code42 · ceciliastevens · Dec 15, 2025 · Dec 15, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,15 @@
  how a consumer would use the library or CLI tool (e.g. adding unit tests, updating documentation, etc) are not captured
  here.
 
+## Unreleased
+
+### Added
+- Added the `state_v2` field to session states. Added the new session state `CLOSED_TP_BENIGN`.
+- Added support for the `ON` filter in file event queries.
+
+### Fixed
+- A bug where the SDK's V2 Watchlist methods were returning the wrong models.
+
 ## 2.7.0 - 2025-11-13
 
 ### Updated

diff --git a/docs/integration-guides/index.md b/docs/integration-guides/index.md
diff --git a/docs/integration-guides/sentinel/azure-sentinel-data-collector.md b/docs/integration-guides/sentinel/azure-sentinel-data-collector.md
diff --git a/docs/integration-guides/sentinel/azure-sentinel-log-analytics.md b/docs/integration-guides/sentinel/azure-sentinel-log-analytics.md
diff --git a/docs/integration-guides/sentinel/introduction.md b/docs/integration-guides/sentinel/introduction.md
diff --git a/docs/sdk/enums.md b/docs/sdk/enums.md
@@ -555,6 +555,7 @@ Devices has been replaced by [Agents](#agents)
 * **IN_PROGRESS** = `"IN_PROGRESS"`
 * **CLOSED** = `"CLOSED"`
 * **CLOSED_TP** = `"CLOSED_TP"`
+* **CLOSED_TP_BENIGN** = `"CLOSED_TP_BENIGN"`
 * **CLOSED_FP** = `"CLOSED_FP"`
 * **OPEN_NEW_DATA** = `"OPEN_NEW_DATA"`
 

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -91,12 +91,6 @@ nav:
         - Alerts (Deprecated): 'cli/cmds/alerts.md'
         - Devices (Deprecated): 'cli/cmds/devices.md'
         - Risk Profiles (Deprecated): 'cli/cmds/risk_profiles.md'
-  - Guides:
-      - Introduction: 'integration-guides/index.md'
-      - Microsoft Sentinel:
-        - Introduction: 'integration-guides/sentinel/introduction.md'
-        - Data Collector API: 'integration-guides/sentinel/azure-sentinel-data-collector.md'
-        - Log Analytics Agent: 'integration-guides/sentinel/azure-sentinel-log-analytics.md'
 
 markdown_extensions:
   - attr_list

diff --git a/pyproject.toml b/pyproject.toml
@@ -28,7 +28,7 @@ dependencies = [
   "requests",
   "requests-toolbelt",
   "rich",
-  "pydantic>=2.11,<2.12",
+  "pydantic>=2.11",
   "pydantic-settings",
   "isodate",
   "python-dateutil",

diff --git a/src/_incydr_cli/cmds/sessions.py b/src/_incydr_cli/cmds/sessions.py
@@ -322,7 +322,7 @@ def bulk_update_state(
     Bulk update the state of multiple sessions. Optionally attach a note.
 
     NEW_STATE specifies the new state to which sessions will be updated.
-    Must be one of the following: 'OPEN', 'IN_PROGRESS', 'CLOSED', 'CLOSED_TP', 'CLOSED_FP', 'OPEN_NEW_DATA'
+    Must be one of the following: 'OPEN', 'IN_PROGRESS', 'CLOSED', 'CLOSED_TP', 'CLOSED_TP_BENIGN', 'CLOSED_FP', 'OPEN_NEW_DATA'
 
     Takes a single arg `FILE` which specifies the path to the file (use "-" to read from stdin).
     File format can either be CSV or [JSON Lines format](https://jsonlines.org) (Default is CSV).

diff --git a/src/_incydr_cli/cmds/trusted_activities.py b/src/_incydr_cli/cmds/trusted_activities.py
@@ -334,7 +334,7 @@ def _output_trusted_activity(
         t.add_column("Action Groups")
 
