summaryrefslogtreecommitdiffstats
path: root/collections-debian-merged/ansible_collections/ibm/qradar/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'collections-debian-merged/ansible_collections/ibm/qradar/plugins')
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py72
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py173
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py84
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py251
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py191
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py215
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py189
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py84
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py251
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py191
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py215
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py189
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py248
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py138
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py248
-rw-r--r--collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py138
16 files changed, 2877 insertions, 0 deletions
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py
new file mode 100644
index 00000000..f8ecb6e5
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py
@@ -0,0 +1,72 @@
+# (c) 2019 Red Hat Inc.
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+author: Ansible Security Automation Team
+httpapi : qradar
+short_description: HttpApi Plugin for IBM QRadar
+description:
+ - This HttpApi plugin provides methods to connect to IBM QRadar over a
+ HTTP(S)-based api.
+version_added: "1.0"
+"""
+
+import json
+
+from ansible.module_utils.basic import to_text
+from ansible.errors import AnsibleConnectionFailure
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible.plugins.httpapi import HttpApiBase
+from ansible.module_utils.connection import ConnectionError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import BASE_HEADERS
+
+
+class HttpApi(HttpApiBase):
+ def send_request(self, request_method, path, payload=None, headers=None):
+ headers = headers if headers else BASE_HEADERS
+
+ try:
+ self._display_request(request_method)
+ response, response_data = self.connection.send(
+ path, payload, method=request_method, headers=headers
+ )
+ value = self._get_response_value(response_data)
+
+ return response.getcode(), self._response_to_json(value)
+ except HTTPError as e:
+ error = json.loads(e.read())
+ return e.code, error
+
+ def _display_request(self, request_method):
+ self.connection.queue_message(
+ "vvvv", "Web Services: %s %s" % (request_method, self.connection._url)
+ )
+
+ def _get_response_value(self, response_data):
+ return to_text(response_data.getvalue())
+
+ def _response_to_json(self, response_text):
+ try:
+ return json.loads(response_text) if response_text else {}
+ # JSONDecodeError only available on Python 3.5+
+ except ValueError:
+ raise ConnectionError("Invalid JSON response: %s" % response_text)
+
+ def update_auth(self, response, response_text):
+ cookie = response.info().get("Set-Cookie")
+ # Set the 'SEC' header
+ if "SEC" in cookie:
+ return {"SEC": cookie.split(";")[0].split("=")[-1]}
+
+ return None
+
+ def logout(self):
+ self.send_request("POST", "/auth/logout")
+
+ # Clean up tokens
+ self.connection._auth = None
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py
new file mode 100644
index 00000000..e3bab33d
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py
@@ -0,0 +1,173 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+from ansible.module_utils.urls import CertificateError
+from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus
+from ansible.module_utils.connection import ConnectionError
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible.module_utils.connection import Connection
+from ansible.module_utils._text import to_text
+
+import json
+
+BASE_HEADERS = {"Content-Type": "application/json", "Version": "9.1"}
+
+
+def find_dict_in_list(some_list, key, value):
+ text_type = False
+ try:
+ to_text(value)
+ text_type = True
+ except TypeError:
+ pass
+ for some_dict in some_list:
+ if key in some_dict:
+ if text_type:
+ if to_text(some_dict[key]).strip() == to_text(value).strip():
+ return some_dict, some_list.index(some_dict)
+ else:
+ if some_dict[key] == value:
+ return some_dict, some_list.index(some_dict)
+ return None
+
+
+def set_offense_values(module, qradar_request):
+ if module.params["closing_reason"]:
+ found_closing_reason = qradar_request.get_by_path(
+ "api/siem/offense_closing_reasons?filter={0}".format(
+ quote_plus('text="{0}"'.format(module.params["closing_reason"]))
+ )
+ )
+ if found_closing_reason:
+ module.params["closing_reason_id"] = found_closing_reason[0]["id"]
+ else:
+ module.fail_json(
+ "Unable to find closing_reason text: {0}".format(
+ module.params["closing_reason"]
+ )
+ )
+
+ if module.params["status"]:
+ module.params["status"] = module.params["status"].upper()
+
+
+class QRadarRequest(object):
+ def __init__(self, module, headers=None, not_rest_data_keys=None):
+
+ self.module = module
+ self.connection = Connection(self.module._socket_path)
+
+ # This allows us to exclude specific argspec keys from being included by
+ # the rest data that don't follow the qradar_* naming convention
+ if not_rest_data_keys:
+ self.not_rest_data_keys = not_rest_data_keys
+ else:
+ self.not_rest_data_keys = []
+ self.not_rest_data_keys.append("validate_certs")
+ self.headers = headers if headers else BASE_HEADERS
+
+ def _httpapi_error_handle(self, method, uri, payload=None):
+ # FIXME - make use of handle_httperror(self, exception) where applicable
+ # https://docs.ansible.com/ansible/latest/network/dev_guide/developing_plugins_network.html#developing-plugins-httpapi
+
+ try:
+ code, response = self.connection.send_request(
+ method, uri, payload=payload, headers=self.headers
+ )
+ except ConnectionError as e:
+ self.module.fail_json(msg="connection error occurred: {0}".format(e))
+ except CertificateError as e:
+ self.module.fail_json(msg="certificate error occurred: {0}".format(e))
+ except ValueError as e:
+ self.module.fail_json(msg="certificate not found: {0}".format(e))
+
+ if code == 404:
+ if (
+ to_text("Object not found") in to_text(response)
+ or to_text("Could not find object") in to_text(response)
+ or to_text("No offense was found") in to_text(response)
+ ):
+ return {}
+
+ if code == 409:
+ if "code" in response:
+ if response["code"] in [1002, 1004]:
+ # https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/9.2--staged_config-deploy_status-POST.html
+ # Documentation says we should get 1002, but I'm getting 1004 from QRadar
+ return response
+ else:
+ self.module.fail_json(
+ msg="qradar httpapi returned error {0} with message {1}".format(
+ code, response
+ )
+ )
+ elif not (code >= 200 and code < 300):
+ self.module.fail_json(
+ msg="qradar httpapi returned error {0} with message {1}".format(
+ code, response
+ )
+ )
+
+ return response
+
+ def get(self, url, **kwargs):
+ return self._httpapi_error_handle("GET", url, **kwargs)
+
+ def put(self, url, **kwargs):
+ return self._httpapi_error_handle("PUT", url, **kwargs)
+
+ def post(self, url, **kwargs):
+ return self._httpapi_error_handle("POST", url, **kwargs)
+
+ def patch(self, url, **kwargs):
+ return self._httpapi_error_handle("PATCH", url, **kwargs)
+
+ def delete(self, url, **kwargs):
+ return self._httpapi_error_handle("DELETE", url, **kwargs)
+
+ def get_data(self):
+ """
+ Get the valid fields that should be passed to the REST API as urlencoded
+ data so long as the argument specification to the module follows the
+ convention:
+ - the key to the argspec item does not start with qradar_
+ - the key does not exist in the not_data_keys list
+ """
+ try:
+ qradar_data = {}
+ for param in self.module.params:
+ if (self.module.params[param]) is not None and (
+ param not in self.not_rest_data_keys
+ ):
+ qradar_data[param] = self.module.params[param]
+ return qradar_data
+
+ except TypeError as e:
+ self.module.fail_json(msg="invalid data type provided: {0}".format(e))
+
+ def post_by_path(self, rest_path, data=None):
+ """
+ POST with data to path
+ """
+ if data is None:
+ data = json.dumps(self.get_data())
+ elif data is False:
+ # Because for some reason some QRadar REST API endpoint use the
+ # query string to modify state
+ return self.post("/{0}".format(rest_path))
+ return self.post("/{0}".format(rest_path), payload=data)
+
