security-data¶

Tools for getting file event data.

security-data [OPTIONS] COMMAND [ARGS]...

clear-checkpoint¶

Remove the saved file event checkpoint from –use-checkpoint/-c mode.

security-data clear-checkpoint [OPTIONS] CHECKPOINT_NAME

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

Arguments

CHECKPOINT_NAME¶: Required argument

saved-search¶

security-data saved-search [OPTIONS] COMMAND [ARGS]...

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

list¶

List available saved searches.

security-data saved-search list [OPTIONS]

Options

-f, --format <format>¶

The output format of the result. Defaults to table format.

Options:	TABLE\|CSV\|JSON\|RAW-JSON

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

show¶

Get the details of a saved search.

security-data saved-search show [OPTIONS] SEARCH_ID

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

Arguments

SEARCH_ID¶: Required argument

search¶

Search for file events.

security-data search [OPTIONS]

Options

--saved-search <saved_search>¶: Get events from a saved search filter with the given ID.

--include-non-exposure¶: Get all events including non-exposure events.

--tab-url <tab_url>¶: Limits events to be exposure events with one of the specified destination tab URLs.

--process-owner <process_owner>¶: Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events

--file-category <file_category>¶

Limits events to file events where the file can be classified by one of these categories.

Options:	AUDIO\|DOCUMENT\|EXECUTABLE\|IMAGE\|PDF\|PRESENTATION\|SCRIPT\|SOURCE_CODE\|SPREADSHEET\|VIDEO\|VIRTUAL_DISK_IMAGE\|ARCHIVE

--file-path <file_path>¶: Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.

--file-name <file_name>¶: Limits events to file events where the file has one of these names.

--source <source>¶: Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.

--sha256 <sha256>¶: Limits events to file events where the file has one of these SHA256 hashes.

--md5 <md5>¶: Limits events to file events where the file has one of these MD5 hashes.

--actor <actor>¶: Limits events to only those enacted by the cloud service user of the person who caused the event.

--c42-username <c42_username>¶: Limits events to endpoint events for these Code42 users.

-t, --type <type>¶

Limits events to those with given exposure types.

Options:	ApplicationRead\|CloudStorage\|IsPublic\|OutsideTrustedDomains\|RemovableMedia\|SharedToDomain\|SharedViaLink

--advanced-query <advanced_query>¶: A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>¶: Only get file events that were not previously retrieved.

-e, --end <end>¶: The end of the date range in which to look for file events, argument format options are the same as –begin.

-b, --begin <begin>¶: The beginning of the date range in which to look for file events, can be a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a short value representing days (30d), hours (24h) or minutes (15m) from current time.

--or-query¶

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

--include-all¶: Display simple properties of the primary level of the nested response.

-f, --format <format>¶

The output format of the result. Defaults to table format.

Options:	TABLE\|CSV\|JSON\|RAW-JSON\|CEF

send-to¶

Send events to the given server address.

security-data send-to [OPTIONS] HOSTNAME

Options

--saved-search <saved_search>¶: Get events from a saved search filter with the given ID.

--include-non-exposure¶: Get all events including non-exposure events.

--tab-url <tab_url>¶: Limits events to be exposure events with one of the specified destination tab URLs.

--process-owner <process_owner>¶: Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events

--file-category <file_category>¶

Limits events to file events where the file can be classified by one of these categories.

Options:	AUDIO\|DOCUMENT\|EXECUTABLE\|IMAGE\|PDF\|PRESENTATION\|SCRIPT\|SOURCE_CODE\|SPREADSHEET\|VIDEO\|VIRTUAL_DISK_IMAGE\|ARCHIVE

--file-path <file_path>¶: Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.

--file-name <file_name>¶: Limits events to file events where the file has one of these names.

--source <source>¶: Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.

--sha256 <sha256>¶: Limits events to file events where the file has one of these SHA256 hashes.

--md5 <md5>¶: Limits events to file events where the file has one of these MD5 hashes.

--actor <actor>¶: Limits events to only those enacted by the cloud service user of the person who caused the event.

--c42-username <c42_username>¶: Limits events to endpoint events for these Code42 users.

-t, --type <type>¶

Limits events to those with given exposure types.

Options:	ApplicationRead\|CloudStorage\|IsPublic\|OutsideTrustedDomains\|RemovableMedia\|SharedToDomain\|SharedViaLink

--advanced-query <advanced_query>¶: A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>¶: Only get file events that were not previously retrieved.

-e, --end <end>¶: The end of the date range in which to look for file events, argument format options are the same as –begin.

-b, --begin <begin>¶: The beginning of the date range in which to look for file events, can be a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a short value representing days (30d), hours (24h) or minutes (15m) from current time.

--or-query¶

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

-p, --protocol <protocol>¶

Protocol used to send logs to server. Defaults to UDP

Options:	TCP\|UDP

--include-all¶: Display simple properties of the primary level of the nested response.

-f, --format <format>¶

The output format of the result. Defaults to json format.

Options:	CEF\|JSON\|RAW-JSON

Arguments

HOSTNAME¶: Required argument