Watchlist Commands¶
watchlists¶
View and manage watchlists.
After creation, Watchlists can be managed by type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be managed by title or ID.
The following values are valid watchlist types:
* CONTRACT_EMPLOYEE
* DEPARTING_EMPLOYEE
* ELEVATED_ACCESS_PRIVILEGES
* FLIGHT_RISK
* HIGH_IMPACT_EMPLOYEE
* NEW_EMPLOYEE
* PERFORMANCE_CONCERNS
* POOR_SECURITY_PRACTICES
* SUSPICIOUS_SYSTEM_ACTIVITY
* CUSTOM
Usage:
watchlists [OPTIONS] COMMAND [ARGS]...
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists add¶
Manage watchlist membership by including or excluding individual users and/or groups.
Add any of the following members to a watchlist with the corresponding options:
- users
- excluded-users
- departments
- directory-groups
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If adding or excluding more than 100 users in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.
Usage:
watchlists add [OPTIONS] WATCHLIST
Options:
--users FILENAME List of user IDs or usernames to include on
the watchlist. An additional lookup is
performed if a username is passed. Argument
can be passed as a comma-delimited string or
from a CSV file with a single 'user' column
if prefixed with '@', e.g. '--users
@users.csv'.
--excluded-users FILENAME List of user IDs or usernames to exclude from
the watchlist. An additional lookup is
performed if a username is passed. Argument
can be passed as a comma-delimited string or
from a CSV file with a single 'user' column
if prefixed with '@', e.g. '--users
@users.csv'.
--departments TEXT Comma-delimited string of department names to
include on the watchlist. Individual users
from the departments will be added as
watchlist members, where department
information comes from SCIM or User Directory
Sync.
--directory-groups TEXT Comma-delimited string of directory group IDs
to include on the watchlist. Individual users
from the directory groups will be added as
watchlist members, where group information
comes from SCIM or User Directory Sync.
-f, --format [csv|json-lines] Specify format of input file(s): 'csv' or
'json-lines'. Defaults to 'csv'. Multiple
input files must all be the same format.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists create¶
Create a new watchlist.
Where WATCHLIST_TYPE is of the following:
CONTRACT_EMPLOYEEDEPARTING_EMPLOYEEELEVATED_ACCESS_PRIVILEGESFLIGHT_RISKHIGH_IMPACT_EMPLOYEENEW_EMPLOYEEPERFORMANCE_CONCERNSPOOR_SECURITY_PRACTICESSUSPICIOUS_SYSTEM_ACTIVITYCUSTOM
The --title (required) and --description (optional) options are exclusively for creating CUSTOM watchlists.
Usage:
watchlists create [OPTIONS] WATCHLIST_TYPE
Options:
--title TEXT Required title for a CUSTOM watchlist.
--description TEXT Optional description for a CUSTOM watchlist.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists delete¶
Delete a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists delete [OPTIONS] WATCHLIST
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list¶
List watchlists.
Usage:
watchlists list [OPTIONS]
Options:
--user TEXT Filter by watchlists where the user is a member.
Accepts a user ID or a username. Performs an
additional lookup if a username is passed
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-departments¶
List departments included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-departments [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-directory-groups¶
List directory groups included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-directory-groups [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-excluded-users¶
List users excluded from a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-excluded-users [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-included-users¶
List users explicitly included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-included-users [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-members¶
List members of a watchlist.
A member may have been added as an included user, or is a member of an included department, etc.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-members [OPTIONS] WATCHLIST
Options:
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
-f, --format TABLEFORMAT Format to print result. One of 'table', 'json-
pretty', 'json-lines', or 'csv. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-
lines', else defaults to 'table'.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists remove¶
Manage watchlist membership by removing individual users and/or groups.
Remove any of the following members from a watchlist with the corresponding options:
- users
- excluded-users
- departments
- directory-groups
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If removing more than users or exclusions in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.
Usage:
watchlists remove [OPTIONS] WATCHLIST
Options:
--users FILENAME List of included user IDs or usernames to
remove from the watchlist. An additional
lookup is performed if a username is
passed.Argument can be passed as a comma-
delimited string or as a file if prefixed
with '@', e.g. '--users @users.csv'. File
should have a single 'user' field. File
format can either be CSV or JSON Lines
format, as specified with the --format option
(Default is CSV).
--excluded-users FILENAME List of excluded user IDs or usernames to
remove from the watchlist. An additional
lookup is performed if a username is passed.
Argument can be passed as a comma-delimited
string or as a file if prefixed with '@',
e.g. '--users @users.csv'. File should have a
single 'user' field. File format can either
be CSV or JSON Lines format, as specified
with the --format option (Default is CSV).
--departments TEXT Comma-delimited string of department names to
remove from the watchlist. Individual users
from the departments will be added as
watchlist members, where department
information comes from SCIM or User Directory
Sync.
--directory-groups TEXT Comma-delimited string of directory group IDs
to remove from the watchlist. Individual
users from the directory groups will be added
as watchlist members, where group information
comes from SCIM or User Directory Sync.
-f, --format [csv|json-lines] Specify format of input file(s): 'csv' or
'json-lines'. Defaults to 'csv'. Multiple
input files must all be the same format.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists show¶
Show details for a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If using rich, outputs a summary of watchlist information and membership. This includes the following:
- included_users
- excluded_users
- included_departments
- included_directory_groups
Lists of users will be truncated to only display the first 25 members, use the list-included-users and list-excluded-users
commands respectively to see more details.
If not using rich, outputs watchlist information in JSON without additional membership summary information.
Usage:
watchlists show [OPTIONS] WATCHLIST
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists update¶
Update a CUSTOM watchlist.
Usage:
watchlists update [OPTIONS] WATCHLIST_ID
Options:
--title TEXT Updated title for a CUSTOM watchlist.
--description TEXT Updated description for a CUSTOM watchlist.
--clear-description Clear the description on a CUSTOM watchlist.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.