+ def create_update(self, rest_path, data=None):
+ """
+ Create or Update a file/directory monitor data input in qradar
+ """
+ if data is None:
+ data = json.dumps(self.get_data())
+ # return self.post("/{0}".format(rest_path), payload=data)
+ return self.patch("/{0}".format(rest_path), payload=data) # PATCH
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py
new file mode 100644
index 00000000..69baa06a
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: deploy
+short_description: Trigger a qradar configuration deployment
+description:
+ - This module allows for INCREMENTAL or FULL deployments
+version_added: "1.0.0"
+options:
+ type:
+ description:
+ - Type of deployment
+ required: false
+ type: str
+ choices:
+ - "INCREMENTAL"
+ - "FULL"
+ default: "INCREMENTAL"
+notes:
+ - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments
+
+author: "Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>"
+"""
+
+EXAMPLES = """
+- name: run an incremental deploy
+ ibm.qradar.deploy:
+ type: INCREMENTAL
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import QRadarRequest
+
+import json
+
+
+def main():
+
+ argspec = dict(
+ type=dict(
+ choices=["INCREMENTAL", "FULL"], required=False, default="INCREMENTAL"
+ )
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=False)
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["state", "type_name", "identifier"],
+ )
+
+ qradar_return_data = qradar_request.post_by_path("api/staged_config/deploy_status")
+
+ if "message" in qradar_return_data and (
+ to_text("No changes to deploy") in to_text(qradar_return_data["message"])
+ ):
+ module.exit_json(
+ msg="No changes to deploy",
+ qradar_return_data=qradar_return_data,
+ changed=False,
+ )
+ else:
+ module.exit_json(
+ msg="Successfully initiated {0} deployment.".format(module.params["type"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py
new file mode 100644
index 00000000..eebb9e9b
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py
@@ -0,0 +1,251 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: log_source_management
+short_description: Manage Log Sources in QRadar
+description:
+ - This module allows for addition, deletion, or modification of Log Sources in QRadar
+version_added: "1.0.0"
+options:
+ name:
+ description:
+ - Name of Log Source
+ required: true
+ type: str
+ state:
+ description:
+ - Add or remove a log source.
+ required: true
+ choices: [ "present", "absent" ]
+ type: str
+ type_name:
+ description:
+ - Type of resource by name
+ required: false
+ type: str
+ type_id:
+ description:
+ - Type of resource by id, as defined in QRadar Log Source Types Documentation
+ required: false
+ type: int
+ protocol_type_id:
+ description:
+ - Type of protocol by id, as defined in QRadar Log Source Types Documentation
+ required: false
+ type: int
+ identifier:
+ description:
+ - Log Source Identifier (Typically IP Address or Hostname of log source)
+ required: true
+ type: str
+ description:
+ description:
+ - Description of log source
+ required: true
+ type: str
+
+notes:
+ - Either C(type) or C(type_id) is required
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+EXAMPLES = """
+- name: Add a snort log source to IBM QRadar
+ ibm.qradar.log_source_management:
+ name: "Snort logs"
+ type_name: "Snort Open Source IDS"
+ state: present
+ description: "Snort IDS remote logs from rsyslog"
+ identifier: "192.168.1.101"
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+)
+
+import json
+
+
+def set_log_source_values(module, qradar_request):
+ if module.params["type_name"]:
+ log_source_type_found = qradar_request.get(
+ "/api/config/event_sources/log_source_management/log_source_types?filter={0}".format(
+ quote('name="{0}"'.format(module.params["type_name"]))
+ )
+ )[0]
+ if module.params["type_id"]:
+ log_source_type_found = qradar_request.get(
+ "api/config/event_sources/log_source_management/log_source_types?filter={0}".format(
+ quote('id="{0}"'.format(module.params["type_id"]))
+ )
+ )[0]
+ if log_source_type_found:
+ if not module.params["type_id"]:
+ module.params["type_id"] = log_source_type_found["id"]
+ else:
+ module.fail_json(
+ msg="Incompatible type provided, please consult QRadar Documentation for Log Source Types"
+ )
+
+ if module.params["protocol_type_id"]:
+ found_dict_in_list, _fdil_index = find_dict_in_list(
+ log_source_type_found["protocol_types"],
+ "protocol_id",
+ module.params["protocol_type_id"],
+ )
+ if not found_dict_in_list:
+ module.fail_json(
+ msg="Incompatible protocol_type_id provided, please consult QRadar Documentation for Log Source Types"
+ )
+ else:
+ # Set it to the default as provided by the QRadar Instance
+ module.params["protocol_type_id"] = log_source_type_found["protocol_types"][0][
+ "protocol_id"
+ ]
+
+ module.params["protocol_parameters"] = [
+ {
+ "id": module.params["protocol_type_id"],
+ "name": "identifier",
+ "value": module.params["identifier"],
+ }
+ ]
+
+
+def main():
+
+ argspec = dict(
+ name=dict(required=True, type="str"),
+ state=dict(choices=["present", "absent"], required=True),
+ type_name=dict(required=False, type="str"),
+ type_id=dict(required=False, type="int"),
+ identifier=dict(required=True, type="str"),
+ protocol_type_id=dict(required=False, type="int"),
+ description=dict(required=True, type="str"),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ required_one_of=[("type_name", "type_id")],
+ mutually_exclusive=[("type_name", "type_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["state", "type_name", "identifier"],
+ )
+
+ log_source_exists = qradar_request.get(
+ "/api/config/event_sources/log_source_management/log_sources?filter={0}".format(
+ quote('name="{0}"'.format(module.params["name"]))
+ )
+ )
+
+ if log_source_exists:
+
+ if module.params["state"] == "present":
+ existing_log_source_protocol_identifier, _elspi_index = find_dict_in_list(
+ log_source_exists[0]["protocol_parameters"], "name", "identifier"
+ )
+
+ set_log_source_values(module, qradar_request)
+
+ comparison_map = [
+ existing_log_source_protocol_identifier["value"]
+ == module.params["identifier"],
+ log_source_exists[0]["name"] == module.params["name"],
+ log_source_exists[0]["type_id"] == module.params["type_id"],
+ to_text(log_source_exists[0]["description"])
+ == to_text(module.params["description"]),
+ ]
+
+ if all(comparison_map):
+ module.exit_json(changed=False, msg="Nothing to do.")
+ else:
+ log_source_exists[0]["protocol_parameters"][
+ _elspi_index
+ ] = module.params["protocol_parameters"][0]
+ log_source_exists[0]["name"] = module.params["name"]
+ log_source_exists[0]["type_id"] = module.params["type_id"]
+ log_source_exists[0]["description"] = module.params["description"]
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.create_update(
+ "api/config/event_sources/log_source_management/log_sources",
+ data=json.dumps(log_source_exists),
+ )
+
+ module.exit_json(
+ msg="Successfully updated log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ if module.params["state"] == "absent":
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.delete(
+ "/api/config/event_sources/log_source_management/log_sources/{0}".format(
+ log_source_exists[0]["id"]
+ )
+ )
+
+ module.exit_json(
+ msg="Successfully deleted log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["state"] == "present":
+ set_log_source_values(module, qradar_request)
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.create_update(
+ "api/config/event_sources/log_source_management/log_sources",
+ data=json.dumps([qradar_request.get_data()]),
+ )
+
+ module.exit_json(
+ msg="Successfully created log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ if module.params["state"] == "absent":
+ module.exit_json(changed=False, msg="Nothing to do.")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py
new file mode 100644
index 00000000..37eceb16
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py
@@ -0,0 +1,191 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_action
+short_description: Take action on a QRadar Offense
+description:
+ - This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - ID of Offense
+ required: true
+ type: int
+ status:
+ description:
+ - One of "open", "hidden" or "closed". (Either all lower case or all caps)
+ required: false
+ choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ]
+ type: str
+ assigned_to:
+ description:
+ - Assign to an user, the QRadar username should be provided
+ required: false
+ type: str
+ closing_reason:
+ description:
+ - Assign a predefined closing reason here, by name.
