Forge Home


Installs the Threat Stack agent


73,672 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.12 (latest)
  • 2.0.11
  • 2.0.10
  • 2.0.9
  • 2.0.8
  • 2.0.7
  • 2.0.6
  • 2.0.5
  • 2.0.4 (deleted)
  • 2.0.3 (deleted)
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.8.1
  • 1.8.0
  • 1.7.0
  • 1.6.0
  • 1.5.6
  • 1.5.5
  • 1.5.4
  • 1.5.3
  • 1.5.2
  • 1.5.1
  • 1.5.0
  • 1.4.0
  • 1.3.0
  • 1.2.0
  • 1.1.0
  • 1.0.1
  • 1.0.0
released Dec 30th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.5.0 < 7.0.0
  • , , Amazon, , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'threatstack-threatstack', '2.0.12'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add threatstack-threatstack
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install threatstack-threatstack --version 2.0.12

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



threatstack/threatstack — version 2.0.12 Dec 30th 2020

Threat Stack Puppet Module

Build Status Puppet Forge

Puppet manifests to deploy the Threat Stack server agent.

Threat Stack is a continuous cloud security monitoring service. It aims to provide an organization greater security, compliance, and operational efficiency. Threat Stack customers can use this module to deploy the agent and register hosts.

For more see


  • Amazon Linux 1 & 2
  • CentOS
  • Debian
  • RedHat
  • Ubuntu
  • Windows


  • threatstack - Main class
  • threatstack::apt (private) - Setup apt repository configuration and package install
  • threatstack::configure (private) - Register and configure the agent with the Threat Stack service
  • threatstack::msi (private) - Dummy repo class for Windows installs
  • threatstack::package (private) - Install the Threat Stack agent
  • threatstack::params (private) - Default setup values
  • threatstack::service (private) - Manage the Threat Stack service
  • threatstack::site (private) - Used by Puppet test-kitchen
  • threatstack::sysmon (private) - Installs sysmon service and default config on Windows
  • threatstack::yum (private) - Setup yum repository configuration and package install


  • threatstack::deploy_key [required] - Set the deploy key for registering the agent.
  • threatstack::rulesets [optional array] - Set the ruleset or rulesets the node will be added to (Default: 'Base Rule Set').
  • threatstack::configure_agent [optiona bool] - Set to false to just install agent without configuring. Useful for image building.
  • threatstack::agent_config_args [optional array of hashes] - Extra arguments to pass during agent activation. Useful for enabling new platform features.
  • threatstack::disable_auditd [optional bool] - Disable auditd service to avoid installation issues. (Default is 'true' on RHEL-like OSes.)
  • threatstack::enable_sysmon [optional bool] - used via threatstack::sysmon to enable sysmon service on Windows hosts
  • threatstack::extra_args [optional array of hashes] - optional array of hashes to define setup options for the threatstack agent (Default: undef)
  • threatstack::confdir [optional string] - path to config directory for the threatstack service (Default: '/opt/threatstack/etc')
  • threatstack::ts_hostname [optional string] - hostname of your node (Default: $::fqdn)
  • threatstack::gpg_key [optional string] - gpg key url for use with yum/apt repos (Default: set in threatstack::params based on operating system)
  • threatstack::package_version [optional string] - version of the threatstack-agent package to install (Default: installed)
  • threatstack::repo_class [optional string] - name of puppet class that configures the threatstack package repo (Default: either threatstack::apt or threatstack::yum, set in threatstack::params based on operating system)
  • threatstack::repo_url [optional string] - url used by threatstack package repo (Default: defined in threatstack::params for Debian and RedHat operating system families.)
  • threatstack::repo_enabled [optional string] - enable/disable the threatstack repo (Default: defined in threatstack::params for RedHat operating system families.)
  • threatstack::windows_download_url [optional string] - url used to download Threatstack Agent MSI on Windows
  • threatstack::windows_install_options [optional array] - Windows MSI install options
  • threatstack::windows_ts_package [optional string] - Windows MSI package name

Example usage

Below are some examples for how to use this module.

Standard usage

Supply your Threat Stack deploy key, and if you choose, an array of rulesets.

class { '::threatstack':
  deploy_key    => 'MyDeployKey',
  ruleset       => ['MyRuleset']

Using a package mirror

If you manage your own package repository from which you deploy the agent package then supply repo_url and gpg_key.

class { '::threatstack':
  deploy_key    => 'MyDeployKey',
  ruleset       => ['MyRuleset'],
  repo_url      => ''
  gpg_key       => ''

Agent installation into golden image

If installing the agent into an image that will be deployed for multiple instances, configure the class to not configure the agent while creating the image. If the agent is registered and configured in the golden image then events and alerting will not be correct.

class { '::threatstack':
  configure_agent => false,


Run the following to perform basic spec testing.

bundle install
bundle exec rake spec

Integration testing requires setting TS_DEPLOY_KEY in the environment to a valid key value for tests to succeed.

export TS_DEPLOY_KEY='<deploy_key>'
bundle exec kitchen test

Contributing enhancements/fixes

See the CONTRIBUTING document for details.