Watchlist Commands

watchlists

View and manage watchlists.

After creation, watchlists can be managed by type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be managed by title or ID.

The following values are valid watchlist types:

* CONTRACT_EMPLOYEE
* DEPARTING_EMPLOYEE
* ELEVATED_ACCESS_PRIVILEGES
* FLIGHT_RISK
* HIGH_IMPACT_EMPLOYEE
* NEW_EMPLOYEE
* PERFORMANCE_CONCERNS
* POOR_SECURITY_PRACTICES
* SUSPICIOUS_SYSTEM_ACTIVITY
* CUSTOM

Usage:

watchlists [OPTIONS] COMMAND [ARGS]...

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists add

Manage watchlist membership by including or excluding individual actors and/or groups.

Add any of the following members to a watchlist with the corresponding options:

  • actors
  • excluded-actors
  • departments
  • directory-groups

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If adding or excluding more than 100 actors in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.

Usage:

watchlists add [OPTIONS] WATCHLIST

Options:

  --actors FILENAME              List of actor IDs or actor names to include
                                 on the watchlist. An additional lookup is
                                 performed if an actor name is passed.
                                 Argument can be passed as a comma-delimited
                                 string or from a CSV file with a single
                                 'actor' column if prefixed with '@', e.g.
                                 '--actors @actors.csv'.
  --excluded-actors FILENAME     List of actor IDs or actor names to exclude
                                 from the watchlist. An additional lookup is
                                 performed if an actor name is passed.
                                 Argument can be passed as a comma-delimited
                                 string or from a CSV file with a single
                                 'actor' column if prefixed with '@', e.g.
                                 '--excluded-actors @actors.csv'.
  --departments TEXT             Comma-delimited string of department names to
                                 include on the watchlist. Individual users
                                 from the departments will be added as
                                 watchlist members, where department
                                 information comes from SCIM or User Directory
                                 Sync.
  --directory-groups TEXT        Comma-delimited string of directory group IDs
                                 to include on the watchlist. Individual users
                                 from the directory groups will be added as
                                 watchlist members, where group information
                                 comes from SCIM or User Directory Sync.
  --users FILENAME               DEPRECATED. Use --actors instead. List of
                                 user IDs or usernames to include on the
                                 watchlist. An additional lookup is performed
                                 if a username is passed. Argument can be
                                 passed as a comma-delimited string or from a
                                 CSV file with a single 'user' column if
                                 prefixed with '@', e.g. '--users @users.csv'.
  --excluded-users FILENAME      DEPRECATED. Use --excluded-actors instead.
                                 List of user IDs or usernames to exclude from
                                 the watchlist. An additional lookup is
                                 performed if a username is passed. Argument
                                 can be passed as a comma-delimited string or
                                 from a CSV file with a single 'user' column
                                 if prefixed with '@', e.g. '--users
                                 @users.csv'.
  -f, --format [csv|json-lines]  Specify format of input file(s): 'csv' or
                                 'json-lines'. Defaults to 'csv'. Multiple
                                 input files must all be the same format.
  --log-stderr                   Enable logging to stderr.
  --log-file TEXT                Specify file path to write log output to.
  --log-level TEXT               Set level for Incydr client logging.
  --help                         Show this message and exit.
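
A pre-flight helper for the input files described above, as an added example that is not part of the Incydr CLI or its documentation: it builds the single-column 'actor' file in either accepted format, rejects an actor that appears in both the include and the exclude list, and estimates the request count from the 100-per-request limit. The function names, the sample addresses and the overlap check are assumptions made for illustration.

```python
import csv
import io
import json
import math

BATCH_LIMIT = 100  # per-request backend limit stated in this command's help


def clean_actors(raw):
    """Strip whitespace, drop blanks and exact duplicates, keep input order."""
    seen, cleaned = set(), []
    for item in raw:
        actor = item.strip()
        if actor and actor not in seen:
            seen.add(actor)
            cleaned.append(actor)
    return cleaned


def render_actor_file(actors, fmt="csv"):
    """Return file content for '--actors @file' / '--excluded-actors @file'."""
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["actor"])            # the single 'actor' column
        writer.writerows([a] for a in actors)
        return buf.getvalue()
    if fmt == "json-lines":
        return "".join(json.dumps({"actor": a}) + "\n" for a in actors)
    raise ValueError(f"unsupported format: {fmt!r}")


def preflight(include, exclude):
    """Check both lists before a run and estimate the batched request count."""
    inc, exc = clean_actors(include), clean_actors(exclude)
    overlap = sorted(set(inc) & set(exc))
    if overlap:
        # Hypothetical safeguard: the page does not say how the CLI treats this.
        raise ValueError(f"actors both included and excluded: {overlap}")
    return {
        "include": inc,
        "exclude": exc,
        # Estimate only: assumes each list is batched separately at the limit.
        "include_requests": math.ceil(len(inc) / BATCH_LIMIT),
        "exclude_requests": math.ceil(len(exc) / BATCH_LIMIT),
    }


if __name__ == "__main__":
    # Constructed sample data, not real actors.
    departing = [f"user{i}@example.com" for i in range(250)] + [" user0@example.com "]
    plan = preflight(departing, ["svc-backup@example.com"])
    print(plan["include_requests"], "include requests")
    print(render_actor_file(plan["include"][:2], "json-lines"), end="")
```

Save the returned text as actors.csv and pass it with '--actors @actors.csv'; for the JSON Lines variant, add '--format json-lines'.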

watchlists create

Create a new watchlist.

Where WATCHLIST_TYPE is one of the following:

  • CONTRACT_EMPLOYEE
  • DEPARTING_EMPLOYEE
  • ELEVATED_ACCESS_PRIVILEGES
  • FLIGHT_RISK
  • HIGH_IMPACT_EMPLOYEE
  • NEW_EMPLOYEE
  • PERFORMANCE_CONCERNS
  • POOR_SECURITY_PRACTICES
  • SUSPICIOUS_SYSTEM_ACTIVITY
  • CUSTOM

The --title (required) and --description (optional) options are exclusively for creating CUSTOM watchlists.

Usage:

watchlists create [OPTIONS] WATCHLIST_TYPE

Options:

  --title TEXT        Required title for a CUSTOM watchlist.
  --description TEXT  Optional description for a CUSTOM watchlist.
  --log-stderr        Enable logging to stderr.
  --log-file TEXT     Specify file path to write log output to.
  --log-level TEXT    Set level for Incydr client logging.
  --help              Show this message and exit.

watchlists delete

Delete a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists delete [OPTIONS] WATCHLIST

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists list

List watchlists.

Usage:

watchlists list [OPTIONS]

Options:

  --actor TEXT              Filter by watchlists where the actor is a member.
                            Accepts an actor ID or actor name.  Performs an
                            additional lookup if an actor name is passed.
  --user TEXT               DEPRECATED. Use Actor instead. Filter by
                            watchlists where the user is a member.  Accepts a
                            user ID or a username.  Performs an additional
                            lookup if a username is passed.
  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-departments

List departments included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-departments [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-directory-groups

List directory groups included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-directory-groups [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-excluded-actors

List actors excluded from a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-excluded-actors [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-excluded-users

DEPRECATED. List users excluded from a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-excluded-users [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-included-actors

List actors explicitly included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-included-actors [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-included-users

DEPRECATED. List users explicitly included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-included-users [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-members

List members of a watchlist.

A member may have been added as an included user, or may be a member of an included department, etc.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-members [OPTIONS] WATCHLIST

Options:

  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  -f, --format TABLEFORMAT  Format to print result. One of 'table',
                            'json-pretty', 'json-lines', or 'csv'. If
                            environment has INCYDR_USE_RICH=false set,
                            defaults to 'json-lines', else defaults to
                            'table'.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists remove

Manage watchlist membership by removing individual users and/or groups.

Remove any of the following members from a watchlist with the corresponding options:

  • users
  • excluded-users
  • departments
  • directory-groups

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If removing more than 100 users or exclusions in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.

Usage:

watchlists remove [OPTIONS] WATCHLIST

Options:

  --actors FILENAME              List of actor IDs or actor names to remove
                                 from the watchlist. An additional lookup is
                                 performed if an actor name is passed.
                                 Argument can be passed as a comma-delimited
                                 string or from a CSV file with a single
                                 'actor' column if prefixed with '@', e.g.
                                 '--actors @actors.csv'. File should have a
                                 single 'actor' field.  File format can either
                                 be CSV or JSON Lines format, as specified
                                 with the --format option (Default is CSV).
  --excluded-actors FILENAME     List of actor IDs or actor names to remove
                                 from the watchlist. An additional lookup is
                                 performed if an actor name is passed.
                                 Argument can be passed as a comma-delimited
                                 string or from a CSV file with a single
                                 'actor' column if prefixed with '@', e.g.
                                 '--excluded-actors @actors.csv'. File should
                                 have a single 'actor' field.  File format can
                                 either be CSV or JSON Lines format, as
                                 specified with the --format option (Default
                                 is CSV).
  --departments TEXT             Comma-delimited string of department names to
                                 remove from the watchlist. Individual users
                                 from the departments will be added as
                                 watchlist members, where department
                                 information comes from SCIM or User Directory
                                 Sync.
  --directory-groups TEXT        Comma-delimited string of directory group IDs
                                 to remove from the watchlist. Individual
                                 users from the directory groups will be added
                                 as watchlist members, where group information
                                 comes from SCIM or User Directory Sync.
  --users FILENAME               DEPRECATED. Use --actors instead. List of
                                 included user IDs or usernames to remove from
                                 the watchlist. An additional lookup is
                                 performed if a username is passed. Argument
                                 can be passed as a comma-delimited string or
                                 as a file if prefixed with '@', e.g. '--users
                                 @users.csv'. File should have a single 'user'
                                 field.  File format can either be CSV or JSON
                                 Lines format, as specified with the --format
                                 option (Default is CSV).
  --excluded-users FILENAME      DEPRECATED. Use --excluded-actors instead.
                                 List of excluded user IDs or usernames to
                                 remove from the watchlist. An additional
                                 lookup is performed if a username is passed.
                                 Argument can be passed as a comma-delimited
                                 string or as a file if prefixed with '@',
                                 e.g. '--users @users.csv'. File should have a
                                 single 'user' field.  File format can either
                                 be CSV or JSON Lines format, as specified
                                 with the --format option (Default is CSV).
  -f, --format [csv|json-lines]  Specify format of input file(s): 'csv' or
                                 'json-lines'. Defaults to 'csv'. Multiple
                                 input files must all be the same format.
  --log-stderr                   Enable logging to stderr.
  --log-file TEXT                Specify file path to write log output to.
  --log-level TEXT               Set level for Incydr client logging.
  --help                         Show this message and exit.

watchlists show

Show details for a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If using rich, outputs a summary of watchlist information and membership. This includes the following:

  • included_actors
  • excluded_actors
  • included_departments
  • included_directory_groups

Lists of actors are truncated to display only the first 25 members; use the list-included-actors and list-excluded-actors commands, respectively, to see more details.

If not using rich, outputs watchlist information in JSON without additional membership summary information.

Usage:

watchlists show [OPTIONS] WATCHLIST

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists update

Update a CUSTOM watchlist.

Usage:

watchlists update [OPTIONS] WATCHLIST_ID

Options:

  --title TEXT         Updated title for a CUSTOM watchlist.
  --description TEXT   Updated description for a CUSTOM watchlist.
  --clear-description  Clear the description on a CUSTOM watchlist.
  --log-stderr         Enable logging to stderr.
  --log-file TEXT      Specify file path to write log output to.
  --log-level TEXT     Set level for Incydr client logging.
  --help               Show this message and exit.