threatstack 0.2.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 187538b81d44fb05e61ceed262abe656e82a2a4d
-  data.tar.gz: 4bf4c21c0ea8af3cc10f96044427763f5800b3c3
+  metadata.gz: 74577f2d9484d086e874ca7e040cd1091e4a50a8
+  data.tar.gz: 159fa0747f42351a160133662896e4de9466febb
 SHA512:
-  metadata.gz: 628ec3682dac755b55796c97fca8611786ea5a90fdf1412bf18f7081a1f30b47ae4e37ae836ce017ee5e23834086b5d1e3a5a446409d2e1a26d1341f8fa64c4e
-  data.tar.gz: 5746ae5b1648fd66e077b81a15f9341d8a5c18e38560fe455e900e820012f14d4b4bcf39a46316c2acd9f9612b8535c80aa5f77b489d06e84b1ea877d01fe447
+  metadata.gz: a54cf4e5e7b6b5fffb2d624391129b1b836692f98cab6d0a6bf2ae74a8c2ec3d009d999ad8d3d01478ee322619ebf4494b636122dd5c7ac4278a1770ef2c48e6
+  data.tar.gz: faf63d2859b2e75f18916c2005cba0d488c8a35f9720b4355d2bdfd0704f5270010144be3090188f4136e8bf91208833478a05139bafae70c5e5d4cb3abafe14

data/.gitignore

@@ -7,3 +7,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+*.gem

data/README.md

@@ -1,6 +1,8 @@
 # Threatstack
 
-Threatstack is a tool for monitoring your infrastructure and hosts for malicious or suspicious activity. They have this handy little API that I decided to write a Ruby wrapper for. This is a very thin wrapper that only transforms keys for the purpose of changing them to snake_case like the rest of the ruby world. Otherwise, this maps very closely to the API docs found here: https://app.threatstack.com/api/docs
+Threatstack is a tool for monitoring your infrastructure and hosts for malicious or suspicious activity. They have this handy little API that I decided to write a Ruby wrapper for. This is a very thin wrapper that only transforms keys for the purpose of changing them to snake_case like the rest of the ruby world. Otherwise, this maps very closely to the API docs found here: https://apidocs.threatstack.com/v2
+
+### NOTE: From version 1.0.0 onward, only Threatstack API v2 is supported
 
 ## Installation
 
@@ -23,30 +25,33 @@ Or install it yourself as:
 You can access all attributes on responses thanks to the method_missing function in Ruby. We only munged the attributes that don't correspond to snake_case. If you want to see a list of all available attributes for a serializable response object, simply do something like this:
 
 ```
-client = Threatstack::Client.new(API_TOKEN)
-client.policies.first.attrs
-=> [:rules,
- :id,
- :name,
+client = Threatstack::Client.new(API_TOKEN, organization_id: ORG_ID)
+[threatstack] main> ts.alerts.first.attrs
+=> [:id,
+ :title,
+ :type,
  :created_at,
- :updated_at,
- :enabled,
- :agent_count,
- :alert_rule_count,
- :description,
- :organization_id,
- :alert_policy_id,
- :alert_policy,
- :file_integrity_rules]
+ :event_count,
+ :is_dismissed,
+ :dismissed_at,
+ :dismissed_reason,
+ :dismissed_reason_text,
+ :dismissed_by,
+ :severity,
+ :agent_id,
+ :rule_id,
+ :ruleset_id,
+ :event_ids]
+
  ```
 
 ### Alerts
 
 ```
-client = Threatstack::Client.new(API_TOKEN)
+client = Threatstack::Client.new(API_TOKEN, organization_id: ORG_ID)
 ## All these are optional url params. See the Threatstack API Docs
 alert = client.alerts(start: 3.days.ago, end: Time.now, count: 5).last
-=> #<Threatstack::Alert::Alert:0x007fde0b01cbd8
+=> #<Threatstack::Alert:0x007fde0b01cbd8
  @raw=
   {"created_at"=>1496850520000,
    "expires_at"=>1496936920000,
@@ -54,22 +59,15 @@ alert = client.alerts(start: 3.days.ago, end: Time.now, count: 5).last
    "count"=>4,
    "title"=>"CloudTrail Activity : EC2 Service Policy Changes : CreateVolume by ryan_canty",
    ...
-event = alert.latest_events.last
-=> <Threatstack::Alert::Event:0x007fde0ca08420
- @raw=
-  {"user"=>"ryan_canty",
-   "userType"=>"IAMUser",
-   ...
-user_that_caused_the_event = event.user_identity.arn
-=> "arn:aws:iam::1234567890:user/ryan_canty"
-
+count = alert.count
+=> 4
 ```
 