+ required: false
+ type: str
+ closing_reason_id:
+ description:
+ - Assign a predefined closing reason here, by id.
+ required: false
+ type: int
+ follow_up:
+ description:
+ - Set or unset the flag to follow up on a QRadar Offense
+ required: false
+ type: bool
+ protected:
+ description:
+ - Set or unset the flag to protect a QRadar Offense
+ required: false
+ type: bool
+
+notes:
+ - Requires one of C(name) or C(id) be provided
+ - Only one of C(closing_reason) or C(closing_reason_id) can be provided
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+"""
+# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS
+# name:
+# description:
+# - Name of Offense
+# required: true
+# type: str
+"""
+
+EXAMPLES = """
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ # name=dict(required=False, type='str'),
+ # id=dict(required=False, type='str'),
+ id=dict(required=True, type="int"),
+ assigned_to=dict(required=False, type="str"),
+ closing_reason=dict(required=False, type="str"),
+ closing_reason_id=dict(required=False, type="int"),
+ follow_up=dict(required=False, type="bool"),
+ protected=dict(required=False, type="bool"),
+ status=dict(
+ required=False,
+ choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
+ type="str",
+ ),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ # required_one_of=[
+ # ('name', 'id',),
+ # ],
+ mutually_exclusive=[("closing_reason", "closing_reason_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
+ )
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+
+ found_offense = qradar_request.get(
+ "/api/siem/offenses/{0}".format(module.params["id"])
+ )
+
+ if found_offense:
+ set_offense_values(module, qradar_request)
+
+ post_strs = []
+
+ if module.params["status"] and (
+ to_text(found_offense["status"]) != to_text(module.params["status"])
+ ):
+ post_strs.append("status={0}".format(to_text(module.params["status"])))
+
+ if module.params["assigned_to"] and (
+ to_text(found_offense["assigned_to"])
+ != to_text(module.params["assigned_to"])
+ ):
+ post_strs.append("assigned_to={0}".format(module.params["assigned_to"]))
+
+ if module.params["closing_reason_id"] and (
+ found_offense["closing_reason_id"] != module.params["closing_reason_id"]
+ ):
+ post_strs.append(
+ "closing_reason_id={0}".format(module.params["closing_reason_id"])
+ )
+
+ if module.params["follow_up"] and (
+ found_offense["follow_up"] != module.params["follow_up"]
+ ):
+ post_strs.append("follow_up={0}".format(module.params["follow_up"]))
+
+ if module.params["protected"] and (
+ found_offense["protected"] != module.params["protected"]
+ ):
+ post_strs.append("protected={0}".format(module.params["protected"]))
+
+ if post_strs:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have been made but was not because of Check Mode.",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}?{1}".format(
+ module.params["id"], "&".join(post_strs)
+ )
+ )
+ # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore
+ module.exit_json(
+ msg="Successfully updated Offense ID: {0}".format(module.params["id"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ else:
+ # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore
+ module.fail_json(
+ msg="Unable to find Offense ID: {0}".format(module.params["id"])
+ )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py
new file mode 100644
index 00000000..fd9e4d90
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py
@@ -0,0 +1,215 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_info
+short_description: Obtain information about one or many QRadar Offenses, with filter options
+description:
+ - This module allows to obtain information about one or many QRadar Offenses, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Obtain only information of the Offense with provided ID
+ required: false
+ type: int
+ name:
+ description:
+ - Obtain only information of the Offense that matches the provided name
+ required: false
+ type: str
+ status:
+ description:
+ - Obtain only information of Offenses of a certain status
+ required: false
+ choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ]
+ default: "open"
+ type: str
+ assigned_to:
+ description:
+ - Obtain only information of Offenses assigned to a certain user
+ required: false
+ type: str
+ closing_reason:
+ description:
+ - Obtain only information of Offenses that were closed by a specific closing reason
+ required: false
+ type: str
+ closing_reason_id:
+ description:
+ - Obtain only information of Offenses that were closed by a specific closing reason ID
+ required: false
+ type: int
+ follow_up:
+ description:
+ - Obtain only information of Offenses that are marked with the follow up flag
+ required: false
+ type: bool
+ protected:
+ description:
+ - Obtain only information of Offenses that are protected
+ required: false
+ type: bool
+notes:
+ - You may provide many filters and they will all be applied, except for C(id)
+ as that will return only
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+offenses:
+ description: Information
+ returned: always
+ type: list
+ elements: dict
+ contains:
+ qradar_offenses:
+ description: IBM QRadar Offenses found based on provided filters
+ returned: always
+ type: complex
+ contains:
+ source:
+ description: Init system of the service. One of C(systemd), C(sysv), C(upstart).
+ returned: always
+ type: str
+ sample: sysv
+ state:
+ description: State of the service. Either C(running), C(stopped), or C(unknown).
+ returned: always
+ type: str
+ sample: running
+ status:
+ description: State of the service. Either C(enabled), C(disabled), or C(unknown).
+ returned: systemd systems or RedHat/SUSE flavored sysvinit/upstart
+ type: str
+ sample: enabled
+ name:
+ description: Name of the service.
