Models

Note

Incydr SDK's Pydantic models default to snake_case for all field attribute names for consistency, and by default will convert names to the casing expected by the API endpoint when serializing the data using the model's .json() and .dict() methods.

For example, if the server returns a response with a JSON key of createdAt, the value will be accessible on the model via Model.created_at, but calling Model.json() will output with a key of createdAt so the data can be used in further requests.

Fields where a transformation has been applied are marked with json_alias=<aliasName> below.

See the Pydantic documentation for the full list of available model methods.

Alerts


AlertDetails model

class incydr.models.AlertDetails(*, tenantId, type, id=None, createdAt, state, stateLastModifiedBy=None, stateLastModifiedAt=None, name=None, description=None, actor=None, actorId=None, target=None, severity=None, riskSeverity=None, ruleId=None, watchlists=None, observations=None, note=None, **extra_data)

A model representing the full details of an alert. Includes all the fields from AlertSummary plus file event observations (the events that triggered the alert), and any notes that have been added to the alert.

Fields:

  • observations: List[Observation] List of observed file events that triggered the alert.
  • note: str Most recent note added to the alert.

AlertSummary model

class incydr.models.AlertSummary(*, tenantId, type, id=None, createdAt, state, stateLastModifiedBy=None, stateLastModifiedAt=None, name=None, description=None, actor=None, actorId=None, target=None, severity=None, riskSeverity=None, ruleId=None, watchlists=None, **extra_data)

A model representing an alert summary.

Fields:

  • tenant_id: str The unique identifier representing the tenant.
  • type: RuleType Rule type that generated the alert.
  • id: str The unique id of the alert.
  • created_at: datetime The timestamp when the alert was created.
  • state: AlertState The current state of the alert.
  • state_last_modified_by: str The actor who last modified the alert state.
  • state_last_modified_at: datetime The timestamp when the alert state was last modified.
  • name: str The name of the alert. Same as the name of the rule that triggered it.
  • description: str The description of the alert. Same as the description of the rule that triggered it.
  • actor: str The user who triggered the alert.
  • actor_id: str The user id who triggered the alert, if it is available.
  • target: str Unused legacy property.
  • severity: AlertSeverity Indicates static rule severity of the alert. (Deprecated)
  • risk_severity: RiskSeverity Indicates event risk severity of the alert.
  • rule_id: str The unique id corresponding to the rule which triggered the alert.
  • watchlists: str Watchlists the actor is on at the time of the alert (if any).

AlertQueryPage model

class incydr.models.AlertQueryPage(*, type, alerts=None, totalCount, problems=None, **extra_data)

A model representing a page of AlertSummary objects resulting from an alert search query.

Fields:

  • alerts: List[AlertSummary] List of alerts found by the query.
  • total_count: int The count of alerts found.
  • problems: List[QueryProblem] Potential issues that were hit while trying to run the query.

Alert Rules


RuleUser model

class incydr.models.RuleUser(*, userIdFromAuthority=None, aliases=None, **extra_data)

A model representing a user assigned to a rule.

Fields:

  • user_id_from_authority: str - A unique Code42 user ID.
  • user_alias_list: List[str] - List of user aliases associated with the user.

RuleUsersList model

class incydr.models.RuleUsersList(*, id=None, users=None, mode=None, **extra_data)

A model representing a list of users associated with a rule, as well as the rule's configuration mode to INCLUDE or EXCLUDE those users.

Fields:

  • id: str - Unique ID of the rule.
  • users: List[RuleUser] - A list of users in the rule's username filter.
  • mode: str - Indicates how to filter on the user list. Specifies whether to INCLUDE or EXCLUDE the listed users from the rule.

RuleDetails model

class incydr.models.RuleDetails(*, name=None, description=None, severity=None, isEnabled=None, source=None, notifications=None, education=None, vectors=None, filters=None, id=None, createdAt=None, createdBy=None, modifiedAt=None, modifiedBy=None, isSystemRule=None, **extra_data)

Audit Log


AuditEventsPage model

class incydr.models.AuditEventsPage(*, events=None, paginationRangeEndIndex=None, paginationRangeStartIndex=None, **extra_data)

A model representing a page of audit events.

Fields:

  • events: List[Dict[Optional[str], Optional[str]]] A list of zero or more events matching the given criteria. Each event is represented as a dictionary of property names associated with that event. These fields may differ from event to event.
  • pagination_range_end_index: int The index of the last result returned, in relation to total results found.
  • pagination_range_start_index: int The index of the first result returned, in relation to total results found.

