Integ 3173/risk indicators

CHANGELOG.md

@@ -9,13 +9,18 @@
  how a consumer would use the library or CLI tool (e.g. adding unit tests, updating documentation, etc) are not captured
  here.
 
-## Unreleased
+## 2.12.0 - 2026-05-04
 
 ### Added
 - Added the `sdk.file-events.v2.search_groups` method to get approximate aggregate file event counts by a given grouping term.
 - Added the `GroupingEventQuery` class, used to make these queries.
 - Added the cli command `incydr file-events search-groups` to get approximate aggregate file event counts by a given grouping term.
-
+- Added the `type` parameter to session search methods and commands, allowing users to filter results to STANDARD or ACCOUNT_TAKE_OVER.
+- Added the `is_high_value` option to trusted activity methods in the SDK, and the `--high-value` option to trusted activity methods in the CLI.
+- Added the ability to specify domain trust for browser destinations, allowing users to specify when users should be allowed to use certain destinations when logged-in using a trusted domain.
+- Added the ability to specify trust for file-transfer tools when adding a trusted domain.
+- Added the `risk-indicator-categories` client to the SDK, allowing the listing of risk indicator categories, subcategories, and risk indicators.
+- Added the `risk-indicator-categories` command to the CLI, allowing the listing of risk indicator categories.
 
 ## 2.11.0 - 2026-02-10
 

docs/cli/cmds/risk-indicator-categories.md

@@ -0,0 +1,6 @@
+# Risk Indicator Categories Commands
+
+::: mkdocs-click
+    :module: _incydr_cli.cmds.risk_indicator_categories
+    :command: risk_indicator_categories
+    :list_subcommands:

docs/sdk/client.md

@@ -3,4 +3,4 @@
 
 ::: incydr.Client
     :docstring:
-    :members: settings session request_history actors agents alerts alert_rules audit_log cases customer departments devices directory_groups file_events sessions trusted_activities users risk_profiles watchlists
+    :members: settings session request_history actors agents alerts alert_rules audit_log cases customer departments devices directory_groups file_events sessions trusted_activities users risk_profiles watchlists risk_indicator_categories

docs/sdk/clients/risk_indicator_categories.md

@@ -0,0 +1,5 @@
+# Risk Indicator Categories
+
+::: _incydr_sdk.risk_indicator_categories.client.RiskIndicatorCategoriesV1
+    :docstring:
+    :members:

docs/sdk/enums.md

@@ -604,6 +604,8 @@ Devices has been replaced by [Agents](#agents)
 * **FILE_UPLOAD** = `"FILE_UPLOAD"`
 * **GIT_PUSH** = `"GIT_PUSH"`
 * **GIT_REPOSITORY_URI** = `"GIT_REPOSITORY_URI"`
+* **USER_ACCOUNT_UPLOAD** = `"USER_ACCOUNT_UPLOAD"`
+* **FILE_TRANSFER** = `"FILE_TRANSFER"`
 
 ### Cloud Sync Apps
 
@@ -631,6 +633,30 @@ Devices has been replaced by [Agents](#agents)
 
 * **GMAIL** = `"GMAIL"`
 * **OFFICE_365** = `"OFFICE_365"`
+* **GOOGLE_DRIVE** = `"GOOGLE_DRIVE"`
+
+
+### Browser Destinations
+
+::: incydr.enums.trusted_activities.BrowserDestination
+    :docstring:
+
+* **AIRTABLE** = `"AIRTABLE"`
+* **AMAZON_WEB_SERVICES** = `"AMAZON_WEB_SERVICES"`
+* **BLACKBOX** = `"BLACKBOX"`
+* **BOX** = `"BOX"`
+* **CHATGPT** = `"CHATGPT"`
+* **CLAUDE** = `"CLAUDE"`
+* **CONCUR** = `"CONCUR"`
+* **CURSOR** = `"CURSOR"`
+* **DROPBOX** = `"DROPBOX"`
+* **GOOGLE_WORKSPACE** = `"GOOGLE_WORKSPACE"`
+* **MICROSOFT_365** = `"MICROSOFT_365"`
+* **NOTTA** = `"NOTTA"`
+* **OTTER** = `"OTTER"`
+* **PERPLEXITY** = `"PERPLEXITY"`
+* **SLACK** = `"SLACK"`
+* **YOU_DOT_COM** = `"YOU_DOT_COM"`
 
 ### Principal Types
 

docs/sdk/models.md

@@ -329,3 +329,26 @@ ExcludedUsersList is deprecated. Use ExcludedActorsList instead.
 
