diff options
Diffstat (limited to 'collections-debian-merged/ansible_collections/ibm/qradar/plugins')
16 files changed, 2877 insertions, 0 deletions
diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py new file mode 100644 index 00000000..f8ecb6e5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/httpapi/qradar.py @@ -0,0 +1,72 @@ +# (c) 2019 Red Hat Inc. +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +author: Ansible Security Automation Team +httpapi : qradar +short_description: HttpApi Plugin for IBM QRadar +description: + - This HttpApi plugin provides methods to connect to IBM QRadar over a + HTTP(S)-based api. +version_added: "1.0" +""" + +import json + +from ansible.module_utils.basic import to_text +from ansible.errors import AnsibleConnectionFailure +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible.plugins.httpapi import HttpApiBase +from ansible.module_utils.connection import ConnectionError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import BASE_HEADERS + + +class HttpApi(HttpApiBase): + def send_request(self, request_method, path, payload=None, headers=None): + headers = headers if headers else BASE_HEADERS + + try: + self._display_request(request_method) + response, response_data = self.connection.send( + path, payload, method=request_method, headers=headers + ) + value = self._get_response_value(response_data) + + return response.getcode(), self._response_to_json(value) + except HTTPError as e: + error = json.loads(e.read()) + return e.code, error + + def _display_request(self, request_method): + self.connection.queue_message( + "vvvv", "Web Services: %s %s" % (request_method, self.connection._url) + ) + + def _get_response_value(self, response_data): + return to_text(response_data.getvalue()) + + def _response_to_json(self, response_text): + try: + return json.loads(response_text) if response_text else {} + # JSONDecodeError only available on Python 3.5+ + except ValueError: + raise ConnectionError("Invalid JSON response: %s" % response_text) + + def update_auth(self, response, response_text): + cookie = response.info().get("Set-Cookie") + # Set the 'SEC' header + if "SEC" in cookie: + return {"SEC": cookie.split(";")[0].split("=")[-1]} + + return None + + def logout(self): + self.send_request("POST", "/auth/logout") + + # Clean up tokens + self.connection._auth = None diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py new file mode 100644 index 00000000..e3bab33d --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/module_utils/qradar.py @@ -0,0 +1,173 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type +from ansible.module_utils.urls import CertificateError +from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus +from ansible.module_utils.connection import ConnectionError +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible.module_utils.connection import Connection +from ansible.module_utils._text import to_text + +import json + +BASE_HEADERS = {"Content-Type": "application/json", "Version": "9.1"} + + +def find_dict_in_list(some_list, key, value): + text_type = False + try: + to_text(value) + text_type = True + except TypeError: + pass + for some_dict in some_list: + if key in some_dict: + if text_type: + if to_text(some_dict[key]).strip() == to_text(value).strip(): + return some_dict, some_list.index(some_dict) + else: + if some_dict[key] == value: + return some_dict, some_list.index(some_dict) + return None + + +def set_offense_values(module, qradar_request): + if module.params["closing_reason"]: + found_closing_reason = qradar_request.get_by_path( + "api/siem/offense_closing_reasons?filter={0}".format( + quote_plus('text="{0}"'.format(module.params["closing_reason"])) + ) + ) + if found_closing_reason: + module.params["closing_reason_id"] = found_closing_reason[0]["id"] + else: + module.fail_json( + "Unable to find closing_reason text: {0}".format( + module.params["closing_reason"] + ) + ) + + if module.params["status"]: + module.params["status"] = module.params["status"].upper() + + +class QRadarRequest(object): + def __init__(self, module, headers=None, not_rest_data_keys=None): + + self.module = module + self.connection = Connection(self.module._socket_path) + + # This allows us to exclude specific argspec keys from being included by + # the rest data that don't follow the qradar_* naming convention + if not_rest_data_keys: + self.not_rest_data_keys = not_rest_data_keys + else: + self.not_rest_data_keys = [] + self.not_rest_data_keys.append("validate_certs") + self.headers = headers if headers else BASE_HEADERS + + def _httpapi_error_handle(self, method, uri, payload=None): + # FIXME - make use of handle_httperror(self, exception) where applicable + # https://docs.ansible.com/ansible/latest/network/dev_guide/developing_plugins_network.html#developing-plugins-httpapi + + try: + code, response = self.connection.send_request( + method, uri, payload=payload, headers=self.headers + ) + except ConnectionError as e: + self.module.fail_json(msg="connection error occurred: {0}".format(e)) + except CertificateError as e: + self.module.fail_json(msg="certificate error occurred: {0}".format(e)) + except ValueError as e: + self.module.fail_json(msg="certificate not found: {0}".format(e)) + + if code == 404: + if ( + to_text("Object not found") in to_text(response) + or to_text("Could not find object") in to_text(response) + or to_text("No offense was found") in to_text(response) + ): + return {} + + if code == 409: + if "code" in response: + if response["code"] in [1002, 1004]: + # https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/9.2--staged_config-deploy_status-POST.html + # Documentation says we should get 1002, but I'm getting 1004 from QRadar + return response + else: + self.module.fail_json( + msg="qradar httpapi returned error {0} with message {1}".format( + code, response + ) + ) + elif not (code >= 200 and code < 300): + self.module.fail_json( + msg="qradar httpapi returned error {0} with message {1}".format( + code, response + ) + ) + + return response + + def get(self, url, **kwargs): + return self._httpapi_error_handle("GET", url, **kwargs) + + def put(self, url, **kwargs): + return self._httpapi_error_handle("PUT", url, **kwargs) + + def post(self, url, **kwargs): + return self._httpapi_error_handle("POST", url, **kwargs) + + def patch(self, url, **kwargs): + return self._httpapi_error_handle("PATCH", url, **kwargs) + + def delete(self, url, **kwargs): + return self._httpapi_error_handle("DELETE", url, **kwargs) + + def get_data(self): + """ + Get the valid fields that should be