Cases


Case model

class incydr.models.Case(*, number=None, name=None, createdAt=None, updatedAt=None, subject=None, subjectUsername=None, status, assignee=None, assigneeUsername=None, createdByUserUid=None, createdByUsername=None, lastModifiedByUserUid=None, lastModifiedByUsername=None, archivalTime=None, **extra_data)

A model representing an Incydr Case.

Fields:

  • number: int Unique numeric identifier for the case.
  • name: str Unique name given to the case.
  • created_at: datetime Time at which the case was created. json_alias=createdAt
  • updated_at: datetime | None Time at which the case was last updated. json_alias=updatedAt
  • subject: str | None The user UID of the subject being investigated in this case.
  • subject_username: str | None The username of the subject being investigated in this case. json_alias=subjectUsername
  • status: CaseStatus Indicates the status of the case. OPEN: The case is active and all aspects of the case are editable. CLOSED: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
  • assignee: str | None The user ID of the administrator assigned to investigate the case.
  • assignee_username: str | None The username of the administrator assigned to investigate the case. json_alias=assigneeUsername
  • created_by_user_id: str | None User UID of the user who created the case. json_alias=createdByUserUid
  • created_by_username: str | None Username of the user who created the case. json_alias=createdByUsername
  • last_modified_by_user_id: str | None User UID of the user who last modified the case. json_alias=lastModifiedByUserUid
  • last_modified_by_username: str | None Username of the user who last modified the case. json_alias=lastModifiedByUsername
  • archival_time: datetime Time at which the case will be archived.

CasesPage model

class incydr.models.CasesPage(*, cases, totalCount, **extra_data)

A model representing a page of Case objects.

Fields:

  • cases: List[Case] The list of n number of cases retrieved from the query, where n=page_size.
  • total_count: int Total count of cases found by the query.

CaseFileEvents model

class incydr.models.CaseFileEvents(*, events=None, totalCount=None, **extra_data)

A model representing file events associated with a case.

Fields:

  • events: List[FileEvent] - List of events in the response.
  • total_count: int - Total number of events associated with the case.

Customer


Customer model

class incydr.models.Customer(*, name=None, registrationKey=None, tenantId=None, **extra_data)

A model providing details of an Incydr customer account.

Fields:

  • name: str The Code42 account name.
  • registration_key: str The Code42 registration key (primarily for licensing purposes).
  • tenant_id: str The unique identifier for the account within Code42.

Departments


DepartmentsPage model

class incydr.models.DepartmentsPage(*, departments=None, totalCount=None, **extra_data)

A model representing a list of departments.

Fields:

  • departments: List[str] - The list of n department names retrieved by the query, where n=page_size.
  • total_count: int - Total count of departments retrieved by the query.

Devices


Device model

class incydr.models.Device(*, deviceId=None, legacyDeviceId=None, name=None, osHostname=None, status=None, active=None, blocked=None, alertState=None, userId=None, legacyUserId=None, orgId=None, legacyOrgId=None, orgGuid=None, externalReferenceInfo=None, notes=None, lastConnected=None, osVersion=None, osArch=None, address=None, remoteAddress=None, timeZone=None, version=None, build=None, creationDate=None, modificationDate=None, loginDate=None, **extra_data)

A model representing a device.

Fields:

