message and exit.