passed to the REST API as urlencoded + data so long as the argument specification to the module follows the + convention: + - the key to the argspec item does not start with qradar_ + - the key does not exist in the not_data_keys list + """ + try: + qradar_data = {} + for param in self.module.params: + if (self.module.params[param]) is not None and ( + param not in self.not_rest_data_keys + ): + qradar_data[param] = self.module.params[param] + return qradar_data + + except TypeError as e: + self.module.fail_json(msg="invalid data type provided: {0}".format(e)) + + def post_by_path(self, rest_path, data=None): + """ + POST with data to path + """ + if data is None: + data = json.dumps(self.get_data()) + elif data is False: + # Because for some reason some QRadar REST API endpoint use the + # query string to modify state + return self.post("/{0}".format(rest_path)) + return self.post("/{0}".format(rest_path), payload=data) + + def create_update(self, rest_path, data=None): + """ + Create or Update a file/directory monitor data input in qradar + """ + if data is None: + data = json.dumps(self.get_data()) + # return self.post("/{0}".format(rest_path), payload=data) + return self.patch("/{0}".format(rest_path), payload=data) # PATCH diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py new file mode 100644 index 00000000..69baa06a --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/deploy.py @@ -0,0 +1,84 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: deploy +short_description: Trigger a qradar configuration deployment +description: + - This module allows for INCREMENTAL or FULL deployments +version_added: "1.0.0" +options: + type: + description: + - Type of deployment + required: false + type: str + choices: + - "INCREMENTAL" + - "FULL" + default: "INCREMENTAL" +notes: + - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments + +author: "Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>" +""" + +EXAMPLES = """ +- name: run an incremental deploy + ibm.qradar.deploy: + type: INCREMENTAL +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import QRadarRequest + +import json + + +def main(): + + argspec = dict( + type=dict( + choices=["INCREMENTAL", "FULL"], required=False, default="INCREMENTAL" + ) + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=False) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["state", "type_name", "identifier"], + ) + + qradar_return_data = qradar_request.post_by_path("api/staged_config/deploy_status") + + if "message" in qradar_return_data and ( + to_text("No changes to deploy") in to_text(qradar_return_data["message"]) + ): + module.exit_json( + msg="No changes to deploy", + qradar_return_data=qradar_return_data, + changed=False, + ) + else: + module.exit_json( + msg="Successfully initiated {0} deployment.".format(module.params["type"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py new file mode 100644 index 00000000..eebb9e9b --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/log_source_management.py @@ -0,0 +1,251 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: log_source_management +short_description: Manage Log Sources in QRadar +description: + - This module allows for addition, deletion, or modification of Log Sources in QRadar +version_added: "1.0.0" +options: + name: + description: + - Name of Log Source + required: true + type: str + state: + description: + - Add or remove a log source. + required: true + choices: [ "present", "absent" ] + type: str + type_name: + description: + - Type of resource by name + required: false + type: str + type_id: + description: + - Type of resource by id, as defined in QRadar Log Source Types Documentation + required: false + type: int + protocol_type_id: + description: + - Type of protocol by id, as defined in QRadar Log Source Types Documentation + required: false + type: int + identifier: + description: + - Log Source Identifier (Typically IP Address or Hostname of log source) + required: true + type: str + description: + description: + - Description of log source + required: true + type: str + +notes: + - Either C(type) or C(type_id) is required + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +EXAMPLES = """ +- name: Add a snort log source to IBM QRadar + ibm.qradar.log_source_management: + name: "Snort logs" + type_name: "Snort Open Source IDS" + state: present + description: "Snort IDS remote logs from rsyslog" + identifier: "192.168.1.101" +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, +) + +import json + + +def set_log_source_values(module, qradar_request): + if module.params["type_name"]: + log_source_type_found = qradar_request.get( + "/api/config/event_sources/log_source_management/log_source_types?filter={0}".format( + quote('name="{0}"'.format(module.params["type_name"])) + ) + )[0] + if module.params["type_id"]: + log_source_type_found = qradar_request.get( + "api/config/event_sources/log_source_management/log_source_types?filter={0}".format( + quote('id="{0}"'.format(module.params["type_id"])) + ) + )[0] + if log_source_type_found: + if not module.params["type_id"]: + module.params["type_id"] = log_source_type_found["id"] + else: + module.fail_json( + msg="Incompatible type provided, please consult QRadar Documentation for Log Source Types" + ) + + if module.params["protocol_type_id"]: + found_dict_in_list, _fdil_index = find_dict_in_list( + log_source_type_found["protocol_types"], + "protocol_id", + module.params["protocol_type_id"], + ) + if not found_dict_in_list: + module.fail_json( + msg="Incompatible protocol_type_id provided, please consult QRadar Documentation for Log Source Types" + ) + else: + # Set it to the default as provided by the QRadar Instance + module.params["protocol_type_id"] = log_source_type_found["protocol_types"][0][ + "protocol_id" + ] + + module.params["protocol_parameters"] = [ + { + "id": module.params["protocol_type_id"], + "name": "identifier", + "value": module.params["identifier"], + } + ] + + +def main(): + + argspec = dict( + name=dict(required=True, type="str"), + state=dict(choices=["present", "absent"], required=True), + type_name=dict(required=False, type="str"), + type_id=dict(required=False, type="int"), + identifier=dict(required=True, type="str"), + protocol_type_id=dict(required=False, type="int"), + description=dict(required=True, type="str"), + ) + + module = AnsibleModule( + argument_spec=argspec, + required_one_of=[("type_name", "type_id")], + mutually_exclusive=[("type_name", "type_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["state", "type_name", "identifier"], + ) + + log_source_exists = qradar_request.get( + "/api/config/event_sources/log_source_management/log_sources?filter={0}".format( + quote('name="{0}"'.format(module.params["name"])) + ) + ) + + if log_source_exists: + + if module.params["state"] == "present": + existing_log_source_protocol_identifier, _elspi_index = find_dict_in_list( + log_source_exists[0]["protocol_parameters"], "name", "identifier" + ) + + set_log_source_values(module, qradar_request) + + comparison_map = [ + existing_log_source_protocol_identifier["value"] + == module.params["identifier"], + log_source_exists[0]["name"] == module.params["name"], + log_source_exists[0]["type_id"] == module.params["type_id"], + to_text(log_source_exists[0]["description"]) + == to_text(module.params["description"]), + ] + + if all(comparison_map): + module.exit_json(changed=False, msg="Nothing to do.") + else: + log_source_exists[0]["protocol_parameters"][ + _elspi_index + ] = module.params["protocol_parameters"][0] + log_source_exists[0]["name"] = module.params["name"] + log_source_exists[0]["type_id"] = module.params["type_id"] + log_source_exists[0]["description"] = module.params["description"] + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.create_update( + "api/config/event_sources/log_source_management/log_sources", + data=json.dumps(log_source_exists), + ) + + module.exit_json( + msg="Successfully updated log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + if module.params["state"] == "absent": + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.delete( + "/api/config/event_sources/log_source_management/log_sources/{0}".format( + log_source_exists[0]["id"] + ) + ) + + module.exit_json( + msg="Successfully deleted log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["state"] == "present": + set_log_source_values(module, qradar_request) + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.create_update( + "api/config/event_sources/log_source_management/log_sources", + data=json.dumps([qradar_request.get_data()]), + ) + + module.exit_json( + msg="Successfully created log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + if module.params["state"] == "absent": + module.exit_json(changed=False, msg="Nothing to do.") + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py new file mode 100644 index 00000000..37eceb16 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_action.py @@ -0,0 +1,191 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_action +short_description: Take action on a QRadar Offense +description: + - This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses +version_added: "1.0.0" +options: + id: + description: + - ID of Offense + required: true + type: int + status: + description: + - One of "open", "hidden" or "closed". (Either all lower case or all caps) + required: false + choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ] + type: str + assigned_to: + description: + - Assign to an user, the QRadar username should be provided + required: false + type: str + closing_reason: + description: + - Assign a predefined closing reason here, by name. + required: false + type: str + closing_reason_id: + description: + - Assign a predefined closing reason here, by id. + required: false + type: int + follow_up: + description: + - Set or unset the flag to follow up on a QRadar Offense + required: false + type: bool + protected: + description: + - Set or unset the flag to protect a QRadar Offense + required: false + type: bool + +notes: + - Requires one of C(name) or C(id) be provided + - Only one of C(closing_reason) or C(closing_reason_id) can be provided + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +""" +# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS +# name: +# description: +# - Name of Offense +# required: true +# type: str +""" + +EXAMPLES = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + # name=dict(required=False, type='str'), + # id=dict(required=False, type='str'), + id=dict(required=True, type="int"), + assigned_to=dict(required=False, type="str"), + closing_reason=dict(required=False, type="str"), + closing_reason_id=dict(required=False, type="int"), + follow_up=dict(required=False, type="bool"), + protected=dict(required=False, type="bool"), + status=dict( + required=False, + choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"], + type="str", + ), + ) + + module = AnsibleModule( + argument_spec=argspec, + # required_one_of=[ + # ('name', 'id',), + # ], + mutually_exclusive=[("closing_reason", "closing_reason_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"], + ) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + + found_offense = qradar_request.get( + "/api/siem/offenses/{0}".format(module.params["id"]) + ) + + if found_offense: + set_offense_values(module, qradar_request) + + post_strs = [] + + if module.params["status"] and ( + to_text(found_offense["status"]) != to_text(module.params["status"]) + ): + post_strs.append("status={0}".format(to_text(module.params["status"]))) + + if module.params["assigned_to"] and ( + to_text(found_offense["assigned_to"]) + != to_text(module.params["assigned_to"]) + ): + post_strs.append("assigned_to={0}".format(module.params["assigned_to"])) + + if module.params["closing_reason_id"] and ( + found_offense["closing_reason_id"] != module.params["closing_reason_id"] + ): + post_strs.append( + "closing_reason_id={0}".format(module.params["closing_reason_id"]) + ) + + if module.params["follow_up"] and ( + found_offense["follow_up"] != module.params["follow_up"] + ): + post_strs.append("follow_up={0}".format(module.params["follow_up"])) + + if module.params["protected"] and ( + found_offense["protected"] != module.params["protected"] + ): + post_strs.append("protected={0}".format(module.params["protected"])) + + if post_strs: + if module.check_mode: + module.exit_json( + msg="A change would have been made but was not because of Check Mode.", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}?