  • device_id: str - The globally unique ID (guid) for this device.
  • legacy_device_id: str - The device ID to use for older console-based APIs that require a device ID.
  • name: str - The device name.
  • os_hostname: str - The device hostname according to the device's OS.
  • status: str - The device status. One of [Active, Deactivated, Blocked, Deauthorized] (Active/Deactivated followed by optional Blocked and/or Deauthorized).
  • active: bool - Whether or not the device is active. If true, the device will show up on reports, etc.
  • blocked: bool - Whether or not the device is blocked. If true, restores and logins are disabled.
  • alert_state: int - The device's alert state. One of [0=ok, 1=connection warning, 2=connection critical].
  • user_id: str - The globally unique ID for this user.
  • legacy_user_id: str - The user ID to use for older console-based APIs that require a user ID.
  • org_id: str - An ID for the Code42 organization of the user owning this device.
  • legacy_org_id: str - The org ID to use for older console-based APIs that require an org ID.
  • org_guid: str - The globally unique org ID. This is the org identifier that should be used for all org-related API actions.
  • external_reference: str - Optional external reference information, such as a serial number, asset tag, employee ID, or help desk issue ID.
  • notes: str - Optional descriptive information for the device.
  • last_connected: datetime - The last day and time this device was connected to the server.
  • os_name: str - The device's operating system name. Ex: Windows, Mac OS X, Linux, Android, iOS, SunOS, etc.
  • os_version: str - The device's operating system version. Ex: 10.5.1, 6.2, etc.
  • address: str - The device's internal IP address and port. Ex: 192.168.42.1:4282
  • remote_address: str - The device's external IP address and port. Example: 171.22.110.41:13958
  • time_zone: str - The device's time zone. Ex: Asia/Calcutta
  • version: str - The device product display version.
  • build: int - The device build version long number, will only be applicable to CP4/SP devices.
  • creation_date: datetime - The date and time this device was created.
  • modification_date: datetime - The date and time this device was last modified.
  • login_date: datetime - The date and time this device was last logged in.

DevicesPage model

class incydr.models.DevicesPage(*, totalCount=None, devices=None, **extra_data)

A model representing a page of Device objects.

Fields:

  • devices: List[Device] - The list of n number of devices retrieved from the query, where n=page_size.
  • total_count: int - Total count of devices found by query.

Directory Groups


DirectoryGroup model

class incydr.models.DirectoryGroup(*, groupId=None, name=None, **extra_data)

DirectoryGroupsPage model

class incydr.models.DirectoryGroupsPage(*, directoryGroups=None, totalCount=None, **extra_data)

A model representing a list of directory groups.

Fields:

  • directory_groups: List[DirectoryGroup] - The list of n directory groups retrieved by the query, where n=page_size.
  • total_count: int - Total count of directory groups retrieved by the query.

File Events


FileEvent model

class incydr.models.FileEventV2(*, timestamp=None, destination=None, event=None, file=None, process=None, report=None, risk=None, source=None, user=None, git=None, **extra_data)

Fields:

  • timestamp: - The date and time that the Code42 service on the device detected the event. This timestamp is based on the device's system clock and reported in Coordinated Universal Time (UTC).
  • destination: Destination - A [Destination] object containing metadata about the destination of the file event.
  • event: Event - An [Event] object containing summary information about the event.
  • file: File - A [File] object containing metadata about the file for this event.
  • process: Process - A [Process] object containing metadata about the process associated with the event.
  • report: Report - A [Report] object containing metadata for reports from 3rd party sources, such as Salesforce downloads.
  • risk: Risk - A [Risk] object containing metadata on risk factors associated with the event.
  • source: Source - A [Source] object containing metadata about the source of the file event.
  • user: User - A [User] object containing metadata attributes of the Code42 username signed in to the Code42 app on the device.
  • git: Git - A [Git] object containing git details for the event (if applicable).

FileEventsPage model

class incydr.models.FileEventsPage(*, fileEvents=None, nextPgToken=None, problems=None, totalCount=None, **extra_data)

A model representing a page of FileEventV2 objects.

Fields:

  • file_events: List[FileEventV2] - The list of n number of file events retrieved from the query, where n=pg_size.
  • next_pg_token: str - The pgToken value from another request to indicate the starting point of the next page of results. nextPgToken is null if there are no more results or if pgToken was not supplied.
  • problems: List[QueryProblem] - List of problems in the request. A problem with a search request could be an invalid filter value, an operator that can't be used on a term, etc.
  • total_count: int - Total count of file events found by the query.

SavedSearch model

class incydr.models.SavedSearch(*, apiVersion=None, columns=None, createdByUID=None, createdByUsername=None, creationTimestamp=None, groupClause=None, groups=None, id=None, modifiedByUID=None, modifiedByUsername=None, modifiedTimestamp=None, name=None, notes=None, srtDir=None, srtKey=None, **extra_data)

A model representing a saved search.