 You can also limit the response if that's important to you:
 
 ```
 client.alerts(fields: ['title', 'alerts'])
-=> [#<Threatstack::Alert::Alert:0x007fd61348c768
+=> [#<Threatstack::Alert:0x007fd61348c768
   @raw={"title"=>"CloudTrail Activity (IAM Policy Changes) : CreateAccessKey by ryan_canty", "severity"=>2}>]
 ```
 
@@ -83,36 +81,19 @@ client.alert('1234567890')
 
 ```
 client.agents
-=>  [#<Threatstack::Agent::Agent:0x007fa262b0b2e0 @raw={...}> ]
-client.agent
-=>  #<Threatstack::Agent::Agent:0x007fa262b0b2e0 @raw={...}>
+=>  [#<Threatstack::Response:0x007fa262b0b2e0 @raw={...}> ]
+client.agent('123123123')
+=>  #<Threatstack::Agent:0x007fa262b0b2e0 @raw={...}>
 ```
 
-
-### Policies
+### Vulnerabilities
 
 ```
-client.policies
-=>  [#<Threatstack::Policy::Policy:0x007fa262b0b2e0 @raw={...}> ]
-client.policy
-=>  #<Threatstack::Policy::Policy:0x007fa262b0b2e0 @raw={...}>
+client.vulnerabilities
+client.vulnerability('CVE-123')
 ```
+## TODO: Write docs for all the things (contributions welcome)
 
-### Organizations
-
-```
-client.organizations
-=>  [#<Threatstack::Organization::Organization:0x007fa262b0b2e0 @raw={...}> ]
-```
-
-### Audit Logs
-
-```
-client.logs
-=>  [#<Threatstack::Log::Log:0x007fa262b0b2e0 @raw={...}>]
-client.search('query')
-=>  [#<Threatstack::Log::Log:0x007fa262b0b2e0 @raw={...}>]
-```
 
 ## Development
 

data/lib/threatstack/client.rb

@@ -3,77 +3,154 @@ require 'httparty'
 require 'threatstack/response'
 require 'threatstack/entities/agent'
 require 'threatstack/entities/alert'
-require 'threatstack/entities/log'
-require 'threatstack/entities/organization'
-require 'threatstack/entities/policy'
+require 'threatstack/entities/ruleset'
+require 'threatstack/entities/rule'
+
 
 module Threatstack
   class ThreatstackError < StandardError; end
 
   class Client
-    THREATSTACK_API = 'https://app.threatstack.com/api'.freeze
-
-    attr_reader :token, :org_id, :api_version
+    THREATSTACK_API = 'https://api.threatstack.com'.freeze
+    attr_reader :token, :org_id, :api_version, :last_pagination_token
 
-    def initialize(token, api_version = 'v1')
+    def initialize(token, organization_id: nil, api_version: 'v2')
       @api_version = api_version
       @token = token
+      @org_id = organization_id
+      if api_version == 'v1'
+        raise ThreatstackError, "This version of threatstack-ruby does not support Threatstack API v1"
+      end
     end
 
+    ### ALERTS ###
+
     def agents(params = {})
       response = do_request(:get, 'agents', params)
-      Response.new(:agent, response).agents
+      Response.new(response['agents'], self, entity: :agent).agents
     end
 
     def agent(agent_id, params = {})
       raise ThreatstackError, "Must specify agent id" unless agent_id
       response = do_request(:get, "agents/#{agent_id}", params)
-      Agent.new(response)
+      Agent.new(response, self)
     end
 
+    ### ALERTS ###
     def alerts(params = {})
       response = do_request(:get, 'alerts', params)
-      Response.new(:alert, response).alerts
+      Response.new(response['alerts'], self, entity: :alert).alerts
+    end
+
+    def dismissed_alerts(params = {})
+      response = do_request(:get, 'alerts/dismissed', params)
+      Response.new(response['alerts'], self, entity: :alert).alerts
     end
 
     def alert(alert_id, params = {})
       raise ThreatstackError, "Must specify alert id" unless alert_id
       response = do_request(:get, "alerts/#{alert_id}", params)
-      Alert.new(response)
+      Alert.new(response, self)
+    end
+
+    def severity_counts(params = {})
+      response = do_request(:get, "alerts/severity-counts", params)
+      Response.new(response['severityCounts'], self, entity: :severity_count).list
+    end
+
+    def event(alert_id, event_id, params = {})
+      response = do_request(:get, "alerts/#{alert_id}/events/#{event_id}", params)
+      GenericObject.new(response['details'], self, entity: :event)
     end
 
