Watchlist Commands
watchlists
View and manage watchlists.
After creation, Watchlists can be managed by type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be managed by title or ID.
The following values are valid watchlist types:
* CONTRACT_EMPLOYEE
* DEPARTING_EMPLOYEE
* ELEVATED_ACCESS_PRIVILEGES
* FLIGHT_RISK
* HIGH_IMPACT_EMPLOYEE
* NEW_EMPLOYEE
* PERFORMANCE_CONCERNS
* POOR_SECURITY_PRACTICES
* SUSPICIOUS_SYSTEM_ACTIVITY
* CUSTOM
Usage:
watchlists [OPTIONS] COMMAND [ARGS]...
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists add
Manage watchlist membership by including or excluding individual actors and/or groups.
Add any of the following members to a watchlist with the corresponding options:
- actors
- excluded-actors
- departments
- directory-groups
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If adding or excluding more than 100 actors in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.
Usage:
watchlists add [OPTIONS] WATCHLIST
Options:
--actors FILENAME List of actor IDs or actor names to include
on the watchlist. An additional lookup is
performed if an actor name is passed.
Argument can be passed as a comma-delimited
string or from a CSV file with a single
'actor' column if prefixed with '@', e.g.
'--actors @actors.csv'.
--excluded-actors FILENAME List of actor IDs or actor names to exclude
from the watchlist. An additional lookup is
performed if an actor name is passed.
Argument can be passed as a comma-delimited
string or from a CSV file with a single
'actor' column if prefixed with '@', e.g.
'--excluded-actors @actors.csv'.
--departments TEXT Comma-delimited string of department names to
include on the watchlist. Individual users
from the departments will be added as
watchlist members, where department
information comes from SCIM or User Directory
Sync.
--directory-groups TEXT Comma-delimited string of directory group IDs
to include on the watchlist. Individual users
from the directory groups will be added as
watchlist members, where group information
comes from SCIM or User Directory Sync.
--users FILENAME DEPRECATED. Use --actors instead. List of
user IDs or usernames to include on the
watchlist. An additional lookup is performed
if a username is passed. Argument can be
passed as a comma-delimited string or from a
CSV file with a single 'user' column if
prefixed with '@', e.g. '--users @users.csv'.
--excluded-users FILENAME DEPRECATED. Use --excluded-actors instead.
List of user IDs or usernames to exclude from
the watchlist. An additional lookup is
performed if a username is passed. Argument
can be passed as a comma-delimited string or
from a CSV file with a single 'user' column
if prefixed with '@', e.g. '--users
@users.csv'.
-f, --format [csv|json-lines] Specify format of input file(s): 'csv' or
'json-lines'. Defaults to 'csv'. Multiple
input files must all be the same format.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists create
Create a new watchlist.
Where WATCHLIST_TYPE is one of the following:
* CONTRACT_EMPLOYEE
* DEPARTING_EMPLOYEE
* ELEVATED_ACCESS_PRIVILEGES
* FLIGHT_RISK
* HIGH_IMPACT_EMPLOYEE
* NEW_EMPLOYEE
* PERFORMANCE_CONCERNS
* POOR_SECURITY_PRACTICES
* SUSPICIOUS_SYSTEM_ACTIVITY
* CUSTOM
The --title (required) and --description (optional) options are exclusively for creating CUSTOM watchlists.
Usage:
watchlists create [OPTIONS] WATCHLIST_TYPE
Options:
--title TEXT Required title for a CUSTOM watchlist.
--description TEXT Optional description for a CUSTOM watchlist.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists delete
Delete a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists delete [OPTIONS] WATCHLIST
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list
List watchlists.
Usage:
watchlists list [OPTIONS]
Options:
--actor TEXT Filter by watchlists where the actor is a member.
Accepts an actor ID or actor name. Performs an
additional lookup if an actor name is passed.
--user TEXT DEPRECATED. Use --actor instead. Filter by
watchlists where the user is a member. Accepts a
user ID or a username. Performs an additional
lookup if a username is passed.
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-departments
List departments included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-departments [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-directory-groups
List directory groups included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-directory-groups [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-excluded-actors
List actors excluded from a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-excluded-actors [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-excluded-users
DEPRECATED. List users excluded from a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-excluded-users [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-included-actors
List actors explicitly included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-included-actors [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-included-users
DEPRECATED. List users explicitly included on a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-included-users [OPTIONS] WATCHLIST
Options:
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists list-members
List members of a watchlist.
A member may have been added as an included user, or may be a member of an included department, etc.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
Usage:
watchlists list-members [OPTIONS] WATCHLIST
Options:
--columns TEXT Comma-delimited string of column names. Nested
values should be specified in dot-notation. Limits
output to contain only the specified columns in
CSV or Table format. Ignored for JSON output
formats.
-f, --format TABLEFORMAT Format to print result. One of 'table',
'json-pretty', 'json-lines', or 'csv'. If environment has
INCYDR_USE_RICH=false set, defaults to 'json-lines',
else defaults to 'table'.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists remove
Manage watchlist membership by removing individual users and/or groups.
Remove any of the following members from a watchlist with the corresponding options:
- users
- excluded-users
- departments
- directory-groups
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If removing more than 100 users or exclusions in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.
Usage:
watchlists remove [OPTIONS] WATCHLIST
Options:
--actors FILENAME List of actor IDs or actor names to remove
from the watchlist. An additional lookup is
performed if an actor name is passed.
Argument can be passed as a comma-delimited
string or from a CSV file with a single
'actor' column if prefixed with '@', e.g.
'--actors @actors.csv'. File should have a
single 'actor' field. File format can either
be CSV or JSON Lines format, as specified
with the --format option (Default is CSV).
--excluded-actors FILENAME List of actor IDs or actor names to remove
from the watchlist. An additional lookup is
performed if an actor name is passed.
Argument can be passed as a comma-delimited
string or from a CSV file with a single
'actor' column if prefixed with '@', e.g.
'--excluded-actors @actors.csv'. File should
have a single 'actor' field. File format can
either be CSV or JSON Lines format, as
specified with the --format option (Default
is CSV).
--departments TEXT Comma-delimited string of department names to
remove from the watchlist. Individual users
from the departments will be added as
watchlist members, where department
information comes from SCIM or User Directory
Sync.
--directory-groups TEXT Comma-delimited string of directory group IDs
to remove from the watchlist. Individual
users from the directory groups will be added
as watchlist members, where group information
comes from SCIM or User Directory Sync.
--users FILENAME DEPRECATED. Use --actors instead. List of
included user IDs or usernames to remove from
the watchlist. An additional lookup is
performed if a username is passed. Argument
can be passed as a comma-delimited string or
as a file if prefixed with '@', e.g. '--users
@users.csv'. File should have a single 'user'
field. File format can either be CSV or JSON
Lines format, as specified with the --format
option (Default is CSV).
--excluded-users FILENAME DEPRECATED. Use --excluded-actors instead.
List of excluded user IDs or usernames to
remove from the watchlist. An additional
lookup is performed if a username is passed.
Argument can be passed as a comma-delimited
string or as a file if prefixed with '@',
e.g. '--users @users.csv'. File should have a
single 'user' field. File format can either
be CSV or JSON Lines format, as specified
with the --format option (Default is CSV).
-f, --format [csv|json-lines] Specify format of input file(s): 'csv' or
'json-lines'. Defaults to 'csv'. Multiple
input files must all be the same format.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
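A pre-flight check for the '@file' inputs accepted by --actors and --excluded-actors in watchlists add and watchlists remove, as an added example that is not part of the Incydr CLI or its documentation. It parses CSV or JSON Lines input, verifies the 'actor' field described above, and shows how many requests the 100-per-request limit implies; the function names, the de-duplication step and the sample values are assumptions made for illustration.

```python
import csv
import io
import json

BATCH_LIMIT = 100  # per-request backend limit stated in the docs above


def load_actors(text, fmt="csv"):
    """Parse the contents of an '@file' input and return actor values in order.

    fmt mirrors the CLI's -f/--format choices: 'csv' or 'json-lines'.
    Raises ValueError when a record has no usable 'actor' field.
    """
    if fmt == "csv":
        reader = csv.DictReader(io.StringIO(text))
        if "actor" not in (reader.fieldnames or []):
            raise ValueError("CSV input needs an 'actor' header column")
        rows = list(reader)
    elif fmt == "json-lines":
        rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    else:
        raise ValueError(f"unsupported format: {fmt!r}")

    actors, seen = [], set()
    for n, row in enumerate(rows, start=1):
        value = str(row.get("actor") or "").strip() if isinstance(row, dict) else ""
        if not value:
            raise ValueError(f"record {n} has no 'actor' value")
        if value not in seen:  # assumption: drop duplicates, keep first occurrence
            seen.add(value)
            actors.append(value)
    return actors


def batches(actors, size=BATCH_LIMIT):
    """Split actors into the request-sized chunks a bulk run would need."""
    return [actors[i:i + size] for i in range(0, len(actors), size)]


# Constructed sample inputs (not real actor IDs or names).
SAMPLE_CSV = "actor\n" + "\n".join(f"user{i}@example.com" for i in range(250)) + "\n"
SAMPLE_JSONL = '{"actor": "1001"}\n{"actor": "user1@example.com"}\n{"actor": "1001"}\n'

if __name__ == "__main__":
    actors = load_actors(SAMPLE_CSV)
    print(len(actors), "actors ->", [len(b) for b in batches(actors)], "per request")
    print(load_actors(SAMPLE_JSONL, fmt="json-lines"))
```

Running a check like this before a bulk change to a watchlist catches a wrong header (for example 'user' instead of 'actor') before any membership is modified.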
watchlists show
Show details for a watchlist.
WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID.
CUSTOM watchlists must be specified by title or ID.
If using rich, outputs a summary of watchlist information and membership. This includes the following:
- included_actors
- excluded_actors
- included_departments
- included_directory_groups
Lists of actors will be truncated to display only the first 25 members. Use the list-included-actors and list-excluded-actors commands respectively to see more details.
If not using rich, outputs watchlist information in JSON without additional membership summary information.
Usage:
watchlists show [OPTIONS] WATCHLIST
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
watchlists update
Update a CUSTOM watchlist.
Usage:
watchlists update [OPTIONS] WATCHLIST_ID
Options:
--title TEXT Updated title for a CUSTOM watchlist.
--description TEXT Updated description for a CUSTOM watchlist.
--clear-description Clear the description on a CUSTOM watchlist.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.