alerts

Tools for getting alert data.

alerts [OPTIONS] COMMAND [ARGS]...

clear-checkpoint

Remove the saved alert checkpoint from --use-checkpoint/-c mode.

alerts clear-checkpoint [OPTIONS] CHECKPOINT_NAME

Options

-d, --debug

Turn on debug logging.

--profile <profile>

The name of the Code42 CLI profile to use when executing this command.

Arguments

CHECKPOINT_NAME

Required argument

send-to

Send alerts to the given server address.

HOSTNAME format: address:port, where port is optional and defaults to 514.

alerts send-to [OPTIONS] HOSTNAME

Options

--state <state>

Filter alerts by status. Defaults to returning all statuses.

Options: RESOLVED|IN_PROGRESS|OPEN|PENDING

--severity <severity>

Filter alerts by severity. Defaults to returning all severities.

Options: HIGH|LOW|MEDIUM

--description <description>

Filter alerts by description. Does fuzzy search by default.

--exclude-rule-type <exclude_rule_type>

Filter alerts by excluding the given rule type(s).

--rule-type <rule_type>

Filter alerts by including the given rule type(s).

Options: FedCloudSharePermissions|FedEndpointExfiltration|FedFileTypeMismatch

--exclude-rule-id <exclude_rule_id>

Filter alerts by excluding the given rule id(s).

--rule-id <rule_id>

Filter alerts by including the given rule id(s).

--exclude-rule-name <exclude_rule_name>

Filter alerts by excluding the given rule name(s).

--rule-name <rule_name>

Filter alerts by including the given rule name(s).

--exclude-actor-contains <exclude_actor_contains>

Filter alerts by excluding actor(s) whose cloud alias contains the given string.

--exclude-actor <exclude_actor>

Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.

--actor-contains <actor_contains>

Filter alerts by including actor(s) whose cloud alias contains the given string.

--actor <actor>

Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.

-b, --begin <begin>

The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format, where the 'time' portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15'), or a 'short time' value representing days (30d), hours (24h) or minutes (15m) before the current time.

-e, --end <end>

The end of the date range in which to look for alerts. Accepts the same argument formats as --begin.
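As an added illustration (not part of the Code42 CLI or its documentation), the following Python resolves the --begin/--end value formats described above into UTC datetimes: absolute dates with an optional partial time, or relative "short time" values. The function names and the inverted-range check are this example's own assumptions, not CLI behaviour.

```python
"""Resolve Code42 CLI style --begin/--end values (example code, not the CLI's own)."""
import re
from datetime import datetime, timedelta, timezone

# Relative "short time" values: a count of days, hours or minutes before now.
_SHORT_TIME = re.compile(r"^(\d+)([dhm])$")
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}

# Absolute values: a UTC date with an optional, possibly partial, 24-hour time.
_ABSOLUTE_FORMATS = [
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d %H:%M",
    "%Y-%m-%d %H",
    "%Y-%m-%d",
]


def parse_begin_end(value, now=None):
    """Return the timezone-aware UTC datetime that `value` denotes.

    `value` is either a short-time string such as "30d", "24h" or "15m"
    (counted back from `now`, which defaults to the current UTC time) or a
    "yyyy-MM-dd" date with an optional partial time, interpreted as UTC.
    Raises ValueError for anything else, mirroring a CLI usage error.
    """
    value = value.strip()
    now = now or datetime.now(timezone.utc)
    match = _SHORT_TIME.match(value)
    if match:
        amount, unit = int(match.group(1)), match.group(2)
        return now - timedelta(**{_UNITS[unit]: amount})
    for fmt in _ABSOLUTE_FORMATS:
        try:
            # strptime must consume the whole string, so each format is exact.
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised --begin/--end value: {value!r}")


def date_range(begin, end=None, now=None):
    """Resolve a (--begin, --end) pair; a missing end means 'now'."""
    now = now or datetime.now(timezone.utc)
    start = parse_begin_end(begin, now)
    stop = parse_begin_end(end, now) if end else now
    if start > stop:  # assumption: reject an inverted range up front
        raise ValueError("--begin must not be later than --end")
    return start, stop
```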

--advanced-query <QUERY_JSON>

A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. The argument can be passed as a string, read from stdin by passing '-', or read from a file if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>

Only get alerts that were not previously retrieved.

--or-query

-d, --debug

Turn on debug logging.

--profile <profile>

The name of the Code42 CLI profile to use when executing this command.

-p, --protocol <protocol>

Protocol used to send logs to server. Defaults to UDP.

Options: TCP|UDP

--include-all

Display simple properties of the primary level of the nested response.

-f, --format <format>

The output format of the result. Defaults to JSON format.

Options: JSON|RAW-JSON

Arguments

HOSTNAME

Required argument