Skip to main content

The official command line tool for interacting with Code42

Project description

The Code42 CLI

Build status codecov.io versions Code style: black Documentation Status

Use the code42 command to interact with your Code42 environment.

  • code42 security-data is a CLI tool for extracting AED events. Additionally, you can choose to only get events that Code42 previously did not observe since you last recorded a checkpoint (provided you do not change your query).
  • code42 watchlists is a collection of tools for managing your employee watchlists.

Requirements

  • Python 3.6.2+

Installation

Install the code42 CLI using:

$ python3 -m pip install code42cli

Usage

First, create your profile:

code42 profile create --name MY_FIRST_PROFILE --server example.authority.com --username security.admin@example.com

Your profile contains the necessary properties for logging into Code42 servers. After running code42 profile create, the program prompts you about storing a password. If you agree, you are then prompted to input your password.

Your password is not shown when you do code42 profile show. However, code42 profile show will confirm that a password exists for your profile. If you do not set a password, you will be securely prompted to enter a password each time you run a command.

For development purposes, you may need to ignore ssl errors. If you need to do this, use the --disable-ssl-errors option when creating your profile:

code42 profile create -n MY_FIRST_PROFILE -s https://example.authority.com -u security.admin@example.com --disable-ssl-errors

You can add multiple profiles with different names and the change the default profile with the use command:

code42 profile use MY_SECOND_PROFILE

When the --profile flag is available on other commands, such as those in security-data, it will use that profile instead of the default one. For example,

code42 security-data search -b 2020-02-02 --profile MY_SECOND_PROFILE

To see all your profiles, do:

code42 profile list

Security Data and Alerts

Using the CLI, you can query for security events and alerts just like in the admin console, but the results are output to stdout so they can be written to a file or piped out to another process (for sending to an external syslog server, for example).

The following examples pertain to security events, but can also be used for alerts by replacing security-data with alerts:

To print events to stdout, do:

code42 security-data search -b <begin_date>

Note that -b or --begin is usually required.

And end date can also be given with -e or --end to query for a specific date range (if end is not passed, it will get all events up to the present time).

To specify a begin/end time, you can pass a date or a date w/ time as a string:

code42 security-data search -b '2020-02-02 12:51:00'
code42 security-data search -b '2020-02-02 12:30'
code42 security-data search -b '2020-02-02 12'
code42 security-data search -b 2020-02-02

or a shorthand string specifying either days, hours, or minutes back from the current time:

code42 security-data search -b 30d
code42 security-data search -b 10d -e 12h

Begin date will be ignored if provided on subsequent queries using -c/--use-checkpoint.

Use other formats with -f:

code42 security-data search -b 2020-02-02 -f CEF

The available formats are CEF, JSON, and RAW-JSON. Currently, CEF format is only supported for security events.

To write events to a file, just redirect your output:

code42 security-data search -b 2020-02-02 > filename.txt

To send events to an external server, use the send-to command, which behaves the same as search except for defaulting to RAW-JSON output and sending results to an external server instead of to stdout:

The default port (if none is specified on the address) is the standard syslog port 514, and default protocol is UDP:

code42 security-data send-to 10.10.10.42 -b 1d

Results can also be sent over TCP to any port by using the -p/--protocol flag and adding a port to the address argument:

code42 security-data send-to 10.10.10.42:8080 -p TCP -b 1d

Note: For more complex requirements when sending to an external server (SSL, special formatting, etc.), use a dedicated syslog forwarding tool like rsyslog or connection tunneling tool like stunnel.

If you want to periodically run the same query, but only retrieve the new events each time, use the -c/--use-checkpoint option with a name for your checkpoint. This stores the timestamp of the query's last event to a file on disk and uses that as the "begin date" timestamp filter on the next query that uses the same checkpoint name. Checkpoints are stored per profile.

Initial run requires a begin date:

code42 security-data search -b 30d --use-checkpoint my_checkpoint

Subsequent runs do not:

code42 security-data search --use-checkpoint my_checkpoint

You can also use wildcard for queries, but note, if they are not in quotes, you may get unexpected behavior.

code42 security-data search --actor "*"

The search query parameters are as follows:

  • -t/--type (exposure types)
  • -b/--begin (begin date)
  • -e/--end (end date)
  • --c42-username
  • --actor
  • --md5
  • --sha256
  • --source
  • --file-name
  • --file-path
  • --process-owner
  • --tab-url
  • --include-non-exposure (does not work with -t)
  • --advanced-query (raw JSON query)

You cannot use other query parameters if you use --advanced-query. To learn more about acceptable arguments, add the -h flag to code42 security-data

Saved Searches:

The CLI can also access "saved searches" that are stored in the admin console, and run them via their saved search ID.

Use the saved-search list subcommand to list existing searches with their IDs:

code42 security-data saved-search list

The show subcommand will give details about the search with the provided ID:

code42 security-data saved-search show <ID>

To get the results of a saved search, use the --saved-search option with your search ID on the search subcommand:

code42 security-data search --saved-search <ID>

Troubleshooting

If you keep getting prompted for your password, try resetting with code42 profile reset-pw. If that doesn't work, delete your credentials file located at ~/.code42cli or the entry in keychain.

Shell tab completion

To enable shell autocomplete when you hit tab after the first few characters of a command name, do the following:

For Bash, add this to ~/.bashrc:

eval "$(_CODE42_COMPLETE=source_bash code42)"

For Zsh, add this to ~/.zshrc:

eval "$(_CODE42_COMPLETE=source_zsh code42)"

For Fish, add this to ~/.config/fish/completions/code42.fish:

eval (env _CODE42_COMPLETE=source_fish code42)

Open a new shell to enable completion. Or run the eval command directly in your current shell to enable it temporarily.

Writing Extensions

The CLI exposes a few helpers for writing custom extension scripts powered by the CLI. Read the user-guide here.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

code42cli-1.18.0.tar.gz (80.8 kB view details)

Uploaded Source

Built Distribution

code42cli-1.18.0-py2.py3-none-any.whl (83.3 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file code42cli-1.18.0.tar.gz.

File metadata

  • Download URL: code42cli-1.18.0.tar.gz
  • Upload date:
  • Size: 80.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.18

File hashes

Hashes for code42cli-1.18.0.tar.gz
Algorithm Hash digest
SHA256 5419ff0cb70794b5c2288c19a0730eacbfab8603684b186051f1f3fa1da17077
MD5 b402266814ef29afe373b629ca895211
BLAKE2b-256 f8f55a57630f238182e28088f584909391d945d5493053de24e8146179d1c2d0

See more details on using hashes here.

File details

Details for the file code42cli-1.18.0-py2.py3-none-any.whl.

File metadata

  • Download URL: code42cli-1.18.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 83.3 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.18

File hashes

Hashes for code42cli-1.18.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 9928b49e97639f3d2a52699f8b49a489feb9c17f10a1f931ff5420af8df5004f
MD5 bf427d77639c5aad5f515a2139dba774
BLAKE2b-256 c6cecfcb0ad05e413ceed9f4f6f13378131cdbc527ca301f51419fde2cac3d0d

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page