Fields:

  • api_version: int - The version of the API used to create the search.
  • columns: List[str] - The list of columns to be displayed in the web app for the search.
  • created_by_uid: str - The ID of the user who created the saved search.
  • created_by_username: str - The username of the user who created the saved search.
  • creation_timestamp: datetime - The time at which the saved search was created.
  • group_clause: GroupClause - AND or OR. Grouping clause for any specified groups. Defaults to AND.
  • groups: List[SearchFilterGroup] - One or more FilterGroups to be combined in a query.
  • id: str - The ID for the saved search.
  • modified_by_uid: str - The ID of the user who last modified the saved search.
  • modified_by_username: str - The username of the user who last modified the saved search.
  • modified_timestamp: datetime - The time at which the saved search was last modified.
  • name: str - The name given to the saved search.
  • notes: str - Optional notes about the search.
  • srt_dir: SortDirection - asc or desc. The direction in which to sort the response based on the corresponding key. Defaults to 'asc'.
  • srt_key: str - One or more values on which the response will be sorted. Defaults to event ID.

Roles


Role model

class incydr.models.Role(*, roleId=None, roleName=None, creationDate=None, modificationDate=None, permissions=None, **extra_data)

A model representing a role.

Fields:

  • role_id: str - A role ID.
  • role_name: str - A role name.
  • modification_date: str - The date and time this role for the user was last modified.
  • creation_date: str - The date and time this role for the user was created.
  • permission_ids: str - The permission IDs associated with this role.

UpdateRolesResponse model

class incydr.models.UpdateRolesResponse(*, processedReplacementRoleIds=None, newlyAssignedRolesIds=None, unassignedRolesIds=None, ignoredRolesIds=None, **extra_data)

A model representing the response to updating a user's role.

Fields:

  • processed_replacement_role_ids: List[str] - The role IDs processed.
  • newly_assigned_roles_ids: List[str] - The role IDs newly assigned to the user.
  • unassigned_roles_ids: List[str] - The role IDs unassigned from the user.
  • ignored_roles_ids: List[str] - The role IDs ignored.

Trusted Activities


TrustedActivity model

class incydr.models.TrustedActivity(*, activityActionGroups=None, activityId=None, isHighValueSource=None, description=None, principalType=None, type=None, updateTime=None, updatedByPrincipalId=None, updatedByPrincipalName=None, value=None, **extra_data)

A model representing a TrustedActivity.

Fields:

  • activity_action_groups: List[ActivityActionGroup] The list of activity actions associated with the activity.
  • activity_id: str The unique identifier of the trusted activity.
  • description: str A description of the trusted activity.
  • principal_type: PrincipalType | None
  • activity_type: ActivityType | None The type of the trusted activity.
  • update_time: datetime | None The time at which the trusted activity was last created or modified.
  • updated_by_principal_id: str | None The unique identifier of the user who last updated the trusted activity.
  • updated_by_principal_name: str | None The username of the user who last updated the trusted activity.
  • value: str The value of the trusted activity.

TrustedActivitiesPage model

class incydr.models.TrustedActivitiesPage(*, totalCount=None, trustedActivities=None, **extra_data)

A model representing a page of TrustedActivity objects.

Fields:

  • total_count: int Total count of trusted activities found by the query.
  • trusted_activities: List[TrustedActivity] The list of trusted activities retrieved from the query.

Users


User model

class incydr.models.User(*, deviceUid=None, email=None, id=None, **extra_data)

UsersPage model

class incydr.models.UsersPage(*, users=None, totalCount=None, **extra_data)

A model representing a page of User objects.

Fields:

  • users: List[User] - The list of n number of users retrieved from the query, where n=page_size.
  • total_count: int - Total count of users found by query.

User Risk Profiles


UserRiskProfile model

class incydr.models.UserRiskProfile(*, active=None, cloudAliases=None, country=None, deleted=None, department=None, displayName=None, division=None, employmentType=None, endDate=None, locality=None, managerDisplayName=None, managerId=None, managerUsername=None, notes=None, region=None, startDate=None, supportUser=None, tenantId=None, title=None, userId=None, username=None, **extra_data)

A model representing a user risk profile.

Fields:

  • active: bool - Whether the user is active.
  • cloud_alias: List[str] - List of cloud aliases for the user.
  • country: str - The user's country.
  • deleted: bool - Whether the user has been deleted.
  • department: str - The user's department.
  • display_name: str - The user's display name.
  • division: str - The user's division.
  • employment_type: str - The user's employment type.
  • end_date: Date - Departure date for the user.
  • locality: str - The user's locality (city).
  • manager_display_name: str - The user's manager's display name.
  • manager_id: str - Unique user ID of the user's manager.
  • manager_username: str - The Code42 username of the user's manager.
  • notes: str - Additional notes about the user.
  • region: str - The user's region (state).
  • start_date: Date - Starting date for the user.
  • support_user: bool - Whether the user is a support user.
  • tenant_id: str - Unique tenant ID.
  • title: str - The user's job title.
  • user_id: str - Unique user ID.
  • username: str - User's Code42 username.

