security-data
Tools for getting file event data.
security-data [OPTIONS] COMMAND [ARGS]...
clear-checkpoint
Remove the saved file event checkpoint from --use-checkpoint/-c mode.
security-data clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options
-d, --debug
  Turn on debug logging.
--profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
Arguments
CHECKPOINT_NAME
  Required argument
saved-search
Search for file events using saved searches.
security-data saved-search [OPTIONS] COMMAND [ARGS]...
Options
-d, --debug
  Turn on debug logging.
--profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
list
List available saved searches.
security-data saved-search list [OPTIONS]
Options
-f, --format <format>
  The output format of the result. Defaults to table format.
  Options: TABLE|CSV|JSON|RAW-JSON
-d, --debug
  Turn on debug logging.
--profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
search
Search for file events.
security-data search [OPTIONS]
Options
--saved-search <saved_search>
  Get events from a saved search filter with the given ID.
--include-non-exposure
  Get all events including non-exposure events.
--tab-url <tab_url>
  Limits events to be exposure events with one of the specified destination tab URLs.
--process-owner <process_owner>
  Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events.
--file-category <file_category>
  Limits events to file events where the file can be classified by one of these categories.
  Options: AUDIO|DOCUMENT|EXECUTABLE|IMAGE|PDF|PRESENTATION|SCRIPT|SOURCE_CODE|SPREADSHEET|VIDEO|VIRTUAL_DISK_IMAGE|ARCHIVE
--file-path <file_path>
  Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.
--file-name <file_name>
  Limits events to file events where the file has one of these names.
--source <source>
  Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.
--sha256 <sha256>
  Limits events to file events where the file has one of these SHA256 hashes.
--md5 <md5>
  Limits events to file events where the file has one of these MD5 hashes.
--actor <actor>
  Limits events to only those enacted by the cloud service user of the person who caused the event.
--c42-username <c42_username>
  Limits events to endpoint events for these Code42 users.
-t, --type <type>
  Limits events to those with given exposure types.
  Options: ApplicationRead|CloudStorage|IsPublic|OutsideTrustedDomains|RemovableMedia|SharedToDomain|SharedViaLink
-b, --begin <begin>
  The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time.
-e, --end <end>
  The end of the date range in which to look for file events, argument format options are the same as --begin.
--advanced-query <QUERY_JSON>
  A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘--advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.
-c, --use-checkpoint <use_checkpoint>
  Only get file events that were not previously retrieved.
--or-query
  Combine query filter options with ‘OR’ logic instead of the default ‘AND’.
-d, --debug
  Turn on debug logging.
--profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
--include-all
  Display simple properties of the primary level of the nested response.
-f, --format <format>
  The output format of the result. Defaults to table format.
  Options: TABLE|CSV|JSON|RAW-JSON|CEF
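The value forms that --begin and --end accept can be checked before a scheduled export runs, so that a mistyped window does not silently leave a gap in collected events. The following Python sketch is an added example, not the Code42 CLI's own code; the function names are hypothetical, and filling missing time fields with zero is an assumption, since the page does not say how the CLI rounds partial times.

```python
import re
from datetime import datetime, timedelta, timezone

# Short-time suffixes named in the option text: days, hours, minutes.
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}
_SHORT = re.compile(r"^(\d+)([dhm])$")
# Full and partial absolute forms, most specific first.
_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d %H", "%Y-%m-%d")


def parse_range_bound(value, now=None):
    """Return the UTC datetime that a --begin/--end style value denotes."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    short = _SHORT.match(value)
    if short:
        # "30d" means 30 days back from the current time, and so on.
        amount, unit = int(short.group(1)), _UNITS[short.group(2)]
        return now - timedelta(**{unit: amount})
    for fmt in _FORMATS:
        try:
            # Assumption: absent hour/minute/second fields are zero.
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported date/time value: {value!r}")


def validate_range(begin, end=None, now=None):
    """Resolve both bounds and reject empty or inverted ranges."""
    now = now or datetime.now(timezone.utc)
    start = parse_range_bound(begin, now)
    stop = parse_range_bound(end, now) if end else now
    if start >= stop:
        raise ValueError(
            f"begin {start.isoformat()} is not before end {stop.isoformat()}"
        )
    return start, stop
```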
send-to
Send events to the given server address.
HOSTNAME format: address:port where port is optional and defaults to 514.
security-data send-to [OPTIONS] HOSTNAME
Options
--saved-search <saved_search>
  Get events from a saved search filter with the given ID.
--include-non-exposure
  Get all events including non-exposure events.
--tab-url <tab_url>
  Limits events to be exposure events with one of the specified destination tab URLs.
--process-owner <process_owner>
  Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events.
--file-category <file_category>
  Limits events to file events where the file can be classified by one of these categories.
  Options: AUDIO|DOCUMENT|EXECUTABLE|IMAGE|PDF|PRESENTATION|SCRIPT|SOURCE_CODE|SPREADSHEET|VIDEO|VIRTUAL_DISK_IMAGE|ARCHIVE
--file-path <file_path>
  Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.
--file-name <file_name>
  Limits events to file events where the file has one of these names.
--source <source>
  Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.
--sha256 <sha256>
  Limits events to file events where the file has one of these SHA256 hashes.
--md5 <md5>
  Limits events to file events where the file has one of these MD5 hashes.
--actor <actor>
  Limits events to only those enacted by the cloud service user of the person who caused the event.
--c42-username <c42_username>
  Limits events to endpoint events for these Code42 users.
-t, --type <type>
  Limits events to those with given exposure types.
  Options: ApplicationRead|CloudStorage|IsPublic|OutsideTrustedDomains|RemovableMedia|SharedToDomain|SharedViaLink
-b, --begin <begin>
  The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time.
-e, --end <end>
  The end of the date range in which to look for file events, argument format options are the same as --begin.
--advanced-query <QUERY_JSON>
  A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘--advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.
-c, --use-checkpoint <use_checkpoint>
  Only get file events that were not previously retrieved.
--or-query
  Combine query filter options with ‘OR’ logic instead of the default ‘AND’.
-d, --debug
  Turn on debug logging.
--profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
-p, --protocol <protocol>
  Protocol used to send logs to server. Defaults to UDP.
  Options: TCP|UDP
--include-all
  Display simple properties of the primary level of the nested response.
-f, --format <format>
  The output format of the result. Defaults to json format.
  Options: CEF|JSON|RAW-JSON
Arguments
HOSTNAME
  Required argument