V2 File Events

Warning

V1 file events, saved searches, and queries are deprecated.

For details on the updated File Event Model, see the V2 File Events API documentation on the Developer Portal.

V1 file event APIs were marked deprecated in May 2022 and will be no longer be supported after May 2023.

Use the --use-v2-file-events True option with the code42 profile create or code42 profile update commands to enable your code42 CLI profile to use the latest V2 file event data model.

Use code42 profile show to check the status of this setting on your profile:

% code42 profile update --use-v2-file-events True

% code42 profile show

test-user-profile:
        * username = test-user@code42.com
        * authority url = https://console.core-int.cloud.code42.com
        * ignore-ssl-errors = False
        * use-v2-file-events = True

For details on setting up a profile, see the profile set up user guide.

Enabling this setting will use the V2 data model for querying searches and saved searches with all code security-data commands. The response shape for these events has changed from V1 and contains various field remappings, renamings, additions and removals. Column names will also be different when using the Table format for outputting events.

V2 File Event Data Example

Below is an example of the new file event data model:

{
    "@timestamp": "2022-07-14T16:53:06.112Z",
    "event": {
        "id": "0_c4e43418-07d9-4a9f-a138-29f39a124d33_1068825680073059134_1068826271084047166_1_EPS",
        "inserted": "2022-07-14T16:57:00.913917Z",
        "action": "application-read",
        "observer": "Endpoint",
        "shareType": [],
        "ingested": "2022-07-14T16:55:04.723Z",
        "relatedEvents": []
    },
    "user": {
        "email": "engineer@example.com",
        "id": "1068824450489230065",
        "deviceUid": "1068825680073059134"
    },
    "file": {
        "name": "cat.jpg",
        "directory": "C:/Users/John Doe/Downloads/",
        "category": "Spreadsheet",
        "mimeTypeByBytes": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        "categoryByBytes": "Spreadsheet",
        "mimeTypeByExtension": "image/jpeg",
        "categoryByExtension": "Image",
        "sizeInBytes": 4748,
        "owner": "John Doe",
        "created": "2022-07-14T16:51:06.186Z",
        "modified": "2022-07-14T16:51:07.419Z",
        "hash": {
            "md5": "8872dfa1c181b823d2c00675ae5926fd",
            "sha256": "14d749cce008711b4ad1381d84374539560340622f0e8b9eb2fe3bba77ddbd64",
            "md5Error": null,
            "sha256Error": null
        },
        "id": null,
        "url": null,
        "directoryId": [],
        "cloudDriveId": null,
        "classifications": []
    },
    "report": {
        "id": null,
        "name": null,
        "description": null,
        "headers": [],
        "count": null,
        "type": null
    },
    "source": {
        "category": "Device",
        "name": "DESKTOP-1",
        "domain": "192.168.00.000",
        "ip": "50.237.00.00",
        "privateIp": [
            "192.168.00.000",
            "127.0.0.1"
        ],
        "operatingSystem": "Windows 10",
        "email": {
            "sender": null,
            "from": null
        },
        "removableMedia": {
            "vendor": null,
            "name": null,
            "serialNumber": null,
            "capacity": null,
            "busType": null,
            "mediaName": null,
            "volumeName": [],
            "partitionId": []
        },
        "tabs": [],
        "domains": []
    },
    "destination": {
        "category": "Cloud Storage",
        "name": "Dropbox",
        "user": {
            "email": []
        },
        "ip": null,
        "privateIp": [],
        "operatingSystem": null,
        "printJobName": null,
        "printerName": null,
        "printedFilesBackupPath": null,
        "removableMedia": {
            "vendor": null,
            "name": null,
            "serialNumber": null,
            "capacity": null,
            "busType": null,
            "mediaName": null,
            "volumeName": [],
            "partitionId": []
        },
        "email": {
            "recipients": null,
            "subject": null
        },
        "tabs": [
            {
                "title": "Files - Dropbox and 1 more page - Profile 1 - Microsoft​ Edge",
                "url": "https://www.dropbox.com/home",
                "titleError": null,
                "urlError": null
            }
        ],
        "accountName": null,
        "accountType": null,
        "domains": [
            "dropbox.com"
        ]
    },
    "process": {
        "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "owner": "John doe"
    },
    "risk": {
        "score": 17,
        "severity": "CRITICAL",
        "indicators": [
            {
                "name": "First use of destination",
                "weight": 3
            },
            {
                "name": "File mismatch",
                "weight": 9
            },
            {
                "name": "Spreadsheet",
                "weight": 0
            },
            {
                "name": "Remote",
                "weight": 0
            },
            {
                "name": "Dropbox upload",
                "weight": 5
            }
        ],
        "trusted": false,
        "trustReason": null
    }
}