Complete documentation of all available gulp-cli commands and options.
Commands are organized hierarchically (e.g., gulp-cli auth login). This reference uses the format:
gulp-cli <group> <command> [OPTIONS] [ARGUMENTS]
Global options available on every command:
gulp-cli --verbose --as-user USER_NAME <group> <command> ...--as-useruses a different already-saved login session (user must be already logged-in withauth)for the current command only.--verboseprints full JSON output instead of the standard summary/table output.
Utility commands for gULP server metadata and similar endpoints.
gulp-cli utility gulp-versionutility gulp-version prints only the gULP version and uses the saved CLI session, so run gulp-cli auth login first.
Authenticate with gULP server and store authentication token.
gulp-cli auth login [OPTIONS]Options:
--url TEXT— Server URL (default: from config orhttp://localhost:8080)--username TEXT— Username (required)--password TEXT— Password (required, or prompt if not provided)
Examples:
gulp-cli auth login --url http://localhost:8080 --username admin --password admin
gulp-cli auth login --url http://localhost:8080 --username guest --password guest
gulp-cli auth login # Prompts for missing valuesEach login is saved under that username, so you can switch later with the global --as-user flag.
Logout the current saved session.
gulp-cli auth logout [OPTIONS]Examples:
gulp-cli auth logout
gulp-cli --as-user guest auth logoutDisplay current authenticated user info.
gulp-cli auth whoami [OPTIONS]Examples:
gulp-cli auth whoami
gulp-cli --as-user guest auth whoamiOutput:
├─ User: admin
├─ Permissions: admin
└─ URL: http://localhost:8080
List all users in the system.
gulp-cli user list [OPTIONS]Options:
--limit INTEGER— Max results (default: 50)--offset INTEGER— Offset (default: 0)
Examples:
gulp-cli user list
gulp-cli user list --limit 100Get details for a specific user.
gulp-cli user get USERNAME [OPTIONS]Arguments:
USERNAME— Username to retrieve
Examples:
gulp-cli user get aliceCreate a new user.
gulp-cli user create USERNAME [OPTIONS]Arguments:
USERNAME— New username
Options:
--password TEXT— Password (prompted if not provided)--admin— Grant admin privileges--permissions TEXT— Comma-separated permissions (e.g.,read,write,execute)
Examples:
gulp-cli user create alice --password secret123
gulp-cli user create bob --password secret456 --admin
gulp-cli user create analyst --password secret789 --permissions read,writeUpdate an existing user.
gulp-cli user update USERNAME [OPTIONS]Arguments:
USERNAME— Username to update
Options:
--password TEXT— New password--admin— Set admin status (use--no-adminto revoke)--permissions TEXT— Update permissions
Examples:
gulp-cli user update alice --password newpass123
gulp-cli user update bob --admin
gulp-cli user update alice --permissions readDelete a user.
gulp-cli user delete USERNAME [OPTIONS]Arguments:
USERNAME— Username to delete
Options:
--confirm— Skip confirmation prompt
Examples:
gulp-cli user delete alice
gulp-cli user delete alice --confirmList GulpUserSession objects using the dedicated session API.
- Non-admin users can list only their own session.
- Admin users can list all sessions or filter by
--user-id.
gulp-cli user session-list [OPTIONS]Options:
--user-id TEXT— Optional user filter; admin required for other users
Examples:
gulp-cli user session-list
gulp-cli user session-list --user-id alice
gulp-cli --as-user guest user session-listDelete a specific user session using the dedicated session API.
- Non-admin users can delete only their own session.
- Admin users can delete any session.
gulp-cli user session-delete SESSION_ID [OPTIONS]Arguments:
SESSION_ID— Session ID to delete
Examples:
gulp-cli user session-delete abc123def456
gulp-cli --as-user admin user session-delete abc123def456List all operations.
gulp-cli operation list [OPTIONS]Options:
--limit INTEGER— Max results (default: 50)--offset INTEGER— Offset (default: 0)
Examples:
gulp-cli operation list
gulp-cli operation list --limit 100Get operation details.
gulp-cli operation get OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Operation ID
Examples:
gulp-cli operation get my_investigationCreate a new operation.
gulp-cli operation create OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Operation ID (must be unique)
Options:
--description TEXT— Operation description--display-name TEXT— Display name (default: same as operation ID)
Examples:
gulp-cli operation create incident-2026-001 --description "Malware investigation"
gulp-cli operation create my_investigation --display-name "My Investigation"Update operation details.
gulp-cli operation update OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Operation ID
Options:
--description TEXT— New description--display-name TEXT— New display name
Examples:
gulp-cli operation update my_investigation --description "Updated description"Delete an operation.
gulp-cli operation delete OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Operation ID
Options:
--confirm— Skip confirmation
Examples:
gulp-cli operation delete my_investigation --confirmGrant user access to an operation.
gulp-cli operation grant-user OPERATION_ID USERNAME [OPTIONS]Arguments:
OPERATION_ID— Operation IDUSERNAME— Username to grant access
Examples:
gulp-cli operation grant-user my_investigation aliceRevoke user access from an operation.
gulp-cli operation revoke-user OPERATION_ID USERNAME [OPTIONS]Arguments:
OPERATION_ID— Operation IDUSERNAME— Username to revoke access
Examples:
gulp-cli operation revoke-user my_investigation aliceIngest one or more files into an operation.