+ returned: always
+ type: str
+ sample: arp-ethers.service
+"""
+
+
+EXAMPLES = """
+- name: Get list of all currently OPEN IBM QRadar Offenses
+ ibm.qradar.offense_info:
+ status: OPEN
+ register: offense_list
+
+- name: display offense information for debug purposes
+ debug:
+ var: offense_list
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ assigned_to=dict(required=False, type="str"),
+ closing_reason=dict(required=False, type="str"),
+ closing_reason_id=dict(required=False, type="int"),
+ follow_up=dict(required=False, type="bool", default=None),
+ protected=dict(required=False, type="bool", default=None),
+ status=dict(
+ required=False,
+ choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
+ default="open",
+ type="str",
+ ),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ mutually_exclusive=[("closing_reason", "closing_reason_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(module)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+
+ set_offense_values(module, qradar_request)
+
+ if module.params["id"]:
+ offenses = qradar_request.get(
+ "/api/siem/offenses/{0}".format(module.params["id"])
+ )
+
+ else:
+ query_strs = []
+
+ if module.params["status"]:
+ query_strs.append(
+ quote("status={0}".format(to_text(module.params["status"])))
+ )
+
+ if module.params["assigned_to"]:
+ query_strs.append(
+ quote("assigned_to={0}".format(module.params["assigned_to"]))
+ )
+
+ if module.params["closing_reason_id"]:
+ query_strs.append(
+ quote(
+ "closing_reason_id={0}".format(module.params["closing_reason_id"])
+ )
+ )
+
+ if module.params["follow_up"] is not None:
+ query_strs.append(quote("follow_up={0}".format(module.params["follow_up"])))
+
+ if module.params["protected"] is not None:
+ query_strs.append(quote("protected={0}".format(module.params["protected"])))
+
+ if query_strs:
+ offenses = qradar_request.get(
+ "/api/siem/offenses?filter={0}".format("&".join(query_strs))
+ )
+ else:
+ offenses = qradar_request.get("/api/siem/offenses")
+
+ if module.params["name"]:
+ named_offense = find_dict_in_list(
+ offenses, "description", module.params["name"]
+ )
+ if named_offense:
+ offenses = named_offense
+ else:
+ offenses = []
+
+ module.exit_json(offenses=offenses, changed=False)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py
new file mode 100644
index 00000000..3a5fd6a0
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_note
+short_description: Create or update a QRadar Offense Note
+description:
+ - This module allows to create a QRadar Offense note
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Offense ID to operate on
+ required: true
+ type: int
+ note_text:
+ description: The note's text contents
+ required: true
+ type: str
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+"""
+# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS
+# offense_name:
+# description:
+# - Name of Offense
+# required: true
+# type: str
+
+# FIXME - WOULD LIKE TO MANAGE STATE
+# state:
+# description: Define state of the note: present or absent
+# required: false
+# choices: ["present", "absent"]
+# default: "present"
+"""
+
+EXAMPLES = """
+- name: Add a note to QRadar Offense ID 1
+ ibm.qradar.offense_note:
+ id: 1
+ note_text: This an example note entry that should be made on offense id 1
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+)
+
+import copy
+import json
+
+
+def set_offense_values(module, qradar_request):
+ if module.params["closing_reason"]:
+ found_closing_reason = qradar_request.get(
+ "/api/siem/offense_closing_reasons?filter={0}".format(
+ quote('text="{0}"'.format(module.params["closing_reason"]))
+ )
+ )
+ if found_closing_reason:
+ module.params["closing_reason_id"] = found_closing_reason[0]["id"]
+ else:
+ module.fail_json(
+ "Unable to find closing_reason text: {0}".format(
+ module.params["closing_reason"]
+ )
+ )
+
+ if module.params["status"]:
+ module.params["status"] = module.params["status"].upper()
+
+
+def main():
+
+ argspec = dict(
+ # state=dict(required=False, choices=["present", "absent"], type='str', default="present"),
+ id=dict(required=True, type="int"),
+ note_text=dict(required=True, type="str"),
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
+
+ qradar_request = QRadarRequest(module, not_rest_data_keys=["state", "id"],)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+ # FIXME - once this is sorted, add it to module_utils
+
+ found_notes = qradar_request.get(
+ "/api/siem/offenses/{0}/notes?filter={1}".format(
+ module.params["id"],
+ quote('note_text="{0}"'.format(module.params["note_text"])),
+ )
+ )
+
+ # if module.params['state'] == 'present':
+
+ if found_notes:
+ # The note we want exists either by ID or by text name, verify
+
+ note = found_notes[0]
+ if note["note_text"] == module.params["note_text"]:
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ else:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have occured but did not because Check Mode",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}/notes?note_text={1}".format(
+ module.params["id"], quote("{0}".format(module.params["note_text"]))
+ ),
+ data=False,
+ )
+ module.exit_json(
+ msg="Successfully created Offense Note ID: {0}".format(
+ qradar_return_data["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=False,
+ )
+
+ else:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have occured but did not because Check Mode",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}/notes?note_text={1}".format(
+ module.params["id"], quote("{0}".format(module.params["note_text"]))
+ ),
+ data=False,
+ )
+ module.exit_json(
+ msg="Successfully created Offense Note ID: {0}".format(
+ qradar_return_data["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+
+ # FIXME FIXME FIXME - can we actually delete these via the REST API?
+ # if module.params['state'] == 'absent':
+ # if not found_notes:
+ # module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ # else:
+ # if module.check_mode:
+ # module.exit_json(msg="A change would have occured but did not because Check Mode", changed=True)
+ # # FIXME: fix the POST here to actually delete
+ # qradar_return_data = qradar_request.post_by_path(
+ # 'api/siem/offenses/{0}/notes?note_text={1}'.format(
+ # module.params['id'],
+ # quote("{0}".format(module.params['note_text'])),
+ # ),
+ # data=False
+ # )
+ # module.exit_json(
+ # msg="Successfully created Offense Note ID: {0}".format(qradar_return_data['id']),
+ # qradar_return_data=qradar_return_data,
+ # changed=True
+ # )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py
new file mode 100644
index 00000000..69baa06a
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: deploy
+short_description: Trigger a qradar configuration deployment
+description:
+ - This module allows for INCREMENTAL or FULL deployments
+version_added: "1.0.0"
+options:
+ type:
+ description:
+ - Type of deployment
+ required: false
+ type: str
+ choices:
+ - "INCREMENTAL"
+ - "FULL"
+ default: "INCREMENTAL"
+notes:
+ - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments
+
+author: "Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>"
+"""
+
+EXAMPLES = """
+- name: run an incremental deploy
+ ibm.qradar.deploy:
+ type: INCREMENTAL
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import QRadarRequest
+
+import json
+
+
+def main():
+
+ argspec = dict(
+ type=dict(
+ choices=["INCREMENTAL", "FULL"], required=False, default="INCREMENTAL"
+ )
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=False)
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["state", "type_name", "identifier"],
+ )
+
+ qradar_return_data = qradar_request.post_by_path("api/staged_config/deploy_status")
+
+ if "message" in qradar_return_data and (
+ to_text("No changes to deploy") in to_text(qradar_return_data["message"])
+ ):
+ module.exit_json(
+ msg="No changes to deploy",
+ qradar_return_data=qradar_return_data,
+ changed=False,
+ )
+ else:
+ module.exit_json(
+ msg="Successfully initiated {0} deployment.".format(module.params["type"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py
new file mode 100644
index 00000000..eebb9e9b
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py
@@ -0,0 +1,251 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: log_source_management
+short_description: Manage Log Sources in QRadar
+description:
+ - This module allows for addition, deletion, or modification of Log Sources in QRadar
+version_added: "1.0.0"
+options:
+ name:
+ description:
+ - Name of Log Source
+ required: true
+ type: str
+ state:
+ description:
+ - Add or remove a log source.