         # exclude activity action groups from the info panel
-        include = list(TrustedActivity.__fields__.keys())
+        include = list(TrustedActivity.model_fields.keys())
         include.remove("activity_action_groups")
         t.add_row(
             model_as_card(

diff --git a/src/_incydr_cli/cmds/watchlists.py b/src/_incydr_cli/cmds/watchlists.py
@@ -29,9 +29,9 @@
 from _incydr_sdk.utils import model_as_card
 from _incydr_sdk.watchlists.models.responses import IncludedDepartment
 from _incydr_sdk.watchlists.models.responses import IncludedDirectoryGroup
-from _incydr_sdk.watchlists.models.responses import Watchlist
 from _incydr_sdk.watchlists.models.responses import WatchlistActor
 from _incydr_sdk.watchlists.models.responses import WatchlistUser
+from _incydr_sdk.watchlists.models.responses import WatchlistV2
 
 MAX_USER_DISPLAY_COUNT = 25
 
@@ -115,7 +115,7 @@ def list_(
         actor = user
     client = Client()
     watchlists = client.watchlists.v2.iter_all(actor_id=actor)
-    _output_results(watchlists, Watchlist, format_, columns)
+    _output_results(watchlists, WatchlistV2, format_, columns)
 
 
 @watchlists.command(cls=IncydrCommand)

diff --git a/src/_incydr_sdk/enums/sessions.py b/src/_incydr_sdk/enums/sessions.py
@@ -10,6 +10,7 @@ class SessionStates(_Enum):
     IN_PROGRESS = "IN_PROGRESS"
     CLOSED = "CLOSED"
     CLOSED_TP = "CLOSED_TP"
+    CLOSED_TP_BENIGN = "CLOSED_TP_BENIGN"
     CLOSED_FP = "CLOSED_FP"
     OPEN_NEW_DATA = "OPEN_NEW_DATA"
 

diff --git a/src/_incydr_sdk/queries/file_events.py b/src/_incydr_sdk/queries/file_events.py
@@ -29,6 +29,7 @@
 from _incydr_sdk.file_events.models.response import SavedSearch
 from _incydr_sdk.file_events.models.response import SearchFilterGroup
 from _incydr_sdk.file_events.models.response import SearchFilterGroupV2
+from _incydr_sdk.queries.utils import parse_ts_to_date_str
 from _incydr_sdk.queries.utils import parse_ts_to_ms_str
 
 _term_enum_map = {
@@ -347,6 +348,33 @@ def date_range(self, term: str, start_date=None, end_date=None):
             )
         return self
 
+    def on(self, term: str, date=None):
+        """
+        Adds a date-based filter for the specified term.
+
+        When passed as part of a query, returns events on the specified date.
+
+        Example:
+            `EventQuery(**kwargs).date_range(term="event.inserted", start_date="P1D")` creates a query that returns all events inserted into Forensic Search within the past day.
+
+        **Parameters**:
+
+        * **term**: `str` - The term which corresponds to a file event field.
+        * **date**: `int`, `float`, `str`, `datetime` -  The date to query for events. Defaults to None.
+        """
+        self.groups.append(
+            FilterGroup(
+                filters=[
+                    Filter(
+                        term=term,
+                        operator=Operator.ON,
+                        value=parse_ts_to_date_str(date),
+                    )
+                ]
+            )
+        )
+        return self
+
     def matches_any(self):
         """
         Sets operator to combine multiple filters to `OR`.
@@ -439,10 +467,10 @@ def _validate_duration_str(iso_duration_str):
 
 def _create_filter_group(filter_group: SearchFilterGroup) -> FilterGroup:
     filters = [
-        Filter.construct(value=f.value, operator=f.operator, term=f.term)
+        Filter.model_construct(value=f.value, operator=f.operator, term=f.term)
         for f in filter_group.filters
     ]
-    return FilterGroup.construct(
+    return FilterGroup.model_construct(
         filterClause=filter_group.filter_clause, filters=filters
     )
 
@@ -451,7 +479,7 @@ def _create_filter_group_v2(filter_group_v2: SearchFilterGroupV2) -> FilterGroup
     subgroups = []
     for subgroup in filter_group_v2.subgroups:
         subgroups.append(_handle_filter_group_type(subgroup))
-    return FilterGroupV2.construct(
+    return FilterGroupV2.model_construct(
         subgroupClause=filter_group_v2.subgroup_clause, subgroups=subgroups
     )