Guardsix (guardsix v1.2.2)

Copy Markdown View Source

Elixir library for interacting with the Guardsix API.

Build a client, then pass it to any domain module.

Setup

client = Guardsix.client("https://guardsix.company.com", "admin", "secret")
query = Guardsix.search_params("user=*", "Last 24 hours", 100, ["127.0.0.1"])

# Block until final results (polls automatically)
{:ok, result} = Guardsix.run_search(client, query)

# Low-level primitives are still available
alias Guardsix.Core.Search

{:ok, %{"search_id" => id}} = Search.get_id(client, query)
{:ok, result}               = Search.get_result(client, id)
{:ok, prefs}                = Search.user_preference(client)
{:ok, repos}                = Search.repos(client)

Incidents

alias Guardsix.Core.Incident

{:ok, incidents} = Incident.list(client, start_time, end_time)
{:ok, states}    = Incident.list_states(client, start_time, end_time)
{:ok, _}         = Incident.resolve(client, ["id1"])
{:ok, _}         = Incident.close(client, ["id2"])
{:ok, _}         = Incident.reopen(client, ["id3"])
{:ok, _}         = Incident.assign(client, ["id1"], "user_id")
{:ok, _}         = Incident.add_comments(client, [Guardsix.comment("id1", "note")])
{:ok, users}     = Incident.get_users(client)

Alert Rules

alias Guardsix.Data.Rule
alias Guardsix.Core.AlertRule

{:ok, rules} = AlertRule.list(client)
{:ok, rule}  = AlertRule.get(client, "rule-id")
{:ok, _}     = AlertRule.activate(client, ["id1", "id2"])
{:ok, _}     = AlertRule.deactivate(client, ["id1"])
{:ok, _}     = AlertRule.delete(client, ["id1"])

# Builder-style alert rule creation
rule =
  Guardsix.rule("Brute Force Detection")
  |> Rule.description("Detects brute force login attempts")
  |> Rule.query("error_code=4625")
  |> Rule.time_range(1, :day)
  |> Rule.repos(["10.0.0.1"])
  |> Rule.limit(100)
  |> Rule.threshold(:greaterthan, 5)
  |> Rule.risk_level("high")
  |> Rule.aggregation_type("max")
  |> Rule.assignee("admin")

{:ok, _} = AlertRule.create(client, rule)

# Email notification
alias Guardsix.Data.EmailNotification

notif =
  Guardsix.email_notification(["rule-1"], "admin@example.com")
  |> EmailNotification.subject("Alert: {{ rule_name }}")
  |> EmailNotification.template("<p>Details</p>")

{:ok, _} = AlertRule.create_email_notification(client, notif)

# HTTP notification
alias Guardsix.Data.HttpNotification

webhook =
  Guardsix.http_notification(["rule-1"], "https://hooks.slack.com/abc", :post)
  |> HttpNotification.body(~s({"text": "{{ rule_name }}"}))
  |> HttpNotification.bearer_auth("my-token")

{:ok, _} = AlertRule.create_http_notification(client, webhook)

Guardsix Repos & User-Defined Lists

alias Guardsix.Core.GuardsixRepo
alias Guardsix.Core.UserDefinedList
alias Guardsix.Core.UserDefinedListBySession

{:ok, repos} = GuardsixRepo.list(client)
{:ok, lists} = UserDefinedList.list(client)

# Session-based operations (unstable)
{:ok, session} = Guardsix.session("https://guardsix.example.com", "admin", "password")
{:ok, data} = UserDefinedListBySession.extract(session, "list-id")
{:ok, _} = UserDefinedListBySession.update_static_by_name(session, "MY_LIST", ["val1"])
{:ok, _} = UserDefinedListBySession.delete_by_name(session, "MY_LIST")

SSL

client = Guardsix.client("https://192.168.1.100", "admin", "secret", ssl_verify: false)

Summary

Functions

Create a client for the Guardsix API.

Build an incident comment.

Check whether a Guardsix instance is running in debug mode.

Get the default authentication method of a Guardsix instance.

Build an email notification for alert rules.

Check whether a Guardsix instance has failover enabled.

Build an HTTP notification for alert rules.

Build an alert rule.

Run a search and block until final results arrive.

