alerts
Get and send alert data.
alerts [OPTIONS] COMMAND [ARGS]...

bulk
Tools for executing bulk alert actions.
alerts bulk [OPTIONS] COMMAND [ARGS]...

generate-template
Generate the CSV template needed for bulk alert commands.
alerts bulk generate-template [OPTIONS] [update]
Options
- -p, --path <path>
  Write template file to specific file path/name.
Arguments
- CMD
  Required argument

update
Bulk update alerts using a CSV file with format: id,state,note
alerts bulk update [OPTIONS] CSV_FILE
Options
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
Arguments
- CSV_FILE
  Required argument
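As an added example (not part of the Code42 CLI or its documentation), the following Python script builds the id,state,note CSV that `alerts bulk update` consumes from alert records exported with `alerts search -f JSON`, restricting the update to one severity and rejecting any state that is not in the set this page lists. The JSON field names `id`, `state`, `severity` and `name` in the constructed sample are assumptions; compare them with your own export before relying on them.

```python
import csv
import io
import json

# Allowed alert states, as listed for --state on this page.
VALID_STATES = {"RESOLVED", "IN_PROGRESS", "OPEN", "PENDING"}

# Constructed sample standing in for the output of `alerts search -f JSON`.
# The field names are ASSUMED; verify them against a real export.
SAMPLE_EXPORT = json.dumps([
    {"id": "a1", "state": "OPEN", "severity": "LOW", "name": "Public link created"},
    {"id": "a2", "state": "OPEN", "severity": "HIGH", "name": "Removable media"},
    {"id": "a3", "state": "IN_PROGRESS", "severity": "MEDIUM", "name": "Cloud share"},
])


def build_bulk_update_rows(export_json, new_state, note, only_severity=None):
    """Return (id, state, note) tuples, one per alert to update.

    Alerts outside `only_severity` (when given) and alerts already in
    `new_state` are left out, so the CSV only touches what actually changes.
    """
    if new_state not in VALID_STATES:
        raise ValueError(f"state must be one of {sorted(VALID_STATES)}, got {new_state!r}")
    rows = []
    for alert in json.loads(export_json):
        if only_severity and alert.get("severity") != only_severity:
            continue
        if alert.get("state") == new_state:
            continue
        rows.append((alert["id"], new_state, note))
    return rows


def rows_to_csv(rows):
    """Serialise rows under the id,state,note header this page documents.

    The csv module quotes notes that contain commas or quotes, so free-text
    notes cannot shift the state column.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "state", "note"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_bulk_update_rows(
        SAMPLE_EXPORT, "IN_PROGRESS", "triage started", only_severity="HIGH"
    )
    with open("bulk_update.csv", "w", newline="") as fh:
        fh.write(rows_to_csv(rows))
    print(f"wrote {len(rows)} row(s); next: alerts bulk update bulk_update.csv")
```

Skipping alerts that are already in the target state keeps the bulk update idempotent: re-running the script after a partial failure only re-submits what still needs changing.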

clear-checkpoint
Remove the saved alert checkpoint from --use-checkpoint/-c mode.
alerts clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
Arguments
- CHECKPOINT_NAME
  Required argument

search
Search for alerts.
alerts search [OPTIONS]
Options
- --state <state>
  Filter alerts by status. Defaults to returning all statuses.
  Options: RESOLVED|IN_PROGRESS|OPEN|PENDING
- --severity <severity>
  Filter alerts by severity. Defaults to returning all severities.
  Options: HIGH|LOW|MEDIUM
- --description <description>
  Filter alerts by description. Does fuzzy search by default.
- --exclude-rule-type <exclude_rule_type>
  Filter alerts by excluding the given rule type(s).
- --rule-type <rule_type>
  Filter alerts by including the given rule type(s).
  Options: FedCloudSharePermissions|FedEndpointExfiltration|FedFileTypeMismatch
- --exclude-rule-id <exclude_rule_id>
  Filter alerts by excluding the given rule id(s).
- --rule-id <rule_id>
  Filter alerts by including the given rule id(s).
- --exclude-rule-name <exclude_rule_name>
  Filter alerts by excluding the given rule name(s).
- --rule-name <rule_name>
  Filter alerts by including the given rule name(s).
- --exclude-actor-contains <exclude_actor_contains>
  Filter alerts by excluding actor(s) whose cloud alias contains the given string.
- --exclude-actor <exclude_actor>
  Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.
- --actor-contains <actor_contains>
  Filter alerts by including actor(s) whose cloud alias contains the given string.
- --actor <actor>
  Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.
- -b, --begin <begin>
  The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format, where the time portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15'), or a 'short time' value representing days (30d), hours (24h) or minutes (15m) from the current time.
- -e, --end <end>
  The end of the date range in which to look for alerts; argument format options are the same as --begin.
- --advanced-query <QUERY_JSON>
  A raw JSON alerts query. Useful when the provided query parameters do not satisfy your requirements. The argument can be passed as a string, read from stdin by passing '-', or read from a file if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
  Only get alerts that were not previously retrieved.
- --or-query
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
- --include-all
  Display simple properties of the primary level of the nested response.
- -f, --format <format>
  The output format of the result. Defaults to table format.
  Options: TABLE|CSV|JSON|RAW-JSON
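The `--begin`/`--end` formats above mix absolute timestamps with partial times and relative "short time" values, and a mistake silently changes the window a search covers. The Python code below is an added example, a reimplementation of the formats this page lists rather than the Code42 CLI's own parser, that resolves each value to a UTC datetime so you can check what window a pair of arguments selects before running `alerts search` or `alerts send-to`. Two points are assumptions rather than documented behaviour: a partial time fills the omitted fields with zero ('2020-01-01 12' becomes 12:00:00), and an omitted `--end` means now. `EXAMPLE_NOW` is a constructed reference instant so the demo output is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Short-time values listed on the page: days (30d), hours (24h), minutes (15m).
_SHORT_TIME = re.compile(r"^(\d+)([dhm])$")

# Absolute formats, most specific first. A partial time such as
# '2020-01-01 12' is ASSUMED to mean 12:00:00 (omitted fields become zero).
_ABSOLUTE_FORMATS = (
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d %H:%M",
    "%Y-%m-%d %H",
    "%Y-%m-%d",
)

# Constructed reference instant so the demo below is deterministic.
EXAMPLE_NOW = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_time_arg(value, now=None):
    """Resolve one --begin/--end value to a timezone-aware UTC datetime."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    match = _SHORT_TIME.match(value)
    if match:
        amount, unit = int(match.group(1)), match.group(2)
        delta = {
            "d": timedelta(days=amount),
            "h": timedelta(hours=amount),
            "m": timedelta(minutes=amount),
        }[unit]
        return now - delta
    for fmt in _ABSOLUTE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized date/time argument: {value!r}")


def resolve_window(begin, end=None, now=None):
    """Return (start, stop) for a --begin/--end pair.

    An omitted --end is ASSUMED to mean 'now'. An empty or inverted window is
    rejected so that a typo such as --begin 1h --end 2h is caught before the
    search runs and quietly returns nothing.
    """
    now = now or datetime.now(timezone.utc)
    start = parse_time_arg(begin, now)
    stop = parse_time_arg(end, now) if end else now
    if start >= stop:
        raise ValueError(
            f"--begin ({start.isoformat()}) must be earlier than --end ({stop.isoformat()})"
        )
    return start, stop


if __name__ == "__main__":
    for args in (("30d",), ("2020-01-01 12", "2020-01-01 01:15"), ("24h", "15m")):
        try:
            start, stop = resolve_window(*args, now=EXAMPLE_NOW)
            print(args, "->", start.isoformat(), "to", stop.isoformat())
        except ValueError as exc:
            print(args, "-> rejected:", exc)
```

The second demo pair is rejected on purpose: '2020-01-01 12' resolves to noon while '2020-01-01 01:15' resolves to just after 1 a.m. on the same day, so the window is inverted.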

send-to
Send alerts to the given server address.
HOSTNAME format: address:port where port is optional and defaults to 514.
alerts send-to [OPTIONS] HOSTNAME
Options
- --state <state>
  Filter alerts by status. Defaults to returning all statuses.
  Options: RESOLVED|IN_PROGRESS|OPEN|PENDING
- --severity <severity>
  Filter alerts by severity. Defaults to returning all severities.
  Options: HIGH|LOW|MEDIUM
- --description <description>
  Filter alerts by description. Does fuzzy search by default.
- --exclude-rule-type <exclude_rule_type>
  Filter alerts by excluding the given rule type(s).
- --rule-type <rule_type>
  Filter alerts by including the given rule type(s).
  Options: FedCloudSharePermissions|FedEndpointExfiltration|FedFileTypeMismatch
- --exclude-rule-id <exclude_rule_id>
  Filter alerts by excluding the given rule id(s).
- --rule-id <rule_id>
  Filter alerts by including the given rule id(s).
- --exclude-rule-name <exclude_rule_name>
  Filter alerts by excluding the given rule name(s).
- --rule-name <rule_name>
  Filter alerts by including the given rule name(s).
- --exclude-actor-contains <exclude_actor_contains>
  Filter alerts by excluding actor(s) whose cloud alias contains the given string.
- --exclude-actor <exclude_actor>
  Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.
- --actor-contains <actor_contains>
  Filter alerts by including actor(s) whose cloud alias contains the given string.
- --actor <actor>
  Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor's cloud alias exactly.
- -b, --begin <begin>
  The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format, where the time portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15'), or a 'short time' value representing days (30d), hours (24h) or minutes (15m) from the current time.
- -e, --end <end>
  The end of the date range in which to look for alerts; argument format options are the same as --begin.
- --advanced-query <QUERY_JSON>
  A raw JSON alerts query. Useful when the provided query parameters do not satisfy your requirements. The argument can be passed as a string, read from stdin by passing '-', or read from a file if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
  Only get alerts that were not previously retrieved.
- --or-query
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
- --ignore-cert-validation
  Set to skip CA certificate validation. Incompatible with the 'certs' option.
- --certs <certs>
  A CA certificates-chain file for the TCP-TLS protocol.
- -p, --protocol <protocol>
  Protocol used to send logs to the server. Use TCP-TLS for additional security. Defaults to UDP.
  Options: TCP|UDP|TLS-TCP
- --include-all
  Display simple properties of the primary level of the nested response.
- -f, --format <format>
  The output format of the result. Defaults to json format.
  Options: JSON|RAW-JSON
Arguments
- HOSTNAME
  Required argument

show
Display the details of a single alert.
alerts show [OPTIONS] ALERT_ID
Options
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
- --include-observations
  View observations of the alert.
Arguments
- ALERT_ID
  Required argument

update
Update alert information.
alerts update [OPTIONS] ALERT_ID
Options
- -d, --debug
  Turn on debug logging.
- --totp <totp>
  TOTP token for multi-factor authentication.
- --profile <profile>
  The name of the Code42 CLI profile to use when executing this command.
- --state <state>
  The state to give to the alert.
  Options: RESOLVED|IN_PROGRESS|OPEN|PENDING
- --note <note>
  A note to attach to the alert.
Arguments
- ALERT_ID
  Required argument