Elixir library for interacting with the Guardsix API.
Build a client, then pass it to any domain module.
Setup
client = Guardsix.client("https://guardsix.company.com", "admin", "secret")Search
query = Guardsix.search_params("user=*", "Last 24 hours", 100, ["127.0.0.1"])
# Block until final results (polls automatically)
{:ok, result} = Guardsix.run_search(client, query)
# Low-level primitives are still available
alias Guardsix.Core.Search
{:ok, %{"search_id" => id}} = Search.get_id(client, query)
{:ok, result} = Search.get_result(client, id)
{:ok, prefs} = Search.user_preference(client)
{:ok, repos} = Search.repos(client)Incidents
alias Guardsix.Core.Incident
{:ok, incidents} = Incident.list(client, start_time, end_time)
{:ok, states} = Incident.list_states(client, start_time, end_time)
{:ok, _} = Incident.resolve(client, ["id1"])
{:ok, _} = Incident.close(client, ["id2"])
{:ok, _} = Incident.reopen(client, ["id3"])
{:ok, _} = Incident.assign(client, ["id1"], "user_id")
{:ok, _} = Incident.add_comments(client, [Guardsix.comment("id1", "note")])
{:ok, users} = Incident.get_users(client)Alert Rules
alias Guardsix.Data.Rule
alias Guardsix.Core.AlertRule
{:ok, rules} = AlertRule.list(client)
{:ok, rule} = AlertRule.get(client, "rule-id")
{:ok, _} = AlertRule.activate(client, ["id1", "id2"])
{:ok, _} = AlertRule.deactivate(client, ["id1"])
{:ok, _} = AlertRule.delete(client, ["id1"])
# Builder-style alert rule creation
rule =
Guardsix.rule("Brute Force Detection")
|> Rule.description("Detects brute force login attempts")
|> Rule.query("error_code=4625")
|> Rule.time_range(1, :day)
|> Rule.repos(["10.0.0.1"])
|> Rule.limit(100)
|> Rule.threshold(:greaterthan, 5)
|> Rule.risk_level("high")
|> Rule.aggregation_type("max")
|> Rule.assignee("admin")
{:ok, _} = AlertRule.create(client, rule)
# Email notification
alias Guardsix.Data.EmailNotification
notif =
Guardsix.email_notification(["rule-1"], "admin@example.com")
|> EmailNotification.subject("Alert: {{ rule_name }}")
|> EmailNotification.template("<p>Details</p>")
{:ok, _} = AlertRule.create_email_notification(client, notif)
# HTTP notification
alias Guardsix.Data.HttpNotification
webhook =
Guardsix.http_notification(["rule-1"], "https://hooks.slack.com/abc", :post)
|> HttpNotification.body(~s({"text": "{{ rule_name }}"}))
|> HttpNotification.bearer_auth("my-token")
{:ok, _} = AlertRule.create_http_notification(client, webhook)Guardsix Repos & User-Defined Lists
alias Guardsix.Core.GuardsixRepo
alias Guardsix.Core.UserDefinedList
alias Guardsix.Core.UserDefinedListBySession
{:ok, repos} = GuardsixRepo.list(client)
{:ok, lists} = UserDefinedList.list(client)
# Session-based operations (unstable)
{:ok, session} = Guardsix.session("https://guardsix.example.com", "admin", "password")
{:ok, data} = UserDefinedListBySession.extract(session, "list-id")
{:ok, _} = UserDefinedListBySession.update_static_by_name(session, "MY_LIST", ["val1"])
{:ok, _} = UserDefinedListBySession.delete_by_name(session, "MY_LIST")SSL
client = Guardsix.client("https://192.168.1.100", "admin", "secret", ssl_verify: false)
Summary
Functions
Create a client for the Guardsix API.
Build an incident comment.
Check whether a Guardsix instance is running in debug mode.
Get the default authentication method of a Guardsix instance.
Build an email notification for alert rules.
Check whether a Guardsix instance has failover enabled.
Build an HTTP notification for alert rules.
Build an alert rule.
Run a search and block until final results arrive.
Build a search query.
Build a search query with explicit start and end times.
Create an authenticated session for UI endpoints that do not support JWT.
Fetch the version of a running Guardsix instance from its landing page.
Functions
@spec client(String.t(), String.t(), String.t(), keyword()) :: Guardsix.Data.Client.t()
Create a client for the Guardsix API.
Options
:ssl_verify- verify SSL certificates (default:true)
@spec comment(String.t(), String.t() | [String.t()]) :: Guardsix.Data.Comment.t()
Build an incident comment.
Check whether a Guardsix instance is running in debug mode.
Options
:ssl_verify- verify SSL certificates (default:true)
Examples
{:ok, false} = Guardsix.debug?("https://guardsix.example.com")
Get the default authentication method of a Guardsix instance.
Options
:ssl_verify- verify SSL certificates (default:true)
Examples
{:ok, "LogpointAuthentication"} = Guardsix.default_auth("https://guardsix.example.com")
@spec email_notification([String.t()], String.t() | [String.t()]) :: Guardsix.Data.EmailNotification.t()
Build an email notification for alert rules.
Check whether a Guardsix instance has failover enabled.
Options
:ssl_verify- verify SSL certificates (default:true)
Examples
{:ok, false} = Guardsix.failover?("https://guardsix.example.com")
@spec http_notification([String.t()], String.t(), atom()) :: Guardsix.Data.HttpNotification.t()
Build an HTTP notification for alert rules.
@spec rule(String.t()) :: Guardsix.Data.Rule.t()
Build an alert rule.
@spec run_search(Guardsix.Data.Client.t(), Guardsix.Data.SearchParams.t(), keyword()) :: {:ok, map()} | {:error, term()}
Run a search and block until final results arrive.
Polls automatically, handling expired searches by resubmitting the query.
Options
:polling_interval— milliseconds between polls (default:1_000):max_attempts— maximum poll iterations (default:30)
@spec search_params(String.t(), String.t() | [number()], non_neg_integer(), [ String.t() ]) :: Guardsix.Data.SearchParams.t()
Build a search query.
@spec search_params(String.t(), number(), number(), non_neg_integer(), [String.t()]) :: Guardsix.Data.SearchParams.t()
Build a search query with explicit start and end times.
@spec session(String.t(), String.t(), String.t(), keyword()) :: {:ok, Guardsix.Data.Session.t()} | {:error, term()}
Create an authenticated session for UI endpoints that do not support JWT.
Warning
This relies on internal LogPoint UI endpoints and may break if LogPoint changes its login flow, CSRF handling, or page structure.
Options
:ssl_verify- verify SSL certificates (default:true)
Examples
{:ok, session} = Guardsix.session("https://guardsix.example.com", "admin", "password")
Fetch the version of a running Guardsix instance from its landing page.
Options
:format-:short(default) returns the semantic version (e.g."7.7.1"),`:long` returns the full build version (e.g. `"7.7.1.0_1766842968"`):ssl_verify- verify SSL certificates (default:true)
Examples
{:ok, "7.7.1"} = Guardsix.version("https://guardsix.example.com")
{:ok, "7.7.1.0_1766842968"} = Guardsix.version("https://guardsix.example.com", format: :long)