gulp-cli ingest file OPERATION_ID PLUGIN [FILE...] [OPTIONS]Arguments:
OPERATION_ID— Target operationPLUGIN— Plugin name (e.g.,win_evtx,syslog,csv)FILE— File path or glob pattern (multiple allowed; optional when--paths-fileis set)
Options:
--context TEXT— Context for ingestion, specify a name to create a new context if it doesn't exist, or an existingcontext_id(default:sdk_context)--plugin-params TEXT— JSON string with plugin parameters. When it includes"compressed": true, gulp-cli bzip2-compresses each input file before upload and the backend decompresses it before plugin ingestion.--flt TEXT— JSON object forGulpIngestionFilter--paths-file PATH— Text file with one file or glob pattern per line. When set, positionalFILEarguments are optional and ignored if also provided.--reset-operation— Delete and recreate the operation before ingest starts--create-operation— Create operation automatically when it does not exist--preview— Run preview-only ingestion (no persistence)--wait— Wait for completion with progress--show-per-file-progress / --no-show-per-file-progress— Show one line per completed file request in--waitmode (default: on)--timeout INTEGER— Timeout in seconds for--waitmode--batch-size INTEGER— Number of file ingestion requests to submit concurrently per window (default:cores * 2)
Examples:
# Single file
gulp-cli ingest file my_op win_evtx /path/to/System.evtx
# Multiple files
gulp-cli ingest file my_op win_evtx /path/file1.evtx /path/file2.evtx
# Wildcard pattern
gulp-cli ingest file my_op win_evtx 'samples/win_evtx/*.evtx'
# Multiple patterns
gulp-cli ingest file my_op win_evtx '**/*.evtx' '/logs/*.json'
# Paths file
gulp-cli ingest file my_op win_evtx --paths-file /tmp/file_paths.txt
# With plugin parameters
gulp-cli ingest file my_op csv file.csv --plugin-params '{"delimiter":";","encoding":"utf-8"}'
# Compress before upload and let the backend decompress before ingestion
gulp-cli ingest file my_op win_evtx /path/to/System.evtx --plugin-params '{"compressed": true}'
# Preview mode (no ingestion persisted)
gulp-cli ingest file my_op win_evtx /path/to/System.evtx --preview
# Reset operation data before ingest (destructive for collab/request data)
gulp-cli ingest file my_op win_evtx 'samples/win_evtx/*.evtx' --reset-operation
# Wait for completion (per-file progress is enabled by default)
gulp-cli ingest file my_op win_evtx 'samples/win_evtx/*.evtx' --waitAdd files to an existing source.
gulp-cli ingest file-to-source SOURCE_ID [FILE...] [OPTIONS]Arguments:
SOURCE_ID— Source IDFILE— File path or glob pattern (multiple allowed; optional when--paths-fileis set)
Options:
--plugin TEXT— Override the plugin associated with the source (requires--plugin-params)--plugin-params TEXT— JSON object for plugin_params (overrides source defaults; required when--pluginis set,{}is allowed). When it includes"compressed": true, gulp-cli bzip2-compresses each input file before upload and the backend decompresses it before plugin ingestion.--flt TEXT— JSON object for GulpIngestionFilter--paths-file PATH— Text file with one file or glob pattern per line. When set, positionalFILEarguments are optional and ignored if also provided.--wait— Wait for completion with progress--show-per-file-progress / --no-show-per-file-progress— Show one line per completed file request in--waitmode (default: on)--timeout INTEGER— Timeout in seconds for--waitmode--batch-size INTEGER— Number of file ingestion requests to submit concurrently per window (default:cores * 2)
Examples:
gulp-cli ingest file-to-source source123 /new/System.evtx --wait
gulp-cli ingest file-to-source source123 '/new/*.evtx'
gulp-cli ingest file-to-source source123 --paths-file /tmp/file_paths.txt
gulp-cli ingest file-to-source source123 /new/events.json --plugin json --plugin-params '{"mapping_parameters": {}}'
gulp-cli ingest file-to-source source123 /new/System.evtx --plugin win_evtx --plugin-params '{"compressed": true}'Create a ZIP archive from one or more source path expressions.
Path expressions may be:
- a single file path
- a directory path
- a glob mask (for example
/bla/somef*.txt,/bla/*,**/*.evtx)
Environment variables and home shortcuts are expanded in all input paths (for example $EVIDENCE_DIR/*.evtx, ~/cases/case-01/*).
gulp-cli ingest zip-create OUTPUT_ZIP [PATH_PATTERN...] [OPTIONS]Arguments:
OUTPUT_ZIP— Destination ZIP path (supports environment variables and~)PATH_PATTERN— File, directory, or glob path expression (multiple allowed)
Options:
--paths-file TEXT— Text file with one source path expression per line (supports environment variables and~per line)--no-overwrite— Do not overwrite output ZIP if it already exists (default: overwrite enabled)--no-preserve-path— Do not preserve the source path hierarchy inside archive entries (default: preserve path enabled)--split-size TEXT— Create multipart ZIP volumes at this size (bytes,kb,mb,gb; default: disabled)
When --split-size is set, zip-create writes multipart ZIP volumes such as evidence.zip.001, evidence.zip.002, etc. Extract those volumes with 7z or another tool that supports split ZIP files.
When --paths-file is set, positional PATH_PATTERN values are ignored. Without --paths-file, positional PATH_PATTERN values are used.
