Add v2 file events (#382)

* Add v2 file events

* check for profile setting in get_saved_search_option callback

* use boolean options for profile settings

* update changelog

* fix build

* Use risk.Severity.not_eq(NO_RISK_INDICATED) for --include-non-exposure option

* pr feedback

Author: tora-kozic

CHANGELOG.md

@@ -8,6 +8,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 The intended audience of this file is for py42 consumers -- as such, changes that don't affect
 how a consumer would use the library (e.g. adding unit tests, updating documentation, etc) are not captured here.
 
+## Unreleased
+
+### Added
+- Support for the V2 file event data model.
+  - V1 file event APIs were marked deprecated in May 2022 and will be no longer be supported after May 2023.
+  - Use the `--use-v2-file-events True` option with the `code42 profile create` or `code42 profile update` commands to enable your code42 CLI profile to use the latest V2 file event data model.
+  - See the [V2 File Events User Guide](https://clidocs.code42.com/en/latest/userguides/siemexample.html) for more information.
+
+### Changed
+- The `--disable-ssl-errors` options for the `code42 profile create` and `code42 profile update` commands is no longer a flag and now takes a boolean `True/False` arg.
 ## 1.14.5 - 2022-08-01
 
 ### Added

docs/commands/securitydata.rst

@@ -1,3 +1,11 @@
+*************
+Security Data
+*************
+
+.. warning:: V1 file events, saved searches, and queries are **deprecated**.
+
+See more information in the `Enable V2 File Events User Guide <../userguides/v2apis.html>`_.
+
 .. click:: code42cli.cmds.securitydata:security_data
   :prog: security-data
   :nested: full

docs/guides.md

@@ -8,6 +8,7 @@
 
     Get started with the Code42 command-line interface (CLI) <userguides/gettingstarted.md>
     Configure a profile <userguides/profile.md>
+    Enable V2 File Events <userguides/v2apis.md>
     Ingest data into a SIEM <userguides/siemexample.md>
     Manage legal hold users <userguides/legalhold.md>
     Clean up your environment by deactivating devices <userguides/deactivatedevices.md>
@@ -23,6 +24,7 @@
 
 * [Get started with the Code42 command-line interface (CLI)](userguides/gettingstarted.md)
 * [Configure a profile](userguides/profile.md)
+* [Enable V2 File Events](userguides/v2apis.md)
 * [Ingest data into a SIEM](userguides/siemexample.md)
 * [Manage legal hold users](userguides/legalhold.md)
 * [Clean up your environment by deactivating devices](userguides/deactivatedevices.md)

