threatstack 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bb2d3822b5477af93812d538e414b247230d3539
+  data.tar.gz: 46428650cbe22613630d2f91daa71e8bb79bafee
+SHA512:
+  metadata.gz: eccd2edb7ed85e4cb2e9818413e8ecc54361407c03920b912d12a5209302cd0a9b6d88deba537ec54ef07b354d42604ae691f78dbefb26deea069e88e3efe835
+  data.tar.gz: fcfca22363bef5e091c8aae805c9589af22d3b61ff1007f3286ef753c37389d728cee48af7e0379c5b79e99a8194f2ea52fcb08ce8c497a9cd117c61a69d0716

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.3
+before_install: gem install bundler -v 1.14.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in threatstack.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Ryan Canty
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,130 @@
+# Threatstack
+
+Threatstack is a tool for monitoring your infrastructure and hosts for malicious or suspicious activity. They have this handy little API that I decided to write a Ruby wrapper for. This is a very thin wrapper that only transforms keys for the purpose of changing them to snake_case like the rest of the ruby world. Otherwise, this maps very closely to the API docs found here: https://app.threatstack.com/api/docs
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'threatstack'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install threatstack
+
+## Usage
+
+You can access all attributes on responses thanks to the method_missing function in Ruby. We only munged the attributes that don't correspond to snake_case. If you want to see a list of all available attributes for a serializable response object, simply do something like this:
+
+```
+client = Threatstack::Client.new(API_TOKEN)
+client.policies.first.attrs
+=> [:rules,
+ :id,
+ :name,
+ :created_at,
+ :updated_at,
+ :enabled,
+ :agent_count,
+ :alert_rule_count,
+ :description,
+ :organization_id,
+ :alert_policy_id,
+ :alert_policy,
+ :file_integrity_rules]
+ ```
+
+### Alerts
+
+```
+client = Threatstack::Client.new(API_TOKEN)
+## All these are optional url params. See the Threatstack API Docs
+alert = client.alerts(start: 3.days.ago, end: Time.now, count: 5).last
+=> #<Threatstack::Alert::Alert:0x007fde0b01cbd8
+ @raw=
+  {"created_at"=>1496850520000,
+   "expires_at"=>1496936920000,
+   "last_updated_at"=>"2017-06-07T16:03:56.270Z",
+   "count"=>4,
+   "title"=>"CloudTrail Activity : EC2 Service Policy Changes : CreateVolume by ryan_canty",
+   ...
+event = alert.latest_events.last
+=> <Threatstack::Alert::Event:0x007fde0ca08420
+ @raw=
+  {"user"=>"ryan_canty",
+   "userType"=>"IAMUser",
+   ...
+user_that_caused_the_event = event.user_identity.arn
+=> "arn:aws:iam::1234567890:user/ryan_canty"
+
+```
+
+You can also limit the response if that's important to you:
+
+```
+client.alerts(fields: ['title', 'alerts'])
+=> [#<Threatstack::Alert::Alert:0x007fd61348c768
+  @raw={"title"=>"CloudTrail Activity (IAM Policy Changes) : CreateAccessKey by ryan_canty", "severity"=>2}>]
+```
+
+You can also get a single alert by id using:
+
+```
+client.alert('1234567890')
+```
+
+### Agents
+
+```
+client.agents
+=>  [#<Threatstack::Agent::Agent:0x007fa262b0b2e0 @raw={...}> ]
+client.agent
+=>  #<Threatstack::Agent::Agent:0x007fa262b0b2e0 @raw={...}>
+```
+
+
+### Policies
+
+```
+client.policies
+=>  [#<Threatstack::Policy::Policy:0x007fa262b0b2e0 @raw={...}> ]
+client.policy
+=>  #<Threatstack::Policy::Policy:0x007fa262b0b2e0 @raw={...}>
+```
+
+### Organizations
+
+```
+client.organizations
+=>  [#<Threatstack::Organization::Organization:0x007fa262b0b2e0 @raw={...}> ]
+```
+
+### Audit Logs
+
+```
+client.logs
+=>  [#<Threatstack::Log::Log:0x007fa262b0b2e0 @raw={...}>]
+client.search('query')
+=>  [#<Threatstack::Log::Log:0x007fa262b0b2e0 @raw={...}>]
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/onetwopunch/threatstack.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require "bundler/setup"
+require "threatstack"
+require "pry"
+
+Pry.config.prompt = lambda do |context, nesting, pry|
+  "[threatstack] #{context}> "
+end
+
+Pry.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/threatstack.rb

@@ -0,0 +1,5 @@
+require "threatstack/version"
+require "threatstack/client"
+
+module Threatstack
+end

data/lib/threatstack/agent/agent.rb

@@ -0,0 +1,9 @@
+require 'threatstack/agent/agent'
+
+module Threatstack
+  module Agent
+    class Agent
+      include Serializable
+    end
+  end
+end

data/lib/threatstack/agent/response.rb

@@ -0,0 +1,16 @@
+require 'threatstack/agent/agent'
+
+module Threatstack
+  module Agent
+    class Response
+      attr_reader :raw
+      def initialize(raw)
+        @raw = raw
+      end
+
+      def agents
+        raw.map{ |a| Agent.new(a) }
+      end
+    end
+  end
+end

data/lib/threatstack/alert/alert.rb

@@ -0,0 +1,22 @@
+require 'threatstack/alert/event'