Examples:
# Create a ZIP from mixed path expressions
gulp-cli ingest zip-create /tmp/evidence.zip /data/host1/*.evtx /data/host2 /data/readme.txt
# Use environment variables and home shortcuts
gulp-cli ingest zip-create '$CASE_DIR/evidence.zip' '$CASE_DIR/raw/*.json' '~/pcaps/*.pcap'
# Read source path expressions from a file
gulp-cli ingest zip-create /tmp/evidence.zip --paths-file /tmp/evidence_paths.txtIngest raw payload chunks into an operation.
gulp-cli ingest raw OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--data TEXT— Raw payload text (JSON recommended)--data-file TEXT— Path to file containing raw payload--plugin TEXT— Plugin used to process the raw payload (default:raw)--plugin-params TEXT— JSON object forplugin_params--flt TEXT— JSON object forGulpIngestionFilter--req-id TEXT— Optional request ID for chunked ingestion--last— Mark this payload as the last raw chunk--create-operation— Create operation automatically when it does not exist--wait— Wait for completion--timeout INTEGER— Timeout in seconds for--waitmode
Examples:
gulp-cli ingest raw my_op --data '[{"id":"doc-1","@timestamp":"2026-01-01T00:00:00Z"}]' --wait
gulp-cli ingest raw my_op --data-file /tmp/raw_chunk.json --last --waitExecute a raw OpenSearch query.
gulp-cli query raw OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--q TEXT— OpenSearch query JSON (required)--q-options TEXT— Query options JSON--preview— Enableq_options.preview_mode=true(synchronous preview result)--limit INTEGER— Setq_options.limit--wait— Wait for query completion
Examples:
# Match all documents
gulp-cli query raw my_op --q '{"query":{"match_all":{}}}'
# Search specific field
gulp-cli query raw my_op --q '{"query":{"term":{"EventID":4688}}}'
# Preview mode (synchronous, limited result set)
gulp-cli query raw my_op --q '{"query":{"match_all":{}}}' --preview
# Pagination override
gulp-cli query raw my_op --q '{"query":{"match_all":{}}}' --limit 100
# Wait for completion
gulp-cli query raw my_op --q '{"query":{"match_all":{}}}' --wait
# Preview mode can also be provided through q-options
gulp-cli query raw my_op --q '{"query":{"match_all":{}}}' --q-options '{"preview_mode":true}'Execute a raw OpenSearch query with simple pagination.
gulp-cli query raw-paginate OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation--q TEXT— OpenSearch query JSON (required)--limit INTEGER— Number of results to return (default: 10)--offset INTEGER— Result offset for pagination (default: 0)--q-options TEXT— Query options JSON (i.e. for sorting, --limit/--offset override q_options values)
Examples:
# Get first 10 results
gulp-cli query raw-paginate my_op --q '{"query":{"match_all":{}}}'
# Get next 10 results (pagination)
gulp-cli query raw-paginate my_op --q '{"query":{"match_all":{}}}' --offset 10Query using gULP's native document structure.
gulp-cli query gulp OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--flt TEXT— Filter JSON--q-options TEXT— Query options JSON--preview— Enableq_options.preview_mode=true(synchronous preview result)--limit INTEGER— Setq_options.limit--wait— Wait for completion
Examples:
# Get documents with default options
gulp-cli query gulp my_op
# Filter by source
gulp-cli query gulp my_op --flt '{"source_ids":["security"]}'
# Filter by tag
gulp-cli query gulp my_op --flt '{"tags":["suspicious"]}'
# Preview mode
gulp-cli query gulp my_op --flt '{"tags":["suspicious"]}' --preview
# Pagination override
gulp-cli query gulp my_op --flt '{"tags":["suspicious"]}' --limit 200Get a single document by OpenSearch _id.
gulp-cli query document-get-by-id OPERATION_ID DOC_IDArguments:
OPERATION_ID— Target operationDOC_ID— Document_id
Examples:
gulp-cli query document-get-by-id incident-001 AVY84pUBM0e5DCHhCzDqRun a synchronous OpenSearch aggregation query.
gulp-cli query aggregation OPERATION_ID --q JSONOptions:
--q TEXT— Aggregation query JSON object (required)
Examples:
gulp-cli query aggregation incident-001 \
--q '{"size":0,"aggs":{"by_event_code":{"terms":{"field":"event.code"}}}}'Get query history for the authenticated user.
gulp-cli query history-getExamples:
gulp-cli query history-getGet max/min timeline values (@timestamp, gulp.timestamp, event.code) with optional grouping.
gulp-cli query max-min-per-field OPERATION_ID [OPTIONS]Options:
--flt TEXT—GulpQueryFilterJSON object--group-by TEXT— Optional group-by field (for example:event.code)
Examples:
gulp-cli query max-min-per-field incident-001
gulp-cli query max-min-per-field incident-001 --group-by event.code
gulp-cli query max-min-per-field incident-001 --flt '{"source_ids":["security"]}'Export query_gulp results to a local JSON file (streamed download).
gulp-cli query gulp-export OPERATION_ID --output PATH [OPTIONS]Options:
--output TEXT— Output file path (required)--flt TEXT—GulpQueryFilterJSON object--q-options TEXT—GulpQueryParametersJSON object--preview— Setq_options.preview_mode(ignored server-side by export API)--limit INTEGER— Setq_options.limit
Examples:
gulp-cli query gulp-export incident-001 \
--flt '{"source_ids":["security"]}' \
--output ./incident-001-security.jsonExecute Sigma rule against documents.
