Alerts¶

class py42.clients.alerts.AlertClient(session, user_context)¶

Bases: py42.clients.BaseClient

A client for interacting with Code42 security alerts.

The AlertClient has the ability to search, resolve, and reopen alerts. Also, it can get the details for the file event query for the event that triggered the alert.

get_details(alert_ids, tenant_id=None)¶

Gets the details for the alerts with the given IDs, including the file event query that, when passed into a search, would result in events that could have triggered the alerts.

Parameters

alert_ids (iter[str]) – The identification numbers of the alerts for which you want to get details for.
tenant_id (str, optional) – The unique identifier of the tenant that the alerts belong to. When given None, it uses the currently logged in user’s tenant ID. Defaults to None.

Returns

A response containing the alert details.

Return type

py42.response.Py42Response

reopen(alert_ids, tenant_id=None, reason=None)¶

Reopens the resolved alerts with the given IDs.

Parameters

alert_ids (iter[str]) – The identification numbers for the alerts to reopen.
tenant_id (str, optional) – The unique identifier for the tenant that the alerts belong to. When given None, it uses the currently logged in user’s tenant ID. Defaults to None.
reason (str, optional) – The reason the alerts are reopened. Defaults to None.

Returns

py42.response.Py42Response

resolve(alert_ids, tenant_id=None, reason=None)¶

Resolves the alerts with the given IDs.

Parameters

alert_ids (iter[str]) – The identification numbers for the alerts to resolve.
tenant_id (str, optional) – The unique identifier for the tenant that the alerts belong to. When given None, it uses the currently logged in user’s tenant ID. Defaults to None.
reason (str, optional) – The reason the alerts are now resolved. Defaults to None.

Returns

py42.response.Py42Response

search(query)¶

Searches alerts using the given py42.sdk.queries.alerts.alert_query.AlertQuery.

Parameters: query (py42.sdk.queries.alerts.alert_query.AlertQuery) – An alert query. See the Executing Searches User Guide to learn more about how to construct a query.
Returns: A response containing the alerts that match the given query.
Return type: py42.response.Py42Response

class py42.sdk.queries.alerts.alert_query.AlertQuery(*args, **kwargs)¶

Bases: py42.sdk.queries.BaseQuery

Helper class for building Code42 Alert queries.

An AlertQuery instance’s all() and any() take one or more FilterGroup objects to construct a query that can be passed to the AlertClient.search() method. all() returns results that match all of the provided filter criteria, any() will return results that match any of the filters.

For convenience, the AlertQuery constructor does the same as all().

Usage example:

state_filter = AlertState.eq(AlertState.OPEN)
rule_name_filter = RuleName.contains("EmailRule")
query = AlertQuery.all(state_filter, rule_name_filter)

Filter Classes¶

The following classes construct filters for file event queries. Each filter class corresponds to an alert detail. Call the appropriate classmethod on your desired filter class with the value you want to match and it will return a FilterGroup object that can be passed to AlertQuery’s all() or any() methods to create complex queries that match multiple filter rules.

See Executing Searches for more on building search queries.

class py42.sdk.queries.alerts.filters.alert_filter.DateObserved¶

Bases: py42.sdk.queries.query_filter.QueryFilterTimestampField

Class that filters alerts based on the timestamp the alert was triggered.

classmethod in_range(start_value, end_value)¶: Returns a FilterGroup to find events where the filter timestamp is in range between the provided start_value and end_value.

classmethod on_or_after(value)¶: Returns a FilterGroup to find events where the filter timestamp is on or after the provided value.

classmethod on_or_before(value)¶: Returns a FilterGroup to find events where the filter timestamp is on or before the provided value.

classmethod on_same_day(value)¶: Returns a FilterGroup to find events where the filter timestamp is within the same calendar day as the provided value.

class py42.sdk.queries.alerts.filters.alert_filter.Actor¶

Bases: py42.sdk.queries.alerts.filters.alert_filter.AlertQueryFilterStringField

Class that filters alerts based on the username that originated the event(s) that triggered the alert.

classmethod eq(value)¶

Returns a FilterGroup to find events where the filter equals the provided value.