docs/userguides/v2apis.md

@@ -0,0 +1,186 @@
+# V2 File Events
+
+```{eval-rst}
+.. warning:: V1 file events, saved searches, and queries are **deprecated**.
+```
+
+For details on the updated File Event Model, see the V2 File Events API documentation on the [Developer Portal](https://developer.code42.com/api/#tag/File-Events).
+
+V1 file event APIs were marked deprecated in May 2022 and will be no longer be supported after May 2023.
+
+Use the `--use-v2-file-events True` option with the `code42 profile create` or `code42 profile update` commands to enable your code42 CLI profile to use the latest V2 file event data model.
+
+Use `code42 profile show` to check the status of this setting on your profile:
+```bash
+% code42 profile update --use-v2-file-events
+
+% code42 profile show
+
+test-user-profile:
+        * username = [email protected]
+        * authority url = https://console.core-int.cloud.code42.com
+        * ignore-ssl-errors = False
+        * use-v2-file-events = True
+
+```
+
+For details on setting up a profile, see the [profile set up user guide](./profile.md).
+
+Enabling this setting will use the V2 data model for querying searches and saved searches with all `code security-data` commands.
+The response shape for these events has changed from V1 and contains various field remappings, renamings, additions and removals.  Column names will also be different when using the `Table` format for outputting events.
+
+### V2 File Event Data Example ###
+
+Below is an example of the new file event data model:
+
+```json
+{
+    "@timestamp": "2022-07-14T16:53:06.112Z",
+    "event": {
+        "id": "0_c4e43418-07d9-4a9f-a138-29f39a124d33_1068825680073059134_1068826271084047166_1_EPS",
+        "inserted": "2022-07-14T16:57:00.913917Z",
+        "action": "application-read",
+        "observer": "Endpoint",
+        "shareType": [],
+        "ingested": "2022-07-14T16:55:04.723Z",
+        "relatedEvents": []
+    },
+    "user": {
+        "email": "[email protected]",
+        "id": "1068824450489230065",
+        "deviceUid": "1068825680073059134"
+    },
+    "file": {
+        "name": "cat.jpg",
+        "directory": "C:/Users/John Doe/Downloads/",
+        "category": "Spreadsheet",
+        "mimeTypeByBytes": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        "categoryByBytes": "Spreadsheet",
+        "mimeTypeByExtension": "image/jpeg",
+        "categoryByExtension": "Image",
+        "sizeInBytes": 4748,
+        "owner": "John Doe",
+        "created": "2022-07-14T16:51:06.186Z",
+        "modified": "2022-07-14T16:51:07.419Z",
+        "hash": {
+            "md5": "8872dfa1c181b823d2c00675ae5926fd",
+            "sha256": "14d749cce008711b4ad1381d84374539560340622f0e8b9eb2fe3bba77ddbd64",
+            "md5Error": null,
+            "sha256Error": null
+        },
+        "id": null,
+        "url": null,
+        "directoryId": [],
+        "cloudDriveId": null,
+        "classifications": []
+    },
+    "report": {
+        "id": null,
+        "name": null,
+        "description": null,
+        "headers": [],
+        "count": null,
+        "type": null
+    },
+    "source": {
+        "category": "Device",
+        "name": "DESKTOP-1",
+        "domain": "192.168.00.000",
+        "ip": "50.237.00.00",
+        "privateIp": [
+            "192.168.00.000",
+            "127.0.0.1"
+        ],
+        "operatingSystem": "Windows 10",
+        "email": {
+            "sender": null,
+            "from": null
+        },
+        "removableMedia": {
+            "vendor": null,
+            "name": null,
+            "serialNumber": null,
+            "capacity": null,
+            "busType": null,
+            "mediaName": null,
+            "volumeName": [],
+            "partitionId": []
+        },
+        "tabs": [],
+        "domains": []
+    },
+    "destination": {
+        "category": "Cloud Storage",
+        "name": "Dropbox",
+        "user": {
+            "email": []
+        },
+        "ip": null,
+        "privateIp": [],
+        "operatingSystem": null,
+        "printJobName": null,
+        "printerName": null,
+        "printedFilesBackupPath": null,
+        "removableMedia": {
+            "vendor": null,
+            "name": null,
+            "serialNumber": null,
+            "capacity": null,
+            "busType": null,
+            "mediaName": null,
+            "volumeName": [],
+            "partitionId": []
+        },
+        "email": {
+            "recipients": null,
+            "subject": null
+        },
+        "tabs": [
+            {
+                "title": "Files - Dropbox and 1 more page - Profile 1 - Microsoft​ Edge",
+                "url": "https://www.dropbox.com/home",
+                "titleError": null,
+                "urlError": null
+            }
+        ],
+        "accountName": null,
+        "accountType": null,
+        "domains": [
+            "dropbox.com"
+        ]
+    },
+    "process": {
+        "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+        "owner": "John doe"
+    },
+    "risk": {
+        "score": 17,
+        "severity": "CRITICAL",
+        "indicators": [
+            {
+                "name": "First use of destination",
+                "weight": 3
+            },
+            {
+                "name": "File mismatch",
+                "weight": 9
+            },
+            {
+                "name": "Spreadsheet",
+                "weight": 0
+            },
+            {
+                "name": "Remote",
+                "weight": 0
+            },
+            {
+                "name": "Dropbox upload",
+                "weight": 5
+            }
+        ],
+        "trusted": false,
+        "trustReason": null
+    }
+}
+
+```