gulp-cli query sigma OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--rule-file TEXT— Path to Sigma YAML rule file (required)--src-ids TEXT— Comma-separated source IDs to query--levels TEXT— Comma-separated severity levels (critical, high, medium, low)--wait— Wait for completion--timeout INTEGER— Timeout in seconds
Examples:
# Run Sigma rule
gulp-cli query sigma my_op --rule-file /rules/process_creation.yml
# Filter by source
gulp-cli query sigma my_op --rule-file /rules/process_creation.yml --src-ids windows
# Filter by severity
gulp-cli query sigma my_op --rule-file /rules/process_creation.yml --levels critical,high
# Wait for completion
gulp-cli query sigma my_op --rule-file /rules/process_creation.yml --waitExecute Sigma rules from a ZIP archive (extension command).
gulp-cli query sigma-zip OPERATION_ID --zip-file PATH [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--zip-file TEXT— Path to ZIP archive containing Sigma YAML rules (required)--src-ids TEXT— Comma-separated source IDs--levels TEXT— Comma-separated severity levels (critical,high,medium,low,informational)--tags TEXT— Comma-separated sigma tags--products TEXT— Comma-separated sigma logsource products--categories TEXT— Comma-separated sigma logsource categories--services TEXT— Comma-separated sigma logsource services--q-options TEXT—GulpQueryParametersJSON object--wait— Wait for completion--timeout INTEGER— Wait timeout in seconds (0means no timeout)
Examples:
# Query using zipped Sigma rules
gulp-cli query sigma-zip incident-001 --zip-file /rules/windows_small.zip
# Restrict to selected source and levels
gulp-cli query sigma-zip incident-001 \
--zip-file /rules/windows_small.zip \
--src-ids security \
--levels critical,high \
--wait
# Add q_options for paging or highlighting behavior
gulp-cli query sigma-zip incident-001 \
--zip-file /rules/windows_small.zip \
--q-options '{"limit":200,"highlight_results":false}'Query using an external plugin.
gulp-cli query external OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--plugin TEXT— Plugin name (required)--q TEXT— Query payload (JSON or plain text)--plugin-params TEXT—GulpPluginParametersJSON object (required)--q-options TEXT—GulpQueryParametersJSON object--preview— Enableq_options.preview_mode=true--limit INTEGER— Setq_options.limit--wait— Wait for completion
Examples:
gulp-cli query external my_op \
--plugin query_elasticsearch \
--plugin-params '{"custom_parameters":{"index":"my_index"}}' \
--q '{"query":{"match_all":{}}}'
# Preview + pagination
gulp-cli query external my_op \
--plugin query_elasticsearch \
--plugin-params '{"custom_parameters":{"index":"my_index"}}' \
--q '{"query":{"match":{"message":"error"}}}' \
--preview --limit 50gulp-cli can load custom commands from extension modules discovered at startup.
- Internal path:
src/gulp_cli/extension/ - External path:
~/.config/gulp-cli/extension/ - External modules override internal ones when they share the same filename.
Each extension module must expose a callable register_extension function.
For implementation details and examples, see docs/extensions.md.
Get one GulpRequestStats object by request id.
gulp-cli stats get REQ_ID [OPTIONS]Options:
Examples:
gulp-cli stats get 903546ff-c01e-4875-a585-d7fa34a0d237
gulp-cli --verbose --as-user admin stats get 903546ff-c01e-4875-a585-d7fa34a0d237List GulpRequestStats for an operation.
gulp-cli stats list OPERATION_ID [OPTIONS]Default behavior:
- Shows only ongoing stats (
--ongoing-onlyenabled) - Renders a live table (
--liveenabled) - Default columns:
user_id,ws_id,req_id,status,req_type,time_updated,data,errors - The
datacolumn shows human-readable source information for ingest stats when available
Options:
--ongoing-only / --all— Show only ongoing (default) or all stats--user-id TEXT— Filter by user id--req-type TEXT— Filter by request type (for example:ingest,query,enrich)--server-id TEXT— Filter by server id--time-created-from TEXT— Include stats created at/after timestamp (epoch sec/ms or ISO8601)--time-created-to TEXT— Include stats created at/before timestamp (epoch sec/ms or ISO8601)--errors [any|present|absent]— Filter by error presence (default:any)--live / --no-live— Enable or disable live refresh--refresh-seconds FLOAT— Live refresh interval (default:1.0)--limit INTEGER— Max rows to render (default:100)
Examples:
# Default: ongoing-only + live refresh
gulp-cli stats list incident-001
# Show all stats once (no live refresh)
gulp-cli stats list incident-001 --all --no-live
# Only stats with errors
gulp-cli stats list incident-001 --all --errors present --no-live
# Only stats without errors
gulp-cli stats list incident-001 --all --errors absent --no-live
# Filter by user and request type
gulp-cli stats list incident-001 --all --user-id admin --req-type ingest
# Filter by server id
gulp-cli stats list incident-001 --all --server-id my-server-1 --no-live
# Filter by creation time window (ISO8601)
gulp-cli stats list incident-001 --all \
--time-created-from '2026-03-27T00:00:00Z' \
--time-created-to '2026-03-27T23:59:59Z' \
--no-live
# Faster live refresh while monitoring active ingestion
gulp-cli stats list incident-001 --refresh-seconds 0.5Delete request stats using the server-side object_delete_bulk API.
gulp-cli stats delete-bulk OPERATION_ID [OPTIONS]Important:
- You must provide
--fltor explicitly pass--all.
Options:
--flt TEXT—GulpCollabFilterJSON object--all— Delete all request stats in the operation
Examples:
# Delete stats of a specific type
gulp-cli stats delete-bulk incident-001 \
--flt '{"types":["request_stats"],"user_ids":["admin"]}'
# Delete all request stats in the operation
gulp-cli stats delete-bulk incident-001 --allCancel a running request using the server-side request_cancel API.
gulp-cli stats cancel REQ_ID [OPTIONS]Options:
--expire-now— Immediately expire and delete the request stats entry after cancellation
Examples:
# Cancel request and keep default grace period before cleanup
gulp-cli stats cancel 903546ff-c01e-4875-a585-d7fa34a0d237
# Cancel and remove stats immediately
gulp-cli stats cancel 903546ff-c01e-4875-a585-d7fa34a0d237 --expire-nowRebase document timestamps in-place using the server-side rebase_by_query API.
gulp-cli db rebase-by-query OPERATION_ID --offset-msec OFFSET [OPTIONS]Options:
--offset-msec INTEGER— Milliseconds to add to timestamps (negative to subtract)--flt TEXT—GulpQueryFilterJSON object to restrict documents--script TEXT— Custom Painless script override--wait— Wait for completion with websocket-driven progress--timeout INTEGER— Timeout in seconds when--waitis used
Examples:
# Shift all documents forward by one hour
gulp-cli db rebase-by-query incident-001 --offset-msec 3600000 --wait
# Shift only Security-source documents backward by five minutes
gulp-cli db rebase-by-query incident-001 \
--offset-msec -300000 \
--flt '{"source_ids":["security"]}' \
--wait
# Use a custom script
gulp-cli db rebase-by-query incident-001 \
--offset-msec 0 \
--script 'ctx._source["custom_ts"] = params.now;'Add tags to documents matching a filter.
gulp-cli enrich tag OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--flt TEXT— Filter JSON (required)--tag TEXT— Tag to add (multiple allowed, at least one required)--wait— Wait for completion
Examples:
# Add single tag
gulp-cli enrich tag my_op --flt '{"source":"Security"}' --tag "reviewed"
# Add multiple tags
gulp-cli enrich tag my_op \
--flt '{"event_id":"4688"}' \
--tag "suspicious" \
--tag "requires-review" \
--tag "process-creation"Remove tags from documents.
gulp-cli enrich untag OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--flt TEXT— Filter JSON (required)--tag TEXT— Tag to remove (multiple allowed)--wait— Wait for completion
Examples:
gulp-cli enrich untag my_op --flt '{"tag":"pending"}' --tag "pending"Update field values on documents.
gulp-cli enrich update OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--flt TEXT— Filter JSON (required)--fields TEXT— Fields JSON to update (required)--wait— Wait for completion
Examples:
# Set threat level
gulp-cli enrich update my_op \
--flt '{"event_id":"4688"}' \
--fields '{"threat_level":"high"}'Remove fields from documents.
gulp-cli enrich remove OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--flt TEXT— Filter JSON (required)--fields TEXT— Field names to remove (comma-separated)--wait— Wait for completion
Examples:
gulp-cli enrich remove my_op \
--flt '{"done":true}' \
--fields "temporary_field,debug_info"Run enrichment plugin on documents matching a filter.
gulp-cli enrich documents OPERATION_ID [OPTIONS]Arguments:
OPERATION_ID— Target operation
Options:
--plugin TEXT— Plugin name (required)--plugin-params TEXT— Plugin parameters JSON--flt TEXT— Filter JSON--wait— Wait for completion--fields TEXT— { "field": "value" } pairs to set on enriched documents (JSON string): if "value" isnullthe enrichment is made on field's value in the document. either, enriched "value" is used.
Examples:
gulp-cli enrich documents my_op \
--plugin my_enricher \
--plugin-params '{"api_key":"..."}' \
--flt '{"operation_ids":["my_op"],"source_ids":["security"]}' \
--fields '{"ip.destination": null}'Enrich a single document by ID.
gulp-cli enrich single-id OPERATION_ID DOCUMENT_ID [OPTIONS]Arguments:
OPERATION_ID— Target operationDOCUMENT_ID— Document ID
Options:
--plugin TEXT— Plugin name (required)--plugin-params TEXT— Plugin parameters JSON--fields TEXT— { "field": "value" } pairs to set on enriched documents (JSON string): if "value" isnullthe enrichment is made on field's value in the document. either, enriched "value" is used.--wait— Wait for completion
Examples:
gulp-cli enrich single-id my_op doc123 --plugin my_enricher --fields '{"host.os": null}' --waitManage collaboration objects attached to an operation: notes, links, and highlights.
List notes in operation.
gulp-cli collab note list OPERATION_ID [OPTIONS]Options:
Default columns:
id,operation_id,user_id,server_id,context_id,source_id,time_pin,text
Examples:
gulp-cli collab note list incident-001
gulp-cli --verbose collab note list incident-001Create a note for a specific context/source.
gulp-cli collab note create OPERATION_ID CONTEXT_ID SOURCE_ID NAME TEXT [OPTIONS]Important:
- At least one of
--time-pinor--docis required.
Options:
--tags TEXT— Comma-separated tags--glyph-id TEXT— Glyph ID--color TEXT— Color string--private— Create the note as private--time-pin INTEGER— Time pin in nanoseconds--doc TEXT— JSON object for associated document
Examples:
# Time-pinned note
gulp-cli collab note create incident-001 sdk_context security "Analyst note" "Suspicious login spike" \
--time-pin 1774626000000000000 \
--tags suspicious,review
# Document-associated note
gulp-cli collab note create incident-001 sdk_context security "IOC note" "Check parent process" \
--doc '{"_id":"doc-123","gulp.operation_id":"incident-001","gulp.source_id":"security"}'Update an existing note.
gulp-cli collab note update NOTE_ID [OPTIONS]Options:
--name TEXT— Update note name--text TEXT— Update note text--tags TEXT— Replace tags with comma-separated values--glyph-id TEXT— Update glyph ID--color TEXT— Update color--time-pin INTEGER— Update time pin in nanoseconds--doc TEXT— Replace associated document with JSON object
Examples:
gulp-cli collab note update note-123 --text "Updated note text" --tags reviewed,done
gulp-cli collab note update note-123 --time-pin 1774627000000000000Delete a note.
gulp-cli collab note delete NOTE_IDExamples:
gulp-cli collab note delete note-123Delete multiple notes in an operation using the server-side object_delete_bulk API.
gulp-cli collab note delete-bulk OPERATION_ID [OPTIONS]Important:
- You must provide
--fltor explicitly pass--all.
Options:
--flt TEXT—GulpCollabFilterJSON object--all— Delete all notes in the operation
Examples:
# Delete notes by source and tag
gulp-cli collab note delete-bulk incident-001 \
--flt '{"source_ids":["security"],"tags":["reviewed"]}'
# Delete all notes in the operation
gulp-cli collab note delete-bulk incident-001 --allList links in operation.
gulp-cli collab link list OPERATION_ID [OPTIONS]Default columns:
id,operation_id,user_id,server_id,doc_id_from,doc_ids
Examples:
gulp-cli collab link list incident-001
gulp-cli --verbose collab link list incident-001Create a link from one document to one or more target documents.
gulp-cli collab link create OPERATION_ID DOC_ID_FROM --doc-ids DOC1,DOC2 [OPTIONS]Options:
--name TEXT— Link name--description TEXT— Link description--tags TEXT— Comma-separated tags--glyph-id TEXT— Glyph ID--color TEXT— Color string--private— Create the link as private
Examples:
gulp-cli collab link create incident-001 doc-a --doc-ids doc-b,doc-c \
--name "lateral movement" \
--description "Documents connected by same process tree"Update an existing link.
gulp-cli collab link update LINK_ID [OPTIONS]Options:
--name TEXT— Update link name--description TEXT— Update description--tags TEXT— Replace tags with comma-separated values--glyph-id TEXT— Update glyph ID--color TEXT— Update color--doc-ids TEXT— Replace target document IDs with comma-separated values
Examples:
gulp-cli collab link update link-123 --description "Updated correlation rationale"
gulp-cli collab link update link-123 --doc-ids doc-b,doc-dDelete a link.
gulp-cli collab link delete LINK_IDExamples:
gulp-cli collab link delete link-123Delete multiple links in an operation using the server-side object_delete_bulk API.
gulp-cli collab link delete-bulk OPERATION_ID [OPTIONS]Important:
- You must provide
--fltor explicitly pass--all.
Options:
--flt TEXT—GulpCollabFilterJSON object--all— Delete all links in the operation
Examples:
# Delete links that involve a specific document id
gulp-cli collab link delete-bulk incident-001 \
--flt '{"doc_ids":["doc-a"]}'
# Delete all links in the operation
gulp-cli collab link delete-bulk incident-001 --allList highlights in operation.
gulp-cli collab highlight list OPERATION_ID [OPTIONS]Default columns:
id,operation_id,user_id,server_id,time_range
Examples:
gulp-cli collab highlight list incident-001
gulp-cli --verbose collab highlight list incident-001Create a highlight over a time range.
gulp-cli collab highlight create OPERATION_ID --time-range START_NS,END_NS [OPTIONS]Options:
--name TEXT— Highlight name--description TEXT— Description--tags TEXT— Comma-separated tags--glyph-id TEXT— Glyph ID--color TEXT— Color string--private— Create the highlight as private
Examples:
gulp-cli collab highlight create incident-001 \
--time-range 1774626000000000000,1774626060000000000 \
--name "Burst of activity" \
--color redUpdate an existing highlight.
gulp-cli collab highlight update HIGHLIGHT_ID [OPTIONS]Options:
--name TEXT— Update highlight name--description TEXT— Update description--tags TEXT— Replace tags with comma-separated values--glyph-id TEXT— Update glyph ID--color TEXT— Update color--time-range TEXT— Replace time range usingSTART_NS,END_NS
Examples:
gulp-cli collab highlight update hl-123 --time-range 1774626000000000000,1774626120000000000
gulp-cli collab highlight update hl-123 --description "Expanded reviewed window"Delete a highlight.
gulp-cli collab highlight delete HIGHLIGHT_IDExamples:
gulp-cli collab highlight delete hl-123Delete multiple highlights in an operation using the server-side object_delete_bulk API.
gulp-cli collab highlight delete-bulk OPERATION_ID [OPTIONS]Important:
- You must provide
--fltor explicitly pass--all.