{1}".format( + module.params["id"], "&".join(post_strs) + ) + ) + # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore + module.exit_json( + msg="Successfully updated Offense ID: {0}".format(module.params["id"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + else: + # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore + module.fail_json( + msg="Unable to find Offense ID: {0}".format(module.params["id"]) + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py new file mode 100644 index 00000000..fd9e4d90 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_info.py @@ -0,0 +1,215 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_info +short_description: Obtain information about one or many QRadar Offenses, with filter options +description: + - This module allows to obtain information about one or many QRadar Offenses, with filter options +version_added: "1.0.0" +options: + id: + description: + - Obtain only information of the Offense with provided ID + required: false + type: int + name: + description: + - Obtain only information of the Offense that matches the provided name + required: false + type: str + status: + description: + - Obtain only information of Offenses of a certain status + required: false + choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ] + default: "open" + type: str + assigned_to: + description: + - Obtain only information of Offenses assigned to a certain user + required: false + type: str + closing_reason: + description: + - Obtain only information of Offenses that were closed by a specific closing reason + required: false + type: str + closing_reason_id: + description: + - Obtain only information of Offenses that were closed by a specific closing reason ID + required: false + type: int + follow_up: + description: + - Obtain only information of Offenses that are marked with the follow up flag + required: false + type: bool + protected: + description: + - Obtain only information of Offenses that are protected + required: false + type: bool +notes: + - You may provide many filters and they will all be applied, except for C(id) + as that will return only + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + + +# FIXME - provide correct example here +RETURN = """ +offenses: + description: Information + returned: always + type: list + elements: dict + contains: + qradar_offenses: + description: IBM QRadar Offenses found based on provided filters + returned: always + type: complex + contains: + source: + description: Init system of the service. One of C(systemd), C(sysv), C(upstart). + returned: always + type: str + sample: sysv + state: + description: State of the service. Either C(running), C(stopped), or C(unknown). + returned: always + type: str + sample: running + status: + description: State of the service. Either C(enabled), C(disabled), or C(unknown). + returned: systemd systems or RedHat/SUSE flavored sysvinit/upstart + type: str + sample: enabled + name: + description: Name of the service. + returned: always + type: str + sample: arp-ethers.service +""" + + +EXAMPLES = """ +- name: Get list of all currently OPEN IBM QRadar Offenses + ibm.qradar.offense_info: + status: OPEN + register: offense_list + +- name: display offense information for debug purposes + debug: + var: offense_list +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + assigned_to=dict(required=False, type="str"), + closing_reason=dict(required=False, type="str"), + closing_reason_id=dict(required=False, type="int"), + follow_up=dict(required=False, type="bool", default=None), + protected=dict(required=False, type="bool", default=None), + status=dict( + required=False, + choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"], + default="open", + type="str", + ), + ) + + module = AnsibleModule( + argument_spec=argspec, + mutually_exclusive=[("closing_reason", "closing_reason_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest(module) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + + set_offense_values(module, qradar_request) + + if module.params["id"]: + offenses = qradar_request.get( + "/api/siem/offenses/{0}".format(module.params["id"]) + ) + + else: + query_strs = [] + + if module.params["status"]: + query_strs.append( + quote("status={0}".format(to_text(module.params["status"]))) + ) + + if module.params["assigned_to"]: + query_strs.append( + quote("assigned_to={0}".format(module.params["assigned_to"])) + ) + + if module.params["closing_reason_id"]: + query_strs.append( + quote( + "closing_reason_id={0}".format(module.params["closing_reason_id"]) + ) + ) + + if module.params["follow_up"] is not None: + query_strs.append(quote("follow_up={0}".format(module.params["follow_up"]))) + + if module.params["protected"] is not None: + query_strs.append(quote("protected={0}".format(module.params["protected"]))) + + if query_strs: + offenses = qradar_request.get( + "/api/siem/offenses?filter={0}".format("&".join(query_strs)) + ) + else: + offenses = qradar_request.get("/api/siem/offenses") + + if module.params["name"]: + named_offense = find_dict_in_list( + offenses, "description", module.params["name"] + ) + if named_offense: + offenses = named_offense + else: + offenses = [] + + module.exit_json(offenses=offenses, changed=False) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py new file mode 100644 index 00000000..3a5fd6a0 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/offense_note.py @@ -0,0 +1,189 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_note +short_description: Create or update a QRadar Offense Note +description: + - This module allows to create a QRadar Offense note +version_added: "1.0.0" +options: + id: + description: + - Offense ID to operate on + required: true + type: int + note_text: + description: The note's text contents + required: true + type: str + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +""" +# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS +# offense_name: +# description: +# - Name of Offense +# required: true +# type: str + +# FIXME - WOULD LIKE TO MANAGE STATE +# state: +# description: Define state of the note: present or absent +# required: false +# choices: ["present", "absent"] +# default: "present" +""" + +EXAMPLES = """ +- name: Add a note to QRadar Offense ID 1 + ibm.qradar.offense_note: + id: 1 + note_text: This an example note entry that should be made on offense id 1 +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, +) + +import copy +import json + + +def set_offense_values(module, qradar_request): + if module.params["closing_reason"]: + found_closing_reason = qradar_request.get( + "/api/siem/offense_closing_reasons?filter={0}".format( + quote('text="{0}"'.format(module.params["closing_reason"])) + ) + ) + if found_closing_reason: + module.params["closing_reason_id"] = found_closing_reason[0]["id"] + else: + module.fail_json( + "Unable to find closing_reason text: {0}".format( + module.params["closing_reason"] + ) + ) + + if module.params["status"]: + module.params["status"] = module.params["status"].upper() + + +def main(): + + argspec = dict( + # state=dict(required=False, choices=["present", "absent"], type='str', default="present"), + id=dict(required=True, type="int"), + note_text=dict(required=True, type="str"), + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) + + qradar_request = QRadarRequest(module, not_rest_data_keys=["state", "id"],) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + # FIXME - once this is sorted, add it to module_utils + + found_notes = qradar_request.get( + "/api/siem/offenses/{0}/notes?filter={1}".format( + module.params["id"], + quote('note_text="{0}"'.format(module.params["note_text"])), + ) + ) + + # if module.params['state'] == 'present': + + if found_notes: + # The note we want exists either by ID or by text name, verify + + note = found_notes[0] + if note["note_text"] == module.params["note_text"]: + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + else: + if module.check_mode: + module.exit_json( + msg="A change would have occured but did not because Check Mode", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}/notes?note_text={1}".format( + module.params["id"], quote("{0}".format(module.params["note_text"])) + ), + data=False, + ) + module.exit_json( + msg="Successfully created Offense Note ID: {0}".format( + qradar_return_data["id"] + ), + qradar_return_data=qradar_return_data, + changed=False, + ) + + else: + if module.check_mode: + module.exit_json( + msg="A change would have occured but did not because Check Mode", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}/notes?note_text={1}".format( + module.params["id"], quote("{0}".format(module.params["note_text"])) + ), + data=False, + ) + module.exit_json( + msg="Successfully created Offense Note ID: {0}".format( + qradar_return_data["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + + # FIXME FIXME FIXME - can we actually delete these via the REST API? + # if module.params['state'] == 'absent': + # if not found_notes: + # module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + # else: + # if module.check_mode: + # module.exit_json(msg="A change would have occured but did not because Check Mode", changed=True) + # # FIXME: fix the POST here to actually delete + # qradar_return_data = qradar_request.post_by_path( + # 'api/siem/offenses/{0}/notes?note_text={1}'.format( + # module.params['id'], + # quote("{0}".format(module.params['note_text'])), + # ), + # data=False + # ) + # module.exit_json( + # msg="Successfully created Offense Note ID: {0}".format(qradar_return_data['id']), + # qradar_return_data=qradar_return_data, + # changed=True + # ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py new file mode 100644 index 00000000..69baa06a --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_deploy.py @@ -0,0 +1,84 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: deploy +short_description: Trigger a qradar configuration deployment +description: + - This module allows for INCREMENTAL or FULL deployments +version_added: "1.0.0" +options: + type: + description: + - Type of deployment + required: false + type: str + choices: + - "INCREMENTAL" + - "FULL" + default: "INCREMENTAL" +notes: + - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments + +author: "Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>" +""" + +EXAMPLES = """ +- name: run an incremental deploy + ibm.qradar.deploy: + type: INCREMENTAL +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import QRadarRequest + +import json + + +def main(): + + argspec = dict( + type=dict( + choices=["INCREMENTAL", "FULL"], required=False, default="INCREMENTAL" + ) + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=False) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["state", "type_name", "identifier"], + ) + + qradar_return_data = qradar_request.post_by_path("api/staged_config/deploy_status") + + if "message" in qradar_return_data and ( + to_text("No changes to deploy") in to_text(qradar_return_data["message"]) + ): + module.exit_json( + msg="No changes to deploy", + qradar_return_data=qradar_return_data, + changed=False, + ) + else: + module.exit_json( + msg="Successfully initiated {0} deployment.".format(module.params["type"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py new file mode 100644 index 00000000..eebb9e9b --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_log_source_management.py @@ -0,0 +1,251 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: log_source_management +short_description: Manage Log Sources in QRadar +description: + - This module allows for addition, deletion, or modification of Log Sources in QRadar +version_added: "1.0.0" +options: + name: + description: + - Name of Log Source + required: true + type: str + state: + description: + - Add or remove a log source. + required: true + choices: [ "present", "absent" ] + type: str + type_name: + description: + - Type of resource by name + required: false + type: str + type_id: + description: + - Type of resource by id, as defined in QRadar Log Source Types Documentation + required: false + type: int + protocol_type_id: + description: + - Type of protocol by id, as defined in QRadar Log Source Types Documentation + required: false + type: int + identifier: + description: + - Log Source Identifier (Typically IP Address or Hostname of log source) + required: true + type: str + description: + description: + - Description of log source + required: true + type: str + +notes: + - Either C(type) or C(type_id) is required + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +EXAMPLES = """ +- name: Add a snort log source to IBM QRadar + ibm.qradar.log_source_management: + name: "Snort logs" + type_name: "Snort Open Source IDS" + state: present + description: "Snort IDS remote logs from rsyslog" + identifier: "192.168.1.101" +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, +) + +import json + + +def set_log_source_values(module, qradar_request): + if module.params["type_name"]: + log_source_type_found = qradar_request.get( + "/api/config/event_sources/log_source_management/log_source_types?filter={0}".format( + quote('name="{0}"'.format(module.params["type_name"])) + ) + )[0] + if module.params["type_id"]: + log_source_type_found = qradar_request.get( + "api/config/event_sources/log_source_management/log_source_types?filter={0}".format( + quote('id="{0}"'.format(module.params["type_id"])) + ) + )[0] + if log_source_type_found: + if not module.params["type_id"]: + module.params["type_id"] = log_source_type_found["id"] + else: + module.fail_json( + msg="Incompatible type provided, please consult QRadar Documentation for Log Source Types" + ) + + if module.params["protocol_type_id"]: + found_dict_in_list, _fdil_index = find_dict_in_list( + log_source_type_found["protocol_types"], + "protocol_id", + module.params["protocol_type_id"], + ) + if not found_dict_in_list: + module.fail_json( + msg="Incompatible protocol_type_id provided, please consult QRadar Documentation for Log Source Types" + ) + else: + # Set it to the default as provided by the QRadar Instance + module.params["protocol_type_id"] = log_source_type_found["protocol_types"][0][ + "protocol_id" + ] + + module.params["protocol_parameters"] = [ + { + "id": module.params["protocol_type_id"], + "name": "identifier", + "value": module.params["identifier"], + } + ] + + +def main(): + + argspec = dict( + name=dict(required=True, type="str"), + state=dict(choices=["present", "absent"], required=True), + type_name=dict(required=False, type="str"), + type_id=dict(required=False, type="int"), + identifier=dict(required=True, type="str"), + protocol_type_id=dict(required=False, type="int"), + description=dict(required=True, type="str"), + ) + + module = AnsibleModule( + argument_spec=argspec, + required_one_of=[("type_name", "type_id")], + mutually_exclusive=[("type_name", "type_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["state", "type_name", "identifier"], + ) + + log_source_exists = qradar_request.get( + "/api/config/event_sources/log_source_management/log_sources?filter={0}".format( + quote('name="{0}"'.format(module.params["name"])) + ) + ) + + if log_source_exists: + + if module.params["state"] == "present": + existing_log_source_protocol_identifier, _elspi_index = find_dict_in_list( + log_source_exists[0]["protocol_parameters"], "name", "identifier" + ) + + set_log_source_values(module, qradar_request) + + comparison_map = [ + existing_log_source_protocol_identifier["value"] + == module.params["identifier"], + log_source_exists[0]["name"] == module.params["name"], + log_source_exists[0]["type_id"] == module.params["type_id"], + to_text(log_source_exists[0]["description"]) + == to_text(module.params["description"]), + ] + + if all(comparison_map): + module.exit_json(changed=False, msg="Nothing to do.") + else: + log_source_exists[0]["protocol_parameters"][ + _elspi_index + ] = module.params["protocol_parameters"][0] + log_source_exists[0]["name"] = module.params["name"] + log_source_exists[0]["type_id"] = module.params["type_id"] + log_source_exists[0]["description"] = module.params["description"] + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.create_update( + "api/config/event_sources/log_source_management/log_sources", + data=json.dumps(log_source_exists), + ) + + module.exit_json( + msg="Successfully updated log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + if module.params["state"] == "absent": + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.delete( + "/api/config/event_sources/log_source_management/log_sources/{0}".format( + log_source_exists[0]["id"] + ) + ) + + module.exit_json( + msg="Successfully deleted log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["state"] == "present": + set_log_source_values(module, qradar_request) + if module.check_mode: + qradar_return_data = { + "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE" + } + else: + qradar_return_data = qradar_request.create_update( + "api/config/event_sources/log_source_management/log_sources", + data=json.dumps([qradar_request.get_data()]), + ) + + module.exit_json( + msg="Successfully created log source: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + if module.params["state"] == "absent": + module.exit_json(changed=False, msg="Nothing to do.") + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py new file mode 100644 index 00000000..37eceb16 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_action.py @@ -0,0 +1,191 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_action +short_description: Take action on a QRadar Offense +description: + - This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses +version_added: "1.0.0" +options: + id: + description: + - ID of Offense + required: true + type: int + status: + description: + - One of "open", "hidden" or "closed". (Either all lower case or all caps) + required: false + choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ] + type: str + assigned_to: + description: + - Assign to an user, the QRadar username should be provided + required: false + type: str + closing_reason: + description: + - Assign a predefined closing reason here, by name. + required: false + type: str + closing_reason_id: + description: + - Assign a predefined closing reason here, by id. + required: false + type: int + follow_up: + description: + - Set or unset the flag to follow up on a QRadar Offense + required: false + type: bool + protected: + description: + - Set or unset the flag to protect a QRadar Offense + required: false + type: bool + +notes: + - Requires one of C(name) or C(id) be provided + - Only one of C(closing_reason) or C(closing_reason_id) can be provided + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +""" +# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS +# name: +# description: +# - Name of Offense +# required: true +# type: str +""" + +EXAMPLES = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + # name=dict(required=False, type='str'), + # id=dict(required=False, type='str'), + id=dict(required=True, type="int"), + assigned_to=dict(required=False, type="str"), + closing_reason=dict(required=False, type="str"), + closing_reason_id=dict(required=False, type="int"), + follow_up=dict(required=False, type="bool"), + protected=dict(required=False, type="bool"), + status=dict( + required=False, + choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"], + type="str", + ), + ) + + module = AnsibleModule( + argument_spec=argspec, + # required_one_of=[ + # ('name', 'id',), + # ], + mutually_exclusive=[("closing_reason", "closing_reason_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"], + ) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + + found_offense = qradar_request.get( + "/api/siem/offenses/{0}".format(module.params["id"]) + ) + + if found_offense: + set_offense_values(module, qradar_request) + + post_strs = [] + + if module.params["status"] and ( + to_text(found_offense["status"]) != to_text(module.params["status"]) + ): + post_strs.append("status={0}".format(to_text(module.params["status"]))) + + if module.params["assigned_to"] and ( + to_text(found_offense["assigned_to"]) + != to_text(module.params["assigned_to"]) + ): + post_strs.append("assigned_to={0}".format(module.params["assigned_to"])) + + if module.params["closing_reason_id"] and ( + found_offense["closing_reason_id"] != module.params["closing_reason_id"] + ): + post_strs.append( + "closing_reason_id={0}".format(module.params["closing_reason_id"]) + ) + + if module.params["follow_up"] and ( + found_offense["follow_up"] != module.params["follow_up"] + ): + post_strs.append("follow_up={0}".format(module.params["follow_up"])) + + if module.params["protected"] and ( + found_offense["protected"] != module.params["protected"] + ): + post_strs.append("protected={0}".format(module.params["protected"])) + + if post_strs: + if module.check_mode: + module.exit_json( + msg="A change would have been made but was not because of Check Mode.", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}?