setup.py

@@ -39,7 +39,7 @@
         "keyrings.alt==3.2.0",
         "ipython==7.16.3",
         "pandas>=1.1.3",
-        "py42>=1.23.0",
+        "py42>=1.24.0",
     ],
     extras_require={
         "dev": [

src/code42cli/cmds/profile.py

@@ -70,9 +70,16 @@ def username_option(required=False):
 
 disable_ssl_option = click.option(
     "--disable-ssl-errors",
-    is_flag=True,
+    type=click.types.BOOL,
     help="For development purposes, do not validate the SSL certificates of Code42 servers. "
-    "This is not recommended, except for specific scenarios like testing.",
+    "This is not recommended, except for specific scenarios like testing. Attach this flag to the update command to toggle the setting.",
+    default=None,
+)
+
+use_v2_file_events_option = click.option(
+    "--use-v2-file-events",
+    type=click.types.BOOL,
+    help="Opts to use the V2 file event data model. Attach this flag to the update command to toggle the setting",
     default=None,
 )
 
@@ -86,6 +93,7 @@ def show(profile_name):
     echo(f"\t* username = {c42profile.username}")
     echo(f"\t* authority url = {c42profile.authority_url}")
     echo(f"\t* ignore-ssl-errors = {c42profile.ignore_ssl_errors}")
+    echo(f"\t* use-v2-file-events = {c42profile.use_v2_file_events}")
     if cliprofile.get_stored_password(c42profile.name) is not None:
         echo("\t* A password is set.")
     echo("")
@@ -100,10 +108,22 @@ def show(profile_name):
 @totp_option
 @yes_option(hidden=True)
 @disable_ssl_option
+@use_v2_file_events_option
 @debug_option
-def create(name, server, username, password, disable_ssl_errors, debug, totp):
+def create(
+    name,
+    server,
+    username,
+    password,
+    disable_ssl_errors,
+    use_v2_file_events,
+    debug,
+    totp,
+):
     """Create profile settings. The first profile created will be the default."""
-    cliprofile.create_profile(name, server, username, disable_ssl_errors)
+    cliprofile.create_profile(
+        name, server, username, disable_ssl_errors, use_v2_file_events
+    )
     password = password or _prompt_for_password(name)
     if password:
         _set_pw(name, password, debug, totp=totp)
@@ -117,18 +137,35 @@ def create(name, server, username, password, disable_ssl_errors, debug, totp):
 @password_option
 @totp_option
 @disable_ssl_option
+@use_v2_file_events_option
 @debug_option
-def update(name, server, username, password, disable_ssl_errors, debug, totp):
+def update(
+    name,
+    server,
+    username,
+    password,
+    disable_ssl_errors,
+    use_v2_file_events,
+    debug,
+    totp,
+):
     """Update an existing profile."""
     c42profile = cliprofile.get_profile(name)
 
-    if not server and not username and not password and disable_ssl_errors is None:
+    if (
+        not server
+        and not username
+        and not password
+        and disable_ssl_errors is None
+        and use_v2_file_events is None
+    ):
         raise click.UsageError(
-            "Must provide at least one of `--username`, `--server`, `--password`, or "
+            "Must provide at least one of `--username`, `--server`, `--password`, `--use-v2-file-events` or "
             "`--disable-ssl-errors` when updating a profile."
         )
-
-    cliprofile.update_profile(c42profile.name, server, username, disable_ssl_errors)
+    cliprofile.update_profile(
+        c42profile.name, server, username, disable_ssl_errors, use_v2_file_events
+    )
     if not password and not c42profile.has_stored_password:
         password = _prompt_for_password(c42profile.name)
     if password: