Chore/add user guides (#326)

* trust user guide

* adding trust user guides

* user guides

* adding user guides

* user guides

* user guides

* PR feedback

* PR feedback

* PR feedback

* Update trustedactivities.md

Updates to phrasing for brevity, clarity and style. The "Note" section within "Update a Trusted Activity" appeared to be entirely in a code block, which didn't seem right.

* Update users.md

Updates to phrasing for clarity, brevity, and style.

* style

* format note block

* tiny wording adjustments

* /s

Co-authored-by: annie-payseur <52421911+annie-payseur@users.noreply.github.com>

Author: tora-kozic

docs/guides.md

@@ -2,8 +2,12 @@
 
 * [Get started with the Code42 command-line interface (CLI)](userguides/gettingstarted.md)
 * [Configure a profile](userguides/profile.md)
-* [Ingest file events or alerts into a SIEM](userguides/siemexample.md)
+* [Ingest Data into a SIEM](userguides/siemexample.md)
 * [Manage detection list users](userguides/detectionlists.md)
 * [Manage legal hold users](userguides/legalhold.md)
 * [Clean up your environment by deactivating devices](userguides/deactivatedevices.md)
 * [Write custom extension scripts using the Code42 CLI and py42](userguides/extensions.md)
+* [Manage Users](userguides/users.md)
+* [Configure Trusted Activities](userguides/trustedactivities.md)
+* [Configure Alert Rules](userguides/alertrules.md)
+* [Add and Manage Cases](userguides/cases.md)

docs/userguides/alertrules.md

@@ -0,0 +1,110 @@
+# Add Users to Alert Rules
+
+Once you [create an alert rule in the Code42 console](https://support.code42.com/Administrator/Cloud/Code42_console_reference/Alert_rule_settings_reference), you can use the CLI `alert-rules` commands to add and remove users from your existing alert rules.
+
+To see a list of all the users currently in your organization:
+- Export a list from the [Users action menu](https://support.code42.com/Administrator/Cloud/Code42_console_reference/Users_reference#Action_menu).
+- Use the [CLI users commands](./users.md).
+
+## View Existing Alert Rules
+
+You'll need the ID of an alert rule to add or remove a user.
+
+To view a list of all alert rules currently created for your organization, including the rule ID, use the following command:
+```bash
+code42 alert-rules list
+```
+
+Once you've identified the rule ID, view the details of the alert rule as follows:
+```bash
+code42 alert-rules show <rule-ID>
+```
+
+#### Example output
+Example output for a single alert rule in default JSON format.
+```json
+{
+    "type$": "ENDPOINT_EXFILTRATION_RULE_DETAILS_RESPONSE",
+    "rules": [
+        {
+            "type$": "ENDPOINT_EXFILTRATION_RULE_DETAILS",
+            "tenantId": "c4e43418-07d9-4a9f-a138-29f39a124d33",
+            "name": "My Rule",
+            "description": "this is your rule!",
+            "severity": "HIGH",
+            "isEnabled": false,
+            "fileBelongsTo": {
+                "type$": "FILE_BELONGS_TO",
+                "usersToAlertOn": "ALL_USERS"
+            },
+            "notificationConfig": {
+                "type$": "NOTIFICATION_CONFIG",
+                "enabled": false
+            },
+            "fileCategoryWatch": {
+                "type$": "FILE_CATEGORY_WATCH",
+                "watchAllFiles": true
+            },
+            "ruleSource": "Alerting",
+            "fileSizeAndCount": {
+                "type$": "FILE_SIZE_AND_COUNT",
+                "fileCountGreaterThan": 2,
+                "totalSizeGreaterThanInBytes": 200,
+                "operator": "AND"
+            },
+            "fileActivityIs": {
+                "type$": "FILE_ACTIVITY",
+                "syncedToCloudService": {
+                    "type$": "SYNCED_TO_CLOUD_SERVICE",
+                    "watchBox": false,
+                    "watchBoxDrive": false,
+                    "watchDropBox": false,
+                    "watchGoogleBackupAndSync": false,
+                    "watchAppleIcLoud": false,
+                    "watchMicrosoftOneDrive": false
+                },
+                "uploadedOnRemovableMedia": true,
+                "readByBrowserOrOther": true
+            },
+            "timeWindow": 15,
+            "id": "404ff012-fa2f-4acf-ae6d-107eabf7f24c",
+            "createdAt": "2021-04-27T01:55:36.4204590Z",
+            "createdBy": "sean.cassidy@example.com",
+            "modifiedAt": "2021-09-03T01:46:13.2902310Z",
+            "modifiedBy": "sean.cassidy@example.com",
+            "isSystem": false
+        }
+    ]
+}
+```
+
+## Add a User to an Alert Rule
+
+You can manage the users who are associated with an alert rule once you know the rule's `rule_id` and the user's `username`.
+
+To add a single user to your alert rule, use the following command:
+```bash
+code42 alert-rules add-user --rule-id <rule-id> -u sean.cassidy@example.com
+```
+
+Alternatively, to add multiple users to your alert rule, fill out the `add` CSV file template, then use the `bulk add` command with the CSV file path.
+```bash
+code42 alert-rules bulk add users.csv
+```
+
+You can remove single or multiple users from alert rules similarly using the `remove-user` and `bulk remove` commands.
+
+
+## Get CSV Template
+
+The following command will generate a CSV template to either add or remove users from multiple alert rules at once.  The CSV file will be saved to the current working directory.
+```bash
+code42 alert-rules bulk generate-template [add|remove]
+```
+
+You can then fill out and use each of the CSV templates with their respective bulk commands.
+```bash
+code42 alert-rules bulk [add|remove] /Users/my_user/bulk-command.csv
+```
+
+Learn more about the [Alert Rules](../commands/alertrules.md) commands.

docs/userguides/cases.md

@@ -0,0 +1,96 @@
+# Add and Manage Cases
+
+To create a new case, only the name is required.  Other attributes are optional and can be provided through the available flags.
+
+The following command creates a case with the `subject` and `assignee` user indicated by their respective UIDs.
+```bash
+code42 cases create My-Case --subject 123 --assignee 456 --description "Sample case"
+```
+
+## Update a Case
+
+To further update or view the details of your case, you'll need the case's unique number, which is assigned upon creation.  To get this number, you can use the `list` command to view all cases, with optional filter values.
+
+To print to the console all open cases created in the last 30 days:
+```bash
+code42 cases list --begin-create-time 30d --status OPEN
+```
+
+#### Example Output
+Example output for a single case in JSON format.
+```json
+{
+    "number": 42,
+    "name": "My-Case",
+    "createdAt": "2021-9-17T18:29:53.375136Z",
+    "updatedAt": "2021-9-17T18:29:53.375136Z",
+    "description": "Sample case",
+    "findings": "",
+    "subject": "123",
+    "subjectUsername": "sean.cassidy@example.com",
+    "status": "OPEN",
+    "assignee": "456",
+    "assigneeUsername": "elvis.presley@example.com",
+    "createdByUserUid": "789",
+    "createdByUsername": "andy.warhol@example.com",
+    "lastModifiedByUserUid": "789",
+    "lastModifiedByUsername": "andy.warhol@example.com"
+}
+```
+
+Once you've identified your case's number, you can view further details on the case, or update its attributes.
+
+The following command will print all details of your case.
+```bash
+code42 cases show 42
+```
+
+If you've finished your investigation and you'd like to close your case, you can update the status of the case.  Similarly, other attributes of the case can be updated using the optional flags.
+```bash
+code42 cases update 42 --status CLOSED
+```
+
+## Get CSV Template
+
+The following command will generate a CSV template to either add or remove file events from multiple cases at once.  The csv file will be saved to the current working directory.
+```bash
+code42 cases file-events bulk generate-template [add|remove]
+```
+
+You can then fill out and use each of the CSV templates with their respective bulk commands.
+```bash
+code42 cases file-events bulk [add|remove] bulk-command.csv
+```
+
+## Manage File Exposure Events Associated with a Case
+
+The following example command can be used to view all the file exposure events currently associated with a case, indicated here by case number `42`.
+```bash
+code42 cases file-events list 42
+```
+
+Use the `file-events add` command to associate a single file event, referred to by event ID, to a case.
+
+Below is an example command to associate some event with ID `event_abc` with case number `42`.
+```bash
+code42 cases file-events add 42 event_abc
+```
+
+To associate multiple file events with one or more cases at once, enter the case and file event information into the `file-events add` CSV file template, then use the `bulk add` command with the CSV file path. For example:
+```bash
+code42 cases file-events bulk add my_new_cases.csv
+```
+
+Similarly, the `file-events remove` and `file-events bulk remove` commands can be used to remove a file event from a case.
+
+## Export Case Details
+
+You can use the CLI to export the details of a case into a PDF.
+
+The following example command will download the details from case number `42` and save a PDF with the name `42_case_summary.pdf` to the provided path.  If a path is not provided, it will be saved to the current working directory.
+
+```bash
+code42 cases export 42 --path /Users/my_user/cases/
+```
+
+Learn more about the [Managing Cases](../commands/cases.md).