Parameters: value (str) – The value to match file events on.

classmethod is_in(value_list)¶

Returns a FilterGroup to find events where the filter is in the provided value_list.

Parameters: value_list (list) – The list of values to match file events on.

classmethod not_eq(value)¶

Returns a FilterGroup to find events where the filter is not equal to the provided value.

Parameters: value (str) – The value to exclude file events on.

classmethod not_in(value_list)¶

Returns a FilterGroup to find events where the filter is not in the provided value_list.

Parameters: value_list (list) – The list of values to exclude file events on.

class py42.sdk.queries.alerts.filters.alert_filter.RuleName¶

Bases: py42.sdk.queries.alerts.filters.alert_filter.AlertQueryFilterStringField

Class that filters alerts based on rule name.

classmethod eq(value)¶

Returns a FilterGroup to find events where the filter equals the provided value.

Parameters: value (str) – The value to match file events on.

classmethod is_in(value_list)¶

Returns a FilterGroup to find events where the filter is in the provided value_list.

Parameters: value_list (list) – The list of values to match file events on.

classmethod not_eq(value)¶

Returns a FilterGroup to find events where the filter is not equal to the provided value.

Parameters: value (str) – The value to exclude file events on.

classmethod not_in(value_list)¶

Returns a FilterGroup to find events where the filter is not in the provided value_list.

Parameters: value_list (list) – The list of values to exclude file events on.

class py42.sdk.queries.alerts.filters.alert_filter.Description¶

Bases: py42.sdk.queries.alerts.filters.alert_filter.AlertQueryFilterStringField

Class that filters alerts based on rule description text.

classmethod eq(value)¶

Returns a FilterGroup to find events where the filter equals the provided value.

Parameters: value (str) – The value to match file events on.

classmethod is_in(value_list)¶

Returns a FilterGroup to find events where the filter is in the provided value_list.

Parameters: value_list (list) – The list of values to match file events on.

classmethod not_eq(value)¶

Returns a FilterGroup to find events where the filter is not equal to the provided value.

Parameters: value (str) – The value to exclude file events on.

classmethod not_in(value_list)¶

Returns a FilterGroup to find events where the filter is not in the provided value_list.

Parameters: value_list (list) – The list of values to exclude file events on.

class py42.sdk.queries.alerts.filters.alert_filter.Severity¶

Bases: py42.sdk.queries.query_filter.QueryFilterStringField

Class that filters alerts based on severity.

Available options are:

Severity.HIGH
Severity.MEDIUM
Severity.LOW

classmethod eq(value)¶

Returns a FilterGroup to find events where the filter equals the provided value.

Parameters: value (str) – The value to match file events on.

classmethod is_in(value_list)¶

Returns a FilterGroup to find events where the filter is in the provided value_list.

Parameters: value_list (list) – The list of values to match file events on.

classmethod not_eq(value)¶

Returns a FilterGroup to find events where the filter is not equal to the provided value.

Parameters: value (str) – The value to exclude file events on.

classmethod not_in(value_list)¶

Returns a FilterGroup to find events where the filter is not in the provided value_list.

Parameters: value_list (list) – The list of values to exclude file events on.

class py42.sdk.queries.alerts.filters.alert_filter.AlertState¶

Bases: py42.sdk.queries.query_filter.QueryFilterStringField

Class that filters alerts based on alert state.

Available options are:

AlertState.OPEN
AlertState.DISMISSED

classmethod eq(value)¶

Returns a FilterGroup to find events where the filter equals the provided value.

Parameters: value (str) – The value to match file events on.

classmethod is_in(value_list)¶

Returns a FilterGroup to find events where the filter is in the provided value_list.

Parameters: value_list (list) – The list of values to match file events on.

classmethod not_eq(value)¶

Returns a FilterGroup to find events where the filter is not equal to the provided value.

Parameters: value (str) – The value to exclude file events on.

classmethod not_in(value_list)¶

Returns a FilterGroup to find events where the filter is not in the provided value_list.

Parameters: value_list (list) – The list of values to exclude file events on.