+ required: true
+ choices: [ "present", "absent" ]
+ type: str
+ type_name:
+ description:
+ - Type of resource by name
+ required: false
+ type: str
+ type_id:
+ description:
+ - Type of resource by id, as defined in QRadar Log Source Types Documentation
+ required: false
+ type: int
+ protocol_type_id:
+ description:
+ - Type of protocol by id, as defined in QRadar Log Source Types Documentation
+ required: false
+ type: int
+ identifier:
+ description:
+ - Log Source Identifier (Typically IP Address or Hostname of log source)
+ required: true
+ type: str
+ description:
+ description:
+ - Description of log source
+ required: true
+ type: str
+
+notes:
+ - Either C(type) or C(type_id) is required
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+EXAMPLES = """
+- name: Add a snort log source to IBM QRadar
+ ibm.qradar.log_source_management:
+ name: "Snort logs"
+ type_name: "Snort Open Source IDS"
+ state: present
+ description: "Snort IDS remote logs from rsyslog"
+ identifier: "192.168.1.101"
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+)
+
+import json
+
+
+def set_log_source_values(module, qradar_request):
+ if module.params["type_name"]:
+ log_source_type_found = qradar_request.get(
+ "/api/config/event_sources/log_source_management/log_source_types?filter={0}".format(
+ quote('name="{0}"'.format(module.params["type_name"]))
+ )
+ )[0]
+ if module.params["type_id"]:
+ log_source_type_found = qradar_request.get(
+ "api/config/event_sources/log_source_management/log_source_types?filter={0}".format(
+ quote('id="{0}"'.format(module.params["type_id"]))
+ )
+ )[0]
+ if log_source_type_found:
+ if not module.params["type_id"]:
+ module.params["type_id"] = log_source_type_found["id"]
+ else:
+ module.fail_json(
+ msg="Incompatible type provided, please consult QRadar Documentation for Log Source Types"
+ )
+
+ if module.params["protocol_type_id"]:
+ found_dict_in_list, _fdil_index = find_dict_in_list(
+ log_source_type_found["protocol_types"],
+ "protocol_id",
+ module.params["protocol_type_id"],
+ )
+ if not found_dict_in_list:
+ module.fail_json(
+ msg="Incompatible protocol_type_id provided, please consult QRadar Documentation for Log Source Types"
+ )
+ else:
+ # Set it to the default as provided by the QRadar Instance
+ module.params["protocol_type_id"] = log_source_type_found["protocol_types"][0][
+ "protocol_id"
+ ]
+
+ module.params["protocol_parameters"] = [
+ {
+ "id": module.params["protocol_type_id"],
+ "name": "identifier",
+ "value": module.params["identifier"],
+ }
+ ]
+
+
+def main():
+
+ argspec = dict(
+ name=dict(required=True, type="str"),
+ state=dict(choices=["present", "absent"], required=True),
+ type_name=dict(required=False, type="str"),
+ type_id=dict(required=False, type="int"),
+ identifier=dict(required=True, type="str"),
+ protocol_type_id=dict(required=False, type="int"),
+ description=dict(required=True, type="str"),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ required_one_of=[("type_name", "type_id")],
+ mutually_exclusive=[("type_name", "type_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["state", "type_name", "identifier"],
+ )
+
+ log_source_exists = qradar_request.get(
+ "/api/config/event_sources/log_source_management/log_sources?filter={0}".format(
+ quote('name="{0}"'.format(module.params["name"]))
+ )
+ )
+
+ if log_source_exists:
+
+ if module.params["state"] == "present":
+ existing_log_source_protocol_identifier, _elspi_index = find_dict_in_list(
+ log_source_exists[0]["protocol_parameters"], "name", "identifier"
+ )
+
+ set_log_source_values(module, qradar_request)
+
+ comparison_map = [
+ existing_log_source_protocol_identifier["value"]
+ == module.params["identifier"],
+ log_source_exists[0]["name"] == module.params["name"],
+ log_source_exists[0]["type_id"] == module.params["type_id"],
+ to_text(log_source_exists[0]["description"])
+ == to_text(module.params["description"]),
+ ]
+
+ if all(comparison_map):
+ module.exit_json(changed=False, msg="Nothing to do.")
+ else:
+ log_source_exists[0]["protocol_parameters"][
+ _elspi_index
+ ] = module.params["protocol_parameters"][0]
+ log_source_exists[0]["name"] = module.params["name"]
+ log_source_exists[0]["type_id"] = module.params["type_id"]
+ log_source_exists[0]["description"] = module.params["description"]
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.create_update(
+ "api/config/event_sources/log_source_management/log_sources",
+ data=json.dumps(log_source_exists),
+ )
+
+ module.exit_json(
+ msg="Successfully updated log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ if module.params["state"] == "absent":
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.delete(
+ "/api/config/event_sources/log_source_management/log_sources/{0}".format(
+ log_source_exists[0]["id"]
+ )
+ )
+
+ module.exit_json(
+ msg="Successfully deleted log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["state"] == "present":
+ set_log_source_values(module, qradar_request)
+ if module.check_mode:
+ qradar_return_data = {
+ "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
+ }
+ else:
+ qradar_return_data = qradar_request.create_update(
+ "api/config/event_sources/log_source_management/log_sources",
+ data=json.dumps([qradar_request.get_data()]),
+ )
+
+ module.exit_json(
+ msg="Successfully created log source: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ if module.params["state"] == "absent":
+ module.exit_json(changed=False, msg="Nothing to do.")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py
new file mode 100644
index 00000000..37eceb16
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py
@@ -0,0 +1,191 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_action
+short_description: Take action on a QRadar Offense
+description:
+ - This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - ID of Offense
+ required: true
+ type: int
+ status:
+ description:
+ - One of "open", "hidden" or "closed". (Either all lower case or all caps)
+ required: false
+ choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ]
+ type: str
+ assigned_to:
+ description:
+ - Assign to an user, the QRadar username should be provided
+ required: false
+ type: str
+ closing_reason:
+ description:
+ - Assign a predefined closing reason here, by name.
+ required: false
+ type: str
+ closing_reason_id:
+ description:
+ - Assign a predefined closing reason here, by id.
+ required: false
+ type: int
+ follow_up:
+ description:
+ - Set or unset the flag to follow up on a QRadar Offense
+ required: false
+ type: bool
+ protected:
+ description:
+ - Set or unset the flag to protect a QRadar Offense
+ required: false
+ type: bool
+
+notes:
+ - Requires one of C(name) or C(id) be provided
+ - Only one of C(closing_reason) or C(closing_reason_id) can be provided
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+"""
+# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS
+# name:
+# description:
+# - Name of Offense
+# required: true
+# type: str
+"""
+
+EXAMPLES = """
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ # name=dict(required=False, type='str'),
+ # id=dict(required=False, type='str'),
+ id=dict(required=True, type="int"),
+ assigned_to=dict(required=False, type="str"),
+ closing_reason=dict(required=False, type="str"),
+ closing_reason_id=dict(required=False, type="int"),
+ follow_up=dict(required=False, type="bool"),
+ protected=dict(required=False, type="bool"),
+ status=dict(
+ required=False,
+ choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
+ type="str",
+ ),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ # required_one_of=[
+ # ('name', 'id',),
+ # ],
+ mutually_exclusive=[("closing_reason", "closing_reason_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
+ )
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+
+ found_offense = qradar_request.get(
+ "/api/siem/offenses/{0}".format(module.params["id"])
+ )
+
+ if found_offense:
+ set_offense_values(module, qradar_request)
+
+ post_strs = []
+
+ if module.params["status"] and (
+ to_text(found_offense["status"]) != to_text(module.params["status"])
+ ):
+ post_strs.append("status={0}".format(to_text(module.params["status"])))
+
+ if module.params["assigned_to"] and (
+ to_text(found_offense["assigned_to"])
+ != to_text(module.params["assigned_to"])
+ ):
+ post_strs.append("assigned_to={0}".format(module.params["assigned_to"]))
+
+ if module.params["closing_reason_id"] and (
+ found_offense["closing_reason_id"] != module.params["closing_reason_id"]
+ ):
+ post_strs.append(
+ "closing_reason_id={0}".format(module.params["closing_reason_id"])
+ )
+
+ if module.params["follow_up"] and (
+ found_offense["follow_up"] != module.params["follow_up"]
+ ):
+ post_strs.append("follow_up={0}".format(module.params["follow_up"]))
+
+ if module.params["protected"] and (
+ found_offense["protected"] != module.params["protected"]
+ ):
+ post_strs.append("protected={0}".format(module.params["protected"]))
+
+ if post_strs:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have been made but was not because of Check Mode.",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}?{1}".format(
+ module.params["id"], "&".join(post_strs)
+ )
+ )
+ # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore
+ module.exit_json(
+ msg="Successfully updated Offense ID: {0}".format(module.params["id"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ else:
+ # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore
+ module.fail_json(
+ msg="Unable to find Offense ID: {0}".format(module.params["id"])
+ )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py
new file mode 100644
index 00000000..fd9e4d90
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py
@@ -0,0 +1,215 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_info
+short_description: Obtain information about one or many QRadar Offenses, with filter options
+description:
+ - This module allows to obtain information about one or many QRadar Offenses, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Obtain only information of the Offense with provided ID
+ required: false
+ type: int
+ name:
+ description:
+ - Obtain only information of the Offense that matches the provided name
+ required: false
+ type: str
+ status:
+ description:
+ - Obtain only information of Offenses of a certain status
+ required: false
+ choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ]
+ default: "open"
+ type: str
+ assigned_to:
+ description:
+ - Obtain only information of Offenses assigned to a certain user
+ required: false
+ type: str
+ closing_reason:
+ description:
+ - Obtain only information of Offenses that were closed by a specific closing reason
+ required: false
+ type: str
+ closing_reason_id:
+ description:
+ - Obtain only information of Offenses that were closed by a specific closing reason ID
+ required: false
+ type: int
+ follow_up:
+ description:
+ - Obtain only information of Offenses that are marked with the follow up flag
+ required: false
+ type: bool
+ protected:
+ description:
+ - Obtain only information of Offenses that are protected
+ required: false
+ type: bool
+notes:
+ - You may provide many filters and they will all be applied, except for C(id)
+ as that will return only
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+offenses:
+ description: Information
+ returned: always
+ type: list
+ elements: dict
+ contains:
+ qradar_offenses:
+ description: IBM QRadar Offenses found based on provided filters
+ returned: always
+ type: complex
+ contains:
+ source:
+ description: Init system of the service. One of C(systemd), C(sysv), C(upstart).
