Skip to content

Watchlist Commands

watchlists

View and manage watchlists.

After creation, Watchlists can be managed by type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be managed by title or ID.

The following values are valid watchlist types:

* CONTRACT_EMPLOYEE
* DEPARTING_EMPLOYEE
* ELEVATED_ACCESS_PRIVILEGES
* FLIGHT_RISK
* HIGH_IMPACT_EMPLOYEE
* NEW_EMPLOYEE
* PERFORMANCE_CONCERNS
* POOR_SECURITY_PRACTICES
* SUSPICIOUS_SYSTEM_ACTIVITY
* CUSTOM

Usage:

watchlists [OPTIONS] COMMAND [ARGS]...

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists add

Manage watchlist membership by including or excluding individual users and/or groups.

Add any of the following members to a watchlist with the corresponding options:

  • users
  • excluded-users
  • departments
  • directory-groups

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If adding or excluding more than 100 users in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.

Usage:

watchlists add [OPTIONS] WATCHLIST

Options:

  --users FILENAME               List of user IDs or usernames to include on
                                 the watchlist. An additional lookup is
                                 performed if a username is passed. Argument
                                 can be passed as a comma-delimited string or
                                 from a CSV file with a single 'user' column
                                 if prefixed with '@', e.g. '--users
                                 @users.csv'.
  --excluded-users FILENAME      List of user IDs or usernames to exclude from
                                 the watchlist. An additional lookup is
                                 performed if a username is passed. Argument
                                 can be passed as a comma-delimited string or
                                 from a CSV file with a single 'user' column
                                 if prefixed with '@', e.g. '--users
                                 @users.csv'.
  --departments TEXT             Comma-delimited string of department names to
                                 include on the watchlist. Individual users
                                 from the departments will be added as
                                 watchlist members, where department
                                 information comes from SCIM or User Directory
                                 Sync.
  --directory-groups TEXT        Comma-delimited string of directory group IDs
                                 to include on the watchlist. Individual users
                                 from the directory groups will be added as
                                 watchlist members, where group information
                                 comes from SCIM or User Directory Sync.
  -f, --format [csv|json-lines]  Specify format of input file(s): 'csv' or
                                 'json-lines'. Defaults to 'csv'. Multiple
                                 input files must all be the same format.
  --log-stderr                   Enable logging to stderr.
  --log-file TEXT                Specify file path to write log output to.
  --log-level TEXT               Set level for Incydr client logging.
  --help                         Show this message and exit.

watchlists create

Create a new watchlist.

Where WATCHLIST_TYPE is of the following:

  • CONTRACT_EMPLOYEE
  • DEPARTING_EMPLOYEE
  • ELEVATED_ACCESS_PRIVILEGES
  • FLIGHT_RISK
  • HIGH_IMPACT_EMPLOYEE
  • NEW_EMPLOYEE
  • PERFORMANCE_CONCERNS
  • POOR_SECURITY_PRACTICES
  • SUSPICIOUS_SYSTEM_ACTIVITY
  • CUSTOM

The --title (required) and --description (optional) options are exclusively for creating CUSTOM watchlists.

Usage:

watchlists create [OPTIONS] WATCHLIST_TYPE

Options:

  --title TEXT        Required title for a CUSTOM watchlist.
  --description TEXT  Optional description for a CUSTOM watchlist.
  --log-stderr        Enable logging to stderr.
  --log-file TEXT     Specify file path to write log output to.
  --log-level TEXT    Set level for Incydr client logging.
  --help              Show this message and exit.

watchlists delete

Delete a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists delete [OPTIONS] WATCHLIST

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists list

List watchlists.

Usage:

watchlists list [OPTIONS]

Options:

  --user TEXT               Filter by watchlists where the user is a member.
                            Accepts a user ID or a username.  Performs an
                            additional lookup if a username is passed
  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-departments

List departments included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-departments [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-directory-groups

List directory groups included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-directory-groups [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-excluded-users

List users excluded from a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-excluded-users [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-included-users

List users explicitly included on a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-included-users [OPTIONS] WATCHLIST

Options:

  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists list-members

List members of a watchlist.