Options:
--flt TEXT—GulpCollabFilterJSON object--all— Delete all highlights in the operation
Examples:
# Delete highlights in a creation-time window
gulp-cli collab highlight delete-bulk incident-001 \
--flt '{"time_created_range":[1774626000000,1774629600000]}'
# Delete all highlights in the operation
gulp-cli collab highlight delete-bulk incident-001 --allStory management commands provided by the story extension plugin.
gulp-cli collab story [COMMAND]Commands:
create— Create a story objectupdate— Update an existing storydelete— Delete a story by idget— Retrieve a story by idlist— List stories for an operation
gulp-cli collab story create OPERATION_ID --name TEXT --doc-ids DOC1,DOC2 [OPTIONS]Options:
--highlight-ids TEXT— Comma-separated highlight IDs--include-whole-documents— Include all document fields in each story entry--description TEXT— Story description--tags TEXT— Comma-separated tags--glyph-id TEXT— Glyph ID--color TEXT— Color string--private— Create as private object--wait— Wait for completion if endpoint returns pending--timeout INTEGER— Wait timeout in seconds (0means no timeout)
Examples:
gulp-cli collab story create incident-001 \
--name "Executive summary" \
--doc-ids doc-a,doc-b \
--highlight-ids hl-1,hl-2gulp-cli collab story update STORY_ID [OPTIONS]Options:
--name TEXT— Update story title--doc-ids TEXT— Replace target document IDs--highlight-ids TEXT— Replace highlight IDs--include-whole-documents— Include all document fields in each story entry--description TEXT— Update description--tags TEXT— Replace tags--glyph-id TEXT— Update glyph ID--color TEXT— Update color--wait— Wait for completion if endpoint returns pending--timeout INTEGER— Wait timeout in seconds (0means no timeout)
gulp-cli collab story delete STORY_ID [OPTIONS]Options:
--wait— Wait for completion if endpoint returns pending--timeout INTEGER— Wait timeout in seconds (0means no timeout)
gulp-cli collab story get OPERATION_ID STORY_IDgulp-cli collab story list OPERATION_ID [OPTIONS]Options:
--flt TEXT—GulpCollabFilterJSON object
Examples:
gulp-cli collab story list incident-001
gulp-cli collab story list incident-001 --flt '{"tags":["executive"]}'List all OpenSearch datastreams/indexes (admin required).
gulp-cli db list-indexes [OPTIONS]Examples:
gulp-cli db list-indexes
gulp-cli --verbose db list-indexesRefresh an OpenSearch index so newly ingested documents become searchable (ingest permission required).
gulp-cli db refresh-index INDEXArguments:
INDEX— Index / datastream name (usually the operation ID)
Examples:
gulp-cli db refresh-index incident-001Delete an OpenSearch datastream/index and (by default) its associated collab operation.
WARNING: all document data in the index will be permanently lost.
gulp-cli db delete-index INDEX [OPTIONS]Arguments:
INDEX— Index / datastream name
Options:
--keep-operation— Do NOT delete the corresponding collab operation--yes / -y— Skip the confirmation prompt
Examples:
# Interactive confirmation
gulp-cli db delete-index incident-001
# Delete index only, keep the operation
gulp-cli db delete-index incident-001 --keep-operation --yes
# Non-interactive (CI/scripts)
gulp-cli db delete-index incident-001 --yesAll commands require admin permission.
List user groups.
gulp-cli user-group list [OPTIONS]Options:
--flt TEXT—GulpCollabFilterJSON for filtering
Examples:
gulp-cli user-group list
gulp-cli user-group list --verbose
gulp-cli user-group list --flt '{"names":["analysts"]}'Get a user group by ID.
gulp-cli user-group get GROUP_IDExamples:
gulp-cli user-group get analystsCreate a new user group.
gulp-cli user-group create NAME --permission PERMS [OPTIONS]Arguments:
NAME— Group name (also used as ID)
Options:
--permission TEXT— Comma-separated permissions:read,edit,ingest,admin(required)--description / -d TEXT— Optional description--glyph-id TEXT— Optional glyph ID
Examples:
gulp-cli user-group create analysts --permission read,edit
gulp-cli user-group create ingestors --permission read,edit,ingest --description "Can run ingestion"Update a user group's properties.
gulp-cli user-group update GROUP_ID [OPTIONS]Options:
--permission TEXT— New comma-separated permissions--description / -d TEXT— New description--glyph-id TEXT— New glyph ID
Examples:
gulp-cli user-group update analysts --permission read,edit,ingest
gulp-cli user-group update analysts --description "Read + edit + ingest access"Delete a user group. Members are not deleted.
gulp-cli user-group delete GROUP_IDExamples:
gulp-cli user-group delete analystsAdd a user to a group.
gulp-cli user-group add-user GROUP_ID USER_IDExamples:
gulp-cli user-group add-user analysts aliceRemove a user from a group.
gulp-cli user-group remove-user GROUP_ID USER_IDExamples:
gulp-cli user-group remove-user analysts aliceManage access control for collaboration objects. The caller must be the object owner or have admin permission.