+ returned: always
+ type: str
+ sample: sysv
+ state:
+ description: State of the service. Either C(running), C(stopped), or C(unknown).
+ returned: always
+ type: str
+ sample: running
+ status:
+ description: State of the service. Either C(enabled), C(disabled), or C(unknown).
+ returned: systemd systems or RedHat/SUSE flavored sysvinit/upstart
+ type: str
+ sample: enabled
+ name:
+ description: Name of the service.
+ returned: always
+ type: str
+ sample: arp-ethers.service
+"""
+
+
+EXAMPLES = """
+- name: Get list of all currently OPEN IBM QRadar Offenses
+ ibm.qradar.offense_info:
+ status: OPEN
+ register: offense_list
+
+- name: display offense information for debug purposes
+ debug:
+ var: offense_list
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ assigned_to=dict(required=False, type="str"),
+ closing_reason=dict(required=False, type="str"),
+ closing_reason_id=dict(required=False, type="int"),
+ follow_up=dict(required=False, type="bool", default=None),
+ protected=dict(required=False, type="bool", default=None),
+ status=dict(
+ required=False,
+ choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
+ default="open",
+ type="str",
+ ),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ mutually_exclusive=[("closing_reason", "closing_reason_id")],
+ supports_check_mode=True,
+ )
+
+ qradar_request = QRadarRequest(module)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+
+ set_offense_values(module, qradar_request)
+
+ if module.params["id"]:
+ offenses = qradar_request.get(
+ "/api/siem/offenses/{0}".format(module.params["id"])
+ )
+
+ else:
+ query_strs = []
+
+ if module.params["status"]:
+ query_strs.append(
+ quote("status={0}".format(to_text(module.params["status"])))
+ )
+
+ if module.params["assigned_to"]:
+ query_strs.append(
+ quote("assigned_to={0}".format(module.params["assigned_to"]))
+ )
+
+ if module.params["closing_reason_id"]:
+ query_strs.append(
+ quote(
+ "closing_reason_id={0}".format(module.params["closing_reason_id"])
+ )
+ )
+
+ if module.params["follow_up"] is not None:
+ query_strs.append(quote("follow_up={0}".format(module.params["follow_up"])))
+
+ if module.params["protected"] is not None:
+ query_strs.append(quote("protected={0}".format(module.params["protected"])))
+
+ if query_strs:
+ offenses = qradar_request.get(
+ "/api/siem/offenses?filter={0}".format("&".join(query_strs))
+ )
+ else:
+ offenses = qradar_request.get("/api/siem/offenses")
+
+ if module.params["name"]:
+ named_offense = find_dict_in_list(
+ offenses, "description", module.params["name"]
+ )
+ if named_offense:
+ offenses = named_offense
+ else:
+ offenses = []
+
+ module.exit_json(offenses=offenses, changed=False)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py
new file mode 100644
index 00000000..3a5fd6a0
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: offense_note
+short_description: Create or update a QRadar Offense Note
+description:
+ - This module allows to create a QRadar Offense note
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Offense ID to operate on
+ required: true
+ type: int
+ note_text:
+ description: The note's text contents
+ required: true
+ type: str
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+"""
+# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS
+# offense_name:
+# description:
+# - Name of Offense
+# required: true
+# type: str
+
+# FIXME - WOULD LIKE TO MANAGE STATE
+# state:
+# description: Define state of the note: present or absent
+# required: false
+# choices: ["present", "absent"]
+# default: "present"
+"""
+
+EXAMPLES = """
+- name: Add a note to QRadar Offense ID 1
+ ibm.qradar.offense_note:
+ id: 1
+ note_text: This an example note entry that should be made on offense id 1
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+)
+
+import copy
+import json
+
+
+def set_offense_values(module, qradar_request):
+ if module.params["closing_reason"]:
+ found_closing_reason = qradar_request.get(
+ "/api/siem/offense_closing_reasons?filter={0}".format(
+ quote('text="{0}"'.format(module.params["closing_reason"]))
+ )
+ )
+ if found_closing_reason:
+ module.params["closing_reason_id"] = found_closing_reason[0]["id"]
+ else:
+ module.fail_json(
+ "Unable to find closing_reason text: {0}".format(
+ module.params["closing_reason"]
+ )
+ )
+
+ if module.params["status"]:
+ module.params["status"] = module.params["status"].upper()
+
+
+def main():
+
+ argspec = dict(
+ # state=dict(required=False, choices=["present", "absent"], type='str', default="present"),
+ id=dict(required=True, type="int"),
+ note_text=dict(required=True, type="str"),
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
+
+ qradar_request = QRadarRequest(module, not_rest_data_keys=["state", "id"],)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME
+ # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name']))
+ # FIXME - once this is sorted, add it to module_utils
+
+ found_notes = qradar_request.get(
+ "/api/siem/offenses/{0}/notes?filter={1}".format(
+ module.params["id"],
+ quote('note_text="{0}"'.format(module.params["note_text"])),
+ )
+ )
+
+ # if module.params['state'] == 'present':
+
+ if found_notes:
+ # The note we want exists either by ID or by text name, verify
+
+ note = found_notes[0]
+ if note["note_text"] == module.params["note_text"]:
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ else:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have occured but did not because Check Mode",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}/notes?note_text={1}".format(
+ module.params["id"], quote("{0}".format(module.params["note_text"]))
+ ),
+ data=False,
+ )
+ module.exit_json(
+ msg="Successfully created Offense Note ID: {0}".format(
+ qradar_return_data["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=False,
+ )
+
+ else:
+ if module.check_mode:
+ module.exit_json(
+ msg="A change would have occured but did not because Check Mode",
+ changed=True,
+ )
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/siem/offenses/{0}/notes?note_text={1}".format(
+ module.params["id"], quote("{0}".format(module.params["note_text"]))
+ ),
+ data=False,
+ )
+ module.exit_json(
+ msg="Successfully created Offense Note ID: {0}".format(
+ qradar_return_data["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+
+ module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+
+ # FIXME FIXME FIXME - can we actually delete these via the REST API?
