Security Data

class py42.clients.securitydata.SecurityDataClient(security_service, file_event_service, preservation_data_service, saved_search_service, storage_service_factory)

Bases: object

get_all_plan_security_events(plan_storage_info, cursor=None, include_files=True, event_types=None, min_timestamp=None, max_timestamp=None)

Gets events for legacy Endpoint Monitoring file activity on removable media, in cloud sync folders, and browser uploads. Support Article

Parameters:
  • plan_storage_info (py42.clients.securitydata.PlanStorageInfo) – Information about storage nodes for a plan to get file event activity for.
  • cursor (str, optional) – A cursor position for only getting file events you did not previously get. Defaults to None.
  • include_files (bool, optional) – Whether to include the files related to the file events. Defaults to True.
  • event_types (str, optional) – A comma-separated list of event types to filter by. Defaults to None. Available options are:
    • DEVICE_APPEARED
    • DEVICE_DISAPPEARED
    • DEVICE_FILE_ACTIVITY
    • PERSONAL_CLOUD_FILE_ACTIVITY
    • RESTORE_JOB
    • RESTORE_FILE
    • FILE_OPENED
    • RULE_MATCH
    • DEVICE_SCAN_RESULT
    • PERSONAL_CLOUD_SCAN_RESULT

  • min_timestamp (int or float or str or datetime, optional) – Timestamp in milliseconds or str format “yyyy-MM-DD HH:MM:SS” or a datetime instance. Defaults to None.
  • max_timestamp (int or float or str or datetime, optional) – Timestamp in milliseconds or str format “yyyy-MM-DD HH:MM:SS” or a datetime instance. Defaults to None.
Returns:

An object that iterates over py42.response.Py42Response objects that each contain a page of events.

Return type:

generator

get_all_user_security_events(user_uid, cursor=None, include_files=True, event_types=None, min_timestamp=None, max_timestamp=None)

Gets legacy Endpoint Monitoring file activity events for the user with the given UID.

Parameters:
  • user_uid (str) – The UID of the user to get security events for.
  • cursor (str, optional) – A cursor position for only getting events you did not previously get. Defaults to None.
  • include_files (bool, optional) – Whether to include the files related to the file activity events. Defaults to True.
  • event_types (str, optional) – A comma-separated list of event types to filter by. Defaults to None. Available options are:
    • DEVICE_APPEARED
    • DEVICE_DISAPPEARED
    • DEVICE_FILE_ACTIVITY
    • PERSONAL_CLOUD_FILE_ACTIVITY
    • RESTORE_JOB
    • RESTORE_FILE
    • FILE_OPENED
    • RULE_MATCH
    • DEVICE_SCAN_RESULT
    • PERSONAL_CLOUD_SCAN_RESULT

  • min_timestamp (int or float or str or datetime, optional) – Timestamp in milliseconds or str format “yyyy-MM-DD HH:MM:SS” or a datetime instance. Defaults to None.
  • max_timestamp (int or float or str or datetime, optional) – Timestamp in milliseconds or str format “yyyy-MM-DD HH:MM:SS” or a datetime instance. Defaults to None.
Returns:

An object that iterates over py42.response.Py42Response objects that each contain a page of events.

Return type:

generator

get_security_plan_storage_info_list(user_uid)

Gets IDs (plan UID, node GUID, and destination GUID) for the storage nodes containing the file activity event data for the user with the given UID. REST Documentation

Parameters:
  • user_uid (str) – The UID of the user to get plan storage information for.
Returns:

list[py42.clients.securitydata.PlanStorageInfo]

savedsearches

A collection of methods related to retrieving forensic search data.

Returns:

py42._internal.services.securitydata.SavedSearchService

search_all_file_events(query, page_token='')

Searches for all file events, returning a page of events with a token in the response to retrieve next page.

REST Documentation

Parameters:
  • query (str or py42.sdk.queries.fileevents.file_event_query.FileEventQuery) – The file event query to filter search results.
  • page_token (str, optional) – A token used to indicate the starting point for additional page results. For the first page, do not pass page_token. For every subsequent page, pass the token from the previous response's nextPgToken field. When page_token is used, any sorting parameters from the FileEventQuery are ignored. Defaults to empty string.
Returns:

A response containing a page of events.

Return type:

py42.response.Py42Response
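The paging contract above (no page_token on the first call, then the previous response's nextPgToken on each following call, stop when no token comes back) is easy to get subtly wrong; the example below walks it with a stand-in for the SDK client so it runs offline. This is an added example, not code from py42 or the page: the `search` callable is assumed to behave like `SecurityDataClient.search_all_file_events`, `FakeSearchService`, `PAGES`, and the filter fields inside `QUERY` are constructed for illustration, and the only response fields relied on are `fileEvents` and `nextPgToken`, read with `response[key]` as on a `Py42Response`. It also guards against a server that keeps returning the same token, which would otherwise loop forever.

```python
import json

# Constructed query in the Forensic Search JSON shape that
# search_all_file_events accepts as a str (the SDK also accepts a
# FileEventQuery). The filter term/value is an assumption for this example.
QUERY = json.dumps({
    "groups": [{
        "filterClause": "AND",
        "filters": [{"operator": "IS", "term": "exposure", "value": "ApplicationRead"}],
    }],
    "groupClause": "AND",
    "pgSize": 2,
    "pgNum": 1,
    "srtDir": "asc",
    "srtKey": "eventId",
})


def _field(response, key):
    """Read a top-level field from a Py42Response-like object (or a plain dict)."""
    try:
        return response[key]
    except (KeyError, TypeError):
        return None


def iter_file_events(search, query, max_pages=10000):
    """Yield every file event behind a token-paged search.

    `search` is assumed to behave like
    SecurityDataClient.search_all_file_events(query, page_token=''):
    the first call omits page_token, each later call passes the
    nextPgToken from the previous response, and the walk stops when no
    token comes back or a token repeats.
    """
    seen = set()
    token = None
    for _ in range(max_pages):
        if token is None:
            response = search(query)  # first page: do not pass page_token
        else:
            response = search(query, page_token=token)
        for event in _field(response, "fileEvents") or []:
            yield event
        token = _field(response, "nextPgToken")
        if not token or token in seen:
            return  # end of results, or a stalled server repeating a token
        seen.add(token)
    raise RuntimeError("gave up after %d pages without reaching the end" % max_pages)


class FakeSearchService:
    """Stand-in for the SDK client; serves constructed pages keyed by page_token."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []  # page_token values received, in call order

    def search_all_file_events(self, query, page_token=""):
        self.calls.append(page_token)
        return self.pages[page_token]


# Constructed pages: three events spread over two pages, then an empty last page.
PAGES = {
    "": {"fileEvents": [{"eventId": "evt-1"}, {"eventId": "evt-2"}], "nextPgToken": "tok-2"},
    "tok-2": {"fileEvents": [{"eventId": "evt-3"}], "nextPgToken": "tok-3"},
    "tok-3": {"fileEvents": [], "nextPgToken": None},
}


def collect_event_ids(pages=PAGES):
    """Run the walk against the fake service; returns (event ids, tokens sent)."""
    svc = FakeSearchService(pages)
    ids = [e["eventId"] for e in iter_file_events(svc.search_all_file_events, QUERY)]
    return ids, svc.calls


if __name__ == "__main__":
    print(collect_event_ids())
```

Against a real client, pass `sdk.securitydata.search_all_file_events` as `search`; the generator never holds more than one page in memory, which matters when a query matches far more than the 10,000 events `search_file_events` returns.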

search_file_events(query)

Searches for file events and returns up to the first 10,000 events. To retrieve more than that, page through the results with search_all_file_events instead. REST Documentation

Parameters:
  • query (str or py42.sdk.queries.fileevents.file_event_query.FileEventQuery) – The file event query to filter search results.
Returns:

A response containing the first 10,000 events.

Return type:

py42.response.Py42Response

stream_file_by_md5(checksum)

Stream file based on MD5 checksum. MD5 is not collision-resistant, so two different files can share an MD5 value; when you have the SHA256 of the file you want, prefer stream_file_by_sha256 to identify it.

Parameters:
  • checksum (str) – MD5 hash of the file.
Returns:

A stream of the requested file.

stream_file_by_sha256(checksum)

Stream file based on SHA256 checksum.

Parameters:
  • checksum (str) – SHA256 hash of the file.
Returns:

A stream of the requested file.

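When a file is pulled by hash during an investigation, the hash is the identity of the evidence, so the bytes that come back should be hashed again and rejected if they do not match what was asked for. The example below does that for the SHA256 variant while streaming to a sink. It is an added example, not code from py42 or the page: `stream_file_by_sha256` is assumed to return a response exposing `iter_content(chunk_size=...)` that yields bytes (as a `Py42Response` does), and `FakeStreamResponse`, `make_fake_store` and `SAMPLE` are constructed so the example runs offline.

```python
import hashlib
import io
import re

_SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def download_verified_by_sha256(stream_file_by_sha256, checksum, sink, chunk_size=64 * 1024):
    """Fetch a file by SHA256 and refuse it unless the bytes hash to `checksum`.

    `stream_file_by_sha256(checksum)` is assumed to behave like the SDK
    method: it returns a response exposing iter_content(chunk_size=...)
    that yields bytes. The content is hashed while it is written to
    `sink`; on mismatch a ValueError is raised instead of leaving the
    caller with a silently wrong artifact. Returns the bytes written.
    """
    if not _SHA256_HEX.match(checksum):
        raise ValueError("checksum must be 64 hex characters")
    response = stream_file_by_sha256(checksum)
    digest = hashlib.sha256()
    written = 0
    for chunk in response.iter_content(chunk_size=chunk_size):
        if not chunk:  # keep-alive chunks can be empty
            continue
        digest.update(chunk)
        sink.write(chunk)
        written += len(chunk)
    actual = digest.hexdigest()
    if actual != checksum.lower():
        raise ValueError("content hashes to %s, requested %s" % (actual, checksum.lower()))
    return written


class FakeStreamResponse:
    """Minimal stand-in for the iter_content() part of a Py42Response."""

    def __init__(self, payload):
        self.payload = payload

    def iter_content(self, chunk_size=1):
        for i in range(0, len(self.payload), chunk_size):
            yield self.payload[i:i + chunk_size]


def make_fake_store(files):
    """Return a stream function serving constructed {sha256: bytes} entries."""
    def stream_file_by_sha256(checksum):
        return FakeStreamResponse(files[checksum.lower()])
    return stream_file_by_sha256


# Constructed sample content standing in for a recovered file.
SAMPLE = b"constructed exfiltrated spreadsheet contents\n" * 3
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def demo(tampered=False, checksum=None):
    """Download SAMPLE by hash into memory; returns (bytes written, content).

    With tampered=True the fake store serves altered bytes under the same
    hash, which the verification must reject.
    """
    served = SAMPLE[:-1] + b"!" if tampered else SAMPLE
    stream = make_fake_store({SAMPLE_SHA256: served})
    buf = io.BytesIO()
    n = download_verified_by_sha256(stream, checksum or SAMPLE_SHA256, buf, chunk_size=16)
    return n, buf.getvalue()


if __name__ == "__main__":
    print(demo()[0], "bytes verified")
```

With a real client, pass `sdk.securitydata.stream_file_by_sha256` and an open file handle as `sink`; if the function raises, delete the partial file rather than keeping it alongside the genuine copies.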
class py42.clients.securitydata.PlanStorageInfo(plan_uid, destination_guid, node_guid)

Bases: object

destination_guid

The GUID of the destination containing the storage archive.

node_guid

The GUID of the storage node containing the archive.

plan_uid

The UID of the storage plan.