+require 'threatstack/alert/rule'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Alert
+    class Alert
+      include Serializable
+      attributes :latest_events, :rule
+
+      def latest_events
+        raw['latest_events'].map do |event|
+          Event.new(event)
+        end
+      end
+
+      def rule
+        Rule.new(raw['rule'])
+      end
+    end
+  end
+end

data/lib/threatstack/alert/event.rb

@@ -0,0 +1,15 @@
+require 'threatstack/alert/user_identity'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Alert
+    class Event
+      include Serializable
+      attributes :user_identity
+
+      def user_identity
+        UserIdentity.new(raw['userIdentity'])
+      end
+    end
+  end
+end

data/lib/threatstack/alert/response.rb

@@ -0,0 +1,15 @@
+require 'threatstack/alert/alert'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Alert
+    class Response
+      include Serializable
+      attributes :alerts
+      
+      def alerts
+        raw.map{ |a| Alert.new(a) }
+      end
+    end
+  end
+end

data/lib/threatstack/alert/rule.rb

@@ -0,0 +1,13 @@
+require 'threatstack/serializable'
+module Threatstack
+  module Alert
+    class Rule
+      include Serializable
+      attributes :original_rule
+
+      def original_rule
+        Rule.new(raw['original_rule'])
+      end
+    end
+  end
+end

data/lib/threatstack/alert/user_identity.rb

@@ -0,0 +1,34 @@
+require 'threatstack/serializable'
+
+module Threatstack
+  module Alert
+    class UserIdentity
+      include Serializable
+      attributes :user_name, :session_context, :invoked_by, :account_id, :access_key_id, :principal_id
+
+      def user_name
+        raw['userName']
+      end
+
+      def session_context
+        raw['sessionContext']
+      end
+
+      def invoked_by
+        raw['invokedBy']
+      end
+
+      def account_id
+        raw['accountId']
+      end
+
+      def access_key_id
+        raw['accessKeyId']
+      end
+
+      def principal_id
+        raw['principalId']
+      end
+    end
+  end
+end

data/lib/threatstack/client.rb

@@ -0,0 +1,93 @@
+require 'open-uri'
+require 'httparty'
+require 'threatstack/alert/response'
+require 'threatstack/alert/alert'
+require 'threatstack/agent/response'
+require 'threatstack/agent/agent'
+require 'threatstack/policy/response'
+require 'threatstack/policy/policy'
+require 'threatstack/organization/response'
+require 'threatstack/log/response'
+
+module Threatstack
+  class ThreatstackError < StandardError; end
+
+  class Client
+    THREATSTACK_API = 'https://app.threatstack.com/api/v1'
+
+    attr_reader :token, :org_id
+
+    def initialize(token)
+      @token = token
+    end
+
+    def alerts(params = {})
+      response = do_request(:get, 'alerts', params)
+      Alert::Response.new(response).alerts
+    end
+
+    def alert(alert_id, params = {})
+      raise ThreatstackError, "Must specify alert id" unless alert_id
+      response = do_request(:get, "alerts/#{alert_id}", params)
+      Alert::Alert.new(response)
+    end
+
+    def agents(params = {})
+      response = do_request(:get, 'agents', params)
+      Agent::Response.new(response).agents
+    end
+
+    def agent(agent_id, params = {})
+      raise ThreatstackError, "Must specify agent id" unless agent_id
+      response = do_request(:get, "agents/#{agent_id}", params)
+      Agent::Agent.new(response)
+    end
+
+    def policies(params = {})
+      response = do_request(:get, 'policies', params)
+      Policy::Response.new(response).policies
+    end
+
+    def policy(policy_id, params = {})
+      raise ThreatstackError, "Must specify policy id" unless policy_id
+      response = do_request(:get, "policies/#{policy_id}", params)
+      Policy::Policy.new(response)
+    end
+
+    def organizations(params = {})
+      response = do_request(:get, 'organizations', params)
+      Organization::Response.new(response).organizations
+    end
+
+    def logs(params = {})
+      response = do_request(:get, 'logs', params)
+      Log::Response.new(response).logs
+    end
+
+    def search(query, params = {})
+      logs(params.merge(q: query))
+    end
+
+    private
+
+    def do_request(method, path, params = {})
+      response = HTTParty.public_send(method, build_uri(path, params), headers: { "Authorization" => token })
+      if response.instance_of?(Hash) && response['status'] == 'error'
+        raise ThreatstackError, response['message']
+      end
+      response
+    end
+
+    def build_uri(path, params = {})
+      params[:start] = params[:start].utc if params[:start]
+      params[:end] = params[:end].utc if params[:end]
+      params[:fields] = params[:fields].join(',') if params[:fields]&.is_a?(Array)
+
+      query = params.each_pair.map { |k, v| "#{k}=#{v}" }.join('&')
+      uri = "#{THREATSTACK_API}/#{path}"
+      uri += "?#{URI::encode(query)}" if params.any?