-    def policies(params = {})
-      response = do_request(:get, 'policies', params)
-      Response.new(:policy, response).policies
+    ### CVEs ###
+
+    def vulnerabilities(params = {})
+      uri = "vulnerabilities"
+      uri += "/suppressed" if params[:suppressed]
+      response = do_request(:get, uri, params)
+      Response.new(response['cves'], self, entity: :cve).cves
     end
 
-    def policy(policy_id, params = {})
-      raise ThreatstackError, "Must specify policy id" unless policy_id
-      response = do_request(:get, "policies/#{policy_id}", params)
-      Policy.new(response)
+    def vulnerability(vuln_id, params = {})
+      raise ThreatstackError, "Must specify vulnerability id" unless vuln_id
+      response = do_request(:get, "vulnerabilities/#{vuln_id}", params)
+      Cve.new(response, self)
     end
 
-    def organizations(params = {})
-      response = do_request(:get, 'organizations', params)
-      Response.new(:organization, response).organizations
+    def package_vulnerabilities(package, params = {})
+      raise ThreatstackError, "Must specify package" unless package
+      uri = "vulnerabilities/package/#{package}"
+      uri += "/suppressed" if params[:suppressed]
+      response = do_request(:get, uri, params)
+      Response.new(response['packages'], self, entity: :package).list
     end
 
-    def logs(params = {})
-      response = do_request(:get, 'logs', params)
-      Response.new(:log, response).logs
+    def server_vulnerabilities(server, params = {})
+      raise ThreatstackError, "Must specify server" unless server
+      uri = "vulnerabilities/server/#{server}"
+      uri += "/suppressed" if params[:suppressed]
+      response = do_request(:get, uri, params)
+      response['cves']
     end
 
-    def search(query, params = {})
-      logs(params.merge(q: query))
+    def cves_by_agent(agent, params = {})
+      raise ThreatstackError, "Must specify agent" unless agent
+      uri = "vulnerabilities/agent/#{agent}"
+      uri += "/suppressed" if params[:suppressed]
+      response = do_request(:get, uri, params)
+      response['cves']
+    end
+
+    def vulnerability_suppressions(params = {})
+      response = do_request(:get, "vulnerabilities/suppressions", params)
+      Response.new(response['suppressions'], self, entity: :suppression).list
+    end
+
+    ### Rulesets ###
+
+    def rulesets(params = {})
+      response = do_request(:get, 'rulesets', params)
+      Response.new(response['rulesets'], self, entity: :ruleset).rulesets
+    end
+
+    def ruleset(ruleset_id, params = {})
+      raise ThreatstackError, "Must specify ruleset id" unless ruleset_id
+      response = do_request(:get, "rulesets/#{ruleset_id}", params)
+      Ruleset.new(response, self)
+    end
+
+    ### Rules ###
+
+    def rules(ruleset_id, params = {})
+      response = do_request(:get, "rulesets/#{ruleset_id}/rules", params)
+      Response.new(response['rules'], self, entity: :rule).rules
+    end
+
+    def rule(ruleset_id, rule_id, params = {})
+      raise ThreatstackError, "Must specify ruleset id and rule id" unless ruleset_id && rule_id
+      response = do_request(:get, "rulesets/#{ruleset_id}/rules/#{rule_id}", params)
+      Rule.new(response, self)
+    end
+
+    ### Servers ###
+
+    def servers(monitored = true, params = {})
+      uri = "servers"
+      uri += "/non-monitored" unless monitored
+      response = do_request(:get, uri, params)
+      Response.new(response['servers'], self, entity: :server).list
     end
 
     private
 
     def do_request(method, path, params = {})
-      response = HTTParty.public_send(method, build_uri(path, params), headers: { "Authorization" => token })
+      headers = { "Authorization" => token, "Organization-Id" => org_id }
+      response = HTTParty.public_send(method, build_uri(path, params), headers: headers).parsed_response
       if response.instance_of?(Hash) && response['status'] == 'error'
         raise ThreatstackError, response['message']
       end
+      @last_pagination_token = response['token']
       response
     end
 
