alerts
Get and send alert data.
alerts [OPTIONS] COMMAND [ARGS]...
bulk
Tools for executing bulk alert actions.
alerts bulk [OPTIONS] COMMAND [ARGS]...
generate-template
Generate the CSV template needed for bulk alert commands.
alerts bulk generate-template [OPTIONS] [update]
Options
- -p, --path <path>
Write template file to specific file path/name.
Arguments
- CMD
Required argument. The bulk command to generate a template for; the only supported value is update.
update
Bulk update alerts using a CSV file with the header row id,state,note. The state column takes the same values as the update command (RESOLVED | IN_PROGRESS | OPEN | PENDING).
alerts bulk update [OPTIONS] CSV_FILE
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
Arguments
- CSV_FILE
Required argument
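The id,state,note file is usually produced from a search rather than typed by hand. The following is an added example, not code from the code42cli project: it turns the output of alerts search -f JSON into a CSV that alerts bulk update accepts, validates the state value before anything is written, and lets the csv module quote free-text notes so a comma in an analyst note cannot shift columns. The search output embedded in it is constructed; only the id field and the CSV header come from this page, the other JSON fields (actor, severity) and the script name make_bulk_csv.py are assumptions.

```python
"""Build the CSV that `code42 alerts bulk update` consumes (header: id,state,note)
from the output of `code42 alerts search -f JSON`.

Added example, not code from the code42cli project. The search output below is
constructed; only the "id" field and the CSV header are taken from the reference
page, the other JSON fields are assumed and may differ in your tenant.
"""
import csv
import io
import json
import sys

# The states accepted by `alerts update --state` and, by extension, the bulk CSV.
ALLOWED_STATES = {"RESOLVED", "IN_PROGRESS", "OPEN", "PENDING"}
CSV_HEADER = ["id", "state", "note"]

# Constructed sample of `alerts search -f JSON` output, one object per line.
SAMPLE_SEARCH_OUTPUT = """\
{"id": "a1b2-0001", "actor": "svc-backup@example.com", "severity": "LOW"}
{"id": "a1b2-0002", "actor": "jdoe@example.com", "severity": "HIGH"}
{"id": "a1b2-0003", "actor": "svc-backup@example.com", "severity": "MODERATE"}
"""


def parse_search_output(text):
    """Accept either a JSON array or one JSON object per line (JSON Lines).

    Both shapes are handled because the exact JSON layout is not fixed by the
    reference page; empty input yields an empty list rather than an error.
    """
    text = text.strip()
    if not text:
        return []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return data if isinstance(data, list) else [data]


def build_bulk_update_rows(alerts, state, note, actor=None):
    """Return CSV rows (dicts) for the alerts to update.

    `state` is validated up front so a typo such as "RESOLVD" fails here rather
    than partway through a bulk run. When `actor` is given, only alerts whose
    "actor" field matches exactly are included (mirrors --actor on search).
    """
    if state not in ALLOWED_STATES:
        raise ValueError(f"state must be one of {sorted(ALLOWED_STATES)}, got {state!r}")
    rows = []
    for alert in alerts:
        if actor is not None and alert.get("actor") != actor:
            continue
        rows.append({"id": alert["id"], "state": state, "note": note})
    return rows


def render_csv(rows):
    """Serialise rows under the id,state,note header.

    csv.DictWriter quotes any note containing a comma, quote or newline, so a
    free-text analyst note cannot shift columns or inject an extra row.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: code42 alerts search -b 7d -f JSON | python make_bulk_csv.py > resolve.csv
    #        code42 alerts bulk update resolve.csv
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SEARCH_OUTPUT
    selected = build_bulk_update_rows(
        parse_search_output(raw),
        state="RESOLVED",
        note="Known backup job, see ticket 123",
        actor="svc-backup@example.com",
    )
    sys.stdout.write(render_csv(selected))
```

Review the generated file before running bulk update: the CSV is the only thing standing between a loose actor filter and a mass state change on alerts you did not intend to touch.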
clear-checkpoint
Remove the saved alert checkpoint from --use-checkpoint/-c mode.
alerts clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
Arguments
- CHECKPOINT_NAME
Required argument
search
Search for alerts.
alerts search [OPTIONS]
Options
- --state <state>
Filter alerts by status. Defaults to returning all statuses.
- Options
RESOLVED | IN_PROGRESS | OPEN | PENDING
- --severity <severity>
Filter alerts by severity. Defaults to returning all severities.
- Options
CRITICAL | HIGH | MODERATE | LOW
- --description <description>
Filter alerts by description. Does fuzzy search by default.
- --exclude-rule-type <exclude_rule_type>
Filter alerts by excluding the given rule type(s).
- --rule-type <rule_type>
Filter alerts by including the given rule type(s).
- Options
FedCloudSharePermissions | FedEndpointExfiltration | FedFileTypeMismatch
- --exclude-rule-id <exclude_rule_id>
Filter alerts by excluding the given rule id(s).
- --rule-id <rule_id>
Filter alerts by including the given rule id(s).
- --exclude-rule-name <exclude_rule_name>
Filter alerts by excluding the given rule name(s).
- --rule-name <rule_name>
Filter alerts by including the given rule name(s).
- --exclude-actor-contains <exclude_actor_contains>
Filter alerts by excluding actor(s) whose cloud alias contains the given string.
- --exclude-actor <exclude_actor>
Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match actor’s cloud alias exactly.
- --actor-contains <actor_contains>
Filter alerts by including actor(s) whose cloud alias contains the given string.
- --actor <actor>
Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor’s cloud alias exactly.
- -b, --begin <begin>
The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format where the 'time' portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15'), or a 'short time' value representing days (30d), hours (24h) or minutes (15m) before the current time. [required unless the --use-checkpoint option is used]
- -e, --end <end>
The end of the date range in which to look for alerts, argument format options are the same as –begin.
- --advanced-query <QUERY_JSON>
A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing '-', or from a filename if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with the other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
Use a checkpoint with the given name to only get alerts that were not previously retrieved. If a checkpoint for alerts with the given name doesn't exist, it will be created on the first run. Subsequent CLI runs with this flag and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint.
- --or-query
Combine the query filter options into a single OR group instead of the default AND groups.
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --include-all
Display simple properties of the primary level of the nested response.
- -f, --format <format>
The output format of the result. Defaults to table format.
- Options
TABLE | CSV | JSON | RAW-JSON
send-to
Send alerts to the given server address.
HOSTNAME format: address:port where port is optional and defaults to 514.
alerts send-to [OPTIONS] HOSTNAME
Options
- --state <state>
Filter alerts by status. Defaults to returning all statuses.
- Options
RESOLVED | IN_PROGRESS | OPEN | PENDING
- --severity <severity>
Filter alerts by severity. Defaults to returning all severities.
- Options
CRITICAL | HIGH | MODERATE | LOW
- --description <description>
Filter alerts by description. Does fuzzy search by default.
- --exclude-rule-type <exclude_rule_type>
Filter alerts by excluding the given rule type(s).
- --rule-type <rule_type>
Filter alerts by including the given rule type(s).
- Options
FedCloudSharePermissions | FedEndpointExfiltration | FedFileTypeMismatch
- --exclude-rule-id <exclude_rule_id>
Filter alerts by excluding the given rule id(s).
- --rule-id <rule_id>
Filter alerts by including the given rule id(s).
- --exclude-rule-name <exclude_rule_name>
Filter alerts by excluding the given rule name(s).
- --rule-name <rule_name>
Filter alerts by including the given rule name(s).
- --exclude-actor-contains <exclude_actor_contains>
Filter alerts by excluding actor(s) whose cloud alias contains the given string.
- --exclude-actor <exclude_actor>
Filter alerts by excluding the given actor(s) who triggered the alert. Arguments must match actor’s cloud alias exactly.
- --actor-contains <actor_contains>
Filter alerts by including actor(s) whose cloud alias contains the given string.
- --actor <actor>
Filter alerts by including the given actor(s) who triggered the alert. Arguments must match the actor’s cloud alias exactly.
- -b, --begin <begin>
The beginning of the date range in which to look for alerts. Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC, 24-hour time) format where the 'time' portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15'), or a 'short time' value representing days (30d), hours (24h) or minutes (15m) before the current time. [required unless the --use-checkpoint option is used]
- -e, --end <end>
The end of the date range in which to look for alerts, argument format options are the same as –begin.
- --advanced-query <QUERY_JSON>
A raw JSON alerts query. Useful for when the provided query parameters do not satisfy your requirements. Argument can be passed as a string, read from stdin by passing '-', or from a filename if prefixed with '@', e.g. '--advanced-query @query.json'. WARNING: Using advanced queries is incompatible with the other query-building arguments.
- -c, --use-checkpoint <use_checkpoint>
Use a checkpoint with the given name to only send alerts that were not previously retrieved. If a checkpoint for alerts with the given name doesn't exist, it will be created on the first run. Subsequent CLI runs with this flag and the same name will use the stored checkpoint to modify the search query and then update the stored checkpoint.
- --or-query
Combine the query filter options into a single OR group instead of the default AND groups.
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --ignore-cert-validation
Set to skip CA certificate validation. Incompatible with the 'certs' option. Skipping validation leaves a TLS-TCP connection open to interception by anyone who can answer for the server's address, so reserve it for troubleshooting and never bake it into a scheduled forwarder.
- --certs <certs>
A CA certificate-chain file used to validate the receiving server when using the TLS-TCP protocol.
- -p, --protocol <protocol>
Protocol used to send logs to the server. Defaults to UDP, which carries alert data in cleartext with no delivery guarantee; use TLS-TCP for confidentiality and integrity in transit.
- Options
TCP | UDP | TLS-TCP
- --include-all
Display simple properties of the primary level of the nested response.
- -f, --format <format>
The output format of the result. Defaults to json format.
- Options
JSON | RAW-JSON
Arguments
- HOSTNAME
Required argument
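The --begin and --end options of both search and send-to accept the same three forms: a UTC date, a UTC date with a full or partial 24-hour time, or a short relative value such as 30d, 24h or 15m. The following is an added example, not code from the code42cli project, that implements exactly that grammar and rejects anything outside it, which is what you want in a scheduled forwarder where an unparsed value must not silently widen or empty the window. Where the page is silent (a date with no time portion, and an --end given as a bare date) the example assumes 00:00:00 UTC; how the real CLI rounds those is not stated here, so confirm it before depending on it.

```python
"""Parse the --begin/--end argument grammar documented for `alerts search` and
`alerts send-to` into aware UTC datetimes.

Added example, not code from the code42cli project; it implements only the
grammar stated on the reference page. A date with no time portion is taken as
00:00:00 UTC (assumption; the page does not say how the CLI rounds it).
"""
import re
from datetime import datetime, timedelta, timezone

# "30d", "24h", "15m": whole units counted back from now.
_SHORT_TIME = re.compile(r"^(\d+)([dhm])$")
# "yyyy-MM-dd" optionally followed by " HH", " HH:MM" or " HH:MM:SS" (24-hour, UTC).
_ABSOLUTE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})(?: (\d{2})(?::(\d{2})(?::(\d{2}))?)?)?$")


def utc(*parts):
    """Shorthand for an aware UTC datetime, e.g. utc(2020, 1, 1, 12)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_timestamp(value, now=None):
    """Convert one --begin/--end style string to an aware UTC datetime.

    Anything outside the documented forms ("yesterday", "2020-1-1", a value
    with a timezone offset) raises ValueError instead of being guessed at.
    """
    value = value.strip()
    match = _SHORT_TIME.match(value)
    if match:
        count, unit = int(match.group(1)), match.group(2)
        delta = {
            "d": timedelta(days=count),
            "h": timedelta(hours=count),
            "m": timedelta(minutes=count),
        }[unit]
        return (now or datetime.now(timezone.utc)) - delta
    match = _ABSOLUTE.match(value)
    if not match:
        raise ValueError(f"unrecognised timestamp {value!r}")
    # Missing time fields default to zero (assumption, see module docstring).
    fields = [int(part) if part is not None else 0 for part in match.groups()]
    # datetime() itself rejects out-of-range fields such as month 13 or hour 25.
    return utc(*fields)


def build_range(begin, end=None, now=None):
    """Resolve a (begin, end) pair the way a search window would use it.

    Both relative values are measured from the same `now`, and an inverted
    range is rejected up front rather than quietly producing an empty result.
    """
    now = now or datetime.now(timezone.utc)
    start = parse_timestamp(begin, now)
    stop = parse_timestamp(end, now) if end else now
    if start >= stop:
        raise ValueError(f"--begin {begin!r} is not before --end {end!r}")
    return start, stop


if __name__ == "__main__":
    anchor = utc(2020, 3, 1, 12)
    for example in ("2020-01-01", "2020-01-01 12", "2020-01-01 01:15", "30d", "24h", "15m"):
        print(f"{example:>18} -> {parse_timestamp(example, now=anchor).isoformat()}")
```

Pair the relative forms with --use-checkpoint for recurring jobs: a fixed --begin re-sends the same window on every run, whereas a checkpoint moves the window forward to the last alert retrieved.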
show
Display the details of a single alert.
alerts show [OPTIONS] ALERT_ID
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --include-observations
View observations of the alert.
Arguments
- ALERT_ID
Required argument
update
Update alert information.
alerts update [OPTIONS] ALERT_ID
Options
- -d, --debug
Turn on debug logging.
- --totp <totp>
TOTP token for multi-factor authentication.
- --profile <profile>
The name of the Code42 CLI profile to use when executing this command.
- --state <state>
The state to give to the alert.
- Options
RESOLVED | IN_PROGRESS | OPEN | PENDING
- --note <note>
A note to attach to the alert.
Arguments
- ALERT_ID
Required argument