UserRiskProfilesPage model

class incydr.models.UserRiskProfilesPage(*, totalCount=None, userRiskProfiles=None, **extra_data)

A model representing a page of UserRiskProfile objects.

Fields:

  • total_count: int The total count of all user risk profiles.
  • user_risk_profiles: List[UserRiskProfile] The list of n number of user risk profiles retrieved from the query, where n=page_size.

Watchlists


Watchlist model

class incydr.models.Watchlist(*, description=None, listType, stats=None, tenantId=None, title=None, watchlistId=None, **extra_data)

A model representing an Incydr Watchlist.

Fields:

  • description: str - Optional description for a custom watchlist.
  • list_type: WatchlistType - The watchlist type.
  • stats: WatchlistStats - Watchlist membership information. Includes included_user_count, included_department_count, included_directory_groups_count, and excluded_users_count.
  • tenant_id: str - A unique tenant ID.
  • title: str - Title for a custom watchlist.
  • watchlist_id: str - A unique watchlist ID.

WatchlistsPage model

class incydr.models.WatchlistsPage(*, totalCount=None, watchlists=None, **extra_data)

A model representing a page of Watchlist objects.

Fields:

  • total_count: int - Total count of watchlists found by the query.
  • watchlists: List[Watchlist] - The list of n number of watchlists retrieved from the query, where n=page_size.

WatchlistUser model

class incydr.models.WatchlistUser(*, addedTime=None, userId=None, username=None, **extra_data)

A model representing a user who is associated with a watchlist.

Fields:

  • added_time: datetime - The time the user was associated with the watchlist.
  • user_id: str - Unique user ID.
  • username: str - Username.

WatchlistMembersList model

class incydr.models.WatchlistMembersList(*, totalCount=None, watchlistMembers=None, **extra_data)

A model representing a list of watchlist members. Watchlist members are users who are on a list, whether it is because they are individually included, or because they are part of a department or directory group that is included.

Fields:

  • watchlist_members: List[WatchlistUser] - The list of watchlist members.
  • total_count: int - Total count of members on the watchlist.

IncludedUsersList model

class incydr.models.IncludedUsersList(*, includedUsers=None, totalCount=None, **extra_data)

A model representing a list of users included on a watchlist. Included users are those that have been individually included on that list.

Fields:

  • included_users: List[WatchlistUser] - The list of included users.
  • total_count: int - The total count of all included users.

ExcludedUsersList model

class incydr.models.ExcludedUsersList(*, excludedUsers=None, totalCount=None, **extra_data)

A model representing a list of users excluded from a watchlist. Excluded users are those that have been individually excluded from that list.

Fields:

  • excluded_users: List[WatchlistUser] - The list of excluded users.
  • total_count: int

IncludedDepartmentsList model

class incydr.models.IncludedDepartmentsList(*, includedDepartments=None, totalCount=None, **extra_data)

A model representing a list of departments included on a watchlist.

Fields:

  • included_departments: List[IncludedDepartment] - The list of included departments.
  • total_count: int - The total count of all included departments.

IncludedDepartment model

class incydr.models.IncludedDepartment(*, addedTime=None, name=None, **extra_data)

A model representing a department included on a watchlist.

Fields:

  • added_time: datetime - The time the department was included on the watchlist.
  • name: str - Department name. Example: "Engineering".

IncludedDirectoryGroupsList model

class incydr.models.IncludedDirectoryGroupsList(*, includedDirectoryGroups=None, totalCount=None, **extra_data)

A model representing a list of directory groups included on a watchlist.

Fields:

  • included_directory_groups: List[IncludedDirectoryGroup] - The list of included directory groups.
  • total_count: int - The total count of all included directory groups.

IncludedDirectoryGroup model

class incydr.models.IncludedDirectoryGroup(*, addedTime=None, groupId=None, isDeleted=None, name=None, **extra_data)

A model representing a directory group included on a watchlist.

Fields:

  • added_time: datetime - The time the directory group was included on the watchlist.
  • group_id: str - A unique group ID for the directory group.
  • is_deleted: bool - Whether the included group was deleted by the directory provider but still referenced by the watchlist.
  • name: str - The name of the directory group. Example: "Research and Development".