A member may have been added as an included user, or is a member of an included department, etc.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

Usage:

watchlists list-members [OPTIONS] WATCHLIST

Options:

  --columns TEXT            Comma-delimited string of column names. Nested
                            values should be specified in dot-notation. Limits
                            output to contain only the specified columns in
                            CSV or Table format.  Ignored for JSON output
                            formats.
  -f, --format TABLEFORMAT  Format to print result. One of 'table', 'json-
                            pretty', 'json-lines', or 'csv. If environment has
                            INCYDR_USE_RICH=false set, defaults to 'json-
                            lines', else defaults to 'table'.
  --log-stderr              Enable logging to stderr.
  --log-file TEXT           Specify file path to write log output to.
  --log-level TEXT          Set level for Incydr client logging.
  --help                    Show this message and exit.

watchlists remove

Manage watchlist membership by removing individual users and/or groups.

Remove any of the following members from a watchlist with the corresponding options:

  • users
  • excluded-users
  • departments
  • directory-groups

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If removing more than users or exclusions in a single run, the CLI will automatically batch requests due to a limit of 100 per request on the backend.

Usage:

watchlists remove [OPTIONS] WATCHLIST

Options:

  --users FILENAME               List of included user IDs or usernames to
                                 remove from the watchlist. An additional
                                 lookup is performed if a username is
                                 passed.Argument can be passed as a comma-
                                 delimited string or as a file if prefixed
                                 with '@', e.g. '--users @users.csv'. File
                                 should have a single 'user' field.  File
                                 format can either be CSV or JSON Lines
                                 format, as specified with the --format option
                                 (Default is CSV).
  --excluded-users FILENAME      List of excluded user IDs or usernames to
                                 remove from the watchlist. An additional
                                 lookup is performed if a username is passed.
                                 Argument can be passed as a comma-delimited
                                 string or as a file if prefixed with '@',
                                 e.g. '--users @users.csv'. File should have a
                                 single 'user' field.  File format can either
                                 be CSV or JSON Lines format, as specified
                                 with the --format option (Default is CSV).
  --departments TEXT             Comma-delimited string of department names to
                                 remove from the watchlist. Individual users
                                 from the departments will be added as
                                 watchlist members, where department
                                 information comes from SCIM or User Directory
                                 Sync.
  --directory-groups TEXT        Comma-delimited string of directory group IDs
                                 to remove from the watchlist. Individual
                                 users from the directory groups will be added
                                 as watchlist members, where group information
                                 comes from SCIM or User Directory Sync.
  -f, --format [csv|json-lines]  Specify format of input file(s): 'csv' or
                                 'json-lines'. Defaults to 'csv'. Multiple
                                 input files must all be the same format.
  --log-stderr                   Enable logging to stderr.
  --log-file TEXT                Specify file path to write log output to.
  --log-level TEXT               Set level for Incydr client logging.
  --help                         Show this message and exit.

watchlists show

Show details for a watchlist.

WATCHLIST can be specified by watchlist type (ex: DEPARTING_EMPLOYEE) or ID. CUSTOM watchlists must be specified by title or ID.

If using rich, outputs a summary of watchlist information and membership. This includes the following:

  • included_users
  • excluded_users
  • included_departments
  • included_directory_groups

Lists of users will be truncated to only display the first 25 members, use the list-included-users and list-excluded-users commands respectively to see more details.

If not using rich, outputs watchlist information in JSON without additional membership summary information.

Usage:

watchlists show [OPTIONS] WATCHLIST

Options:

  --log-stderr      Enable logging to stderr.
  --log-file TEXT   Specify file path to write log output to.
  --log-level TEXT  Set level for Incydr client logging.
  --help            Show this message and exit.

watchlists update

Update a CUSTOM watchlist.

Usage:

watchlists update [OPTIONS] WATCHLIST_ID

Options:

  --title TEXT         Updated title for a CUSTOM watchlist.
  --description TEXT   Updated description for a CUSTOM watchlist.
  --clear-description  Clear the description on a CUSTOM watchlist.
  --log-stderr         Enable logging to stderr.
  --log-file TEXT      Specify file path to write log output to.
  --log-level TEXT     Set level for Incydr client logging.
  --help               Show this message and exit.