Uptycs

Overview


Uptycs combines the open source universal agent, osquery, with a scalable security analytics platform for fleet visibility, intrusion detection, vulnerability monitoring and compliance. Uptycs deploys osquery to your entire infrastructure, regardless of operating system mix or hosting environment, and collects and stores system state data. Uptycs streams that data over TLS, stores it in your unique instance, and continuously monitors it for suspicious activity. Integrated third-party feeds of known malware, threats and over 170,000 indicators of compromise (IOCs) further enhance threat visibility. Finally, take action with real-time alerts, dashboards and reports packaged for multiple security protocols.

The Demisto-Uptycs integration connects to the Uptycs backend via the Uptycs API. The integration allows the use of Uptycs data in existing workflows. Features include fetching and handling alerts, threat investigation, posting new threat sources, setting tags on assets, and the ability to run arbitrary SQL queries against your Uptycs database or in real-time against registered endpoints.

This integration was tested with version xx of Uptycs.

Uptycs Playbook


  1. Uptycs - Bad IP Incident and Uptycs - Outbound Connection to Threat IOC Incident: get details about connections that have been opened to known bad IP addresses, including process and parent process information, IP addresses, ports, sockets, and the source of the threat intelligence.

Use Cases


  • Incident investigation
  • Fetch and handle alerts
  • Monitor asset activity
  • Audit and compliance
  • Vulnerability management
  • Mac EDR

Configure Uptycs on Demisto


How to get an API Key and API Secret

In order to create an instance of the integration, you need to download a user API key and secret from your Uptycs account.

  1. Go to your Uptycs environment.
  2. Navigate to Configuration > Users.
  3. In the User API key section, click download.
    The downloaded file will have all the information necessary to create the instance.

Parameters

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Uptycs.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API key
    • API secret
    • API domain
    • API customer_id
    • Fetch incidents
    • Incident type
    • Trust any certificate (unsecure)
    • Use system proxy
    • First fetch since
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


The Demisto-Uptycs integration creates incidents from Uptycs alerts using the Uptycs API.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. uptycs-get-assets
  2. uptycs-run-query
  3. uptycs-get-alerts
  4. uptycs-get-alert-rules
  5. uptycs-get-event-rules
  6. uptycs-get-events
  7. uptycs-get-process-open-sockets
  8. uptycs-get-process-information
  9. uptycs-get-process-child-processes
  10. uptycs-get-processes
  11. uptycs-get-process-open-files
  12. uptycs-set-alert-status
  13. uptycs-set-asset-tag
  14. uptycs-get-user-information
  15. uptycs-get-threat-indicators
  16. uptycs-get-threat-sources
  17. uptycs-get-threat-vendors
  18. uptycs-get-parent-information
  19. uptycs-post-threat-source
  20. uptycs-get-users
  21. uptycs-get-asset-groups
  22. uptycs-get-user-asset-groups
  23. uptycs-get-threat-indicator
  24. uptycs-get-threat-source
  25. uptycs-get-process-events
  26. uptycs-get-process-event-information
  27. uptycs-get-socket-events
  28. uptycs-get-parent-event-information
  29. uptycs-get-socket-event-information
  30. uptycs-get-asset-tags
  31. uptycs-get-saved-queries
  32. uptycs-run-saved-query
  33. uptycs-post-saved-query

1. uptycs-get-assets


Return assets enrolled with Uptycs.

Base Command

uptycs-get-assets

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_group_id | Only return assets which are a member of this asset group. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| os | Only return assets with this type of operating system. | Optional |
| asset_id | Only return the asset with this unique asset id. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Assets.id | string | Uptycs asset id |
| Uptycs.Assets.created_at | date | Time asset was enrolled with Uptycs |
| Uptycs.Assets.host_name | string | Hostname in Uptycs DB |
| Uptycs.Assets.os | string | OS installed on asset (Windows, Linux, Mac OS X) |
| Uptycs.Assets.os_version | string | OS version |
| Uptycs.Assets.last_activity_at | date | Last activity |
| Uptycs.Assets.deleted_at | date | Time asset was unenrolled from Uptycs |
| Uptycs.Assets.osquery_version | string | Current version of osquery installed on the asset |
Command Example

uptycs-get-assets os="Mac OS X/Apple OS X/macOS" limit=1

Context Example
{
"Uptycs.Assets": [
{
"status": "active",
"last_enrolled_at": "2019-07-19 14:47:27.485",
"os_version": "10.14.5",
"osquery_version": "3.2.6.51-Uptycs",
"created_at": "2018-09-25 16:38:16.440",
"longitude": -97.822,
"os_flavor": "darwin",
"host_name": "kyle-mbp-work",
"latitude": 37.751,
"last_activity_at": "2019-07-19 17:02:41.704",
"os": "Mac OS X",
"id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"location": "United States"
}
]
}
Human Readable Output

Uptycs Assets

| id | host_name | os | os_version | osquery_version | last_activity_at |
| --- | --- | --- | --- | --- | --- |
| 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | Mac OS X | 10.14.5 | 3.2.6.51-Uptycs | 2019-07-19 17:02:41.704 |

2. uptycs-run-query


Enter a SQL query to run against your Uptycs database. A list of tables can be found at osquery.io/schema, or by using the query "select * from information_schema.tables".

Base Command

uptycs-run-query

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| query | This is the query that will be run. Queries should be written for a SQLite database. For example, "SELECT * FROM processes" returns the entire table named "processes". | Required |
| query_type | The query can be run globally (returns results for the entire history stored in the Uptycs DB) or in real time (returns results for queries run on endpoints at the time of query execution). | Required |
| asset_id | Realtime queries only. Use this argument to run a realtime query on a particular asset. | Optional |
| host_name_is | Realtime queries only. Only return assets with this hostname. | Optional |
| host_name_like | Realtime queries only. Only return assets with this string in the hostname. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Uptycs.QueryResults | unknown | Results of executed query |
Command Example

uptycs-run-query query="SELECT * FROM process_open_sockets LIMIT 10" query_type=global host_name_like="uptycs-osquery-"

Context Example
{
"Uptycs.QueryResults": [
{
"protocol": 6,
"family": 2,
"upt_counter": 20595,
"pid": 11,
"upt_asset_id": "a4991bf9-13e3-026b-7b46-af192746d556",
"upt_hostname": "uptycs-osquery-d4trq",
"local_port": 45864,
"upt_asset_tags": null,
"upt_hash": "1752f1a2-f773-5812-b611-577ee662b889",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 02:37:09.000",
"local_address": "10.8.0.29",
"upt_added": false,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 14,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 127377813,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": "4026532943"
},
{
"protocol": 6,
"family": 2,
"upt_counter": 20595,
"pid": 11,
"upt_asset_id": "a4991bf9-13e3-026b-7b46-af192746d556",
"upt_hostname": "uptycs-osquery-d4trq",
"local_port": 45864,
"upt_asset_tags": null,
"upt_hash": "70dce553-3bca-5701-834c-8f2b94afd8f3",
"state": "CLOSE_WAIT",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 02:37:09.000",
"local_address": "10.8.0.29",
"upt_added": true,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 14,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 127377813,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": "4026532943"
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1267,
"pid": 11,
"upt_asset_id": "a4991bf9-13e3-026b-7b46-af192746d556",
"upt_hostname": "uptycs-osquery-d4trq",
"local_port": 34164,
"upt_asset_tags": null,
"upt_hash": "f8d24a1b-15d5-5c41-9994-2f70920fdc39",
"state": "CLOSE_WAIT",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 20:52:05.000",
"local_address": "10.8.0.29",
"upt_added": false,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 14,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 128588161,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": "4026532943"
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1267,
"pid": 11,
"upt_asset_id": "a4991bf9-13e3-026b-7b46-af192746d556",
"upt_hostname": "uptycs-osquery-d4trq",
"local_port": 34754,
"upt_asset_tags": null,
"upt_hash": "0603bdcc-8e90-58d9-831e-8adb3ca35358",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 20:52:05.000",
"local_address": "10.8.0.29",
"upt_added": true,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 14,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 128594058,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": "4026532943"
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 2545,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61925,
"upt_asset_tags": null,
"upt_hash": "754d2272-caf2-5d56-8638-984d7392e7f2",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": false,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 186,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 2545,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61934,
"upt_asset_tags": null,
"upt_hash": "ce103524-0f5f-5aea-abad-b8529620b7bf",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": false,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 191,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 854,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61573,
"upt_asset_tags": null,
"upt_hash": "c2f00244-9fa4-5c47-a49b-9bd0390d169f",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": false,
"upt_server_time": null,
"remote_address": "149.96.6.118",
"fd": 33,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 2545,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61919,
"upt_asset_tags": null,
"upt_hash": "0439a9f5-130d-5ff4-a8df-d72275e4b9e2",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": false,
"upt_server_time": null,
"remote_address": "18.213.163.112",
"fd": 54,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 854,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61573,
"upt_asset_tags": null,
"upt_hash": "fe0218c2-b337-5198-ac9c-a1f8784a2c08",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": false,
"upt_server_time": null,
"remote_address": "149.96.6.118",
"fd": 62,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
},
{
"protocol": 6,
"family": 2,
"upt_counter": 1024,
"pid": 854,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_hostname": "kyle-mbp-work",
"local_port": 61939,
"upt_asset_tags": null,
"upt_hash": "6194c89c-171c-55c8-9355-5b53a4a28a5a",
"state": "ESTABLISHED",
"upt_asset_group_id": null,
"upt_time": "2019-04-18 15:26:49.000",
"local_address": "192.168.1.161",
"upt_added": true,
"upt_server_time": null,
"remote_address": "149.96.6.118",
"fd": 7,
"upt_asset_group_name": null,
"path": "",
"upt_day": 20190418,
"socket": 0,
"upt_epoch": 0,
"remote_port": 443,
"net_namespace": null
}
]
}
Human Readable Output

Uptycs Query Result

| protocol | family | upt_counter | pid | upt_asset_id | upt_hostname | local_port | upt_asset_tags | upt_hash | upt_asset_group_id | state | upt_time | local_address | upt_added | upt_server_time | remote_address | fd | upt_asset_group_name | path | upt_day | socket | upt_epoch | remote_port | net_namespace |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 6 | 2 | 20595 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 45864 | | 1752f1a2-f773-5812-b611-577ee662b889 | | ESTABLISHED | 2019-04-18 02:37:09.000 | 10.8.0.29 | false | | 18.213.163.112 | 14 | | | 20190418 | 127377813 | 0 | 443 | 4026532943 |
| 6 | 2 | 20595 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 45864 | | 70dce553-3bca-5701-834c-8f2b94afd8f3 | | CLOSE_WAIT | 2019-04-18 02:37:09.000 | 10.8.0.29 | true | | 18.213.163.112 | 14 | | | 20190418 | 127377813 | 0 | 443 | 4026532943 |
| 6 | 2 | 1267 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 34164 | | f8d24a1b-15d5-5c41-9994-2f70920fdc39 | | CLOSE_WAIT | 2019-04-18 20:52:05.000 | 10.8.0.29 | false | | 18.213.163.112 | 14 | | | 20190418 | 128588161 | 0 | 443 | 4026532943 |
| 6 | 2 | 1267 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 34754 | | 0603bdcc-8e90-58d9-831e-8adb3ca35358 | | ESTABLISHED | 2019-04-18 20:52:05.000 | 10.8.0.29 | true | | 18.213.163.112 | 14 | | | 20190418 | 128594058 | 0 | 443 | 4026532943 |
| 6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61925 | | 754d2272-caf2-5d56-8638-984d7392e7f2 | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | | 18.213.163.112 | 186 | | | 20190418 | 0 | 0 | 443 | |
| 6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61934 | | ce103524-0f5f-5aea-abad-b8529620b7bf | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | | 18.213.163.112 | 191 | | | 20190418 | 0 | 0 | 443 | |
| 6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61573 | | c2f00244-9fa4-5c47-a49b-9bd0390d169f | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | | 149.96.6.118 | 33 | | | 20190418 | 0 | 0 | 443 | |
| 6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61919 | | 0439a9f5-130d-5ff4-a8df-d72275e4b9e2 | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | | 18.213.163.112 | 54 | | | 20190418 | 0 | 0 | 443 | |
| 6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61573 | | fe0218c2-b337-5198-ac9c-a1f8784a2c08 | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | | 149.96.6.118 | 62 | | | 20190418 | 0 | 0 | 443 | |
| 6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61939 | | 6194c89c-171c-55c8-9355-5b53a4a28a5a | | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | true | | 149.96.6.118 | 7 | | | 20190418 | 0 | 0 | 443 | |
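
As an added example (not code from the Uptycs integration), the following automation triages `Uptycs.QueryResults` rows of the shape shown above, as returned by a global `process_open_sockets` query: it collapses repeated snapshots of the same connection (the first two rows above are the same socket seen as ESTABLISHED and then CLOSE_WAIT) and reports which hosts and processes connected to an address on a watchlist. The sample rows are a constructed, trimmed subset of the context above plus one constructed row; the watchlist address 203.0.113.7 is a TEST-NET-3 placeholder, not a real indicator.

```python
"""Triage `uptycs-run-query` results against an IP watchlist.

Added example, not part of the Uptycs integration. The rows below are a
constructed subset of the Uptycs.QueryResults context for the
process_open_sockets table; 203.0.113.7 is a placeholder, not a real IOC.
"""
from collections import defaultdict

# Constructed sample rows in the shape uptycs-run-query returns (fields trimmed).
QUERY_RESULTS = [
    {"upt_hostname": "uptycs-osquery-d4trq", "pid": 11, "local_address": "10.8.0.29",
     "local_port": 45864, "remote_address": "18.213.163.112", "remote_port": 443,
     "state": "ESTABLISHED", "upt_time": "2019-04-18 02:37:09.000", "path": ""},
    {"upt_hostname": "uptycs-osquery-d4trq", "pid": 11, "local_address": "10.8.0.29",
     "local_port": 45864, "remote_address": "18.213.163.112", "remote_port": 443,
     "state": "CLOSE_WAIT", "upt_time": "2019-04-18 02:37:09.000", "path": ""},
    {"upt_hostname": "kyle-mbp-work", "pid": 854, "local_address": "192.168.1.161",
     "local_port": 61573, "remote_address": "149.96.6.118", "remote_port": 443,
     "state": "ESTABLISHED", "upt_time": "2019-04-18 15:26:49.000", "path": ""},
    # Constructed row: a connection to the placeholder watchlist address.
    {"upt_hostname": "kyle-mbp-work", "pid": 2545, "local_address": "192.168.1.161",
     "local_port": 61990, "remote_address": "203.0.113.7", "remote_port": 8443,
     "state": "ESTABLISHED", "upt_time": "2019-04-18 15:27:02.000", "path": "/usr/bin/curl"},
]

WATCHLIST = {"203.0.113.7"}  # constructed placeholder (TEST-NET-3), not a real IOC


def socket_key(row):
    """Host plus 5-tuple: the identity of one connection across snapshots."""
    return (row["upt_hostname"], row["pid"], row["local_address"], row["local_port"],
            row["remote_address"], row["remote_port"])


def dedupe_sockets(rows):
    """Collapse repeated snapshots of the same connection, keeping the newest.

    upt_time is fixed-width "YYYY-MM-DD HH:MM:SS.mmm", so string comparison
    orders it correctly. Snapshots with equal times are resolved by a state
    rank, so a socket already seen as CLOSE_WAIT is not reported as ESTABLISHED.
    """
    rank = {"ESTABLISHED": 0, "CLOSE_WAIT": 1, "TIME_WAIT": 2, "CLOSED": 3}
    latest = {}
    for row in rows:
        key = socket_key(row)
        cur = latest.get(key)
        if cur is None or (row["upt_time"], rank.get(row["state"], 0)) > \
                (cur["upt_time"], rank.get(cur["state"], 0)):
            latest[key] = row
    return list(latest.values())


def flag_watchlisted(rows, watchlist):
    """Return {hostname: [connection summaries]} for remote addresses on the watchlist."""
    hits = defaultdict(list)
    for row in dedupe_sockets(rows):
        if row["remote_address"] in watchlist:
            hits[row["upt_hostname"]].append({
                "pid": row["pid"],
                "path": row["path"] or "(unknown)",
                "remote": f'{row["remote_address"]}:{row["remote_port"]}',
                "state": row["state"],
                "seen_at": row["upt_time"],
            })
    return dict(hits)


if __name__ == "__main__":
    for host, conns in flag_watchlisted(QUERY_RESULTS, WATCHLIST).items():
        print(host, conns)
```

The hits dict is what you would hand to `uptycs-get-process-information` (pid, host, time) to enrich the responsible process.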

3. uptycs-get-alerts


Return alerts from the Uptycs DB.

Base Command

uptycs-get-alerts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Unique Uptycs alert id which will retrieve a specific alert. Use this argument without any other arguments. | Optional |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
| code | Alert code to specify which types of alerts you would like to retrieve. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
| value | Varies for different alerts. For example, a Bad IP alert would have the IP address as the value. A program crash alert would have the name of the program which crashed as the value. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Alerts.description | string | Description of alert |
| Uptycs.Alerts.upt_asset_id | string | Uptycs asset ID |
| Uptycs.Alerts.code | string | Alert code in Uptycs DB |
| Uptycs.Alerts.severity | string | The severity of the alert |
| Uptycs.Alerts.alert_time | date | Time alert was created at |
| Uptycs.Alerts.value | string | Specific problem which caused an alert. It may be an IP address, a program that crashed, a file with a file hash known to be malware, etc. |
| Uptycs.Alerts.host_name | string | Hostname for the asset which fired the alert |
| Uptycs.Alerts.id | string | Unique Uptycs id for a particular alert |
| Uptycs.Alerts.threat_indicator_id | string | Unique Uptycs id that identifies the threat indicator which triggered this alert |
| Uptycs.Alerts.threat_source_name | string | Name of the source of the threat indicator that triggered this alert |
| Uptycs.Alerts.pid | number | pid of the process which was responsible for firing the alert |
Command Example

uptycs-get-alerts limit=1 time_ago="30 days"

Context Example
{
"Uptycs.Alerts": [
{
"status": "open",
"code": "OSX_CRASHES",
"description": "Crash",
"threat_source_name": "No threat source for this alert",
"severity": "medium",
"created_at": "2019-07-02 11:41:25.915",
"pid": 437,
"updated_at": "2019-07-02 11:41:25.915",
"value": "Amazon Music Helper",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"threat_indicator_id": "No threat indicator for this alert",
"alert_time": "2019-07-02 11:41:22.000",
"host_name": "kyle-mbp-work",
"key": "identifier",
"assigned_to": null,
"metadata": "{\"type\":\"application\",\"pid\":437,\"path\":\"/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper\",\"crash_path\":\"/Library/Logs/DiagnosticReports/Amazon Music Helper_2019-06-02-103630_Kyles-MacBook-Pro.crash\",\"parent\":1,\"responsible\":\"Amazon Music Helper [437]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\",\"identifier\":\"Amazon Music Helper\"}",
"id": "0049641c-1645-4b98-830f-7f1ce783bfcc",
"grouping": "OS X Crashes"
}
]
}
Human Readable Output

Uptycs Alerts:

| upt_asset_id | host_name | grouping | alert_time | description | value | severity | threat_indicator_id | threat_source_name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | OS X Crashes | 2019-07-02 11:41:22.000 | Crash | Amazon Music Helper | medium | No threat indicator for this alert | No threat source for this alert |
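
The time-window arguments above (`start_window`/`end_window` in "YYYY-MM-DD HH:MM:SS.000" form, or a relative `time_ago` such as "30 days") and the mutually exclusive host filters are shared by several commands on this page. The following added example, which is not part of the Uptycs integration, builds the argument dict for `uptycs-get-alerts` from those inputs: it pins a relative `time_ago` to an explicit window so a re-run of the same automation queries the same period, validates the documented window format, and rejects the argument combinations the reference says not to mix. It assumes a month is 30 days, and it treats `time_ago` and an explicit window as alternatives (a choice made here, not a documented constraint).

```python
"""Build arguments for `uptycs-get-alerts` and its sibling time-windowed commands.

Added example, not code from the Uptycs integration. Assumptions: a month is
30 days; time_ago and an explicit start_window/end_window are alternatives.
"""
import re
from datetime import datetime, timedelta, timezone

WINDOW_FMT = "%Y-%m-%d %H:%M:%S.000"      # format the reference documents
_WINDOW_PARSE = "%Y-%m-%d %H:%M:%S.%f"    # same format, for validation
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400,
                 "week": 7 * 86400, "month": 30 * 86400}  # month = 30 days (assumption)


def parse_time_ago(text):
    """'2 hours' / '6 month' / '1 day' -> timedelta; singular or plural accepted."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week|month)s?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised time_ago value: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()])


def build_alert_args(time_ago=None, start_window=None, end_window=None, now=None,
                     asset_id=None, host_name_is=None, host_name_like=None,
                     code=None, value=None, limit=None):
    """Return the argument dict for uptycs-get-alerts, raising on documented conflicts.

    `now` may be a datetime or a string in WINDOW_FMT (handy for reproducible tests);
    it defaults to the current UTC time.
    """
    host_filters = [name for name, val in (("asset_id", asset_id),
                                           ("host_name_is", host_name_is),
                                           ("host_name_like", host_name_like)) if val]
    if len(host_filters) > 1:
        raise ValueError("use only one of: " + ", ".join(host_filters))
    if time_ago and (start_window or end_window):
        raise ValueError("give either time_ago or an explicit start_window/end_window")

    args = {}
    if time_ago:
        if now is None:
            now = datetime.now(timezone.utc).replace(tzinfo=None)
        elif isinstance(now, str):
            now = datetime.strptime(now, _WINDOW_PARSE)
        args["start_window"] = (now - parse_time_ago(time_ago)).strftime(WINDOW_FMT)
        args["end_window"] = now.strftime(WINDOW_FMT)
    else:
        for name, val in (("start_window", start_window), ("end_window", end_window)):
            if val:
                datetime.strptime(val, _WINDOW_PARSE)  # raises ValueError on a malformed window
                args[name] = val

    for name, val in (("asset_id", asset_id), ("host_name_is", host_name_is),
                      ("host_name_like", host_name_like), ("code", code), ("value", value)):
        if val:
            args[name] = val
    if limit is not None:
        args["limit"] = int(limit)
    return args


if __name__ == "__main__":
    # Equivalent of the documented call: uptycs-get-alerts limit=1 time_ago="30 days"
    print(build_alert_args(time_ago="30 days", limit=1))
```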

4. uptycs-get-alert-rules


Retrieve a list of alert rules.

Base Command

uptycs-get-alert-rules

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output

There is no context output for this command.

Command Example

uptycs-get-alert-rules limit=1

Context Example
Human Readable Output

Uptycs Alert Rules

| name | description | grouping | enabled | updatedAt | code |
| --- | --- | --- | --- | --- | --- |
| Bad Domain Alert | Bad Domain Alert | Bad Domain | true | 2019-06-19T08:17:04.892Z | BAD_DOMAIN |

5. uptycs-get-event-rules


Retrieve a list of event rules.

Base Command

uptycs-get-event-rules

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output

There is no context output for this command.

Command Example

uptycs-get-event-rules limit=1

Context Example
Human Readable Output

Uptycs Event Rules

| name | description | grouping | enabled | updatedAt | code |
| --- | --- | --- | --- | --- | --- |
| Bad domain | Malicious domain resolved | default | true | 2019-06-19T08:17:05.115Z | BAD_DOMAIN |

6. uptycs-get-events


Return events from the Uptycs DB.

Base Command

uptycs-get-events

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
| code | Event code to specify which types of events you would like to retrieve. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Events.description | string | Description of event |
| Uptycs.Events.asset_id | string | Uptycs asset ID |
| Uptycs.Events.code | string | Event code in Uptycs DB |
| Uptycs.Events.created_at | date | Time event was created at |
| Uptycs.Events.id | string | Uptycs event id for this particular event |
| Uptycs.Events.host_name | string | Hostname for the asset this event occurred on |
| Uptycs.Events.grouping | string | Group that this event belongs to |
| Uptycs.Events.value | string | The value will be different for different types of events. It is that which triggered the event. For example, a Bad IP connection will have the IP address here, and a program crash will have the name of the program that crashed here. |
| Uptycs.Events.severity | string | The severity of the event |
Command Example

uptycs-get-events limit=10 time_ago="30 days"

Context Example
{
"Uptycs.Events": [
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-07-07 13:03:11.000",
"severity": "medium",
"created_at": "2019-07-07 13:03:16.000",
"value": "mediaremoted",
"upt_asset_id": "a9bf504c-6bdc-5e56-8c8e-efeec2b1497d",
"host_name": "brandons-mini.fios-router.home",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11895,\"path\":\"/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted\",\"crash_path\":\"/Library/Logs/DiagnosticReports/mediaremoted_2019-06-09-101301_Brandons-Mac-mini.crash\",\"parent\":1,\"responsible\":\"mediaremoted [11895]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "8c99676b-02b6-4806-a1d8-a8dff3c55d1e",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-07-02 11:41:22.000",
"severity": "medium",
"created_at": "2019-07-02 11:41:25.000",
"value": "Amazon Music Helper",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":437,\"path\":\"/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper\",\"crash_path\":\"/Library/Logs/DiagnosticReports/Amazon Music Helper_2019-06-02-103630_Kyles-MacBook-Pro.crash\",\"parent\":1,\"responsible\":\"Amazon Music Helper [437]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "19237e6f-b5b4-4ec7-b0dc-6b6b011f1038",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-27 09:26:25.000",
"severity": "medium",
"created_at": "2019-06-27 09:26:31.000",
"value": "Amazon Music Helper",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":437,\"path\":\"/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper\",\"crash_path\":\"/Library/Logs/DiagnosticReports/Amazon Music Helper_2019-06-02-103630_Kyles-MacBook-Pro.crash\",\"parent\":1,\"responsible\":\"Amazon Music Helper [437]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "7d9e815a-4739-4608-936f-f0cfa5968e3d",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-27 09:26:25.000",
"severity": "medium",
"created_at": "2019-06-27 09:26:31.000",
"value": "osqueryd",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11602,\"path\":\"/usr/local/bin/osqueryd\",\"crash_path\":\"/Library/Logs/DiagnosticReports/osqueryd_2019-05-27-195843_Kyles-MacBook-Pro.crash\",\"parent\":11596,\"responsible\":\"osqueryd [11602]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "d066187e-18a7-4ff1-8e9a-7e87346391dc",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-27 00:08:17.000",
"severity": "medium",
"created_at": "2019-06-27 00:08:22.000",
"value": "mediaremoted",
"upt_asset_id": "a9bf504c-6bdc-5e56-8c8e-efeec2b1497d",
"host_name": "brandons-mini.fios-router.home",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11895,\"path\":\"/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted\",\"crash_path\":\"/Library/Logs/DiagnosticReports/mediaremoted_2019-06-09-101301_Brandons-Mac-mini.crash\",\"parent\":1,\"responsible\":\"mediaremoted [11895]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "c3838f00-2358-46ef-a558-4417cce2e59e",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-25 15:19:08.000",
"severity": "medium",
"created_at": "2019-06-25 15:19:22.000",
"value": "Amazon Music Helper",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":437,\"path\":\"/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper\",\"crash_path\":\"/Library/Logs/DiagnosticReports/Amazon Music Helper_2019-06-02-103630_Kyles-MacBook-Pro.crash\",\"parent\":1,\"responsible\":\"Amazon Music Helper [437]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "7e1a3764-31ed-49cc-9cd0-23159d3d40c0",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-25 15:19:08.000",
"severity": "medium",
"created_at": "2019-06-25 15:19:22.000",
"value": "osqueryd",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11602,\"path\":\"/usr/local/bin/osqueryd\",\"crash_path\":\"/Library/Logs/DiagnosticReports/osqueryd_2019-05-27-195843_Kyles-MacBook-Pro.crash\",\"parent\":11596,\"responsible\":\"osqueryd [11602]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "6ece8d0b-7498-46e5-b8f0-d14773c96aa2",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-24 19:25:30.000",
"severity": "medium",
"created_at": "2019-06-24 19:25:35.000",
"value": "mediaremoted",
"upt_asset_id": "a9bf504c-6bdc-5e56-8c8e-efeec2b1497d",
"host_name": "brandons-mini.fios-router.home",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11895,\"path\":\"/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted\",\"crash_path\":\"/Library/Logs/DiagnosticReports/mediaremoted_2019-06-09-101301_Brandons-Mac-mini.crash\",\"parent\":1,\"responsible\":\"mediaremoted [11895]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "8c14a1a5-0f86-4a50-a4ca-973a83003482",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-23 22:23:49.000",
"severity": "medium",
"created_at": "2019-06-23 22:23:51.000",
"value": "Amazon Music Helper",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":437,\"path\":\"/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper\",\"crash_path\":\"/Library/Logs/DiagnosticReports/Amazon Music Helper_2019-06-02-103630_Kyles-MacBook-Pro.crash\",\"parent\":1,\"responsible\":\"Amazon Music Helper [437]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "26464fa2-6dc2-4e01-9b0f-f7d57b9d1b3d",
"grouping": "OS X Crashes"
},
{
"code": "OSX_CRASHES",
"description": "Crash",
"event_time": "2019-06-23 22:23:49.000",
"severity": "medium",
"created_at": "2019-06-23 22:23:51.000",
"value": "osqueryd",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"host_name": "kyle-mbp-work",
"key": "identifier",
"metadata": "{\"type\":\"application\",\"pid\":11602,\"path\":\"/usr/local/bin/osqueryd\",\"crash_path\":\"/Library/Logs/DiagnosticReports/osqueryd_2019-05-27-195843_Kyles-MacBook-Pro.crash\",\"parent\":11596,\"responsible\":\"osqueryd [11602]\",\"exception_type\":\"EXC_BAD_ACCESS (SIGSEGV)\"}",
"id": "3a0f7ef8-9c3e-4267-8fbc-cc148e0edc9b",
"grouping": "OS X Crashes"
}
]
}
Human Readable Output

Uptycs Events

| host_name | grouping | event_time | description | value | severity |
| --- | --- | --- | --- | --- | --- |
| brandons-mini.fios-router.home | OS X Crashes | 2019-07-07 13:03:11.000 | Crash | mediaremoted | medium |
| kyle-mbp-work | OS X Crashes | 2019-07-02 11:41:22.000 | Crash | Amazon Music Helper | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-27 09:26:25.000 | Crash | Amazon Music Helper | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-27 09:26:25.000 | Crash | osqueryd | medium |
| brandons-mini.fios-router.home | OS X Crashes | 2019-06-27 00:08:17.000 | Crash | mediaremoted | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-25 15:19:08.000 | Crash | Amazon Music Helper | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-25 15:19:08.000 | Crash | osqueryd | medium |
| brandons-mini.fios-router.home | OS X Crashes | 2019-06-24 19:25:30.000 | Crash | mediaremoted | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-23 22:23:49.000 | Crash | Amazon Music Helper | medium |
| kyle-mbp-work | OS X Crashes | 2019-06-23 22:23:49.000 | Crash | osqueryd | medium |

7. uptycs-get-process-open-sockets


Find processes which opened a socket.

Base Command

uptycs-get-process-open-sockets

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| ip | IP address which the process opened a socket to. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| start_window | Beginning of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| end_window | End of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| time | Exact time at which the socket was opened. | Optional |
| time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Sockets.pid | number | pid of the process which opened a connection to the specified IP |
| Uptycs.Sockets.upt_hostname | string | Hostname of the asset which ran the specified process |
| Uptycs.Sockets.upt_time | date | Time at which the connection was opened |
| Uptycs.Sockets.path | string | File path to the process being run |
| Uptycs.Sockets.local_address | string | Local IP for the specified connection |
| Uptycs.Sockets.remote_address | string | Remote IP for the specified connection |
| Uptycs.Sockets.local_port | number | Local port for the specified connection |
| Uptycs.Sockets.remote_port | number | Remote port for the specified connection |
| Uptycs.Sockets.upt_asset_id | string | Asset id for the asset which ran the specified process |
| Uptycs.Sockets.socket | number | Socket used to open the connection |
| Uptycs.Sockets.family | number | Network protocol |
| Uptycs.Sockets.state | string | State of the connection |
| Uptycs.Sockets.protocol | number | Transport protocol |
Command Example

uptycs-get-process-open-sockets limit=1

Context Example
{
"Uptycs.Sockets": [
{
"protocol": 6,
"socket": 0,
"family": 2,
"local_port": 54755,
"remote_port": 443,
"pid": 704,
"remote_address": "69.147.92.12",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"upt_time": "2019-07-19 17:03:31.000",
"state": "ESTABLISHED",
"upt_hostname": "kyle-mbp-work",
"path": null,
"local_address": "192.168.86.61"
}
]
}
Human Readable Output

process_open_sockets

| upt_hostname | pid | local_address | remote_address | upt_time | local_port | remote_port | socket |
| --- | --- | --- | --- | --- | --- | --- | --- |
| kyle-mbp-work | 704 | 192.168.86.61 | 69.147.92.12 | 2019-07-19 17:03:31.000 | 54755 | 443 | 0 |
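The argument rules above (the "YYYY-MM-DD HH:MM:SS.000" window format, the `time_ago` wording, and the three host selectors that must not be combined) are easy to get wrong when a playbook assembles them programmatically. The following is an added example, not code from the Uptycs integration; it resolves `time_ago` into an explicit window so the query is reproducible in an incident timeline, and all function names are hypothetical.

```python
"""Added example (not code from the Uptycs integration): assemble a valid
argument set for uptycs-get-process-open-sockets.

Assumptions: the window format "YYYY-MM-DD HH:MM:SS.000", the time_ago
wording ("2 hours", "4 minutes", "6 month", "1 day") and the rule that
asset_id / host_name_is / host_name_like must not be combined come from the
argument table above; treating a "month" as 30 days is this example's own
choice, and the function names are hypothetical.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

WINDOW_FMT = "%Y-%m-%d %H:%M:%S.000"

# Host selectors the documentation says must not be used together.
HOST_SELECTORS = ("asset_id", "host_name_is", "host_name_like")

# Units accepted in time_ago, singular or plural ("6 month", "4 minutes").
# A month is approximated as 30 days (assumption made by this example).
_UNITS = {
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "day": timedelta(days=1),
    "month": timedelta(days=30),
}
_TIME_AGO_RE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|month)s?\s*$", re.IGNORECASE)


def parse_time_ago(text: str) -> timedelta:
    """Convert "2 hours", "6 month", "1 day" into a timedelta."""
    match = _TIME_AGO_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised time_ago value: {text!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    return count * _UNITS[unit]


def format_window(moment: datetime) -> str:
    """Render a datetime in the "YYYY-MM-DD HH:MM:SS.000" form the command expects."""
    return moment.strftime(WINDOW_FMT)


def conflicting_selectors(args: dict) -> list[str]:
    """Names of host selectors present in args when more than one is given."""
    present = [name for name in HOST_SELECTORS if args.get(name)]
    return present if len(present) > 1 else []


def build_socket_query_args(now: datetime, limit: int = 100,
                            time_ago: str | None = None,
                            **selectors: str) -> dict[str, str]:
    """Build the argument dict; time_ago is resolved into an explicit window
    so the same request can be replayed later from the incident record."""
    clash = conflicting_selectors(selectors)
    if clash:
        raise ValueError("use only one of " + ", ".join(clash))
    args: dict[str, str] = {"limit": str(limit)}
    for name in HOST_SELECTORS:
        if selectors.get(name):
            args[name] = selectors[name]
    if time_ago is not None:
        args["start_window"] = format_window(now - parse_time_ago(time_ago))
        args["end_window"] = format_window(now)
    return args


# Reference point for the worked run (constructed; matches the upt_time above).
EXAMPLE_NOW = datetime(2019, 7, 19, 17, 3, 31)


def example_args() -> dict[str, str]:
    """Arguments for the last day of sockets on the host from the example output."""
    return build_socket_query_args(EXAMPLE_NOW, limit=1, time_ago="1 day",
                                   host_name_is="kyle-mbp-work")


if __name__ == "__main__":
    print(example_args())
```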

8. uptycs-get-process-information


get information for a particular process

Base Command

uptycs-get-process-information

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
| host_name_is | Hostname for asset which spawned the specified process. | Optional |
| pid | pid for the process. | Required |
| time | Time that the specified process was spawned. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Proc.pid | number | pid for the process |
| Uptycs.Proc.upt_hostname | string | hostname for asset which spawned the specified process |
| Uptycs.Proc.upt_asset_id | string | asset id for asset which spawned the specified process |
| Uptycs.Proc.parent | number | pid for the parent process |
| Uptycs.Proc.upt_add_time | date | time that the process was spawned |
| Uptycs.Proc.upt_remove_time | date | time that the process was removed |
| Uptycs.Proc.path | string | path to the process binary |
| Uptycs.Proc.name | string | name of the process |
| Uptycs.Proc.cmdline | string | complete argv of the process |
| Uptycs.Proc.pgroup | number | process group |
| Uptycs.Proc.cwd | string | process current working directory |
Command Example

uptycs-get-process-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" pid=5119 time="2019-01-29 17:05:07.000"

Context Example
{
"Uptycs.Proc": [
{
"name": "VBoxHeadless",
"parent": 484,
"upt_add_time": "2019-01-29 16:14:27.000",
"pid": 5119,
"upt_remove_time": "2019-01-29 19:21:31.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config",
"upt_hostname": "kyle-mbp-work",
"pgroup": 5119,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless",
"cwd": "/Applications",
"upt_day": 20190129
}
]
}
Human Readable Output

Process information

| upt_hostname | parent | pid | name | path | cmdline |
| --- | --- | --- | --- | --- | --- |
| kyle-mbp-work | 484 | 5119 | VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config |

9. uptycs-get-process-child-processes


get all the child processes for a given parent process

Base Command

uptycs-get-process-child-processes

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset_id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
| host_name_is | hostname for the asset which executed these processes. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| parent | The pid for which all child processes will be found. | Required |
| parent_start_time | time at which the parent process was spawned. | Required |
| parent_end_time | time at which the parent process was killed, if it exists. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Children.pid | number | pid of a child process |
| Uptycs.Children.upt_asset_id | string | asset id for asset which this process was run on |
| Uptycs.Children.upt_hostname | string | hostname for asset which spawned the specified process |
| Uptycs.Children.upt_add_time | date | time that the process was spawned |
| Uptycs.Children.upt_remove_time | date | time that the process was removed |
| Uptycs.Children.path | string | path to the process binary |
| Uptycs.Children.parent | number | parent pid |
| Uptycs.Children.name | string | name of the process |
| Uptycs.Children.cmdline | string | complete argv for the process |
| Uptycs.Children.pgroup | number | process group |
| Uptycs.Children.cwd | string | process current working directory |
Command Example

uptycs-get-process-child-processes asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" parent=484 parent_start_time="2019-01-28 14:16:58.000" parent_end_time="2019-01-29 19:21:31.000"

Context Example
{
"Uptycs.Children": [
{
"name": "VBoxHeadless",
"parent": 484,
"upt_add_time": "2019-01-29 16:14:27.000",
"pid": 5119,
"upt_remove_time": "2019-01-29 19:21:31.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config",
"upt_hostname": "kyle-mbp-work",
"pgroup": 5119,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless",
"cwd": "/Applications",
"upt_day": 20190129
},
{
"name": "VirtualBoxVM",
"parent": 484,
"upt_add_time": "2019-01-29 16:00:17.000",
"pid": 5008,
"upt_remove_time": "2019-01-29 16:13:55.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox",
"upt_hostname": "kyle-mbp-work",
"pgroup": 5008,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM",
"cwd": "/Applications",
"upt_day": 20190129
},
{
"name": "VirtualBoxVM",
"parent": 484,
"upt_add_time": "2019-01-29 15:58:10.000",
"pid": 5002,
"upt_remove_time": "2019-01-29 16:00:17.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment basevm_centos_7_orig --startvm 58264539-0e7a-418f-91be-365aa0f20854 --no-startvm-errormsgbox",
"upt_hostname": "kyle-mbp-work",
"pgroup": 5002,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM",
"cwd": "/Applications",
"upt_day": 20190129
},
{
"name": "VirtualBoxVM",
"parent": 484,
"upt_add_time": "2019-01-29 15:55:32.000",
"pid": 4994,
"upt_remove_time": "2019-01-29 15:57:38.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox",
"upt_hostname": "kyle-mbp-work",
"pgroup": 4994,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM",
"cwd": "/Applications",
"upt_day": 20190129
},
{
"name": "VirtualBoxVM",
"parent": 484,
"upt_add_time": "2019-01-28 17:00:39.000",
"pid": 3448,
"upt_remove_time": "2019-01-28 22:27:17.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment ova-31822- --startvm d7414d11-5764-4583-aeb6-94e5527c851c --no-startvm-errormsgbox",
"upt_hostname": "kyle-mbp-work",
"pgroup": 3448,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM",
"cwd": "/Applications",
"upt_day": 20190128
}
]
}
Human Readable Output

Child processes of a specified pid

| upt_hostname | pid | name | path | cmdline | upt_add_time |
| --- | --- | --- | --- | --- | --- |
| kyle-mbp-work | 5119 | VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config | 2019-01-29 16:14:27.000 |
| kyle-mbp-work | 5008 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox | 2019-01-29 16:00:17.000 |
| kyle-mbp-work | 5002 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment basevm_centos_7_orig --startvm 58264539-0e7a-418f-91be-365aa0f20854 --no-startvm-errormsgbox | 2019-01-29 15:58:10.000 |
| kyle-mbp-work | 4994 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox | 2019-01-29 15:55:32.000 |
| kyle-mbp-work | 3448 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment ova-31822- --startvm d7414d11-5764-4583-aeb6-94e5527c851c --no-startvm-errormsgbox | 2019-01-28 17:00:39.000 |

10. uptycs-get-processes


find processes which are running or have run on a registered Uptycs asset

Base Command

uptycs-get-processes

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| time | Exact time at which the process was spawned. | Optional |
| time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Process.pid | number | pid for a particular process |
| Uptycs.Process.parent | number | pid for the parent of a particular process |
| Uptycs.Process.upt_asset_id | string | uptycs asset id for the asset which is running (or ran) the process |
| Uptycs.Process.upt_hostname | string | host name for the asset which is running (or ran) the process |
| Uptycs.Process.upt_time | date | time at which the process was spawned |
| Uptycs.Process.name | string | name of the process |
| Uptycs.Process.path | string | path to the process binary |
| Uptycs.Process.cmdline | string | complete argv for the process |
| Uptycs.Process.pgroup | number | process group |
| Uptycs.Process.cwd | string | process current working directory |
Command Example

uptycs-get-processes limit=1

Context Example
{
"Uptycs.Process": [
{
"name": "SCHelper",
"parent": 1,
"upt_time": "2019-07-19 07:29:32.000",
"pid": 60051,
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper",
"upt_hostname": "kyle-mbp-work",
"pgroup": 60051,
"path": "/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper",
"cwd": "/"
}
]
}
Human Readable Output

Processes

| upt_hostname | pid | name | path | upt_time | parent | cmdline |
| --- | --- | --- | --- | --- | --- | --- |
| kyle-mbp-work | 60051 | SCHelper | /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper | 2019-07-19 07:29:32.000 | 1 | /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper |

11. uptycs-get-process-open-files


find processes which have opened files

Base Command

uptycs-get-process-open-files

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
| host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
| start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
| time | Exact time at which the process was spawned. | Optional |
| time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Files.pid | number | pid for the process which opened a file |
| Uptycs.Files.fd | number | process specific file descriptor number |
| Uptycs.Files.upt_asset_id | string | Uptycs asset id for the asset on which the file was opened |
| Uptycs.Files.upt_hostname | string | Host name for the asset on which the file was opened |
| Uptycs.Files.upt_time | date | time at which the file was opened |
| Uptycs.Files.path | string | filesystem path of the file descriptor |
Command Example

uptycs-get-process-open-files limit=1

Context Example
{
"Uptycs.Files": [
{
"pid": 30143,
"upt_asset_id": "a4991bf9-13e3-026b-7b46-af192746d556",
"upt_hostname": "uptycs-osquery-mhntm",
"fd": 35,
"upt_time": "2019-07-19 17:00:38.000",
"path": "/var/osquery/osquery.db/001951.log"
}
]
}
Human Readable Output

Process which has opened a file

| upt_hostname | pid | path | fd | upt_time |
| --- | --- | --- | --- | --- |
| uptycs-osquery-mhntm | 30143 | /var/osquery/osquery.db/001951.log | 35 | 2019-07-19 17:00:38.000 |

12. uptycs-set-alert-status


Set the status of an alert to new, assigned, resolved, or closed

Base Command

uptycs-set-alert-status

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Uptycs alert id used to identify a particular alert | Required |
| status | Status of the alert can be new, assigned, resolved, or closed | Required |
Context Output

There is no context output for this command.

Command Example

uptycs-set-alert-status alert_id="9cb18abd-2c9a-43a8-988a-0601e9140f6c" status=assigned

Context Example
{
"Uptycs.AlertStatus": {
"status": "assigned",
"code": "OUTBOUND_CONNECTION_TO_THREAT_IOC",
"updatedAt": "2019-07-19T17:07:27.447Z",
"updatedByEmail": "goo@test.com",
"updatedByAdmin": true,
"updatedBy": "B schmoll",
"id": "9cb18abd-2c9a-43a8-988a-0601e9140f6c",
"createdAt": "2019-02-22T21:13:21.238Z"
}
}
Human Readable Output

Uptycs Alert Status

| id | code | status | createdAt | updatedAt |
| --- | --- | --- | --- | --- |
| 9cb18abd-2c9a-43a8-988a-0601e9140f6c | OUTBOUND_CONNECTION_TO_THREAT_IOC | assigned | 2019-02-22T21:13:21.238Z | 2019-07-19T17:07:27.447Z |

13. uptycs-set-asset-tag


Sets a tag on a particular asset

Base Command

uptycs-set-asset-tag

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Uptycs asset id for the asset that the tag should be set on | Required |
| tag_key | Tag key that will be set on the asset | Required |
| tag_value | Tag value that will be set on the asset | Required |
Context Output

There is no context output for this command.

Command Example

uptycs-set-asset-tag asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" tag_key="Uptycs" tag_value="work laptop"

Context Example
{
"Uptycs.AssetTags": {
"hostName": "kyle-mbp-work",
"tags": [
"Uptycs=work laptop",
"owner=Uptycs office",
"network=low",
"cpu=unknown",
"memory=unknown",
"disk=high"
]
}
}
Human Readable Output

Uptycs Asset Tag

| hostName | tags |
| --- | --- |
| kyle-mbp-work | Uptycs=work laptop, owner=Uptycs office, network=low, cpu=unknown, memory=unknown, disk=high |

14. uptycs-get-user-information


get info for an Uptycs user

Base Command

uptycs-get-user-information

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | Unique Uptycs id for the user | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.UserInfo.id | string | unique Uptycs id for the user |
| Uptycs.UserInfo.name | string | Uptycs user's name |
| Uptycs.UserInfo.email | string | Uptycs user's email address |
Command Example

uptycs-get-user-information user_id="33436e24-f30f-42d0-8438-d948be12b5af"

Context Example
{
"Uptycs.UserInfo": {
"userObjectGroups": [
{
"userId": "33436e24-f30f-42d0-8438-d948be12b5af",
"updatedBy": null,
"objectGroupId": "106eef5e-c3a6-44eb-bb3d-1a2087cded3d",
"customerId": "e8213ef3-ef92-460e-a542-46dccd700c16",
"object_group_id": "106eef5e-c3a6-44eb-bb3d-1a2087cded3d",
"createdBy": null,
"updatedAt": "2018-09-24T17:24:45.606Z",
"id": "e10d6fbb-366c-4b89-86b3-89a1cd4ee83c",
"createdAt": "2018-09-24T17:24:45.606Z"
}
],
"userRoles": {
"admin": {
"description": "Default admin role",
"updatedBy": null,
"custom": false,
"createdBy": null,
"updatedAt": "2019-06-19T08:15:49.286Z",
"id": "01b8ce5d-c93a-41a6-ba63-2e26c7d2cd79",
"hidden": false,
"permissions": [
"ALERT:READ",
"ALERT_RULE:READ",
"ASSET:READ",
"CUSTOMER:READ",
"DESTINATION:READ",
"EVENT:READ",
"EVENT_RULE:READ",
"EXCEPTION:READ",
"FIM:READ",
"FLAG:READ",
"OBJECT_GROUP:READ",
"PROFILE:READ",
"PROMETHEUS_TARGET:READ",
"QUERY:READ",
"QUERY_PACK:READ",
"REPORT:READ",
"REPORT_RUN:READ",
"SCHEMA:READ",
"SCHEDULED_GROUP:READ",
"SCHEDULED_QUERY:READ",
"SNAPSHOT:READ",
"TAG:READ",
"TAG_RULE:READ",
"TEMPLATE:READ",
"THREAT:READ",
"USER:READ",
"USER_ROLE:READ",
"CURRENT_USER:UPDATE",
"CUSTOMER:QUERY",
"ASSET:QUERY",
"OSQUERY:DOWNLOAD",
"OSQUERY:READ",
"FEATURE_SET:READ",
"DASHBOARD:READ",
"CURRENT_USER_PREFERENCE:READ",
"CURRENT_USER_PREFERENCE:CREATE",
"CURRENT_USER_PREFERENCE:UPDATE",
"CURRENT_USER_PREFERENCE:DELETE",
"CURRENT_USER_REPORT_SCHEDULE:CREATE",
"CURRENT_USER_REPORT_SCHEDULE:READ",
"CURRENT_USER_REPORT_SCHEDULE:UPDATE",
"CURRENT_USER_REPORT_SCHEDULE:DELETE",
"COMPLIANCE_FAILURE:READ",
"COMPLIANCE_FAILURE:UPDATE",
"CUSTOM_PROFILE:READ",
"QUERY_JOB:CREATE",
"QUERY_JOB:READ",
"QUERY_JOB:UPDATE",
"QUERY_JOB:DELETE",
"EVENT_EXCLUDE_PROFILE:READ",
"ATC_QUERY:READ",
"REGISTRY_PATH:READ",
"AUDIT_RULE:READ",
"EXTERNAL_DASHBOARD:READ",
"ALERT:CREATE",
"ALERT:UPDATE",
"ALERT:DELETE",
"ALERT_RULE:CREATE",
"ALERT_RULE:UPDATE",
"ALERT_RULE:DELETE",
"API_KEY:CREATE",
"API_KEY:READ",
"API_KEY:UPDATE",
"API_KEY:DELETE",
"ASSET:UPDATE",
"ASSET:DELETE",
"ASSET_GROUP_RULE:CREATE",
"ASSET_GROUP_RULE:READ",
"ASSET_GROUP_RULE:UPDATE",
"ASSET_GROUP_RULE:DELETE",
"CUSTOMER:UPDATE",
"DESTINATION:CREATE",
"DESTINATION:UPDATE",
"DESTINATION:DELETE",
"EVENT:CREATE",
"EVENT:UPDATE",
"EVENT:DELETE",
"EVENT_RULE:CREATE",
"EVENT_RULE:UPDATE",
"EVENT_RULE:DELETE",
"EXCEPTION:CREATE",
"EXCEPTION:UPDATE",
"EXCEPTION:DELETE",
"FIM:CREATE",
"FIM:UPDATE",
"FIM:DELETE",
"FLAG:CREATE",
"FLAG:UPDATE",
"FLAG:DELETE",
"OBJECT_GROUP:CREATE",
"OBJECT_GROUP:UPDATE",
"OBJECT_GROUP:DELETE",
"PROMETHEUS_TARGET:CREATE",
"PROMETHEUS_TARGET:UPDATE",
"PROMETHEUS_TARGET:DELETE",
"QUERY:CREATE",
"QUERY:UPDATE",
"QUERY:DELETE",
"QUERY_PACK:CREATE",
"QUERY_PACK:UPDATE",
"QUERY_PACK:DELETE",
"REPORT:CREATE",
"REPORT:UPDATE",
"REPORT:DELETE",
"REPORT_RUN:CREATE",
"REPORT_RUN:UPDATE",
"REPORT_RUN:DELETE",
"SCHEDULED_GROUP:UPDATE",
"SCHEDULED_GROUP:DELETE",
"SCHEDULED_QUERY:CREATE",
"SCHEDULED_QUERY:UPDATE",
"SCHEDULED_QUERY:DELETE",
"SNAPSHOT:CREATE",
"SNAPSHOT:UPDATE",
"SNAPSHOT:DELETE",
"TAG:CREATE",
"TAG:UPDATE",
"TAG:DELETE",
"TAG_RULE:CREATE",
"TAG_RULE:UPDATE",
"TAG_RULE:DELETE",
"TEMPLATE:CREATE",
"TEMPLATE:UPDATE",
"TEMPLATE:DELETE",
"THREAT:CREATE",
"THREAT:UPDATE",
"THREAT:DELETE",
"USER:CREATE",
"USER:UPDATE",
"USER:DELETE",
"USER_ROLE:CREATE",
"USER_ROLE:UPDATE",
"USER_ROLE:DELETE",
"CURRENT_USER:READ",
"CURRENT_USER:UPDATE",
"CUSTOMER_FEATURE_SET:UPDATE",
"USER_PREFERENCE:CREATE",
"USER_PREFERENCE:READ",
"USER_PREFERENCE:UPDATE",
"USER_PREFERENCE:DELETE",
"REPORT_SCHEDULE:CREATE",
"REPORT_SCHEDULE:READ",
"REPORT_SCHEDULE:UPDATE",
"REPORT_SCHEDULE:DELETE",
"AUDIT_LOGS:READ",
"CUSTOM_PROFILE:CREATE",
"CUSTOM_PROFILE:UPDATE",
"CUSTOM_PROFILE:DELETE",
"EVENT_EXCLUDE_PROFILE:CREATE",
"EVENT_EXCLUDE_PROFILE:UPDATE",
"EVENT_EXCLUDE_PROFILE:DELETE",
"ATC_QUERY:CREATE",
"ATC_QUERY:UPDATE",
"ATC_QUERY:DELETE",
"REGISTRY_PATH:CREATE",
"REGISTRY_PATH:UPDATE",
"REGISTRY_PATH:DELETE",
"AUDIT_RULE:UPDATE",
"AUDIT_RULE:DELETE",
"AUDIT_RULE:CREATE",
"EXTERNAL_DASHBOARD:CREATE",
"EXTERNAL_DASHBOARD:UPDATE",
"EXTERNAL_DASHBOARD:DELETE"
],
"customerId": "e8213ef3-ef92-460e-a542-46dccd700c16",
"createdAt": "2018-09-24T17:24:41.194Z",
"name": "admin"
}
},
"email": "goo@test.com",
"name": "B schmoll",
"id": "33436e24-f30f-42d0-8438-d948be12b5af"
}
}
Human Readable Output

Uptycs User Information

| name | email | id |
| --- | --- | --- |
| B schmoll | goo@test.com | 33436e24-f30f-42d0-8438-d948be12b5af |

15. uptycs-get-threat-indicators


get Uptycs threat indicators

Base Command

uptycs-get-threat-indicators

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The specific indicator you wish to search for. This can be an IP address, a bad domain, etc., as well as any indicators you have added. | Optional |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output

There is no context output for this command.

Command Example

uptycs-get-threat-indicators limit=1

Context Example
{
"Uptycs.ThreatIndicators": [
{
"indicator": "54.165.17.209",
"description": "malware.com",
"threatId": "b3f44b34-f6a1-46bc-88f1-9755e3ac1a65",
"indicatorType": "IPv4",
"createdAt": "2019-07-19T16:44:17.511Z",
"id": "8e54f94c-469a-4737-9eef-4e650a93ab58",
"isActive": true
}
]
}
Human Readable Output

Uptycs Threat Indicators

| id | indicator | description | indicatorType | createdAt | isActive | threatId |
| --- | --- | --- | --- | --- | --- | --- |
| 8e54f94c-469a-4737-9eef-4e650a93ab58 | 54.165.17.209 | malware.com | IPv4 | 2019-07-19T16:44:17.511Z | true | b3f44b34-f6a1-46bc-88f1-9755e3ac1a65 |
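During an investigation the socket rows from uptycs-get-process-open-sockets and the indicator rows from this command are often joined by hand to confirm an OUTBOUND_CONNECTION_TO_THREAT_IOC alert. The following is an added example, not code from the Uptycs integration; it performs that join over constructed sample rows shaped like the context examples on this page, ignoring inactive indicators and normalising IPv4-mapped IPv6 literals so they still match.

```python
"""Added example (not code from the Uptycs integration): correlate
Uptycs.Sockets rows with Uptycs.ThreatIndicators rows.

The sample data is constructed from the context examples on this page, plus
extra rows (pids 9123 and 9124, and one inactive indicator) so that the
matching and the filtering are both exercised. Function names are hypothetical.
"""
from __future__ import annotations

import ipaddress

SOCKETS = [
    {"pid": 704, "upt_hostname": "kyle-mbp-work", "remote_address": "69.147.92.12",
     "remote_port": 443, "upt_time": "2019-07-19 17:03:31.000", "state": "ESTABLISHED"},
    # Constructed row: a connection to the indicator listed in the example above.
    {"pid": 9123, "upt_hostname": "kyle-mbp-work", "remote_address": "54.165.17.209",
     "remote_port": 8080, "upt_time": "2019-07-19 17:05:02.000", "state": "ESTABLISHED"},
    # Constructed row: same address as an IPv4-mapped IPv6 literal; must still match.
    {"pid": 9124, "upt_hostname": "uptycs-osquery-mhntm", "remote_address": "::ffff:54.165.17.209",
     "remote_port": 443, "upt_time": "2019-07-19 17:06:00.000", "state": "ESTABLISHED"},
]

INDICATORS = [
    {"indicator": "54.165.17.209", "description": "malware.com", "indicatorType": "IPv4",
     "threatId": "b3f44b34-f6a1-46bc-88f1-9755e3ac1a65", "isActive": True},
    # Constructed: a retired indicator that must not produce a hit.
    {"indicator": "69.147.92.12", "description": "retired entry", "indicatorType": "IPv4",
     "threatId": "00000000-0000-0000-0000-000000000000", "isActive": False},
]


def normalise_ipv4(text: str) -> str | None:
    """Canonical dotted-quad form, or None if the value is not an IPv4 address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr) if addr.version == 4 else None


def active_ipv4_indicators(indicators: list[dict]) -> dict[str, dict]:
    """Lookup table of active IPv4 indicators keyed by canonical address."""
    table: dict[str, dict] = {}
    for ind in indicators:
        if not ind.get("isActive") or ind.get("indicatorType") != "IPv4":
            continue
        key = normalise_ipv4(ind["indicator"])
        if key is not None:
            table[key] = ind
    return table


def match_sockets_to_indicators(sockets: list[dict], indicators: list[dict]) -> list[dict]:
    """Rows describing each socket whose remote address is an active IPv4 indicator."""
    table = active_ipv4_indicators(indicators)
    hits = []
    for sock in sockets:
        key = normalise_ipv4(sock.get("remote_address") or "")
        ind = table.get(key) if key is not None else None
        if ind is None:
            continue
        hits.append({
            "upt_hostname": sock["upt_hostname"], "pid": sock["pid"],
            "remote_address": sock["remote_address"], "remote_port": sock["remote_port"],
            "upt_time": sock["upt_time"], "indicator": ind["indicator"],
            "threatId": ind["threatId"], "description": ind["description"],
        })
    return hits


if __name__ == "__main__":
    for hit in match_sockets_to_indicators(SOCKETS, INDICATORS):
        print(hit)
```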

16. uptycs-get-threat-sources


get Uptycs threat sources

Base Command

uptycs-get-threat-sources

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output

There is no context output for this command.

Command Example

uptycs-get-threat-sources limit=1

Context Example
{
"Uptycs.ThreatSources": [
{
"name": "AlienVault Open Threat Exchange Malicious Domains and IPs",
"url": "4533da856e43f06ee00bb5f1adf170a0ce5cacaca5992ab1279733c2bdd0a88c",
"enabled": true,
"custom": false,
"lastDownload": "2019-05-13T01:00:05.934Z",
"createdAt": "2019-05-12T01:01:04.154Z",
"description": "A feed of malicious domains and IP addresses"
}
]
}
Human Readable Output

Uptycs Threat Sources

| name | description | url | enabled | custom | createdAt | lastDownload |
| --- | --- | --- | --- | --- | --- | --- |
| AlienVault Open Threat Exchange Malicious Domains and IPs | A feed of malicious domains and IP addresses | 4533da856e43f06ee00bb5f1adf170a0ce5cacaca5992ab1279733c2bdd0a88c | true | false | 2019-05-12T01:01:04.154Z | 2019-05-13T01:00:05.934Z |

17. uptycs-get-threat-vendors


get Uptycs threat vendors

Base Command

uptycs-get-threat-vendors

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output

There is no context output for this command.

Command Example

uptycs-get-threat-vendors

Context Example
{
"Uptycs.ThreatVendors": [
{
"name": "Bschmoll Inc.-Threats",
"url": null,
"updatedAt": "2018-11-20T19:15:05.611Z",
"customerId": "e8213ef3-ef92-460e-a542-46dccd700c16",
"numThreats": null,
"numIocs": null,
"lastDownload": null,
"id": "42b9220c-7e29-4fd8-9cf7-9f811e851f8e",
"createdAt": "2018-11-20T19:15:05.611Z",
"description": null
}
]
}
Human Readable Output

Uptycs Threat Vendors

| description | url | updatedAt | customerId | numIocs | numThreats | lastDownload | id | createdAt | name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | 2018-11-20T19:15:05.611Z | e8213ef3-ef92-460e-a542-46dccd700c16 | | | | 42b9220c-7e29-4fd8-9cf7-9f811e851f8e | 2018-11-20T19:15:05.611Z | Bschmoll Inc.-Threats |

18. uptycs-get-parent-information


get the parent process information for a particular child process

Base Command

uptycs-get-parent-information

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
| child_add_time | Time that the specified process was spawned. | Required |
| host_name_is | Hostname for asset which spawned the specified process. | Optional |
| parent | pid for the parent process. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Parent.pid | number | pid of the process (this is the same number as the input argument 'parent') |
| Uptycs.Parent.upt_hostname | string | hostname for asset which spawned the specified process |
| Uptycs.Parent.upt_asset_id | string | asset id for asset which spawned the specified process |
| Uptycs.Parent.parent | number | pid for the parent process (this is the parent of the input argument 'parent') |
| Uptycs.Parent.upt_add_time | date | time that the process was spawned |
| Uptycs.Parent.upt_remove_time | date | time that the process was removed |
| Uptycs.Parent.name | string | name of the process |
| Uptycs.Parent.path | string | path to the process binary |
| Uptycs.Parent.cmdline | string | complete argv for the process |
| Uptycs.Parent.pgroup | number | process group |
| Uptycs.Parent.cwd | string | process current working directory |
Command Example

uptycs-get-parent-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" child_add_time="2019-01-29 16:14:27.000" parent=484

Context Example
{
"Uptycs.Parent": [
{
"name": "VBoxSVC",
"parent": 1,
"upt_add_time": "2019-01-28 14:16:58.000",
"pid": 484,
"upt_remove_time": "2019-01-29 19:21:31.000 UTC",
"upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
"cmdline": "/Applications/VirtualBox.app/Contents/MacOS/VBoxSVC --auto-shutdown",
"upt_hostname": "kyle-mbp-work",
"pgroup": 484,
"path": "/Applications/VirtualBox.app/Contents/MacOS/VBoxSVC",
"cwd": "/Applications",
"upt_day": 20190128
}
]
}
Human Readable Output

Parent process information

| upt_hostname | parent | pid | name | path | cmdline |
| --- | --- | --- | --- | --- | --- |
| kyle-mbp-work | 1 | 484 | VBoxSVC | /Applications/VirtualBox.app/Contents/MacOS/VBoxSVC | /Applications/VirtualBox.app/Contents/MacOS/VBoxSVC --auto-shutdown |
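Commands 8, 9 and 18 all take a pid together with a timestamp (`time`, `parent_start_time`, `child_add_time`) because a pid on its own is ambiguous: the operating system reuses pids, so the process that held pid 484 in January is not necessarily the one holding it in February. The following is an added example, not code from the Uptycs integration, that applies the same lifetime-window logic to Uptycs.Proc / Uptycs.Children / Uptycs.Parent style records built from the context examples above (plus one constructed record that reuses pid 484), walking a process lineage the way repeated uptycs-get-parent-information calls would; the helper names are hypothetical.

```python
"""Added example (not code from the Uptycs integration): pid-reuse-aware
child lookup and lineage walk over Uptycs process records.

Records are constructed from the context examples on this page; the
"reused-pid-example" and "child-of-reused-pid" records are made up to show
why the parent's start time matters. upt_remove_time carries a trailing
" UTC" in the page's examples while upt_add_time does not; both are parsed
as UTC here (assumption).
"""
from __future__ import annotations

from datetime import datetime, timezone

PROCESSES = [
    {"pid": 484, "parent": 1, "name": "VBoxSVC",
     "upt_add_time": "2019-01-28 14:16:58.000", "upt_remove_time": "2019-01-29 19:21:31.000 UTC"},
    {"pid": 5119, "parent": 484, "name": "VBoxHeadless",
     "upt_add_time": "2019-01-29 16:14:27.000", "upt_remove_time": "2019-01-29 19:21:31.000 UTC"},
    {"pid": 5008, "parent": 484, "name": "VirtualBoxVM",
     "upt_add_time": "2019-01-29 16:00:17.000", "upt_remove_time": "2019-01-29 16:13:55.000 UTC"},
    {"pid": 3448, "parent": 484, "name": "VirtualBoxVM",
     "upt_add_time": "2019-01-28 17:00:39.000", "upt_remove_time": "2019-01-28 22:27:17.000 UTC"},
    # Constructed: pid 484 handed to a different process after VBoxSVC exited.
    {"pid": 484, "parent": 1, "name": "reused-pid-example",
     "upt_add_time": "2019-02-01 09:00:00.000", "upt_remove_time": None},
    {"pid": 7001, "parent": 484, "name": "child-of-reused-pid",
     "upt_add_time": "2019-02-01 09:05:00.000", "upt_remove_time": None},
]


def parse_upt_time(value: str) -> datetime:
    """Parse "YYYY-MM-DD HH:MM:SS.000" with or without a trailing " UTC"."""
    text = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def alive_at(record: dict, when: datetime) -> bool:
    """True if the process was running at `when` (no remove time = still running)."""
    start = parse_upt_time(record["upt_add_time"])
    end = parse_upt_time(record["upt_remove_time"]) if record.get("upt_remove_time") else None
    return start <= when and (end is None or when <= end)


def find_process(records: list[dict], pid: int, when: datetime) -> dict | None:
    """The record that held `pid` at `when`; latest start wins if several overlap."""
    matches = [r for r in records if r["pid"] == pid and alive_at(r, when)]
    if not matches:
        return None
    return max(matches, key=lambda r: r["upt_add_time"])


def child_processes(records: list[dict], parent_pid: int,
                    parent_start_time: str, parent_end_time: str | None = None) -> list[dict]:
    """Children spawned by `parent_pid` during the parent's lifetime, newest first,
    mirroring the arguments of uptycs-get-process-child-processes."""
    start = parse_upt_time(parent_start_time)
    end = parse_upt_time(parent_end_time) if parent_end_time else None
    children = []
    for rec in records:
        if rec["parent"] != parent_pid:
            continue
        spawned = parse_upt_time(rec["upt_add_time"])
        if spawned < start or (end is not None and spawned > end):
            continue
        children.append(rec)
    return sorted(children, key=lambda r: r["upt_add_time"], reverse=True)


def lineage(records: list[dict], pid: int, add_time: str) -> list[str]:
    """Process names from the given process up to the root, child first.
    Each hop looks the parent up at the child's add time, exactly the pairing
    uptycs-get-parent-information asks for (parent + child_add_time)."""
    names: list[str] = []
    seen: set[tuple[int, str]] = set()
    rec = find_process(records, pid, parse_upt_time(add_time))
    while rec is not None and (rec["pid"], rec["upt_add_time"]) not in seen:
        seen.add((rec["pid"], rec["upt_add_time"]))
        names.append(rec["name"])
        rec = find_process(records, rec["parent"], parse_upt_time(rec["upt_add_time"]))
    return names


if __name__ == "__main__":
    print([r["pid"] for r in child_processes(PROCESSES, 484,
                                             "2019-01-28 14:16:58.000", "2019-01-29 19:21:31.000")])
    print(lineage(PROCESSES, 7001, "2019-02-01 09:05:00.000"))
```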

19. uptycs-post-threat-source


post a new threat source to your threat sources in Uptycs

Base Command

uptycs-post-threat-source

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| description | A short description for the threat source | Required |
| entry_id | entry_id for the file with threat information. This file should be uploaded to demisto in the Playground War Room using the paperclip icon next to the CLI. | Required |
| filename | The name of the file being uploaded | Required |
| name | The name for the threat source | Required |
Context Output

There is no context output for this command.

Command Example

uptycs-post-threat-source name="testThreatSources" description="testing Uptycs API" entry_id="4322@27d41dbb-9676-4408-88bf-51193334caf7" filename="threatSourcesTest.csv"

Context Example
Human Readable Output

Uptycs Posted Threat Source

20. uptycs-get-users


get a list of Uptycs users

Base Command

uptycs-get-users

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.Users.id | string | unique Uptycs id for the user |
| Uptycs.Users.name | string | Uptycs user's name |
| Uptycs.Users.email | string | Uptycs user's email address |
| Uptycs.Users.createdAt | date | datetime this user was added |
| Uptycs.Users.updatedAt | date | last time this user was updated |
| Uptycs.Users.admin | boolean | true if this user has admin privileges, false otherwise |
| Uptycs.Users.active | boolean | true if this user is currently active, false otherwise |
Command Example

uptycs-get-users limit=1

Context Example
{
"Uptycs.Users": [
{
"name": "B schmoll",
"admin": true,
"id": "33436e24-f30f-42d0-8438-d948be12b5af",
"updatedAt": "2018-09-25T16:10:28.140Z",
"active": true,
"email": "goo@test.com",
"createdAt": "2018-09-24T17:24:38.635Z"
}
]
}
Human Readable Output

Uptycs Users

| name | email | id | admin | active | createdAt | updatedAt |
| --- | --- | --- | --- | --- | --- | --- |
| B schmoll | goo@test.com | 33436e24-f30f-42d0-8438-d948be12b5af | true | true | 2018-09-24T17:24:38.635Z | 2018-09-25T16:10:28.140Z |

21. uptycs-get-asset-groups


get Uptycs asset groups

Base Command

uptycs-get-asset-groups

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.AssetGroups.id | string | unique Uptycs id for a particular object group |
| Uptycs.AssetGroups.custom | boolean | true if this is a custom asset group, false otherwise |
| Uptycs.AssetGroups.createdAt | date | datetime the group was created |
| Uptycs.AssetGroups.updatedAt | date | datetime the group was last updated |
Command Example

uptycs-get-asset-groups

Context Example
{
"Uptycs.AssetGroups": [
{
"name": "assets",
"description": "Default asset group",
"custom": false,
"updatedAt": "2018-09-24T17:24:45.604Z",
"id": "106eef5e-c3a6-44eb-bb3d-1a2087cded3d",
"createdAt": "2018-09-24T17:24:45.604Z",
"objectType": "ASSET"
},
{
"name": "enrolling",
"description": "Enrolling asset group",
"custom": false,
"updatedAt": "2018-09-24T17:24:45.601Z",
"id": "a73353c1-1b27-4eea-9a7c-d2f946cca030",
"createdAt": "2018-09-24T17:24:45.601Z",
"objectType": "ASSET"
}
]
}
Human Readable Output

Uptycs Users

| id | name | description | objectType | custom | createdAt | updatedAt |
| --- | --- | --- | --- | --- | --- | --- |
| 106eef5e-c3a6-44eb-bb3d-1a2087cded3d | assets | Default asset group | ASSET | false | 2018-09-24T17:24:45.604Z | 2018-09-24T17:24:45.604Z |
| a73353c1-1b27-4eea-9a7c-d2f946cca030 | enrolling | Enrolling asset group | ASSET | false | 2018-09-24T17:24:45.601Z | 2018-09-24T17:24:45.601Z |

22. uptycs-get-user-asset-groups


get a list of users in a particular asset group

Base Command

uptycs-get-user-asset-groups

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| asset_group_id | return a list of users with access to this asset group | Required |
Context Output

There is no context output for this command.

Command Example

uptycs-get-user-asset-groups asset_group_id="106eef5e-c3a6-44eb-bb3d-1a2087cded3d"

Context Example
{
"Uptycs.UserGroups": {
"B schmoll": {
"email": "goo@test.com",
"id": "33436e24-f30f-42d0-8438-d948be12b5af"
},
"Mike Boldi": {
"email": "woo@test.com",
"id": "e43b0119-8d23-4ea2-9fd9-3a9ff14fc195"
},
"Milan Shah": {
"email": "foo@test.com",
"id": "89d26aa4-f0a8-48d9-a174-ce5285d9dd60"
}
}
}
Human Readable Output

Uptycs User Asset Groups

| B schmoll | Mike Boldi | Milan Shah |
| --- | --- | --- |
| email: goo@test.com, id: 33436e24-f30f-42d0-8438-d948be12b5af | email: woo@test.com, id: e43b0119-8d23-4ea2-9fd9-3a9ff14fc195 | email: foo@test.com, id: 89d26aa4-f0a8-48d9-a174-ce5285d9dd60 |

23. uptycs-get-threat-indicator


retrieve information about a specific threat indicator using a unique threat indicator id

Base Command

uptycs-get-threat-indicator

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | unique Uptycs id which identifies a specific threat indicator | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Uptycs.ThreatIndicator.threat_source_id | string | unique Uptycs id which identifies the source of this specific threat indicator |
| Uptycs.ThreatIndicator.threat_vendor_id | string | unique Uptycs id which identifies the vendor of this specific threat source |
| Uptycs.ThreatIndicator.indicatorType | string | type of threat indicator (IPv4, domain, ...) |
| Uptycs.ThreatIndicator.indicator | string | threat indicator |
| Uptycs.ThreatIndicator.createdAt | date | datetime the threat indicator was created |
| Uptycs.ThreatIndicator.threatId | string | unique id for the group of threat indicators this threat indicator belongs to |
| Uptycs.ThreatIndicator.id | string | unique id for this particular threat indicator |
Command Example

uptycs-get-threat-indicator indicator_id="0ab619bb-cfe0-4db0-8a31-0a71fcc2a362"

Context Example
{
    "Uptycs.ThreatIndicator": {
        "indicator": "92.242.140.21",
        "description": "nishant.uptycs.io",
        "threatId": "60e2e9eb-f756-4a4d-a85d-55aa8167d59d",
        "threat_source_name": "test-bad-ips",
        "threat_vendor_id": "42b9220c-7e29-4fd8-9cf7-9f811e851f8e",
        "indicatorType": "IPv4",
        "createdAt": "2019-01-10T21:25:49.280Z",
        "updatedAt": "2019-01-10T21:25:49.280Z",
        "threat_source_id": "c67d0821-f2f2-44ee-b3a8-a0bae5b04e55",
        "id": "0ab619bb-cfe0-4db0-8a31-0a71fcc2a362",
        "isActive": true
    }
}
Human Readable Output

Uptycs Threat Indicator

id | indicator | description | indicatorType | createdAt | isActive | threatId
0ab619bb-cfe0-4db0-8a31-0a71fcc2a362 | 92.242.140.21 | nishant.uptycs.io | IPv4 | 2019-01-10T21:25:49.280Z | true | 60e2e9eb-f756-4a4d-a85d-55aa8167d59d

24. uptycs-get-threat-source


Retrieve information about a specific threat source.

Base Command

uptycs-get-threat-source

Input
Argument Name | Description | Required
threat_source_id | Unique Uptycs id for the threat source you wish to retrieve | Required
Context Output

There is no context output for this command.

Command Example

uptycs-get-threat-source threat_source_id="20ee2177-4fdc-4070-a046-945048373dd1"

Context Example
{
    "Uptycs.ThreatSources": {
        "name": "Debian Linux vulnerabilities",
        "url": "https://vulners.com/api/v3/archive/collection/?type=debian",
        "enabled": true,
        "custom": false,
        "lastDownload": null,
        "createdAt": "2018-09-14T18:43:54.832Z",
        "description": "Debian Linux vulnerabilities"
    }
}
Human Readable Output

Uptycs Threat Sources

name | description | url | enabled | custom | createdAt | lastDownload
Debian Linux vulnerabilities | Debian Linux vulnerabilities | https://vulners.com/api/v3/archive/collection/?type=debian | true | false | 2018-09-14T18:43:54.832Z |

25. uptycs-get-process-events


Find process events which are running or have run on a registered Uptycs asset.

Base Command

uptycs-get-process-events

Input
Argument Name | Description | Required
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional
time | Exact time at which the process was spawned. | Optional
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional
Context Output
Path | Type | Description
Uptycs.ProcessEvents.pid | number | pid for a particular process
Uptycs.ProcessEvents.parent | number | pid for the parent of a particular process
Uptycs.ProcessEvents.upt_asset_id | string | Uptycs asset id for the asset which is running (or ran) the process
Uptycs.ProcessEvents.upt_hostname | string | host name for the asset which is running (or ran) the process
Uptycs.ProcessEvents.upt_time | date | time at which the process was spawned
Uptycs.ProcessEvents.path | string | path to the process binary
Uptycs.ProcessEvents.cmdline | string | complete argv for the process
Uptycs.ProcessEvents.cwd | string | process current working directory
Command Example

uptycs-get-process-events limit=1

Context Example
{
    "Uptycs.ProcessEvents": [
        {
            "parent": 60065,
            "pid": 60067,
            "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
            "cmdline": "/usr/sbin/spctl --status ",
            "upt_hostname": "kyle-mbp-work",
            "upt_time": "2019-07-19 09:29:47.000",
            "path": "/usr/sbin/spctl",
            "cwd": null
        }
    ]
}
Human Readable Output

Process events

upt_hostname | pid | path | upt_time | parent | cmdline
kyle-mbp-work | 60067 | /usr/sbin/spctl | 2019-07-19 09:29:47.000 | 60065 | /usr/sbin/spctl --status

26. uptycs-get-process-event-information


Get information for a particular process event.

Base Command

uptycs-get-process-event-information

Input
Argument Name | Description | Required
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional
host_name_is | Hostname for asset which spawned the specified process. | Optional
pid | pid for the process. | Required
time | Time that the specified process was spawned. | Required
Context Output
Path | Type | Description
Uptycs.ProcEvent.pid | number | pid for the process
Uptycs.ProcEvent.upt_hostname | string | hostname for asset which spawned the specified process
Uptycs.ProcEvent.upt_asset_id | string | asset id for asset which spawned the specified process
Uptycs.ProcEvent.parent | number | pid for the parent process
Uptycs.ProcEvent.upt_time | date | time that the process was spawned
Uptycs.ProcEvent.path | string | path to the process binary
Uptycs.ProcEvent.cmdline | string | complete argv for the process
Uptycs.ProcEvent.cwd | string | process current working directory
Command Example

uptycs-get-process-event-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" pid=3318 time="2019-02-28 18:43:04.000"

Context Example
{
    "Uptycs.ProcEvent": [
        {
            "parent": 1,
            "pid": 3318,
            "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
            "cmdline": "xpcproxy com.apple.WebKit.WebContent.024FB342-0ECE-4E09-82E1-B9C9CF5F9CDF 3266 ",
            "upt_hostname": "kyle-mbp-work",
            "upt_time": "2019-02-28 18:43:04.000",
            "path": "/dev/console",
            "cwd": null
        }
    ]
}
Human Readable Output

Process event information

upt_hostname | parent | pid | path | cmdline
kyle-mbp-work | 1 | 3318 | /dev/console | xpcproxy com.apple.WebKit.WebContent.024FB342-0ECE-4E09-82E1-B9C9CF5F9CDF 3266

27. uptycs-get-socket-events


Find processes which opened a socket.

Base Command

uptycs-get-socket-events

Input
Argument Name | Description | Required
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional
ip | IP address which process opened a socket to. | Optional
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional
start_window | Beginning of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional
end_window | End of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional
time | Exact time at which the socket was opened. | Optional
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional
Context Output
Path | Type | Description
Uptycs.SocketEvents.pid | number | pid of process which opened a connection to a specified IP
Uptycs.SocketEvents.upt_hostname | string | hostname of the asset which ran the specified process
Uptycs.SocketEvents.upt_time | date | time at which the connection was opened
Uptycs.SocketEvents.path | string | file path to the process being run
Uptycs.SocketEvents.local_address | string | local IP for specified connection
Uptycs.SocketEvents.remote_address | string | remote IP for specified connection
Uptycs.SocketEvents.local_port | number | local port for specified connection
Uptycs.SocketEvents.remote_port | number | remote port for specified connection
Uptycs.SocketEvents.upt_asset_id | string | asset id for asset which ran the specified process
Uptycs.SocketEvents.socket | number | socket used to open the connection
Uptycs.SocketEvents.family | number | network protocol
Uptycs.SocketEvents.action | string | type of socket event (accept, connect, or bind)
Uptycs.SocketEvents.protocol | number | transfer protocol
Command Example

uptycs-get-socket-events limit=1 remote_address="98.239.146.208"

Context Example
{
    "Uptycs.SocketEvents": [
        {
            "protocol": null,
            "socket": null,
            "family": 2,
            "local_port": 47873,
            "remote_port": null,
            "pid": 89,
            "remote_address": "17.142.171.8",
            "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
            "upt_time": "2019-07-19 09:29:52.000",
            "upt_hostname": "kyle-mbp-work",
            "path": null,
            "action": "connect",
            "local_address": "0.0.0.0"
        }
    ]
}
Human Readable Output

Socket events

upt_hostname | pid | local_address | remote_address | upt_time | local_port | action
kyle-mbp-work | 89 | 0.0.0.0 | 17.142.171.8 | 2019-07-19 09:29:52.000 | 47873 | connect

28. uptycs-get-parent-event-information


Find information for parent process events which are running or have run on a registered Uptycs asset.

Base Command

uptycs-get-parent-event-information

Input
Argument Name | Description | Required
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional
child_add_time | Time that the specified process was spawned. | Required
host_name_is | Hostname for asset which spawned the specified process. | Optional
parent | pid for the parent process. | Required
Context Output
Path | Type | Description
Uptycs.ParentEvent.pid | number | pid of the process (this is the same number as the input argument 'parent')
Uptycs.ParentEvent.upt_hostname | string | hostname for asset which spawned the specified process
Uptycs.ParentEvent.upt_asset_id | string | asset id for asset which spawned the specified process
Uptycs.ParentEvent.parent | number | pid for the parent process (this is the parent of the input argument 'parent')
Uptycs.ParentEvent.upt_time | date | time that the process was spawned
Uptycs.ParentEvent.path | string | path to the parent process binary
Uptycs.ParentEvent.cmdline | string | complete argv for the parent process
Uptycs.ParentEvent.cwd | string | parent process current working directory
Command Example

uptycs-get-parent-event-information child_add_time="2019-05-07 12:24:34.000" parent=9347 host_name_is="kyle-mbp-work"

Context Example
{
    "Uptycs.ParentEvent": [
        {
            "parent": 75,
            "pid": 9347,
            "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
            "cmdline": "/sbin/mount -t hfs -o -u=99,-g=99,-m=755,nodev,noowners,nosuid,owners,nobrowse,-t=4m /dev/disk2s2 /Volumes/Time Machine Backups ",
            "upt_hostname": "kyle-mbp-work",
            "upt_time": "2019-05-07 12:24:34.000",
            "path": "/sbin/mount",
            "cwd": null
        }
    ]
}
Human Readable Output

Parent process event information

upt_hostname | parent | pid | path | cmdline
kyle-mbp-work | 75 | 9347 | /sbin/mount | /sbin/mount -t hfs -o -u=99,-g=99,-m=755,nodev,noowners,nosuid,owners,nobrowse,-t=4m /dev/disk2s2 /Volumes/Time Machine Backups

29. uptycs-get-socket-event-information


Get information for a particular socket event.

Base Command

uptycs-get-socket-event-information

Input
Argument Name | Description | Required
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional
host_name_is | Hostname for asset which spawned the specified process. | Optional
ip | IP address which process opened a socket to. | Required
time | Time that the specified connection was opened. | Required
Context Output
Path | Type | Description
Uptycs.SocketEvents.pid | number | pid of process which opened a connection to a specified IP
Uptycs.SocketEvents.upt_hostname | string | hostname of the asset which ran the specified process
Uptycs.SocketEvents.upt_time | date | time at which the connection was opened
Uptycs.SocketEvents.path | string | file path to the process being run
Uptycs.SocketEvents.local_address | string | local IP for specified connection
Uptycs.SocketEvents.remote_address | string | remote IP for specified connection
Uptycs.SocketEvents.local_port | number | local port for specified connection
Uptycs.SocketEvents.remote_port | number | remote port for specified connection
Uptycs.SocketEvents.upt_asset_id | string | asset id for asset which ran the specified process
Uptycs.SocketEvents.action | string | type of socket event (accept, connect, or bind)
Uptycs.SocketEvents.family | number | network protocol
Uptycs.SocketEvents.socket | number | socket used to open the connection
Uptycs.SocketEvents.protocol | number | transfer protocol
Command Example

uptycs-get-socket-event-information ip="18.213.163.112" time="2019-03-18 14:34:31.000"

Context Example
{
    "Uptycs.SocketEvent": [
        {
            "protocol": null,
            "socket": "",
            "family": 2,
            "local_port": 47873,
            "remote_port": null,
            "pid": 16570,
            "remote_address": "18.213.163.112",
            "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
            "upt_time": "2019-03-18 14:34:31.000",
            "upt_hostname": "kyle-mbp-work",
            "path": null,
            "action": "connect",
            "local_address": "0.0.0.0"
        }
    ]
}
Human Readable Output

Socket event information

upt_hostname | pid | local_address | remote_address | upt_time | local_port | action
kyle-mbp-work | 16570 | 0.0.0.0 | 18.213.163.112 | 2019-03-18 14:34:31.000 | 47873 | connect
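Commands 25 through 29 are typically chained during an investigation: a socket event gives a pid and time, which identify the process event, whose parent pid and time identify the parent event. The Python helpers below are an added example, not the integration's own code; they build the argument sets for that pivot, enforce the documented rule against combining asset_id, host_name_is and host_name_like, and derive start_window/end_window in the documented "YYYY-MM-DD HH:MM:SS.000" format from a time_ago span. The sample event is constructed from the context example under command 27, run_command is an assumed stand-in for the Demisto command runner, and the 30-day month is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like one Uptycs.SocketEvents entry (values from
# the context example under command 27).
SAMPLE_SOCKET_EVENT = {
    "pid": 89,
    "remote_address": "17.142.171.8",
    "upt_asset_id": "984d4a7a-9f3a-580a-a3ef-2841a561669b",
    "upt_time": "2019-07-19 09:29:52.000",
    "upt_hostname": "kyle-mbp-work",
}

UPTYCS_TIME_FMT = "%Y-%m-%d %H:%M:%S.000"      # "YYYY-MM-DD HH:MM:SS.000"
HOST_SELECTORS = ("asset_id", "host_name_is", "host_name_like")
# Units accepted by time_ago ("2 hours", "4 minutes", "6 month", "1 day");
# a month is taken as 30 days (assumption: the page gives no exact value).
TIME_AGO_UNITS = {
    "minute": timedelta(minutes=1), "hour": timedelta(hours=1),
    "day": timedelta(days=1), "month": timedelta(days=30),
}

def parse_time_ago(spec: str) -> timedelta:
    """Turn a time_ago string such as '2 hours' into a timedelta."""
    count, unit = spec.strip().split()
    unit = unit.lower().rstrip("s")            # singular or plural
    if unit not in TIME_AGO_UNITS:
        raise ValueError(f"unsupported time_ago unit: {unit!r}")
    return int(count) * TIME_AGO_UNITS[unit]

def window_args(end_window: str, time_ago: str) -> dict:
    """Derive start_window from end_window minus a time_ago span."""
    end = datetime.strptime(end_window, UPTYCS_TIME_FMT)
    start = end - parse_time_ago(time_ago)
    return {"start_window": start.strftime(UPTYCS_TIME_FMT),
            "end_window": end.strftime(UPTYCS_TIME_FMT)}

def check_host_selector(args: dict) -> dict:
    """Reject asset_id/host_name_is/host_name_like used together."""
    used = [k for k in HOST_SELECTORS if args.get(k)]
    if len(used) > 1:
        raise ValueError("use only one of: " + ", ".join(used))
    return args

def process_event_args(socket_event: dict) -> dict:
    """Socket event -> arguments for uptycs-get-process-event-information."""
    return check_host_selector({
        "asset_id": socket_event["upt_asset_id"],
        "pid": socket_event["pid"],
        "time": socket_event["upt_time"],
    })

def parent_event_args(process_event: dict) -> dict:
    """Process event -> arguments for uptycs-get-parent-event-information."""
    return check_host_selector({
        "host_name_is": process_event["upt_hostname"],
        "parent": process_event["parent"],
        "child_add_time": process_event["upt_time"],
    })

def pivot_chain(socket_event: dict, run_command) -> dict:
    """Walk socket -> process -> parent. run_command(name, args) stands in
    for the Demisto command runner (assumption: supplied by the caller) and
    returns the command's context list; the parent event entry is returned."""
    proc = run_command("uptycs-get-process-event-information",
                       process_event_args(socket_event))[0]
    return run_command("uptycs-get-parent-event-information",
                       parent_event_args(proc))[0]
```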

30. uptycs-get-asset-tags


Retrieve a list of tags for a particular asset

Base Command

uptycs-get-asset-tags

Input
Argument Name | Description | Required
asset_id | Uptycs asset id for the asset you are looking for. | Required
Context Output

There is no context output for this command.

Command Example

uptycs-get-asset-tags asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b"

Context Example
{
    "Uptycs.AssetTags": [
        "Uptycs=work laptop",
        "owner=Uptycs office",
        "network=low",
        "cpu=unknown",
        "memory=unknown",
        "disk=high"
    ]
}
Human Readable Output

Uptycs Asset Tags for asset id: 984d4a7a-9f3a-580a-a3ef-2841a561669b

Tags
Uptycs=work laptop
owner=Uptycs office
network=low
cpu=unknown
memory=unknown
disk=high

31. uptycs-get-saved-queries


Retrieve a saved query or list of all saved queries

Base Command

uptycs-get-saved-queries

Input
Argument Name | Description | Required
limit | Limit the number of entries returned | Optional
query_id | Only return the query with this unique id | Optional
name | Only return the query with this name | Optional
Context Output

There is no context output for this command.

Command Example

uptycs-get-saved-queries name="test_saved_query"

Context Example
{
    "Uptycs.SavedQueries": [
        {
            "seedId": "fec83a16-7c2a-4c9e-8621-7f030a14dfa4",
            "updatedAt": "2019-05-10T19:07:46.480Z",
            "query": "select * from upt_assets limit 1",
            "viewConfig": null,
            "id": "16de057d-6f69-46b0-80d0-46cb9348c8fe",
            "createdAt": "2019-05-10T19:07:46.480Z",
            "deleted_at": null,
            "resultView": "TABLE",
            "custom": true,
            "shared": true,
            "customerId": "e8213ef3-ef92-460e-a542-46dccd700c16",
            "type": "default",
            "assetView": "LIST",
            "description": "this is a test query",
            "deletedAt": null,
            "createdBy": "33436e24-f30f-42d0-8438-d948be12b5af",
            "updatedBy": "33436e24-f30f-42d0-8438-d948be12b5af",
            "name": "test_saved_query",
            "executionType": "global",
            "parameters": null,
            "deletedBy": null,
            "grouping": "\"\""
        }
    ]
}
Human Readable Output

Uptycs Saved Queries

name | description | query | executionType | grouping | id
test_saved_query | this is a test query | select * from upt_assets limit 1 | global | "" | 16de057d-6f69-46b0-80d0-46cb9348c8fe

32. uptycs-run-saved-query


Run a saved query

Base Command

uptycs-run-saved-query

Input
Argument Name | Description | Required
name | The name of the query you want to run | Optional
query_id | The unique id for the query you want to run | Optional
asset_id | Realtime queries only. This argument should be used when one wants to run a realtime query on a particular asset. | Optional
host_name_is | Realtime queries only. Only return assets with this hostname. | Optional
host_name_like | Realtime queries only. Only return assets with this string in the hostname. | Optional
variable_arguments | If your saved query has variable arguments, write them here in JSON format, where the key is the name of the variable argument and the value is the value you want to use for this particular query. | Optional
Context Output

There is no context output for this command.

Command Example

uptycs-run-saved-query name="test_saved_query"

Context Example
{
    "Uptycs.RunQuery": [
        {
            "city_id": "6ee1f7ef-ad7d-46b1-9f74-384299c90830",
            "updated_at": "2018-09-25 16:14:28.898",
            "hardware_vendor": "Dell Inc.",
            "disabled": false,
            "os_key": "windows_10.0",
            "deleted_at": null,
            "id": "4c4c4544-0044-3910-8033-c8c04f5a4832",
            "os_version": "10.0.14393",
            "osquery_version": "3.2.6.15-Uptycs",
            "gateway": "50.79.168.117",
            "hardware_model": "PowerEdge T30",
            "cpu_brand": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz",
            "live": false,
            "location": "United States",
            "latitude": 37.751,
            "host_name": "caol",
            "status": "active",
            "last_enrolled_at": "2018-09-25 16:14:28.863",
            "description": null,
            "object_group_id": "106eef5e-c3a6-44eb-bb3d-1a2087cded3d",
            "last_activity_at": "2018-09-26 17:03:16.187",
            "os": "Microsoft Windows Server 2016 Datacenter",
            "created_at": "2018-09-25 16:14:28.881",
            "longitude": -97.822,
            "memory_mb": 16250,
            "logical_cores": 4,
            "os_flavor": "windows",
            "cores": 4,
            "hardware_serial": "HD93ZH2"
        }
    ]
}
Human Readable Output

Uptycs Query Results

city_id | updated_at | hardware_vendor | disabled | last_enrolled_at | deleted_at | gateway | cpu_brand | osquery_version | id | hardware_model | os_version | live | location | latitude | host_name | status | os_key | description | object_group_id | last_activity_at | hardware_serial | created_at | longitude | memory_mb | logical_cores | os_flavor | cores | os
6ee1f7ef-ad7d-46b1-9f74-384299c90830 | 2018-09-25 16:14:28.898 | Dell Inc. | false | 2018-09-25 16:14:28.863 | | 50.79.168.117 | Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz | 3.2.6.15-Uptycs | 4c4c4544-0044-3910-8033-c8c04f5a4832 | PowerEdge T30 | 10.0.14393 | false | United States | 37.751 | caol | active | windows_10.0 | | 106eef5e-c3a6-44eb-bb3d-1a2087cded3d | 2018-09-26 17:03:16.187 | HD93ZH2 | 2018-09-25 16:14:28.881 | -97.822 | 16250 | 4 | windows | 4 | Microsoft Windows Server 2016 Datacenter

33. uptycs-post-saved-query


Save a query to the Uptycs DB

Base Command

uptycs-post-saved-query

Input
Argument Name | Description | Required
description | A short description for the query | Optional
execution_type | The type of query (global or realtime). | Required
name | The name for the query. This should be unique to this query. | Required
query | The query which will be saved | Required
type | Type of issue the query addresses. | Optional
grouping | Add the query to a group of queries. | Optional
Context Output

There is no context output for this command.

Command Example

uptycs-post-saved-query name="process_query" query="select * from processes where name=:name limit 1" execution_type=global description="This is a test query with a variable argument for the column 'name’"

Context Example
{
    "Uptycs.PostedQuery": {
        "links": [
            {
                "href": "/api/customers/e8213ef3-ef92-460e-a542-46dccd700c16/queries/cc40b97a-46ab-4392-9f58-c4659e8ef4c1",
                "rel": "self"
            },
            {
                "href": "/api/customers/e8213ef3-ef92-460e-a542-46dccd700c16/queries",
                "rel": "parent"
            }
        ],
        "updatedAt": "2019-07-19T17:52:18.476Z",
        "query": "select * from processes where name=:name limit 1",
        "viewConfig": null,
        "id": "cc40b97a-46ab-4392-9f58-c4659e8ef4c1",
        "createdAt": "2019-07-19T17:52:18.476Z",
        "seedId": "9a6dfb16-695a-43c2-ac15-201cbd8040f8",
        "resultView": "TABLE",
        "custom": true,
        "shared": true,
        "customerId": "e8213ef3-ef92-460e-a542-46dccd700c16",
        "type": "default",
        "assetView": "LIST",
        "description": "This is a test query with a variable argument for the column 'name\u2019",
        "deletedAt": null,
        "createdBy": "33436e24-f30f-42d0-8438-d948be12b5af",
        "updatedBy": "33436e24-f30f-42d0-8438-d948be12b5af",
        "name": "process_query",
        "executionType": "global",
        "parameters": null,
        "deletedBy": null,
        "grouping": "\"\""
    }
}
Human Readable Output

Uptycs Posted Query

name | type | description | query | executionType | grouping | custom
process_query | default | This is a test query with a variable argument for the column 'name’ | select * from processes where name=:name limit 1 | global | "" | true
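A saved query such as the process_query above carries named placeholders (":name") that are filled at run time through the variable_arguments JSON of uptycs-run-saved-query (command 32). The following Python helpers are an added example, not the integration's code: they extract the placeholders from the saved query text and build the run-saved-query arguments only when the supplied values cover exactly those placeholders, so a query never runs with a missing or stray variable. query_placeholders and run_saved_query_args are hypothetical helper names.

```python
import json
import re

# A placeholder is ":" followed by an identifier, as in "name=:name".
# The lookbehind skips "::" casts and colons glued to a preceding word.
PLACEHOLDER = re.compile(r"(?<![:\w]):([A-Za-z_]\w*)")

def query_placeholders(query: str) -> set:
    """Return the variable-argument names a saved query expects.
    Text inside single-quoted string literals is blanked first so that a
    literal such as '12:30' or ':x' is not mistaken for a placeholder."""
    stripped = re.sub(r"'(?:[^']|'')*'", "''", query)
    return set(PLACEHOLDER.findall(stripped))

def run_saved_query_args(name: str, query: str, values: dict,
                         asset_id: str = None) -> dict:
    """Build the uptycs-run-saved-query arguments for a saved query.
    values maps placeholder name -> value and must match the query's
    placeholders exactly; it is serialised into variable_arguments as
    the JSON object the command documents."""
    expected = query_placeholders(query)
    missing = expected - set(values)
    extra = set(values) - expected
    if missing or extra:
        raise ValueError(f"variable_arguments mismatch: "
                         f"missing={sorted(missing)} extra={sorted(extra)}")
    args = {"name": name}
    if values:
        args["variable_arguments"] = json.dumps(values)
    if asset_id:
        args["asset_id"] = asset_id        # realtime queries only
    return args
```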

Additional Information


In order to create an instance of the integration, a user API key and secret must be downloaded from the user's Uptycs account. After signing in, navigate to Configuration -> Users. At the bottom left of the screen you will see a window labeled "User API key". Click download. The downloaded file contains all the information necessary to create the instance.

Known Limitations


While the Demisto-Uptycs integration provides multiple commands with which to access the Uptycs backend, not all features are supported. In particular, configuration changes are best made using the Uptycs UI. Many of the commands have a limit set to reduce the number of rows returned from a query or API call. The limit can be raised or turned off; however, this may cause the queries to take longer to return and potentially return large numbers of rows. When writing queries, it can sometimes be easier to test using the Uptycs UI rather than the integration.

Troubleshooting