Grant a specific user access to an object.
gulp-cli acl add-user OBJ_ID --obj-type TYPE --user-id USER_IDArguments:
OBJ_ID— ID of the object
Options:
--obj-type TEXT— Object collab type (e.g.note,operation,link,highlight) (required)--user-id TEXT— User ID to grant access (required)
Examples:
gulp-cli acl add-user note-123 --obj-type note --user-id alice
gulp-cli acl add-user incident-001 --obj-type operation --user-id aliceRevoke a user's access to an object.
gulp-cli acl remove-user OBJ_ID --obj-type TYPE --user-id USER_IDExamples:
gulp-cli acl remove-user note-123 --obj-type note --user-id aliceGrant a group access to an object.
gulp-cli acl add-group OBJ_ID --obj-type TYPE --group-id GROUP_IDOptions:
--obj-type TEXT— Object collab type (required)--group-id TEXT— Group ID to grant access (required)
Examples:
gulp-cli acl add-group incident-001 --obj-type operation --group-id analysts
gulp-cli acl add-group note-123 --obj-type note --group-id analystsRevoke a group's access to an object.
gulp-cli acl remove-group OBJ_ID --obj-type TYPE --group-id GROUP_IDExamples:
gulp-cli acl remove-group incident-001 --obj-type operation --group-id analystsMake an object private. Only the owner and admins will be able to access it.
gulp-cli acl make-private OBJ_ID --obj-type TYPEExamples:
gulp-cli acl make-private note-123 --obj-type note
gulp-cli acl make-private link-456 --obj-type linkMake an object public (accessible by everyone). Clears all explicit grants.
gulp-cli acl make-public OBJ_ID --obj-type TYPEExamples:
gulp-cli acl make-public note-123 --obj-type noteManage files on the S3-compatible filestore.
List files from storage, optionally filtered by operation/context.
gulp-cli storage list-files [OPTIONS]Options:
--operation-id TEXT— Filter by operation ID--context-id TEXT— Filter by context ID--continuation-token TEXT— Pagination token from previous response--max-results INTEGER— Results per page (default:100, max:1000)
Examples:
# List files for one operation
gulp-cli storage list-files --operation-id incident-001
# Paginate next page
gulp-cli storage list-files --operation-id incident-001 --continuation-token abc123
# Global list (admin)
gulp-cli storage list-files --verboseDownload a file by storage ID.
gulp-cli storage get-file OPERATION_ID STORAGE_ID --output PATHArguments:
OPERATION_ID— Operation ID used for permission checkSTORAGE_ID— Storage ID (gulp.storage_id)
Options:
--output TEXT— Local output file path (required)
Examples:
gulp-cli storage get-file incident-001 \
incident-001/context-a/source-security/System.evtx \
--output ./downloads/System.evtxDelete a single storage file by storage ID.
gulp-cli storage delete-by-id OPERATION_ID STORAGE_IDExamples:
gulp-cli storage delete-by-id incident-001 \
incident-001/context-a/source-security/System.evtxDelete storage files by operation/context tags.
gulp-cli storage delete-by-tags [OPTIONS]Important:
- Provide at least one filter (
--operation-idand/or--context-id) or explicitly pass--all.
Options:
--operation-id TEXT— Filter by operation ID--context-id TEXT— Filter by context ID--all— Delete across all operations/contexts--yes / -y— Skip confirmation prompt when using--all
Examples:
# Delete all files in one operation
gulp-cli storage delete-by-tags --operation-id incident-001
# Delete by operation + context
gulp-cli storage delete-by-tags --operation-id incident-001 --context-id sdk_context
# Global delete (dangerous)
gulp-cli storage delete-by-tags --all --yesList all plugins.
gulp-cli plugin list [OPTIONS]Options:
--plugin-type [extension|external|ingestion|enrichment]— Filter plugins by functional type
Examples:
# List only ingestion plugins
gulp-cli plugin list --plugin-type ingestion
# List only enrichment plugins
gulp-cli plugin list --plugin-type enrichment
# List only extension plugins
gulp-cli plugin list --plugin-type extension
# List only external/query plugins
gulp-cli plugin list --plugin-type externalList UI plugins.
gulp-cli plugin list-ui [OPTIONS]List all mapping files.
gulp-cli mapping list [OPTIONS]Upload a mapping file.
gulp-cli mapping upload FILE_PATH [OPTIONS]Download a mapping file.
gulp-cli mapping download FILENAME OUTPUT_PATH [OPTIONS]Delete a mapping file.
gulp-cli mapping delete FILENAME [OPTIONS]Map document field criteria per plugin to a glyph and/or color used by the UI. Criteria can be simple values for exact matches or operator dicts for numeric comparisons.
gulp-cli enhance-map create PLUGIN MATCH_CRITERIA [--glyph-id GLYPH_ID] [--color COLOR]Where MATCH_CRITERIA is a JSON dict mapping document field names to criteria values:
- Simple values for exact match:
'{"field":"value"}' - Operator dicts for numeric comparisons:
'{"field":{"eq":value}}','{"field":{"gte":min,"lte":max}}' - Multiple criteria (all must match):
'{"field1":"value","field2":{"gte":10}}'
Examples:
gulp-cli enhance-map create win_evtx '{"gulp.event_code":{"eq":4624}}' --glyph-id logon_glyph
gulp-cli enhance-map create win_evtx '{"severity":{"gte":7,"lte":10}}' --color "#ff0000"gulp-cli enhance-map update OBJ_ID [--glyph-id GLYPH_ID] [--color COLOR]gulp-cli enhance-map delete OBJ_IDgulp-cli enhance-map get OBJ_IDgulp-cli enhance-map list [--flt '{"plugin":"win_evtx"}']Create and manage glyph objects used in collaboration and enhance mappings.
gulp-cli glyph create [--img-path ./icon.png] [--name GLYPH_NAME] [--private]gulp-cli glyph update OBJ_ID [--name NEW_NAME] [--img-path ./icon_new.png]gulp-cli glyph delete OBJ_IDgulp-cli glyph get OBJ_IDgulp-cli glyph list [--flt '{"private":false}']