+      uri
+    end
+
+  end
+end

data/lib/threatstack/log/log.rb

@@ -0,0 +1,9 @@
+require 'threatstack/serializable'
+
+module Threatstack
+  module Log
+    class Log
+      include Serializable
+    end
+  end
+end

data/lib/threatstack/log/response.rb

@@ -0,0 +1,14 @@
+require 'threatstack/log/log'
+
+module Threatstack
+  module Log
+    class Response
+      include Serializable
+      attributes :logs
+
+      def logs
+        raw.map{ |a| Log.new(a) }
+      end
+    end
+  end
+end

data/lib/threatstack/organization/organization.rb

@@ -0,0 +1,10 @@
+require 'threatstack/organization/organization'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Organization
+    class Organization
+      include Serializable
+    end
+  end
+end

data/lib/threatstack/organization/response.rb

@@ -0,0 +1,15 @@
+require 'threatstack/organization/organization'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Organization
+    class Response
+      include Serializable
+      attributes :organizations
+
+      def organizations
+        raw.map{ |a| Organization.new(a) }
+      end
+    end
+  end
+end

data/lib/threatstack/policy/policy.rb

@@ -0,0 +1,15 @@
+require 'threatstack/policy/policy'
+require 'threatstack/alert/rule'
+
+module Threatstack
+  module Policy
+    class Policy
+      include Serializable
+      attributes :rules
+
+      def rules
+        raw['alert_policy'].map{ |r| Threatstack::Alert::Rule.new(r) }
+      end
+    end
+  end
+end

data/lib/threatstack/policy/response.rb

@@ -0,0 +1,15 @@
+require 'threatstack/policy/policy'
+require 'threatstack/serializable'
+
+module Threatstack
+  module Policy
+    class Response
+      include Serializable
+      attributes :policies
+
+      def policies
+        raw.map{ |a| Policy.new(a) }
+      end
+    end
+  end
+end

data/lib/threatstack/serializable.rb

@@ -0,0 +1,31 @@
+module Threatstack
+  module Serializable
+    attr_reader :raw
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    def initialize(raw)
+      @raw = raw
+    end
+
+    def method_missing(m, *args)
+      raw[m.to_s]
+    end
+
+    def attrs
+      @attrs ||= self.class.default_attrs + raw.keys.map(&:to_sym)
+    end
+
+    module ClassMethods
+      def attributes(*args)
+        @default_attrs = args
+      end
+
+      def default_attrs
+        @default_attrs ||= []
+      end
+    end
+  end
+end

data/lib/threatstack/version.rb

@@ -0,0 +1,3 @@
+module Threatstack
+  VERSION = "0.1.0"
+end

data/threatstack.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'threatstack/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "threatstack"
+  spec.version       = Threatstack::VERSION
+  spec.authors       = ["Ryan Canty"]
+  spec.email         = ["jrcanty@gmail.com"]
+
+  spec.summary       = %q{Threatstack API integration for Ruby}
+  spec.description   = %q{Threatstack API integration for Ruby}
+  spec.homepage      = "https://github.com/onetwopunch/threatstack"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.14"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "pry"
+  spec.add_runtime_dependency "httparty"
+end

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: threatstack
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ryan Canty
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-06-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Threatstack API integration for Ruby
+email:
+- jrcanty@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/threatstack.rb
+- lib/threatstack/agent/agent.rb
+- lib/threatstack/agent/response.rb
+- lib/threatstack/alert/alert.rb
+- lib/threatstack/alert/event.rb
+- lib/threatstack/alert/response.rb
+- lib/threatstack/alert/rule.rb
+- lib/threatstack/alert/user_identity.rb
+- lib/threatstack/client.rb
+- lib/threatstack/log/log.rb
+- lib/threatstack/log/response.rb
+- lib/threatstack/organization/organization.rb
+- lib/threatstack/organization/response.rb
+- lib/threatstack/policy/policy.rb
+- lib/threatstack/policy/response.rb
+- lib/threatstack/serializable.rb
+- lib/threatstack/version.rb
+- threatstack.gemspec
+homepage: https://github.com/onetwopunch/threatstack
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.10
+signing_key: 
+specification_version: 4
+summary: Threatstack API integration for Ruby
+test_files: []