Security Data
Warning
V1 file events, saved searches, and queries are deprecated.
See more information in the Enable V2 File Events User Guide.
security-data
Get and send file event data.
security-data [OPTIONS] COMMAND [ARGS]...
clear-checkpoint
Remove the saved file event checkpoint from --use-checkpoint/-c mode.
security-data clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
Arguments
- CHECKPOINT_NAME
Required argument
saved-search
Search for file events using saved searches.
security-data saved-search [OPTIONS] COMMAND [ARGS]...
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
list
List available saved searches.
security-data saved-search list [OPTIONS]
Options
- -f, --format <format>
The output format of the result. Defaults to table format.
- Options
TABLE | CSV | JSON | RAW-JSON
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
show
Get the details of a saved search.
security-data saved-search show [OPTIONS] SEARCH_ID
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
Arguments
- SEARCH_ID
Required argument
search
Search for file events.
security-data search [OPTIONS]
Options
- --saved-search <saved_search>
Get events from a saved search filter with the given ID. WARNING: Using a saved search is incompatible with other query-building arguments.
- --risk-severity <risk_severity>
Limits events to those classified by the given risk severity.
- Options
CRITICAL | HIGH | LOW | MODERATE | NO_RISK_INDICATED
- --risk-indicator <risk_indicator>
Limits events to those classified by the given risk indicator categories.
- Options
PUBLIC_CORPORATE_BOX | PUBLIC_CORPORATE_GOOGLE | PUBLIC_CORPORATE_ONEDRIVE | SENT_CORPORATE_GMAIL | SHARED_CORPORATE_BOX | SHARED_CORPORATE_GOOGLE_DRIVE | SHARED_CORPORATE_ONEDRIVE | AMAZON_DRIVE | BOX | DROPBOX | GOOGLE_DRIVE | ICLOUD | MEGA | ONEDRIVE | ZOHO | BITBUCKET | GITHUB | GITLAB | SOURCEFORGE | STASH | 163.COM | 126.COM | AOL | COMCAST | GMAIL | ICLOUD_MAIL | MAIL.COM | OUTLOOK | PROTONMAIL | QQMAIL | SINA_MAIL | SOHU_MAIL | YAHOO | ZOHO_MAIL | AIRDROP | REMOVABLE_MEDIA | AUDIO | DOCUMENT | EXECUTABLE | IMAGE | PDF | PRESENTATION | SCRIPT | SOURCE_CODE | SPREADSHEET | VIDEO | VIRTUAL_DISK_IMAGE | ZIP | FACEBOOK_MESSENGER | MICROSOFT_TEAMS | SLACK | WHATSAPP | OTHER | UNKNOWN | FACEBOOK | LINKEDIN | REDDIT | TWITTER | FILE_MISMATCH | OFF_HOURS | REMOTE | FIRST_DESTINATION_USE | RARE_DESTINATION_USE
- --include-non-exposure
Get all events including non-exposure events.
- --tab-url <tab_url>
Limits events to be exposure events with one of the specified destination tab URLs.
- --process-owner <process_owner>
Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events.
- --file-category <file_category>
Limits events to file events where the file can be classified by one of these categories.
- Options
Audio | Document | Executable | Image | Pdf | Presentation | Script | SourceCode | Spreadsheet | Video | VirtualDiskImage | Archive
- --file-path <file_path>
Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.
- --file-name <file_name>
Limits events to file events where the file has one of these names.
- --source <source>
Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.
- --sha256 <sha256>
Limits events to file events where the file has one of these SHA256 hashes.
- --md5 <md5>
Limits events to file events where the file has one of these MD5 hashes.
- --actor <actor>
Limits events to only those enacted by the cloud service user of the person who caused the event.
- --c42-username <c42_username>
Limits events to endpoint events for these Code42 users.
- --event-action <event_action>
Limits events to those with the given event action. Only compatible with V2 file events.
- Options
application-read | file-created | file-deleted | file-downloaded | file-emailed | file-modified | file-printed | file-shared | removable-media-created | removable-media-deleted | removable-media-modified | sync-app-created | sync-app-deleted | sync-app-modified
- -t, --type <type>
Limits events to those with the given exposure types. Only compatible with V1 file events.
- Options
ApplicationRead | CloudStorage | IsPublic | OutsideTrustedDomains | RemovableMedia | SharedToDomain | SharedViaLink
- -b, --begin <begin>
The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time. [required unless --use-checkpoint option used]
- -e, --end <end>
The end of the date range in which to look for file events; the argument format options are the same as for --begin.
- --or-query
Combine query filter options with ‘OR’ logic instead of the default ‘AND’.
- --advanced-query <QUERY_JSON>
A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘--advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
Use a checkpoint with the given name to only get file events that were not previously retrieved. If a checkpoint for file events with the given name doesn’t exist, it will be created on the first run. Subsequent CLI runs with this flag and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint.
- --columns <columns>
Filter output to include only specified columns. Accepts comma-separated list of column names (case-insensitive).
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --include-all
Display simple properties of the primary level of the nested response.
- -f, --format <format>
The output format of the result. Defaults to table format.
- Options
TABLE | CSV | JSON | RAW-JSON | CEF
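The `--begin`/`--end` value formats and the `--use-checkpoint` behaviour described above are easiest to reason about in code. The following is an added example, not code from the Code42 CLI: it parses the three accepted time forms (a date, a date with a partial time, and a short time such as `30d`) into UTC datetimes, and models a named checkpoint that stores the timestamp of the newest event returned so the next run only fetches events not previously retrieved. The names `parse_time_arg`, `Checkpoint`, `resolve_begin` and `run_search`, the JSON checkpoint file layout, and the events list are assumptions made for illustration; the rule that a first run with no stored checkpoint still needs `--begin` is also an assumption.

```python
"""Added example (not Code42 CLI code): parse --begin/--end style values and
model the --use-checkpoint behaviour. All names here are assumptions."""
import json
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

_SHORT_TIME = re.compile(r"^(\d+)([dhm])$")
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}
# Partial time portions allowed by the reference: HH, HH:MM or HH:MM:SS.
_FORMATS = ("%Y-%m-%d", "%Y-%m-%d %H", "%Y-%m-%d %H:%M", "%Y-%m-%d %H:%M:%S")


def parse_time_arg(value, now=None):
    """Return an aware UTC datetime for a --begin/--end style value.

    Accepts 'yyyy-MM-dd', 'yyyy-MM-dd HH[:MM[:SS]]' (read as UTC), or a
    short time such as 30d / 24h / 15m counted back from `now`.
    """
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    match = _SHORT_TIME.match(value)
    if match:
        amount, unit = int(match.group(1)), match.group(2)
        return now - timedelta(**{_UNITS[unit]: amount})
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date/time value: {value!r}")


class Checkpoint:
    """A named checkpoint file holding the timestamp of the last event
    retrieved; the name is what -c/--use-checkpoint takes (assumed layout)."""

    def __init__(self, directory, name):
        self.path = Path(directory) / f"{name}.json"

    def read(self):
        if not self.path.exists():
            return None
        stamp = json.loads(self.path.read_text())["last_event_utc"]
        return datetime.fromisoformat(stamp)

    def write(self, last_event_utc):
        self.path.parent.mkdir(parents=True, exist_ok=True)
        self.path.write_text(json.dumps({"last_event_utc": last_event_utc.isoformat()}))

    def clear(self):
        # The equivalent of `security-data clear-checkpoint NAME`.
        self.path.unlink(missing_ok=True)


def resolve_begin(begin_arg, checkpoint=None, now=None):
    """Decide the effective query start.

    A stored checkpoint wins, so only events not previously retrieved are
    returned. On a first run (no stored checkpoint) the explicit --begin value
    is used; with neither the call is rejected (assumed, mirroring
    '[required unless --use-checkpoint option used]').
    """
    stored = checkpoint.read() if checkpoint else None
    if stored is not None:
        return stored
    if begin_arg is None:
        raise ValueError("--begin is required unless --use-checkpoint is used")
    return parse_time_arg(begin_arg, now=now)


def run_search(begin_arg, events, checkpoint=None, now=None):
    """Filter events by the resolved begin time and advance the checkpoint to
    the newest event returned. `events` is a constructed list of
    (event_timestamp_utc, payload) pairs standing in for API results."""
    begin = resolve_begin(begin_arg, checkpoint, now)
    selected = [(ts, payload) for ts, payload in events if ts > begin]
    if checkpoint and selected:
        checkpoint.write(max(ts for ts, _ in selected))
    return selected
```

Running `run_search` twice with the same checkpoint name returns the events once and then nothing until new events arrive after the stored timestamp; `Checkpoint.clear()` resets that state, which is what `clear-checkpoint` does for the CLI.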
send-to
Send events to the given server address.
HOSTNAME format: address:port where port is optional and defaults to 514.
security-data send-to [OPTIONS] HOSTNAME
Options
- --saved-search <saved_search>
Get events from a saved search filter with the given ID. WARNING: Using a saved search is incompatible with other query-building arguments.
- --risk-severity <risk_severity>
Limits events to those classified by the given risk severity.
- Options
CRITICAL | HIGH | LOW | MODERATE | NO_RISK_INDICATED
- --risk-indicator <risk_indicator>
Limits events to those classified by the given risk indicator categories.
- Options
PUBLIC_CORPORATE_BOX | PUBLIC_CORPORATE_GOOGLE | PUBLIC_CORPORATE_ONEDRIVE | SENT_CORPORATE_GMAIL | SHARED_CORPORATE_BOX | SHARED_CORPORATE_GOOGLE_DRIVE | SHARED_CORPORATE_ONEDRIVE | AMAZON_DRIVE | BOX | DROPBOX | GOOGLE_DRIVE | ICLOUD | MEGA | ONEDRIVE | ZOHO | BITBUCKET | GITHUB | GITLAB | SOURCEFORGE | STASH | 163.COM | 126.COM | AOL | COMCAST | GMAIL | ICLOUD_MAIL | MAIL.COM | OUTLOOK | PROTONMAIL | QQMAIL | SINA_MAIL | SOHU_MAIL | YAHOO | ZOHO_MAIL | AIRDROP | REMOVABLE_MEDIA | AUDIO | DOCUMENT | EXECUTABLE | IMAGE | PDF | PRESENTATION | SCRIPT | SOURCE_CODE | SPREADSHEET | VIDEO | VIRTUAL_DISK_IMAGE | ZIP | FACEBOOK_MESSENGER | MICROSOFT_TEAMS | SLACK | WHATSAPP | OTHER | UNKNOWN | FACEBOOK | LINKEDIN | REDDIT | TWITTER | FILE_MISMATCH | OFF_HOURS | REMOTE | FIRST_DESTINATION_USE | RARE_DESTINATION_USE
- --include-non-exposure
Get all events including non-exposure events.
- --tab-url <tab_url>
Limits events to be exposure events with one of the specified destination tab URLs.
- --process-owner <process_owner>
Limits exposure events by process owner, as reported by the device’s operating system. Applies only to Printed and Browser or app read events.
- --file-category <file_category>
Limits events to file events where the file can be classified by one of these categories.
- Options
Audio | Document | Executable | Image | Pdf | Presentation | Script | SourceCode | Spreadsheet | Video | VirtualDiskImage | Archive
- --file-path <file_path>
Limits events to file events where the file is located at one of these paths. Applies to endpoint file events only.
- --file-name <file_name>
Limits events to file events where the file has one of these names.
- --source <source>
Limits events to only those from one of these sources. For example, Gmail, Box, or Endpoint.
- --sha256 <sha256>
Limits events to file events where the file has one of these SHA256 hashes.
- --md5 <md5>
Limits events to file events where the file has one of these MD5 hashes.
- --actor <actor>
Limits events to only those enacted by the cloud service user of the person who caused the event.
- --c42-username <c42_username>
Limits events to endpoint events for these Code42 users.
- --event-action <event_action>
Limits events to those with the given event action. Only compatible with V2 file events.
- Options
application-read | file-created | file-deleted | file-downloaded | file-emailed | file-modified | file-printed | file-shared | removable-media-created | removable-media-deleted | removable-media-modified | sync-app-created | sync-app-deleted | sync-app-modified
- -t, --type <type>
Limits events to those with the given exposure types. Only compatible with V1 file events.
- Options
ApplicationRead | CloudStorage | IsPublic | OutsideTrustedDomains | RemovableMedia | SharedToDomain | SharedViaLink
- -b, --begin <begin>
The beginning of the date range in which to look for file events. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where the ‘time’ portion of the string can be partial (e.g. ‘2020-01-01 12’ or ‘2020-01-01 01:15’) or a ‘short time’ value representing days (30d), hours (24h) or minutes (15m) from the current time. [required unless --use-checkpoint option used]
- -e, --end <end>
The end of the date range in which to look for file events; the argument format options are the same as for --begin.
- --or-query
Combine query filter options with ‘OR’ logic instead of the default ‘AND’.
- --advanced-query <QUERY_JSON>
A raw JSON file events query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing ‘-’, or from a filename if prefixed with ‘@’, e.g. ‘--advanced-query @query.json’. WARNING: Using advanced queries is incompatible with other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
Use a checkpoint with the given name to only get file events that were not previously retrieved. If a checkpoint for file events with the given name doesn’t exist, it will be created on the first run. Subsequent CLI runs with this flag and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint.
- --columns <columns>
Filter output to include only specified columns. Accepts comma-separated list of column names (case-insensitive).
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --ignore-cert-validation
Set to skip CA certificate validation. Incompatible with the ‘certs’ option.
- --certs <certs>
A CA certificates-chain file for the TCP-TLS protocol.
- -p, --protocol <protocol>
Protocol used to send logs to server. Use TCP-TLS for additional security. Defaults to UDP.
- Options
TCP | UDP | TLS-TCP
- -f, --format <format>
The output format of the result. Defaults to RAW-JSON format.
- Options
CEF | JSON | RAW-JSON
Arguments
- HOSTNAME
Required argument
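The `send-to` transport options above decide whether file event data leaves the host in the clear and whether the receiving server is authenticated. The following is an added example, not code from the Code42 CLI: it splits the `HOSTNAME` argument into address and port (defaulting to 514), builds the TLS client context a TLS-TCP sender would use with `--certs` or with `--ignore-cert-validation`, and enforces the incompatibility the reference states between those two options. The names `parse_hostname`, `build_tls_context` and `plan_send_to`, the returned plan dictionary, and the decision to reject certificate options with a non-TLS protocol are assumptions made for illustration; IPv6 literals are not handled.

```python
"""Added example (not Code42 CLI code): model the send-to destination and
transport options. Function names and the plan layout are assumptions."""
import ssl

DEFAULT_SYSLOG_PORT = 514          # the default named in the reference
PROTOCOLS = ("TCP", "UDP", "TLS-TCP")


def parse_hostname(hostname):
    """Split 'address:port' into (address, port); port defaults to 514.
    Hostnames and IPv4 literals only (IPv6 brackets not handled here)."""
    address, sep, port = hostname.rpartition(":")
    if not sep:
        return hostname, DEFAULT_SYSLOG_PORT
    if not address or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid HOSTNAME {hostname!r}: expected address[:port]")
    return address, int(port)


def build_tls_context(certs=None, ignore_cert_validation=False):
    """Return the ssl.SSLContext a TLS-TCP sender would use.

    --certs supplies a CA chain file and keeps peer verification on, so the
    forwarder only talks to a server that chains to that CA. Skipping
    validation means any listener that terminates TLS can receive the
    file event stream, which is why the reference marks the two options as
    incompatible; that rule is enforced here.
    """
    if certs and ignore_cert_validation:
        raise ValueError("--ignore-cert-validation is incompatible with --certs")
    if ignore_cert_validation:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Default context: CERT_REQUIRED plus hostname checking. cafile=None means
    # the system trust store; a private CA chain is what --certs points at.
    return ssl.create_default_context(cafile=certs)


def plan_send_to(hostname, protocol="UDP", certs=None, ignore_cert_validation=False):
    """Validate a send-to invocation and describe the resulting transport."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    address, port = parse_hostname(hostname)
    plan = {
        "address": address,
        "port": port,
        "protocol": protocol,
        "encrypted": protocol == "TLS-TCP",
        "verify_peer": None,              # only meaningful for TLS-TCP
    }
    if protocol == "TLS-TCP":
        ctx = build_tls_context(certs, ignore_cert_validation)
        plan["verify_peer"] = ctx.verify_mode == ssl.CERT_REQUIRED
    elif certs or ignore_cert_validation:
        # Assumed rule: certificate options with a plaintext protocol are a
        # misconfiguration, not an encrypted channel, so reject them outright.
        raise ValueError("--certs/--ignore-cert-validation require --protocol TLS-TCP")
    return plan
```

With the defaults (`UDP`, no certificate options) the plan is unencrypted and unauthenticated; `TLS-TCP` with `--certs` yields `verify_peer: True`, and `TLS-TCP` with `--ignore-cert-validation` yields `verify_peer: False`, which is the case to look for when reviewing a forwarder configuration.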