+ # if module.params['state'] == 'absent':
+ # if not found_notes:
+ # module.exit_json(msg="No changes necessary. Nothing to do.", changed=False)
+ # else:
+ # if module.check_mode:
+ # module.exit_json(msg="A change would have occured but did not because Check Mode", changed=True)
+ # # FIXME: fix the POST here to actually delete
+ # qradar_return_data = qradar_request.post_by_path(
+ # 'api/siem/offenses/{0}/notes?note_text={1}'.format(
+ # module.params['id'],
+ # quote("{0}".format(module.params['note_text'])),
+ # ),
+ # data=False
+ # )
+ # module.exit_json(
+ # msg="Successfully created Offense Note ID: {0}".format(qradar_return_data['id']),
+ # qradar_return_data=qradar_return_data,
+ # changed=True
+ # )
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py
new file mode 100644
index 00000000..57c70ee5
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py
@@ -0,0 +1,248 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: rule
+short_description: Manage state of QRadar Rules, with filter options
+description:
+ - Manage state of QRadar Rules, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Manage state of a QRadar Rule by ID
+ required: false
+ type: int
+ name:
+ description:
+ - Manage state of a QRadar Rule by name
+ required: false
+ type: str
+ state:
+ description:
+ - Manage state of a QRadar Rule
+ required: True
+ choices: [ "enabled", "disabled", "absent" ]
+ type: str
+ owner:
+ description:
+ - Manage ownership of a QRadar Rule
+ required: false
+ type: str
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Enable Rule 'Ansible Example DDoS Rule'
+ qradar_rule:
+ name: 'Ansible Example DDOS Rule'
+ state: enabled
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ state=dict(
+ required=True, choices=["enabled", "disabled", "absent"], type="str"
+ ),
+ owner=dict(required=False, type="str"),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ supports_check_mode=True,
+ required_one_of=[("name", "id")],
+ mutually_exclusive=[("name", "id")],
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["id", "name", "state", "owner"],
+ )
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name']))
+ module.params["rule"] = {}
+
+ if module.params["id"]:
+ module.params["rule"] = qradar_request.get(
+ "/api/analytics/rules/{0}".format(module.params["id"])
+ )
+
+ elif module.params["name"]:
+ rules = qradar_request.get(
+ "/api/analytics/rules?filter={0}".format(
+ quote('"{0}"'.format(module.params["name"]))
+ )
+ )
+ if rules:
+ module.params["rule"] = rules[0]
+ module.params["id"] = rules[0]["id"]
+
+ if module.params["state"] == "enabled":
+ if module.params["rule"]:
+ if module.params["rule"]["enabled"] is True:
+ # Already enabled
+ if module.params["id"]:
+ module.exit_json(
+ msg="No change needed for rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ else:
+ # Not enabled, enable It
+ module.params["rule"]["enabled"] = True
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/analytics/rules/{0}".format(module.params["rule"]["id"]),
+ data=json.dumps(module.params["rule"]),
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully enabled rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["id"]:
+ module.fail_json(
+ msg="Unable to find rule ID: {0}".format(module.params["id"])
+ )
+ if module.params["name"]:
+ module.fail_json(
+ msg='Unable to find rule named: "{0}"'.format(module.params["name"])
+ )
+
+ elif module.params["state"] == "disabled":
+ if module.params["rule"]:
+ if module.params["rule"]["enabled"] is False:
+ # Already disabled
+ if module.params["id"]:
+ module.exit_json(
+ msg="No change needed for rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ else:
+ # Not disabled, disable It
+ module.params["rule"]["enabled"] = False
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/analytics/rules/{0}".format(module.params["rule"]["id"]),
+ data=json.dumps(module.params["rule"]),
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully disabled rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully disabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["id"]:
+ module.fail_json(
+ msg="Unable to find rule ID: {0}".format(module.params["id"])
+ )
+ if module.params["name"]:
+ module.fail_json(
+ msg='Unable to find rule named: "{0}"'.format(module.params["name"])
+ )
+
+ elif module.params["state"] == "absent":
+ if module.params["rule"]:
+ qradar_return_data = qradar_request.delete(
+ "/api/analytics/rules/{0}".format(module.params["rule"]["id"])
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully deleted rule ID: {0}".format(module.params["id"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully deleted rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ module.exit_json(msg="Nothing to do, rule not found.")
+
+ module.exit_json(rules=rules, changed=False)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py
new file mode 100644
index 00000000..174d4079
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py
@@ -0,0 +1,138 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: rule_info
+short_description: Obtain information about one or many QRadar Rules, with filter options
+description:
+ - This module obtains information about one or many QRadar Rules, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Obtain only information of the Rule with provided ID
+ required: false
+ type: int
+ name:
+ description:
+ - Obtain only information of the Rule that matches the provided name
+ required: false
+ type: str
+ type:
+ description:
+ - Obtain only information for the Rules of a certain type
+ required: false
+ choices: [ "EVENT", "FLOW", "COMMON", "USER"]
+ type: str
+ owner:
+ description:
+ - Obtain only information of Rules owned by a certain user
+ required: false
+ type: str
+ origin:
+ description:
+ - Obtain only information of Rules that are of a certain origin
+ required: false
+ choices: ["SYSTEM", "OVERRIDE", "USER"]
+ type: str
+notes:
+ - You may provide many filters and they will all be applied, except for C(id)
+ as that will return only the Rule identified by the unique ID provided.