docs/userguides/deactivatedevices.md

@@ -95,3 +95,5 @@ code42 devices list --active \
 This lists all devices that have not connected within a year _and_
 are not a user's most-recently-connected device, and then attempts
 to deactivate them.
+
+Learn more about [Managing Devices](../commands/devices.md).

docs/userguides/detectionlists.md

@@ -2,8 +2,9 @@
 
 Use the `departing-employee` commands to add employees to or remove employees from the Departing Employees list. Use the `high-risk-employee` commands to add employees to or remove employees from the High Risk list, or update risk tags for those users.
 
-To see a list of all the users currently in your organization, you can export a list from the
-[Users action menu](https://support.code42.com/Administrator/Cloud/Administration_console_reference/Users_reference#Action_menu).
+To see a list of all the users currently in your organization:
+- Export a list from the [Users action menu](https://support.code42.com/Administrator/Cloud/Code42_console_reference/Users_reference#Action_menu).
+- Use the [CLI users commands](./users.md).
 
 ## Get CSV template
 To add multiple users to the Departing Employees list:

docs/userguides/legalhold.md

@@ -2,8 +2,11 @@
 
 Once you [create a legal hold matter in the Code42 console](https://support.code42.com/Administrator/Cloud/Configuring/Create_a_legal_hold_matter#Step_1:_Create_a_matter), you can use the Code42 CLI to add or release custodians from the matter.
 
+To see a list of all the users currently in your organization:
+- Export a list from the [Users action menu](https://support.code42.com/Administrator/Cloud/Code42_console_reference/Users_reference#Action_menu).
+- Use the [CLI users commands](./users.md).
+
 Use the `legal-hold` commands to manage legal hold custodians.
- - To see a list of all the users currently in your organization, you can export a list from the [Users action menu](https://support.code42.com/Administrator/Cloud/Code42_console_reference/Users_reference#Action_menu).
  - To view a list of legal hold matters for your organization, including the matter ID, use the following command:
    `code42 legal-hold list`
  - To see a list of all the custodians currently associated with a legal hold matter, enter `code42 legal-hold show <matterID>`.

docs/userguides/siemexample.md

@@ -14,20 +14,30 @@ First install and configure the Code42 CLI following the instructions in
 [Getting Started](gettingstarted.md).
 
 ## Run queries
-You can get file events in either a JSON or CEF format for use by your SIEM tool. Alerts data is available in JSON format. You can query the data as a
-scheduled job or run ad-hoc queries. Learn more about [searching](../commands/securitydata.md) using the CLI.
+You can get file events in either a JSON or CEF format for use by your SIEM tool. Alerts data and audit logs are available in JSON format. You can query the data as a
+scheduled job or run ad-hoc queries.
+
+Learn more about searching [File Events](../commands/securitydata.md), [Alerts](../commands/alerts.md), and [Audit Logs](../commands/auditlogs.md) using the CLI.
 
 ### Run a query as a scheduled job
 
 Use your favorite scheduling tool, such as cron or Windows Task Scheduler, to run a query on a regular basis. Specify
-the profile to use by including `--profile`. An example using the `send-to` command to forward only the new file event data since the previous request to an external syslog server:
+the profile to use by including `--profile`.
+
+#### File Exposure Events
+An example using the `send-to` command to forward only the new file event data since the previous request to an external syslog server:
 ```bash
 code42 security-data send-to syslog.example.com:514 -p UDP --profile profile1 -c syslog_sender
 ```
-
+#### Alerts
 An example to send to the syslog server only the new alerts that meet the filter criteria since the previous request:
 ```bash
-code42 alerts send-to syslog.example.com:514 -p UDP --profile profile1 --rule-name “Source code exfiltration” --state OPEN -i
+code42 alerts send-to syslog.example.com:514 -p UDP --profile profile1 --rule-name "Source code exfiltration" --state OPEN -i
+```
+#### Audit Logs
+An example to send to the syslog server only the audit log events that meet the filter criteria from the last 30 days.
+```bash
+code42 audit-logs send-to syslog.example.com:514 -p UDP --profile profile1 --actor-username 'sean.cassidy@example.com' -b 30d
 ```
 
 As a best practice, use a separate profile when executing a scheduled task. Using separate profiles can help prevent accidental updates to your stored checkpoints, for example, by adding `--use-checkpoint` to adhoc queries.
@@ -36,6 +46,8 @@ As a best practice, use a separate profile when executing a scheduled task. Usin
 
 Examples of ad-hoc queries you can run are as follows.
 
+#### File Exposure Events
+
 Print file events since March 5 for a user in raw JSON format:
 ```bash
 code42 security-data search -f RAW-JSON -b 2020-03-05 --c42-username 'sean.cassidy@example.com'
@@ -51,11 +63,18 @@ March 5:
 ```bash
 code42 security-data search -f RAW-JSON -b 2020-03-05 -t ApplicationRead --c42-username 'sean.cassidy@example.com' > /Users/sangita.maskey/Downloads/c42cli_output.txt
 ```
-
+#### Alerts
 Print alerts since May 5 where a file's cloud share permissions changed:
 ```bash
 code42 alerts print -b 2020-05-05 --rule-type FedCloudSharePermissions
 ```
+#### Audit Logs
+Print audit log events since June 5 which affected a certain user:
+```bash
+code42 audit-logs search -b 2021-06-05 --affected-username 'sean.cassidy@examply.com'
+```
+
+#### Example Outputs
 
 Example output for a single file exposure event (in default JSON format):
 
@@ -97,36 +116,53 @@ Example output for a single file exposure event (in default JSON format):
 Example output for a single alert (in default JSON format):
 