@@ -87,6 +164,5 @@ module Threatstack
       uri += "?#{URI::encode(query)}" if params.any?
       uri
     end
-
   end
 end

data/lib/threatstack/entities/agent.rb

@@ -3,5 +3,19 @@ require 'threatstack/serializable'
 module Threatstack
   class Agent
     include Serializable
+    attributes :id, :instance_id, :status, :activated_at, :last_reported_at,
+      :version, :name, :description, :hostname, :tags, :agent_type
+
+    def tags
+      raw['tags'].map{ |t| Tag.new(t) }
+    end
+
+    def ruleset_ids
+      raw['rulesets']
+    end
+
+    def rulesets
+      ruleset_ids.each { |id| client.ruleset(id) }
+    end
   end
 end

data/lib/threatstack/entities/alert.rb

@@ -1,20 +1,26 @@
-require 'threatstack/entities/event'
-require 'threatstack/entities/rule'
 require 'threatstack/serializable'
 
 module Threatstack
   class Alert
     include Serializable
-    attributes :latest_events, :rule
+    attributes :id, :title, :type, :created_at, :event_count, :is_dismissed, :dismissed_at,
+      :dismissed_reason, :dismissed_reason_text, :dismissed_by, :severity, :agent_id,
+      :rule_id, :ruleset_id, :event_ids
 
-    def latest_events
-      raw['latest_events'].map do |event|
-        Event.new(event)
-      end
+    def rule
+      client.rule(rule_id)
     end
 
-    def rule
-      Rule.new(raw['rule'])
+    def agent
+      client.agent(agent_id)
+    end
+
+    def ruleset
+      client.ruleset(ruleset_id)
+    end
+
+    def events
+      event_ids&.map{ |event_id| client.event(id, event_id)}
     end
   end
 end

data/lib/threatstack/entities/cve.rb

@@ -0,0 +1,9 @@
+require 'threatstack/serializable'
+
+module Threatstack
+  class Cve
+    include Serializable
+    attributes :cve_number, :reported_package, :system_package, :vector_type,
+      :affected_servers, :is_suppressed, :severity
+  end
+end

data/lib/threatstack/entities/{log.rb → generic_object.rb}

@@ -1,7 +1,5 @@
-require 'threatstack/serializable'
-
 module Threatstack
-  class Log
+  class GenericObject
     include Serializable
   end
 end

data/lib/threatstack/entities/rule.rb

@@ -3,10 +3,12 @@ require 'threatstack/serializable'
 module Threatstack
   class Rule
     include Serializable
-    attributes :original_rule
+    attributes :id, :ruleset_id, :name, :type, :severity_of_alerts, :alert_description,
+      :aggregate_fields, :filter, :frequency, :threshold, :suppressions, :ignore_files,
+      :file_integrity_paths, :events_to_monitor
 
-    def original_rule
-      Rule.new(raw['original_rule'])
+    def ruleset
+      client.ruleset(ruleset_id)
     end
   end
 end

data/lib/threatstack/entities/ruleset.rb

@@ -0,0 +1,12 @@
+require 'threatstack/serializable'
+
+module Threatstack
+  class Ruleset
+    include Serializable
+    attributes :id, :rule_ids, :name, :created_at, :updated_at, :description, :agents
+
+    def rules
+      client.rules(id)
+    end
+  end
+end

data/lib/threatstack/response.rb

@@ -1,41 +1,44 @@
+require 'threatstack/serializable'
 require 'threatstack/entities/agent'
 require 'threatstack/entities/alert'
-require 'threatstack/entities/log'
-require 'threatstack/entities/organization'
-require 'threatstack/entities/policy'
+require 'threatstack/entities/cve'
+require 'threatstack/entities/generic_object'
+require 'threatstack/entities/ruleset'
+require 'threatstack/entities/rule'
 
 module Threatstack
   class InvalidEntity < StandardError; end
   class Response
-    attr_reader :entity, :raw
-    def initialize(entity, raw)
-      @raw = raw
-      @entity = entity
-    end
+    attr_reader :entity, :raw, :client
+    include Serializable
 
     def agents
       raise InvalidEntity unless entity == :agent
-      raw.map{ |a| Agent.new(a) }
+      raw.map{ |a| Agent.new(a, client) }
     end
 
     def alerts
       raise InvalidEntity unless entity == :alert
-      raw.map{ |a| Alert.new(a) }
+      raw.map{ |a| Alert.new(a, client) }
+    end
+
+    def cves
+      raise InvalidEntity unless entity == :cve
+      raw.map{ |a| Cve.new(a, client) }
     end
 