Build a search query with explicit start and end times.

Create an authenticated session for UI endpoints that do not support JWT.

Fetch the version of a running Guardsix instance from its landing page.

Functions

client(base_url, username, secret_key, opts \\ [])

@spec client(String.t(), String.t(), String.t(), keyword()) ::
  Guardsix.Data.Client.t()

Create a client for the Guardsix API.

Options

  • :ssl_verify - verify SSL certificates (default: true)

comment(incident_id, comments)

@spec comment(String.t(), String.t() | [String.t()]) :: Guardsix.Data.Comment.t()

Build an incident comment.

debug?(base_url, opts \\ [])

@spec debug?(
  String.t(),
  keyword()
) :: {:ok, boolean()} | {:error, term()}

Check whether a Guardsix instance is running in debug mode.

Options

  • :ssl_verify - verify SSL certificates (default: true)

Examples

{:ok, false} = Guardsix.debug?("https://guardsix.example.com")

default_auth(base_url, opts \\ [])

@spec default_auth(
  String.t(),
  keyword()
) :: {:ok, String.t()} | {:error, term()}

Get the default authentication method of a Guardsix instance.

Options

  • :ssl_verify - verify SSL certificates (default: true)

Examples

{:ok, "LogpointAuthentication"} = Guardsix.default_auth("https://guardsix.example.com")

email_notification(ids, emails)

@spec email_notification([String.t()], String.t() | [String.t()]) ::
  Guardsix.Data.EmailNotification.t()

Build an email notification for alert rules.

failover?(base_url, opts \\ [])

@spec failover?(
  String.t(),
  keyword()
) :: {:ok, boolean()} | {:error, term()}

Check whether a Guardsix instance has failover enabled.

Options

  • :ssl_verify - verify SSL certificates (default: true)

Examples

{:ok, false} = Guardsix.failover?("https://guardsix.example.com")

http_notification(ids, url, request_type)

@spec http_notification([String.t()], String.t(), atom()) ::
  Guardsix.Data.HttpNotification.t()

Build an HTTP notification for alert rules.

rule(name)

@spec rule(String.t()) :: Guardsix.Data.Rule.t()

Build an alert rule.

run_search(client, query, opts \\ [])

@spec run_search(Guardsix.Data.Client.t(), Guardsix.Data.SearchParams.t(), keyword()) ::
  {:ok, map()} | {:error, term()}

Run a search and block until final results arrive.

Polls automatically, handling expired searches by resubmitting the query.

Options

  • :polling_interval — milliseconds between polls (default: 1_000)
  • :max_attempts — maximum poll iterations (default: 30)

search_params(query, time_range, limit, repos)

@spec search_params(String.t(), String.t() | [number()], non_neg_integer(), [
  String.t()
]) ::
  Guardsix.Data.SearchParams.t()

Build a search query.

search_params(query, start_time, end_time, limit, repos)

@spec search_params(String.t(), number(), number(), non_neg_integer(), [String.t()]) ::
  Guardsix.Data.SearchParams.t()

Build a search query with explicit start and end times.

session(base_url, username, password, opts \\ [])

@spec session(String.t(), String.t(), String.t(), keyword()) ::
  {:ok, Guardsix.Data.Session.t()} | {:error, term()}

Create an authenticated session for UI endpoints that do not support JWT.

Warning

This relies on internal LogPoint UI endpoints and may break if LogPoint changes its login flow, CSRF handling, or page structure.

Options

  • :ssl_verify - verify SSL certificates (default: true)

Examples

{:ok, session} = Guardsix.session("https://guardsix.example.com", "admin", "password")

version(base_url, opts \\ [])

@spec version(
  String.t(),
  keyword()
) :: {:ok, String.t()} | {:error, term()}

Fetch the version of a running Guardsix instance from its landing page.

Options

  • :format - :short (default) returns the semantic version (e.g. "7.7.1"),
            `:long` returns the full build version (e.g. `"7.7.1.0_1766842968"`)
  • :ssl_verify - verify SSL certificates (default: true)

Examples

{:ok, "7.7.1"} = Guardsix.version("https://guardsix.example.com")
{:ok, "7.7.1.0_1766842968"} = Guardsix.version("https://guardsix.example.com", format: :long)