 ```json
-{"type$": "ALERT_DETAILS",
-"tenantId": "c4b5e830-824a-40a3-a6d9-345664cfbb33",
-"type": "FED_CLOUD_SHARE_PERMISSIONS",
-"name": "Cloud Share",
-"description": "Alert Rule for data exfiltration via Cloud Share",
-"actor": "leland.stewart@example.com",
-"target": "N/A",
-"severity": "HIGH",
-"ruleId": "408eb1ae-587e-421a-9444-f75d5399eacb",
-"ruleSource": "Alerting",
-"id": "7d936d0d-e783-4b24-817d-f19f625e0965",
-"createdAt": "2020-05-22T09:47:33.8863230Z",
-"state": "OPEN",
-"observations": [{"type$": "OBSERVATION",
-"id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
-"observedAt": "2020-05-22T09:40:00.0000000Z",
-"type": "FedCloudSharePermissions",
-"data": {"type$": "OBSERVED_CLOUD_SHARE_ACTIVITY",
-"id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
-"sources": ["GoogleDrive"],
-"exposureTypes": ["PublicLinkShare"],
-"firstActivityAt": "2020-05-22T09:40:00.0000000Z",
-"lastActivityAt": "2020-05-22T09:45:00.0000000Z",
-"fileCount": 1,
-"totalFileSize": 6025,
-"fileCategories": [{"type$": "OBSERVED_FILE_CATEGORY", "category": "Document", "fileCount": 1, "totalFileSize": 6025, "isSignificant": false}],
-"files": [{"type$": "OBSERVED_FILE", "eventId": "1hHdK6Qe6hez4vNCtS-UimDf-sbaFd-D7_3_baac33d0-a1d3-4e0a-9957-25632819eda7", "name": "1590140395_Longfellow_Cloud_Arch_Redesign.drawio", "category": "Document", "size": 6025}],
-"outsideTrustedDomainsEmailsCount": 0, "outsideTrustedDomainsTotalDomainCount": 0, "outsideTrustedDomainsTotalDomainCountTruncated": false}}]}
+{
+    "type$": "ALERT_DETAILS",
+    "tenantId": "c4b5e830-824a-40a3-a6d9-345664cfbb33",
+    "type": "FED_CLOUD_SHARE_PERMISSIONS",
+    "name": "Cloud Share",
+    "description": "Alert Rule for data exfiltration via Cloud Share",
+    "actor": "leland.stewart@example.com",
+    "target": "N/A",
+    "severity": "HIGH",
+    "ruleId": "408eb1ae-587e-421a-9444-f75d5399eacb",
+    "ruleSource": "Alerting",
+    "id": "7d936d0d-e783-4b24-817d-f19f625e0965",
+    "createdAt": "2020-05-22T09:47:33.8863230Z",
+    "state": "OPEN",
+    "observations": [{"type$": "OBSERVATION",
+        "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
+        "observedAt": "2020-05-22T09:40:00.0000000Z",
+        "type": "FedCloudSharePermissions",
+        "data": {
+            "type$": "OBSERVED_CLOUD_SHARE_ACTIVITY",
+            "id": "4bc378e6-bfbd-40f0-9572-6ed605ea9f6c",
+            "sources": ["GoogleDrive"],
+            "exposureTypes": ["PublicLinkShare"],
+            "firstActivityAt": "2020-05-22T09:40:00.0000000Z",
+            "lastActivityAt": "2020-05-22T09:45:00.0000000Z",
+            "fileCount": 1,
+            "totalFileSize": 6025,
+            "fileCategories": [{"type$": "OBSERVED_FILE_CATEGORY", "category": "Document", "fileCount": 1, "totalFileSize": 6025, "isSignificant": false}],
+            "files": [{"type$": "OBSERVED_FILE", "eventId": "1hHdK6Qe6hez4vNCtS-UimDf-sbaFd-D7_3_baac33d0-a1d3-4e0a-9957-25632819eda7", "name": "1590140395_Longfellow_Cloud_Arch_Redesign.drawio", "category": "Document", "size": 6025}],
+            "outsideTrustedDomainsEmailsCount": 0, "outsideTrustedDomainsTotalDomainCount": 0, "outsideTrustedDomainsTotalDomainCountTruncated": false}}]
+}
 ```
 
+Example output for a single audit log event (in default JSON format):
+```json
+{
+    "type$": "audit_log::logged_in/1",
+    "actorId": "1015070955620029617",
+    "actorName": "sean.cassidy@example.com",
+    "actorAgent": "py42 1.17.0 python 3.7.10",
+    "actorIpAddress": "67.220.16.122",
+    "timestamp": "2021-08-30T16:16:19.165Z",
+    "actorType": "USER"
+}
+```
+
+
 ## CEF Mapping
 
 The following tables map the file event data from the Code42 CLI to common event format (CEF).