 ::: incydr.models.IncludedDirectoryGroup
     :docstring:
+
+## Risk Indicator Categories
+---
+
+### `RiskIndicator` model
+
+::: incydr.models.RiskIndicator
+    :docstring:
+
+### `RiskIndicatorSubcategory` model
+
+::: incydr.models.RiskIndicatorSubcategory
+    :docstring:
+
+### `RiskIndicatorCategory` model
+
+::: incydr.models.RiskIndicatorCategory
+    :docstring:
+
+### `RiskIndicatorCategoriesResponsePage` model
+
+::: incydr.models.RiskIndicatorCategoriesResponsePage
+    :docstring:

mkdocs.yml

@@ -55,6 +55,7 @@ nav:
       - File Event Querying: 'sdk/clients/file_event_queries.md'
       - Legal Hold: 'sdk/clients/legal_hold.md'
       - Orgs: 'sdk/clients/orgs.md'
+      - Risk Indicator Categories: 'sdk/clients/risk_indicator_categories.md'
       - Sessions: 'sdk/clients/sessions.md'
       - Trusted Activites: 'sdk/clients/trusted_activities.md'
       - Users: 'sdk/clients/users.md'
@@ -84,6 +85,7 @@ nav:
         - Files: 'cli/cmds/files.md'
         - Legal Hold: 'cli/cmds/legal_hold.md'
         - Orgs: 'cli/cmds/orgs.md'
+        - Risk Indicator Categories: 'cli/cmds/risk_indicator_categories.md'
         - Sessions: 'cli/cmds/sessions.md'
         - Trusted Activites: 'cli/cmds/trusted_activities.md'
         - Users: 'cli/cmds/users.md'

src/_incydr_cli/cmds/risk_indicator_categories.py

@@ -0,0 +1,103 @@
+import itertools
+from typing import Iterator
+from typing import Optional
+
+import click
+
+from _incydr_cli import console
+from _incydr_cli import logging_options
+from _incydr_cli import render
+from _incydr_cli.cmds.options.output_options import columns_option
+from _incydr_cli.cmds.options.output_options import table_format_option
+from _incydr_cli.cmds.options.output_options import TableFormat
+from _incydr_cli.core import IncydrCommand
+from _incydr_cli.core import IncydrGroup
+from _incydr_sdk.core.client import Client
+from _incydr_sdk.risk_indicator_categories.models import RiskIndicator
+
+
+@click.group(cls=IncydrGroup)
+@logging_options
+def risk_indicator_categories():
+    """View and manage risk indicators."""
+
+
+@risk_indicator_categories.command("list", cls=IncydrCommand)
+@table_format_option
+@columns_option
+@logging_options
+def list_categories(
+    format_: Optional[TableFormat] = None,
+    columns: Optional[str] = None,
+):
+    """
+    List Risk Indicators by category and subcategory.
+    """
+    client = Client()
+    categories = client.risk_indicator_categories.v1.list_categories().categories
+
+    if format_ == TableFormat.table:
+        columns = columns or [
+            "id",
+            "name",
+            "description",
+            "category_name",
+            "category_id",
+            "subcategory_name",
+            "subcategory_id",
+            "type",
+        ]
+        render.table(
+            RiskIndicatorTableEntry,
+            iter_risk_indicator_table_entries(categories),
+            columns=columns,
+            flat=False,
+        )
+    elif format_ == TableFormat.csv:
+        render.csv(
+            RiskIndicatorTableEntry,
+            iter_risk_indicator_table_entries(categories),
+            columns=columns,
+            flat=True,
+        )
+    else:
+        printed = False
+        for indicator in iter_risk_indicator_table_entries(categories):
+            printed = True
+            if format_ == TableFormat.json_pretty:
+                console.print_json(indicator.json())
+            else:
+                click.echo(indicator.json())
+        if not printed:
+            console.print("No results found.")
+
+
+class RiskIndicatorTableEntry(RiskIndicator):
+    category_name: str
+    category_id: str
+    category_description: Optional[str]
+    subcategory_name: str
+    subcategory_id: str
+    subcategory_description: Optional[str]
+    type: str
+
+
+def iter_risk_indicator_table_entries(categories) -> Iterator[RiskIndicatorTableEntry]:
+    for category in categories:
+        for subcategory in category.subcategories:
+            for indicator, indicator_type in itertools.chain(
+                ((i, "standard") for i in subcategory.standard_indicators),
+                ((i, "custom") for i in subcategory.custom_indicators),
+            ):
+                yield RiskIndicatorTableEntry(
+                    id=indicator.id,
+                    name=indicator.name,
+                    description=indicator.description,
+                    category_name=category.name,
+                    category_id=category.id,
+                    category_description=category.description,
+                    subcategory_name=subcategory.name,
+                    subcategory_id=subcategory.id,
+                    subcategory_description=subcategory.description,
+                    type=indicator_type,
+                )

src/_incydr_cli/cmds/sessions.py

@@ -72,6 +72,11 @@ def sessions():
     help="Limit search to sessions beginning before this date and time. "
     "Accepts a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format.",
 )
+@click.option(
+    "--type",
+    default=None,
+    help="Limit search to sessions of this type. Acceptable types are STANDARD or ACCOUNT_TAKE_OVER",
+)
 @click.option(
     "--no-alerts",
     is_flag=True,
@@ -123,6 +128,7 @@ def search(
     actor_id: Optional[str] = None,
     start: Optional[str] = None,
     end: Optional[str] = None,
+    type: Optional[str] = None,
     no_alerts: bool = False,
     risk_indicators: Optional[str] = None,
     state: Optional[List[str]] = None,
@@ -162,6 +168,7 @@ def search(
     sessions_gen = client.sessions.v1.iter_all(
         actor_id=actor_id,
         start_time=start,
+        type=type,
         end_time=end,
         has_alerts=not no_alerts,
         risk_indicators=risk_indicators.split(",") if risk_indicators else None,