Models

Note

Incydr SDK's Pydantic models default to snake_case for all field attribute names for consistency, and by default will convert names to the casing expected by the API endpoint when serializing the data using the model's .json() and .dict() methods.

For example, if the server returns a response with a JSON key of createdAt, the value will be accessible on the model via Model.created_at, but calling Model.json() will output with a key of createdAt so the data can be used in further requests.

Fields where a transformation has been applied are marked with json_alias=<aliasName> below.

See the Pydantic documentation for the full list of available model methods.
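
The round trip described in the note, as an added example that is not code from the Incydr SDK. `AliasedModel`, `AlertRecord`, `round_trip` and the sample payload are hypothetical stand-ins that borrow a few `AlertSummary` field names, written against the Pydantic `.dict()` / `.json()` methods the note names.

```python
import json
from datetime import datetime
from typing import Optional

from pydantic import BaseModel, Field


class AliasedModel(BaseModel):
    """Hypothetical stand-in for the SDK's base model (assumption, not incydr code).

    Serializes with the API's alias names unless the caller asks otherwise.
    """

    def dict(self, *, by_alias: bool = True, **kwargs):
        return super().dict(by_alias=by_alias, **kwargs)

    def json(self, *, by_alias: bool = True, **kwargs):
        return super().json(by_alias=by_alias, **kwargs)


class AlertRecord(AliasedModel):
    """Constructed model using a few field names from AlertSummary."""

    tenant_id: str = Field(alias="tenantId")
    created_at: datetime = Field(alias="createdAt")
    risk_severity: Optional[str] = Field(None, alias="riskSeverity")
    state: str  # no alias needed: same name in both casings


# Constructed sample response body, not real tenant data.
SAMPLE_RESPONSE = {
    "tenantId": "tenant-0001",
    "createdAt": "2023-04-01T12:30:00Z",
    "riskSeverity": "HIGH",
    "state": "OPEN",
}


def round_trip(payload: dict) -> dict:
    """Parse an API-cased payload and report which key casing each view exposes."""
    alert = AlertRecord(**payload)  # input keys are matched by alias
    return {
        # Attribute access uses snake_case and yields a parsed datetime.
        "created_at": alert.created_at,
        # The camelCase name is not an attribute on the model.
        "has_camel_attr": hasattr(alert, "createdAt"),
        # Default serialization restores the API's casing.
        "api_keys": sorted(alert.dict()),
        # Opting out of aliases gives snake_case keys instead.
        "python_keys": sorted(alert.dict(by_alias=False)),
        "json_keys": sorted(json.loads(alert.json())),
    }


if __name__ == "__main__":
    for name, value in round_trip(SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
```

When exporting records to a log pipeline or SIEM, pick one casing and apply it to every record, since detections keyed on `createdAt` will not match records written with `created_at`.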

Agents

Agent model

incydr.models.Agent(*, agentId=None, name=None, userId=None, osHostname=None, osName=None, active=None, agentType=None, appVersion=None, productVersion=None, lastConnected=None, externalReference=None, creationDate=None, modificationDate=None, **extra_data)
A model representing an Incydr agent.

Fields:
- agent_id: str - The globally unique ID (guid) for this agent.
- name: str - The editable name of the agent.
- user_id: str - The unique ID of the user the agent is assigned to.
- os_hostname: str - The hostname reported by the OS the agent is running on.
- os_name: str - The name of the OS the agent is running on.
- active: bool - If the agent status is active.
- agent_type: AgentType - The type of agent.
- app_version: str - The app version of the agent.
- product_version: str - The product version of the agent.
- last_connected: datetime - The time the agent last connected to a Code42 Authority server.
- external_reference: str - Editable reference information (useful for identifying an agent in external systems).
- creation_date: datetime - The time the agent was first registered.
- modification_date: datetime - The time the agent's database entry was last updated.

AgentsPage model

incydr.models.AgentsPage(*, agents, totalCount, pageSize, page, **extra_data)
A model representing a page of Agents.

Fields:
- agents: List[Agent] - The list of agents returned from the query.
- total_count: int - Total number of agents found in query results.
- page_size: int - The maximum number of agents returned in query results page.
- page_num: int - The current page number of the query result set.

Alerts

AlertDetails model

incydr.models.AlertDetails(*, tenantId, type, id=None, createdAt, state, stateLastModifiedBy=None, stateLastModifiedAt=None, name=None, description=None, actor=None, actorId=None, target=None, severity=None, riskSeverity=None, ruleId=None, watchlists=None, observations=None, note=None, **extra_data)
A model representing the full details of an alert. Includes all the fields from AlertSummary plus file event observations (the events that triggered the alert), and any notes that have been added to the alert.

Fields:
- observations: List[Observation] - List of observed file events that triggered the alert.
- note: str - Most recent note added to the alert.

AlertSummary model

incydr.models.AlertSummary(*, tenantId, type, id=None, createdAt, state, stateLastModifiedBy=None, stateLastModifiedAt=None, name=None, description=None, actor=None, actorId=None, target=None, severity=None, riskSeverity=None, ruleId=None, watchlists=None, **extra_data)
A model representing an alert summary.

Fields:
- tenant_id: str - The unique identifier representing the tenant.
- type: RuleType - Rule type that generated the alert.
- id: str - The unique id of the alert.
- created_at: datetime - The timestamp when the alert was created.
- state: AlertState - The current state of the alert.
- state_last_modified_by: str - The actor who last modified the alert state.
- state_last_modified_at: datetime - The timestamp when the alert state was last modified.
- name: str - The name of the alert. Same as the name of the rule that triggered it.
- description: str - The description of the alert. Same as the description of the rule that triggered it.
- actor: str - The user who triggered the alert.
- actor_id: str - The user id who triggered the alert, if it is available.
- target: str - Unused legacy property.
- severity: AlertSeverity - Indicates static rule severity of the alert. (Deprecated)
- risk_severity: RiskSeverity - Indicates event risk severity of the alert.
- rule_id: str - The unique id corresponding to the rule which triggered the alert.
- watchlists: str - Watchlists the actor is on at the time of the alert (if any).

AlertQueryPage model

incydr.models.AlertQueryPage(*, type, alerts=None, totalCount, problems=None, **extra_data)
A model representing a page of AlertSummary objects resulting from an alert search query.

Fields:
- alerts: List[AlertSummary] - List of alerts found by the query.
- total_count: int - The count of alerts found.
- problems: List[QueryProblem] - Potential issues that were hit while trying to run the query.

Alert Rules

RuleUser model

incydr.models.RuleUser(*, userIdFromAuthority=None, aliases=None, **extra_data)
A model representing a user assigned to a rule.

Fields:
- user_id_from_authority: str - A unique Code42 user ID.
- user_alias_list: List[str] - List of user aliases associated with the user.

RuleUsersList model

incydr.models.RuleUsersList(*, id=None, users=None, mode=None, **extra_data)
A model representing a list of users associated with a rule, as well as the rule's configuration mode to INCLUDE or EXCLUDE those users.

Fields:
- id: str - Unique ID of the rule.
- users: List[RuleUser] - A list of users in the rule's username filter.
- mode: str - Indicates how to filter on the user list. Specifies whether to INCLUDE or EXCLUDE the listed users from the rule.

RuleDetails model

incydr.models.RuleDetails(*, name=None, description=None, severity=None, isEnabled=None, source=None, notifications=None, education=None, vectors=None, filters=None, id=None, createdAt=None, createdBy=None, modifiedAt=None, modifiedBy=None, isSystemRule=None, **extra_data)

Audit Log

AuditEventsPage model

incydr.models.AuditEventsPage(*, events=None, paginationRangeEndIndex=None, paginationRangeStartIndex=None, **extra_data)
A model representing a page of audit events.

Fields:
- events: List[Dict[Optional[str], Any]] - A list of zero or more events matching the given criteria. Each event is represented as a dictionary of property names associated with that event. These fields may differ from event to event.
- pagination_range_end_index: int - The index of the last result returned, in relation to total results found.
- pagination_range_start_index: int - The index of the first result returned, in relation to total results found.

Cases

Case model

incydr.models.Case(*, number=None, name=None, createdAt=None, updatedAt=None, subject=None, subjectUsername=None, status, assignee=None, assigneeUsername=None, createdByUserUid=None, createdByUsername=None, lastModifiedByUserUid=None, lastModifiedByUsername=None, archivalTime=None, **extra_data)
A model representing an Incydr Case.

Fields:
- number: int - Unique numeric identifier for the case.
- name: str - Unique name given to the case.
- created_at: datetime - Time at which the case was created. json_alias=createdAt
- updated_at: datetime | None - Time at which the case was last updated. json_alias=updatedAt
- subject: str | None - The user UID of the subject being investigated in this case.
- subject_username: str | None - The username of the subject being investigated in this case. json_alias=subjectUsername
- status: CaseStatus - Indicates the status of the case. OPEN: The case is active and all aspects of the case are editable. CLOSED: The case is resolved. Closed cases cannot be re-opened or modified. Case data for closed cases is retained indefinitely.
- assignee: str | None - The user ID of the administrator assigned to investigate the case.
- assignee_username: str | None - The username of the administrator assigned to investigate the case. json_alias=assigneeUsername
- created_by_user_id: str | None - User UID of the user who created the case. json_alias=createdByUserUid
- created_by_username: str | None - Username of the user who created the case. json_alias=createdByUsername
- last_modified_by_user_id: str | None - User UID of the user who last modified the case. json_alias=lastModifiedByUserUid
- last_modified_by_username: str | None - Username of the user who last modified the case. json_alias=lastModifiedByUsername
- archival_time: datetime - Time at which the case will be archived.

CasesPage model

incydr.models.CasesPage(*, cases, totalCount, **extra_data)
A model representing a page of Case objects.

Fields:
- cases: List[Case] - The list of n number of cases retrieved from the query, where n=page_size.
- total_count: int - Total count of cases found by the query.

CaseFileEvents model

incydr.models.CaseFileEvents(*, events=None, totalCount=None, **extra_data)
A model representing file events associated with a case.

Fields:
- events: List[FileEvent] - List of events in the response.
- total_count: int - Total number of events associated with the case.

Customer

Customer model

incydr.models.Customer(*, name=None, registrationKey=None, tenantId=None, **extra_data)
A model providing details of an Incydr customer account.

Fields:
- name: str - The Code42 account name.
- registration_key: str - The Code42 registration key (primarily for licensing purposes).
- tenant_id: str - The unique identifier for the account within Code42.

Departments

DepartmentsPage model

incydr.models.DepartmentsPage(*, departments=None, totalCount=None, **extra_data)
A model representing a list of departments.

Fields:
- departments: List[str] - The list of n department names retrieved by the query, where n=page_size.
- total_count: int - Total count of departments retrieved by the query.

Devices

Device model

incydr.models.Device(*, deviceId=None, legacyDeviceId=None, name=None, osHostname=None, status=None, active=None, blocked=None, alertState=None, userId=None, legacyUserId=None, orgId=None, legacyOrgId=None, orgGuid=None, externalReferenceInfo=None, notes=None, lastConnected=None, osVersion=None, osArch=None, address=None, remoteAddress=None, timeZone=None, version=None, build=None, creationDate=None, modificationDate=None, loginDate=None, **extra_data)
A model representing a device.

Fields:
- device_id: str - The globally unique ID (guid) for this device.
- legacy_device_id: str - The device ID to use for older console-based APIs that require a device ID.
- name: str - The device name.
- os_hostname: str - The device hostname according to the device's OS.
- status: str - The device status. One of [Active, Deactivated, Blocked, Deauthorized] (Active/Deactivated followed by optional Blocked and/or Deauthorized).
- active: bool - Whether or not the device is active. If true, the device will show up on reports, etc.
- blocked: bool - Whether or not the device is blocked. If true, restores and logins are disabled.
- alert_state: int - The device's alert state. One of [0=ok, 1=connection warning, 2=connection critical].
- user_id: str - The globally unique ID for this user.
- legacy_user_id: str - The user ID to use for older console-based APIs that require a user ID.
- org_id: str - An ID for the Code42 organization of the user owning this device.
- legacy_org_id: str - The org ID to use for older console-based APIs that require an org ID.
- org_guid: str - The globally unique org ID. This is the org identifier that should be used for all org-related API actions.
- external_reference: str - Optional external reference information, such as a serial number, asset tag, employee ID, or help desk issue ID.
- notes: str - Optional descriptive information for the device.
- last_connected: datetime - The last day and time this device was connected to the server.
- os_name: str - The device's operating system name. Ex: Windows, Mac OS X, Linux, Android, iOS, SunOS, etc.
- os_version: str - The device's operating system version. Ex: 10.5.1, 6.2, etc.
- address: str - The device's internal IP address and port. Ex: 192.168.42.1:4282
- remote_address: str - The device's external IP address and port. Example: 171.22.110.41:13958
- time_zone: str - The device's time zone. Ex: Asia/Calcutta
- version: str - The device product display version.
- build: int - The device build version long number, will only be applicable to CP4/SP devices.
- creation_date: datetime - The date and time this device was created.
- modification_date: datetime - The date and time this device was last modified.
- login_date: datetime - The date and time this device was last logged in.

DevicesPage model

incydr.models.DevicesPage(*, totalCount=None, devices=None, **extra_data)
A model representing a page of Device objects.

Fields:
- devices: List[Device] - The list of n number of devices retrieved from the query, where n=page_size.
- total_count: int - Total count of devices found by query.

Directory Groups

DirectoryGroup model

incydr.models.DirectoryGroup(*, groupId=None, name=None, **extra_data)

DirectoryGroupsPage model

incydr.models.DirectoryGroupsPage(*, directoryGroups=None, totalCount=None, **extra_data)
A model representing a list of directory groups.

Fields:
- directory_groups: List[DirectoryGroup] - The list of n directory groups retrieved by the query, where n=page_size.
- total_count: int - Total count of directory groups retrieved by the query.

File Events

FileEvent model

incydr.models.FileEventV2(*, timestamp=None, destination=None, event=None, file=None, process=None, report=None, risk=None, source=None, user=None, git=None, **extra_data)

Fields:
- timestamp: The date and time that the Code42 service on the device detected the event. This timestamp is based on the device's system clock and reported in Coordinated Universal Time (UTC).
- destination: Destination - A Destination object containing metadata about the destination of the file event.
- event: Event - An Event object containing summary information about the event.
- file: File - A File object containing metadata about the file for this event.
- process: Process - A Process object containing metadata about the process associated with the event.
- report: Report - A Report object containing metadata for reports from 3rd party sources, such as Salesforce downloads.
- risk: Risk - A Risk object containing metadata on risk factors associated with the event.
- source: Source - A Source object containing metadata about the source of the file event.
- user: User - A User object containing metadata attributes of the Code42 username signed in to the Code42 app on the device.
- git: Git - A Git object containing git details for the event (if applicable).

FileEventsPage model

incydr.models.FileEventsPage(*, fileEvents=None, nextPgToken=None, problems=None, totalCount=None, **extra_data)
A model representing a page of FileEventV2 objects.

Fields:
- file_events: List[FileEventsV2] - The list of n number of file events retrieved from the query, where n=pg_size.
- next_pg_token: str - The pgToken value from another request to indicate the starting point of the next page of results. nextPgToken is null if there are no more results or if pgToken was not supplied.
- problems: List[QueryProblem] - List of problems in the request. A problem with a search request could be an invalid filter value, an operator that can't be used on a term, etc.
- total_count: int - Total count of file events found by the query.

SavedSearch model

incydr.models.SavedSearch(*, apiVersion=None, columns=None, createdByUID=None, createdByUsername=None, creationTimestamp=None, groupClause=None, groups=None, id=None, modifiedByUID=None, modifiedByUsername=None, modifiedTimestamp=None, name=None, notes=None, srtDir=None, srtKey=None, **extra_data)
A model representing a saved search.

Fields:
- api_version: int - The version of the API used to create the search.
- columns: List[str] - The list of columns to be displayed in the web app for the search.
- created_by_uid: str - The ID of the user who created the saved search.
- created_by_username: str - The username of the user who created the saved search.
- creation_timestamp: datetime - The time at which the saved search was created.
- group_clause: GroupClause - AND or OR. Grouping clause for any specified groups. Defaults to AND.
- groups: List[SearchFilterGroup] - One or more FilterGroups to be combined in a query.
- id: str - The ID for the saved search.
- modified_by_uid: str - The ID of the user who last modified the saved search.
- modified_by_username: str - The username of the user who last modified the saved search.
- modified_timestamp: datetime - The time at which the saved search was last modified.
- name: str - The name given to the saved search.
- notes: str - Optional notes about the search.
- srt_dir: SortDirection - asc or desc. The direction in which to sort the response based on the corresponding key. Defaults to 'asc'.
- srt_key: str - One or more values on which the response will be sorted. Defaults to event ID.

Roles

Role model

incydr.models.Role(*, roleId=None, roleName=None, creationDate=None, modificationDate=None, permissions=None, **extra_data)
A model representing a role.

Fields:
- role_id: str - A role ID.
- role_name: str - A role name.
- modification_date: str - The date and time this role for the user was last modified.
- creation_date: str - The date and time this role for the user was created.
- permission_ids: str - The permission IDs associated with this role.

UpdateRolesResponse model

incydr.models.UpdateRolesResponse(*, processedReplacementRoleIds=None, newlyAssignedRolesIds=None, unassignedRolesIds=None, ignoredRolesIds=None, **extra_data)
A model representing the response to updating a user's role.

Fields:
- processed_replacement_role_ids: List[str] - The role IDs processed.
- newly_assigned_roles_ids: List[str] - The role IDs newly assigned to the user.
- unassigned_roles_ids: List[str] - The role IDs unassigned from the user.
- ignored_roles_ids: List[str] - The role IDs ignored.

Trusted Activities

TrustedActivity model

incydr.models.TrustedActivity(*, activityActionGroups=None, activityId=None, isHighValueSource=None, description=None, principalType=None, type=None, updateTime=None, updatedByPrincipalId=None, updatedByPrincipalName=None, value=None, **extra_data)
A model representing a TrustedActivity.

Fields:
- activity_action_groups: List[ActivityActionGroup] - The list of activity actions associated with the activity.
- activity_id: str - The unique identifier of the trusted activity.
- description: str - A description of the trusted activity.
- principal_type: PrincipalType | None
- activity_type: ActivityType | None - The type of the trusted activity.
- update_time: datetime | None - The time at which the trust activity was last created or modified.
- updated_by_principal_id: str | None - The unique identifier of the user who last updated the trust activity.
- updated_by_principal_name: str | None - The username of the user who last updated the trusted activity.
- value: str - The value of the trusted activity.

TrustedActivitiesPage model

incydr.models.TrustedActivitiesPage(*, totalCount=None, trustedActivities=None, **extra_data)
A model representing a page of TrustedActivity objects.

Fields:
- total_count: int - Total count of trusted activities found by the query.
- trusted_activities: List[TrustedActivity] - The list of trusted activities retrieved from the query.

Users

User model

incydr.models.User(*, deviceUid=None, email=None, id=None, **extra_data)

UsersPage model

incydr.models.UsersPage(*, users=None, totalCount=None, **extra_data)
A model representing a page of User objects.

Fields:
- users: List[User] - The list of n number of users retrieved from the query, where n=page_size.
- total_count: int - Total count of users found by query.

Role model

incydr.models.Role(*, roleId=None, roleName=None, creationDate=None, modificationDate=None, permissions=None, **extra_data)
A model representing a role.

Fields:
- role_id: str - A role ID.
- role_name: str - A role name.
- modification_date: str - The date and time this role for the user was last modified.
- creation_date: str - The date and time this role for the user was created.
- permission_ids: str - The permission IDs associated with this role.

User Risk Profiles

UserRiskProfile model

incydr.models.UserRiskProfile(*, active=None, cloudAliases=None, country=None, deleted=None, department=None, displayName=None, division=None, employmentType=None, endDate=None, locality=None, managerDisplayName=None, managerId=None, managerUsername=None, notes=None, region=None, startDate=None, supportUser=None, tenantId=None, title=None, userId=None, username=None, **extra_data)
A model representing a user risk profile.

Fields:
- active: bool - Whether the user is active.
- cloud_alias: List[str] - List of cloud aliases for the user.
- country: str - The user's country.
- deleted: bool - Whether the user has been deleted.
- department: str - The user's department.
- display_name: str - The user's display name.
- division: str - The user's division.
- employment_type: str - The user's employment type.
- end_date: Date - Departure date for the user.
- locality: str - The user's locality (city).
- manager_display_name: str - The user's manager's display name.
- manager_id: str - Unique user ID of the user's manager.
- manager_username: str - The Code42 username of the user's manager.
- notes: str - Additional notes about the user.
- region: str - The user's region (state).
- start_date: Date - Starting date for the user.
- support_user: bool - Whether the user is a support user.
- tenant_id: str - Unique tenant ID.
- title: str - The user's job title.
- user_id: str - Unique user ID.
- username: str - User's Code42 username.

UserRiskProfilesPage model

incydr.models.UserRiskProfilesPage(*, totalCount=None, userRiskProfiles=None, **extra_data)
A model representing a page of UserRiskProfile objects.

Fields:
- total_count: int - The total count of all user risk profiles.
- user_risk_profiles: List[UserRiskProfile] - The list of n number of user risk profiles retrieved from the query, where n=page_size.

Watchlists

Watchlist model

incydr.models.Watchlist(*, description=None, listType, stats=None, tenantId=None, title=None, watchlistId=None, **extra_data)
A model representing an Incydr Watchlist.

Fields:
- description: str - Optional description for a custom watchlist.
- list_type: WatchlistType - The watchlist type.
- stats: WatchlistStats - Watchlist membership information. Includes included_user_count, included_department_count, included_directory_groups_count, and excluded_users_count.
- tenant_id: str - A unique tenant ID.
- title: str - Title for a custom watchlist.
- watchlist_id: str - A unique watchlist ID.

WatchlistsPage model

incydr.models.WatchlistsPage(*, totalCount=None, watchlists=None, **extra_data)
A model representing a page of Watchlist objects.

Fields:
- total_count: int - Total count of watchlists found by the query.
- watchlists: List[Watchlist] - The list of n number of watchlists retrieved from the query, where n=page_size.

WatchlistUser model

incydr.models.WatchlistUser(*, addedTime=None, userId=None, username=None, **extra_data)
A model representing a user who is associated with a watchlist.

Fields:
- added_time: datetime - The time the user was associated with the watchlist.
- user_id: str - Unique user ID.
- username: str - Username.

WatchlistMembersList model

incydr.models.WatchlistMembersList(*, totalCount=None, watchlistMembers=None, **extra_data)
A model representing a list of watchlist members. Watchlist members are users who are on a list, whether it is because they are individually included, or because they are part of a department or directory group that is included.

Fields:
- watchlist_members: List[WatchlistUser] - The list of watchlist members.
- total_count: int - Total count of members on the watchlist.

IncludedUsersList model

incydr.models.IncludedUsersList(*, includedUsers=None, totalCount=None, **extra_data)
A model representing a list of users included on a watchlist. Included users are those that have been individually included on that list.

Fields:
- included_users: List[WatchlistUser] - The list of included users.
- total_count: int - The total count of all included users.

ExcludedUsersList model

incydr.models.ExcludedUsersList(*, excludedUsers=None, totalCount=None, **extra_data)
A model representing a list of users excluded from a watchlist. Excluded users are those that have been individually excluded from that list.

Fields:
- excluded_users: List[WatchlistUser] - The list of excluded users.
- total_count: int

IncludedDepartmentsList model

incydr.models.IncludedDepartmentsList(*, includedDepartments=None, totalCount=None, **extra_data)
A model representing a list of departments included on a watchlist.

Fields:
- included_departments: List[IncludedDepartment] - The list of included departments.
- total_count: int - The total count of all included departments.

IncludedDepartment model

incydr.models.IncludedDepartment(*, addedTime=None, name=None, **extra_data)
A model representing a department included on a watchlist.

Fields:
- added_time: datetime - The time the department was included on the watchlist.
- name: str - Department name. Example: "Engineering".

IncludedDirectoryGroupsList model

incydr.models.IncludedDirectoryGroupsList(*, includedDirectoryGroups=None, totalCount=None, **extra_data)
A model representing a list of directory groups included on a watchlist.

Fields:
- included_directory_groups: List[IncludedDirectoryGroup] - The list of included directory groups.
- total_count: int - The total count of all included directory groups.

IncludedDirectoryGroup model

incydr.models.IncludedDirectoryGroup(*, addedTime=None, groupId=None, isDeleted=None, name=None, **extra_data)
A model representing a directory group included on a watchlist.

Fields:
- added_time: datetime - The time the directory group was included on the watchlist.
- group_id: str - A unique group ID for the directory group.
- is_deleted: bool - Whether the included group was deleted by the directory provider but still referenced by the watchlist.
- name: str - The name of the directory group. Example: "Research and Development".