-    def logs
-      raise InvalidEntity unless entity == :log
-      raw.map{ |a| Log.new(a) }
+    def rulesets
+      raise InvalidEntity unless entity == :ruleset
+      raw.map{ |r| Ruleset.new(r, client) }
     end
 
-    def organizations
-      raise InvalidEntity unless entity == :organization
-      raw.map{ |a| Organization.new(a) }
+    def rules
+      raise InvalidEntity unless entity == :rule
+      raw.map{ |r| Rule.new(r, client) }
     end
 
-    def policies
-      raise InvalidEntity unless entity == :policy
-      raw.map{ |a| Policy.new(a) }
+    def list
+      raw.map { |g| GenericObject.new(g, client) }
     end
   end
 end

data/lib/threatstack/serializable.rb

@@ -1,23 +1,29 @@
 module Threatstack
   module Serializable
-    attr_reader :raw
+    attr_reader :client, :raw
 
     def self.included(base)
       base.extend ClassMethods
     end
 
-    def initialize(raw)
+    def initialize(raw, client, entity: nil)
+      @client = client
       @raw = raw
+      @entity = entity
     end
 
     def method_missing(m, *args)
-      raw[m.to_s]
+      raw[m.to_s] || raw[camelize(m.to_s)]
     end
 
     def attrs
-      @attrs ||= self.class.default_attrs + raw.keys.map(&:to_sym)
+      @attrs ||= self.class.default_attrs
     end
 
+    def camelize(str)
+      string = str.sub(/^(?:(?=\b|[A-Z_])|\w)/) { $&.downcase }
+      string.gsub(/(?:_|(\/))([a-z\d]*)/) { "#{$1}#{$2.capitalize}" }.gsub('/', '::')
+    end
     module ClassMethods
       def attributes(*args)
         @default_attrs = args

data/lib/threatstack/version.rb

@@ -1,3 +1,3 @@
 module Threatstack
-  VERSION = "0.2.0"
+  VERSION = "1.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: threatstack
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Ryan Canty
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-09-20 00:00:00.000000000 Z
+date: 2017-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -99,16 +99,13 @@ files:
 - lib/threatstack/client.rb
 - lib/threatstack/entities/agent.rb
 - lib/threatstack/entities/alert.rb
-- lib/threatstack/entities/event.rb
-- lib/threatstack/entities/log.rb
-- lib/threatstack/entities/organization.rb
-- lib/threatstack/entities/policy.rb
+- lib/threatstack/entities/cve.rb
+- lib/threatstack/entities/generic_object.rb
 - lib/threatstack/entities/rule.rb
-- lib/threatstack/entities/user_identity.rb
+- lib/threatstack/entities/ruleset.rb
 - lib/threatstack/response.rb
 - lib/threatstack/serializable.rb
 - lib/threatstack/version.rb
-- threatstack-0.1.0.gem
 - threatstack.gemspec
 homepage: https://github.com/getoutreach/threatstack
 licenses:

data/lib/threatstack/entities/event.rb

@@ -1,13 +0,0 @@
-require 'threatstack/entities/user_identity'
-require 'threatstack/serializable'
-
-module Threatstack
-  class Event
-    include Serializable
-    attributes :user_identity
-
-    def user_identity
-      UserIdentity.new(raw['userIdentity'])
-    end
-  end
-end

data/lib/threatstack/entities/organization.rb

@@ -1,7 +0,0 @@
-require 'threatstack/serializable'
-
-module Threatstack
-  class Organization
-    include Serializable
-  end
-end

data/lib/threatstack/entities/policy.rb

@@ -1,12 +0,0 @@
-require 'threatstack/entities/rule'
-
-module Threatstack
-  class Policy
-    include Serializable
-    attributes :rules
-
-    def rules
-      raw['alert_policy'].map{ |r| Rule.new(r) }
-    end
-  end
-end

data/lib/threatstack/entities/user_identity.rb

@@ -1,32 +0,0 @@
-require 'threatstack/serializable'
-
-module Threatstack
-  class UserIdentity
-    include Serializable
-    attributes :user_name, :session_context, :invoked_by, :account_id, :access_key_id, :principal_id
-
-    def user_name
-      raw['userName']
-    end
-
-    def session_context
-      raw['sessionContext']
-    end
-
-    def invoked_by
-      raw['invokedBy']
-    end
-
-    def account_id
-      raw['accountId']
-    end
-
-    def access_key_id
-      raw['accessKeyId']
-    end
-
-    def principal_id
-      raw['principalId']
-    end
-  end
-end