security-data

Get and send file event data.

security-data [OPTIONS] COMMAND [ARGS]...

clear-checkpoint

Remove the saved file event checkpoint from –use-checkpoint/-c mode.

security-data clear-checkpoint [OPTIONS] CHECKPOINT_NAME

Options

-d, --debug

Turn on debug logging.

--profile <profile>

The name of the Code42 CLI profile to use when executing this command.

Arguments

CHECKPOINT_NAME

Required argument

send-to

Send events to the given server address.

HOSTNAME format: address:port where port is optional and defaults to 514.

security-data send-to [OPTIONS] HOSTNAME

Options

Get events from a saved search filter with the given ID.

--include-non-exposure

Get all events including non-exposure events.

--tab-url <tab_url>

Limits events to be exposure events with one of the specified destination tab URLs.

--process-owner <process_owner>

Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events.

--file-category <file_category>

Limits events to file events where the file can be classified by one of these categories.

Options:Audio|Document|Executable|Image|Pdf|Presentation|Script|SourceCode|Spreadsheet|Video|VirtualDiskImage|Archive
--file-path <file_path>

Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.

--file-name <file_name>

Limits events to file events where the file has one of these names.

--source <source>

Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.

--sha256 <sha256>

Limits events to file events where the file has one of these SHA256 hashes.

--md5 <md5>

Limits events to file events where the file has one of these MD5 hashes.

--actor <actor>

Limits events to only those enacted by the cloud service user of the person who caused the event.

--c42-username <c42_username>

Limits events to endpoint events for these Code42 users.

-t, --type <type>

Limits events to those with given exposure types.

Options:ApplicationRead|CloudStorage|IsPublic|OutsideTrustedDomains|RemovableMedia|SharedToDomain|SharedViaLink
-b, --begin <begin>

The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time.

-e, --end <end>

The end of the date range in which to look for file events, argument format options are the same as –begin.

--advanced-query <QUERY_JSON>

A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘–advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>

Only get file events that were not previously retrieved.

--or-query

Combine query filter options with ‘OR’ logic instead of the default ‘AND’.

-d, --debug

Turn on debug logging.

--profile <profile>

The name of the Code42 CLI profile to use when executing this command.

--ignore-cert-validation

Set to skip CA certificate validation. Incompatible with the ‘certs’ option.

--certs <certs>

A CA certificates-chain file for the TCP-TLS protocol.

-p, --protocol <protocol>

Protocol used to send logs to server. Use TCP-TLS for additional security. Defaults to UDP.

Options:TCP|UDP|TLS-TCP
--include-all

Display simple properties of the primary level of the nested response.

-f, --format <format>

The output format of the result. Defaults to RAW-JSON format.

Options:CEF|JSON|RAW-JSON

Arguments

HOSTNAME

Required argument