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>"
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Get information about the Rule named "Custom Company DDoS Rule"
+ ibm.qradar.rule_info:
+ name: "Custom Company DDoS Rule"
+ register: custom_ddos_rule_info
+
+- name: debugging output of the custom_ddos_rule_info registered variable
+ debug:
+ var: custom_ddos_rule_info
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ owner=dict(required=False, type="str"),
+ type=dict(
+ required=False, choices=["EVENT", "FLOW", "COMMON", "USER"], type="str"
+ ),
+ origin=dict(required=False, choices=["SYSTEM", "OVERRIDE", "USER"], type="str"),
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
+
+ qradar_request = QRadarRequest(module)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name']))
+
+ if module.params["id"]:
+ rules = qradar_request.get(
+ "/api/analytics/rules/{0}".format(module.params["id"])
+ )
+
+ else:
+ query_strs = []
+
+ if module.params["name"]:
+ query_strs.append(
+ quote('name="{0}"'.format(to_text(module.params["name"])))
+ )
+
+ if module.params["owner"]:
+ query_strs.append(quote("owner={0}".format(module.params["owner"])))
+
+ if module.params["type"]:
+ query_strs.append(quote("type={0}".format(module.params["type"])))
+
+ if module.params["origin"]:
+ query_strs.append(quote("origin={0}".format(module.params["origin"])))
+
+ if query_strs:
+ rules = qradar_request.get(
+ "/api/analytics/rules?filter={0}".format("&".join(query_strs))
+ )
+ else:
+ rules = qradar_request.get("/api/analytics/rules")
+
+ module.exit_json(rules=rules, changed=False)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py
new file mode 100644
index 00000000..57c70ee5
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py
@@ -0,0 +1,248 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: rule
+short_description: Manage state of QRadar Rules, with filter options
+description:
+ - Manage state of QRadar Rules, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Manage state of a QRadar Rule by ID
+ required: false
+ type: int
+ name:
+ description:
+ - Manage state of a QRadar Rule by name
+ required: false
+ type: str
+ state:
+ description:
+ - Manage state of a QRadar Rule
+ required: True
+ choices: [ "enabled", "disabled", "absent" ]
+ type: str
+ owner:
+ description:
+ - Manage ownership of a QRadar Rule
+ required: false
+ type: str
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Enable Rule 'Ansible Example DDoS Rule'
+ qradar_rule:
+ name: 'Ansible Example DDOS Rule'
+ state: enabled
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ state=dict(
+ required=True, choices=["enabled", "disabled", "absent"], type="str"
+ ),
+ owner=dict(required=False, type="str"),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argspec,
+ supports_check_mode=True,
+ required_one_of=[("name", "id")],
+ mutually_exclusive=[("name", "id")],
+ )
+
+ qradar_request = QRadarRequest(
+ module, not_rest_data_keys=["id", "name", "state", "owner"],
+ )
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name']))
+ module.params["rule"] = {}
+
+ if module.params["id"]:
+ module.params["rule"] = qradar_request.get(
+ "/api/analytics/rules/{0}".format(module.params["id"])
+ )
+
+ elif module.params["name"]:
+ rules = qradar_request.get(
+ "/api/analytics/rules?filter={0}".format(
+ quote('"{0}"'.format(module.params["name"]))
+ )
+ )
+ if rules:
+ module.params["rule"] = rules[0]
+ module.params["id"] = rules[0]["id"]
+
+ if module.params["state"] == "enabled":
+ if module.params["rule"]:
+ if module.params["rule"]["enabled"] is True:
+ # Already enabled
+ if module.params["id"]:
+ module.exit_json(
+ msg="No change needed for rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ else:
+ # Not enabled, enable It
+ module.params["rule"]["enabled"] = True
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/analytics/rules/{0}".format(module.params["rule"]["id"]),
+ data=json.dumps(module.params["rule"]),
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully enabled rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["id"]:
+ module.fail_json(
+ msg="Unable to find rule ID: {0}".format(module.params["id"])
+ )
+ if module.params["name"]:
+ module.fail_json(
+ msg='Unable to find rule named: "{0}"'.format(module.params["name"])
+ )
+
+ elif module.params["state"] == "disabled":
+ if module.params["rule"]:
+ if module.params["rule"]["enabled"] is False:
+ # Already disabled
+ if module.params["id"]:
+ module.exit_json(
+ msg="No change needed for rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully enabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data={},
+ changed=False,
+ )
+ else:
+ # Not disabled, disable It
+ module.params["rule"]["enabled"] = False
+
+ qradar_return_data = qradar_request.post_by_path(
+ "api/analytics/rules/{0}".format(module.params["rule"]["id"]),
+ data=json.dumps(module.params["rule"]),
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully disabled rule ID: {0}".format(
+ module.params["id"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully disabled rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ if module.params["id"]:
+ module.fail_json(
+ msg="Unable to find rule ID: {0}".format(module.params["id"])
+ )
+ if module.params["name"]:
+ module.fail_json(
+ msg='Unable to find rule named: "{0}"'.format(module.params["name"])
+ )
+
+ elif module.params["state"] == "absent":
+ if module.params["rule"]:
+ qradar_return_data = qradar_request.delete(
+ "/api/analytics/rules/{0}".format(module.params["rule"]["id"])
+ )
+ if module.params["id"]:
+ module.exit_json(
+ msg="Successfully deleted rule ID: {0}".format(module.params["id"]),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ if module.params["name"]:
+ module.exit_json(
+ msg="Successfully deleted rule named: {0}".format(
+ module.params["name"]
+ ),
+ qradar_return_data=qradar_return_data,
+ changed=True,
+ )
+ else:
+ module.exit_json(msg="Nothing to do, rule not found.")
+
+ module.exit_json(rules=rules, changed=False)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py
new file mode 100644
index 00000000..174d4079
--- /dev/null
+++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py
@@ -0,0 +1,138 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2019, Adam Miller (admiller@redhat.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+---
+module: rule_info
+short_description: Obtain information about one or many QRadar Rules, with filter options
+description:
+ - This module obtains information about one or many QRadar Rules, with filter options
+version_added: "1.0.0"
+options:
+ id:
+ description:
+ - Obtain only information of the Rule with provided ID
+ required: false
+ type: int
+ name:
+ description:
+ - Obtain only information of the Rule that matches the provided name
+ required: false
+ type: str
+ type:
+ description:
+ - Obtain only information for the Rules of a certain type
+ required: false
+ choices: [ "EVENT", "FLOW", "COMMON", "USER"]
+ type: str
+ owner:
+ description:
+ - Obtain only information of Rules owned by a certain user
+ required: false
+ type: str
+ origin:
+ description:
+ - Obtain only information of Rules that are of a certain origin
+ required: false
+ choices: ["SYSTEM", "OVERRIDE", "USER"]
+ type: str
+notes:
+ - You may provide many filters and they will all be applied, except for C(id)
+ as that will return only the Rule identified by the unique ID provided.
+
+author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>"
+"""
+
+
+# FIXME - provide correct example here
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Get information about the Rule named "Custom Company DDoS Rule"
+ ibm.qradar.rule_info:
+ name: "Custom Company DDoS Rule"
+ register: custom_ddos_rule_info
+
+- name: debugging output of the custom_ddos_rule_info registered variable
+ debug:
+ var: custom_ddos_rule_info
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+
+from ansible.module_utils.urls import Request
+from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible.module_utils.six.moves.urllib.error import HTTPError
+from ansible_collections.ibm.qradar.plugins.module_utils.qradar import (
+ QRadarRequest,
+ find_dict_in_list,
+ set_offense_values,
+)
+
+import copy
+import json
+
+
+def main():
+
+ argspec = dict(
+ id=dict(required=False, type="int"),
+ name=dict(required=False, type="str"),
+ owner=dict(required=False, type="str"),
+ type=dict(
+ required=False, choices=["EVENT", "FLOW", "COMMON", "USER"], type="str"
+ ),
+ origin=dict(required=False, choices=["SYSTEM", "OVERRIDE", "USER"], type="str"),
+ )
+
+ module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
+
+ qradar_request = QRadarRequest(module)
+
+ # if module.params['name']:
+ # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET)
+ # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name']))
+
+ if module.params["id"]:
+ rules = qradar_request.get(
+ "/api/analytics/rules/{0}".format(module.params["id"])
+ )
+
+ else:
+ query_strs = []
+
+ if module.params["name"]:
+ query_strs.append(
+ quote('name="{0}"'.format(to_text(module.params["name"])))
+ )
+
+ if module.params["owner"]:
+ query_strs.append(quote("owner={0}".format(module.params["owner"])))
+
+ if module.params["type"]:
+ query_strs.append(quote("type={0}".format(module.params["type"])))
+
+ if module.params["origin"]:
+ query_strs.append(quote("origin={0}".format(module.params["origin"])))
+
+ if query_strs:
+ rules = qradar_request.get(
+ "/api/analytics/rules?filter={0}".format("&".join(query_strs))
+ )
+ else:
+ rules = qradar_request.get("/api/analytics/rules")
+
+ module.exit_json(rules=rules, changed=False)
+
+
+if __name__ == "__main__":
+ main()