alerts¶

Get and send alert data.

alerts [OPTIONS] COMMAND [ARGS]...

bulk¶

Tools for executing bulk alert actions.

alerts bulk [OPTIONS] COMMAND [ARGS]...

generate-template¶

Generate the CSV template needed for bulk alert commands.

alerts bulk generate-template [OPTIONS] [update]

Options

-p, --path <path>¶: Write template file to specific file path/name.

Arguments

CMD¶: Required argument

update¶

Bulk update alerts using a CSV file with format: id,state,note

alerts bulk update [OPTIONS] CSV_FILE

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

Arguments

CSV_FILE¶: Required argument

clear-checkpoint¶

Remove the saved alert checkpoint from –use-checkpoint/-c mode.

alerts clear-checkpoint [OPTIONS] CHECKPOINT_NAME

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

Arguments

CHECKPOINT_NAME¶: Required argument

search¶

Search for alerts.

alerts search [OPTIONS]

Options

--state <state>¶

Filter alerts by status. Defaults to returning all statuses.

Options:	RESOLVED\|IN_PROGRESS\|OPEN\|PENDING

--severity <severity>¶

Filter alerts by severity. Defaults to returning all severities.

Options:	HIGH\|LOW\|MEDIUM

--description <description>¶: Filter alerts by description. Does fuzzy search by default.

--exclude-rule-type <exclude_rule_type>¶: Filter alerts by excluding the given rule type(s).

--rule-type <rule_type>¶

Filter alerts by including the given rule type(s).

Options:	FedCloudSharePermissions\|FedEndpointExfiltration\|FedFileTypeMismatch

--exclude-rule-id <exclude_rule_id>¶: Filter alerts by excluding the given rule id(s).

--rule-id <rule_id>¶: Filter alerts by including the given rule id(s).

--exclude-rule-name <exclude_rule_name>¶: Filter alerts by excluding the given rule name(s).

--rule-name <rule_name>¶: Filter alerts by including the given rule name(s).

--exclude-actor-contains <exclude_actor_contains>¶: Filter alerts by excluding actor(s) whose cloud alias contains the given string.

--exclude-actor <exclude_actor>¶: Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match actor’s cloud alias exactly.

--actor-contains <actor_contains>¶: Filter alerts by including actor(s) whose cloud alias contains the given string.

--actor <actor>¶: Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor’s cloud alias exactly.

-b, --begin <begin>¶: The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time.

-e, --end <end>¶: The end of the date range in which to look for alerts, argument format options are the same as –begin.

--advanced-query <QUERY_JSON>¶: A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘–advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>¶: Only get alerts that were not previously retrieved.

--or-query¶

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

--include-all¶: Display simple properties of the primary level of the nested response.

-f, --format <format>¶

The output format of the result. Defaults to table format.

Options:	TABLE\|CSV\|JSON\|RAW-JSON

send-to¶

Send alerts to the given server address.

HOSTNAME format: address:port where port is optional and defaults to 514.

alerts send-to [OPTIONS] HOSTNAME

Options

--state <state>¶

Filter alerts by status. Defaults to returning all statuses.

Options:	RESOLVED\|IN_PROGRESS\|OPEN\|PENDING

--severity <severity>¶

Filter alerts by severity. Defaults to returning all severities.

Options:	HIGH\|LOW\|MEDIUM

--description <description>¶: Filter alerts by description. Does fuzzy search by default.

--exclude-rule-type <exclude_rule_type>¶: Filter alerts by excluding the given rule type(s).

--rule-type <rule_type>¶

Filter alerts by including the given rule type(s).

Options:	FedCloudSharePermissions\|FedEndpointExfiltration\|FedFileTypeMismatch

--exclude-rule-id <exclude_rule_id>¶: Filter alerts by excluding the given rule id(s).

--rule-id <rule_id>¶: Filter alerts by including the given rule id(s).

--exclude-rule-name <exclude_rule_name>¶: Filter alerts by excluding the given rule name(s).

--rule-name <rule_name>¶: Filter alerts by including the given rule name(s).

--exclude-actor-contains <exclude_actor_contains>¶: Filter alerts by excluding actor(s) whose cloud alias contains the given string.

--exclude-actor <exclude_actor>¶: Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match actor’s cloud alias exactly.

--actor-contains <actor_contains>¶: Filter alerts by including actor(s) whose cloud alias contains the given string.

--actor <actor>¶: Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor’s cloud alias exactly.

-b, --begin <begin>¶: The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time.

-e, --end <end>¶: The end of the date range in which to look for alerts, argument format options are the same as –begin.

--advanced-query <QUERY_JSON>¶: A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘–advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.

-c, --use-checkpoint <use_checkpoint>¶: Only get alerts that were not previously retrieved.

--or-query¶

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

--ignore-cert-validation¶: Set to skip CA certificate validation. Incompatible with the ‘certs’ option.

--certs <certs>¶: A CA certificates-chain file for the TCP-TLS protocol.

-p, --protocol <protocol>¶

Protocol used to send logs to server. Use TCP-TLS for additional security. Defaults to UDP.

Options:	TCP\|UDP\|TLS-TCP

--include-all¶: Display simple properties of the primary level of the nested response.

-f, --format <format>¶

The output format of the result. Defaults to json format.

Options:	JSON\|RAW-JSON

Arguments

HOSTNAME¶: Required argument

show¶

Display the details of a single alert.

alerts show [OPTIONS] ALERT_ID

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

--include-observations¶: View observations of the alert.

Arguments

ALERT_ID¶: Required argument

update¶

Update alert information.

alerts update [OPTIONS] ALERT_ID

Options

-d, --debug¶: Turn on debug logging.

--profile <profile>¶: The name of the Code42 CLI profile to use when executing this command.

--state <state>¶

The state to give to the alert.

Options:	RESOLVED\|IN_PROGRESS\|OPEN\|PENDING

--note <note>¶: A note to attach to the alert.

Arguments

ALERT_ID¶: Required argument