{1}".format( + module.params["id"], "&".join(post_strs) + ) + ) + # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore + module.exit_json( + msg="Successfully updated Offense ID: {0}".format(module.params["id"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + else: + # FIXME - handle the scenario in which we can search by name and this isn't a required param anymore + module.fail_json( + msg="Unable to find Offense ID: {0}".format(module.params["id"]) + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py new file mode 100644 index 00000000..fd9e4d90 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_info.py @@ -0,0 +1,215 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_info +short_description: Obtain information about one or many QRadar Offenses, with filter options +description: + - This module allows to obtain information about one or many QRadar Offenses, with filter options +version_added: "1.0.0" +options: + id: + description: + - Obtain only information of the Offense with provided ID + required: false + type: int + name: + description: + - Obtain only information of the Offense that matches the provided name + required: false + type: str + status: + description: + - Obtain only information of Offenses of a certain status + required: false + choices: [ "open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED" ] + default: "open" + type: str + assigned_to: + description: + - Obtain only information of Offenses assigned to a certain user + required: false + type: str + closing_reason: + description: + - Obtain only information of Offenses that were closed by a specific closing reason + required: false + type: str + closing_reason_id: + description: + - Obtain only information of Offenses that were closed by a specific closing reason ID + required: false + type: int + follow_up: + description: + - Obtain only information of Offenses that are marked with the follow up flag + required: false + type: bool + protected: + description: + - Obtain only information of Offenses that are protected + required: false + type: bool +notes: + - You may provide many filters and they will all be applied, except for C(id) + as that will return only + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + + +# FIXME - provide correct example here +RETURN = """ +offenses: + description: Information + returned: always + type: list + elements: dict + contains: + qradar_offenses: + description: IBM QRadar Offenses found based on provided filters + returned: always + type: complex + contains: + source: + description: Init system of the service. One of C(systemd), C(sysv), C(upstart). + returned: always + type: str + sample: sysv + state: + description: State of the service. Either C(running), C(stopped), or C(unknown). + returned: always + type: str + sample: running + status: + description: State of the service. Either C(enabled), C(disabled), or C(unknown). + returned: systemd systems or RedHat/SUSE flavored sysvinit/upstart + type: str + sample: enabled + name: + description: Name of the service. + returned: always + type: str + sample: arp-ethers.service +""" + + +EXAMPLES = """ +- name: Get list of all currently OPEN IBM QRadar Offenses + ibm.qradar.offense_info: + status: OPEN + register: offense_list + +- name: display offense information for debug purposes + debug: + var: offense_list +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + assigned_to=dict(required=False, type="str"), + closing_reason=dict(required=False, type="str"), + closing_reason_id=dict(required=False, type="int"), + follow_up=dict(required=False, type="bool", default=None), + protected=dict(required=False, type="bool", default=None), + status=dict( + required=False, + choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"], + default="open", + type="str", + ), + ) + + module = AnsibleModule( + argument_spec=argspec, + mutually_exclusive=[("closing_reason", "closing_reason_id")], + supports_check_mode=True, + ) + + qradar_request = QRadarRequest(module) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + + set_offense_values(module, qradar_request) + + if module.params["id"]: + offenses = qradar_request.get( + "/api/siem/offenses/{0}".format(module.params["id"]) + ) + + else: + query_strs = [] + + if module.params["status"]: + query_strs.append( + quote("status={0}".format(to_text(module.params["status"]))) + ) + + if module.params["assigned_to"]: + query_strs.append( + quote("assigned_to={0}".format(module.params["assigned_to"])) + ) + + if module.params["closing_reason_id"]: + query_strs.append( + quote( + "closing_reason_id={0}".format(module.params["closing_reason_id"]) + ) + ) + + if module.params["follow_up"] is not None: + query_strs.append(quote("follow_up={0}".format(module.params["follow_up"]))) + + if module.params["protected"] is not None: + query_strs.append(quote("protected={0}".format(module.params["protected"]))) + + if query_strs: + offenses = qradar_request.get( + "/api/siem/offenses?filter={0}".format("&".join(query_strs)) + ) + else: + offenses = qradar_request.get("/api/siem/offenses") + + if module.params["name"]: + named_offense = find_dict_in_list( + offenses, "description", module.params["name"] + ) + if named_offense: + offenses = named_offense + else: + offenses = [] + + module.exit_json(offenses=offenses, changed=False) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py new file mode 100644 index 00000000..3a5fd6a0 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_offense_note.py @@ -0,0 +1,189 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: offense_note +short_description: Create or update a QRadar Offense Note +description: + - This module allows to create a QRadar Offense note +version_added: "1.0.0" +options: + id: + description: + - Offense ID to operate on + required: true + type: int + note_text: + description: The note's text contents + required: true + type: str + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + +""" +# FIXME - WOULD LIKE TO QUERY BY NAME BUT HOW TO ACCOMPLISH THAT IS NON-OBVIOUS +# offense_name: +# description: +# - Name of Offense +# required: true +# type: str + +# FIXME - WOULD LIKE TO MANAGE STATE +# state: +# description: Define state of the note: present or absent +# required: false +# choices: ["present", "absent"] +# default: "present" +""" + +EXAMPLES = """ +- name: Add a note to QRadar Offense ID 1 + ibm.qradar.offense_note: + id: 1 + note_text: This an example note entry that should be made on offense id 1 +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, +) + +import copy +import json + + +def set_offense_values(module, qradar_request): + if module.params["closing_reason"]: + found_closing_reason = qradar_request.get( + "/api/siem/offense_closing_reasons?filter={0}".format( + quote('text="{0}"'.format(module.params["closing_reason"])) + ) + ) + if found_closing_reason: + module.params["closing_reason_id"] = found_closing_reason[0]["id"] + else: + module.fail_json( + "Unable to find closing_reason text: {0}".format( + module.params["closing_reason"] + ) + ) + + if module.params["status"]: + module.params["status"] = module.params["status"].upper() + + +def main(): + + argspec = dict( + # state=dict(required=False, choices=["present", "absent"], type='str', default="present"), + id=dict(required=True, type="int"), + note_text=dict(required=True, type="str"), + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) + + qradar_request = QRadarRequest(module, not_rest_data_keys=["state", "id"],) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME + # found_offense = qradar_request.get('/api/siem/offenses?filter={0}'.format(module.params['name'])) + # FIXME - once this is sorted, add it to module_utils + + found_notes = qradar_request.get( + "/api/siem/offenses/{0}/notes?filter={1}".format( + module.params["id"], + quote('note_text="{0}"'.format(module.params["note_text"])), + ) + ) + + # if module.params['state'] == 'present': + + if found_notes: + # The note we want exists either by ID or by text name, verify + + note = found_notes[0] + if note["note_text"] == module.params["note_text"]: + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + else: + if module.check_mode: + module.exit_json( + msg="A change would have occured but did not because Check Mode", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}/notes?note_text={1}".format( + module.params["id"], quote("{0}".format(module.params["note_text"])) + ), + data=False, + ) + module.exit_json( + msg="Successfully created Offense Note ID: {0}".format( + qradar_return_data["id"] + ), + qradar_return_data=qradar_return_data, + changed=False, + ) + + else: + if module.check_mode: + module.exit_json( + msg="A change would have occured but did not because Check Mode", + changed=True, + ) + + qradar_return_data = qradar_request.post_by_path( + "api/siem/offenses/{0}/notes?note_text={1}".format( + module.params["id"], quote("{0}".format(module.params["note_text"])) + ), + data=False, + ) + module.exit_json( + msg="Successfully created Offense Note ID: {0}".format( + qradar_return_data["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + + module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + + # FIXME FIXME FIXME - can we actually delete these via the REST API? + # if module.params['state'] == 'absent': + # if not found_notes: + # module.exit_json(msg="No changes necessary. Nothing to do.", changed=False) + # else: + # if module.check_mode: + # module.exit_json(msg="A change would have occured but did not because Check Mode", changed=True) + # # FIXME: fix the POST here to actually delete + # qradar_return_data = qradar_request.post_by_path( + # 'api/siem/offenses/{0}/notes?note_text={1}'.format( + # module.params['id'], + # quote("{0}".format(module.params['note_text'])), + # ), + # data=False + # ) + # module.exit_json( + # msg="Successfully created Offense Note ID: {0}".format(qradar_return_data['id']), + # qradar_return_data=qradar_return_data, + # changed=True + # ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py new file mode 100644 index 00000000..57c70ee5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule.py @@ -0,0 +1,248 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: rule +short_description: Manage state of QRadar Rules, with filter options +description: + - Manage state of QRadar Rules, with filter options +version_added: "1.0.0" +options: + id: + description: + - Manage state of a QRadar Rule by ID + required: false + type: int + name: + description: + - Manage state of a QRadar Rule by name + required: false + type: str + state: + description: + - Manage state of a QRadar Rule + required: True + choices: [ "enabled", "disabled", "absent" ] + type: str + owner: + description: + - Manage ownership of a QRadar Rule + required: false + type: str + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + + +# FIXME - provide correct example here +RETURN = """ +""" + +EXAMPLES = """ +- name: Enable Rule 'Ansible Example DDoS Rule' + qradar_rule: + name: 'Ansible Example DDOS Rule' + state: enabled +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + state=dict( + required=True, choices=["enabled", "disabled", "absent"], type="str" + ), + owner=dict(required=False, type="str"), + ) + + module = AnsibleModule( + argument_spec=argspec, + supports_check_mode=True, + required_one_of=[("name", "id")], + mutually_exclusive=[("name", "id")], + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["id", "name", "state", "owner"], + ) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name'])) + module.params["rule"] = {} + + if module.params["id"]: + module.params["rule"] = qradar_request.get( + "/api/analytics/rules/{0}".format(module.params["id"]) + ) + + elif module.params["name"]: + rules = qradar_request.get( + "/api/analytics/rules?filter={0}".format( + quote('"{0}"'.format(module.params["name"])) + ) + ) + if rules: + module.params["rule"] = rules[0] + module.params["id"] = rules[0]["id"] + + if module.params["state"] == "enabled": + if module.params["rule"]: + if module.params["rule"]["enabled"] is True: + # Already enabled + if module.params["id"]: + module.exit_json( + msg="No change needed for rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data={}, + changed=False, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data={}, + changed=False, + ) + else: + # Not enabled, enable It + module.params["rule"]["enabled"] = True + + qradar_return_data = qradar_request.post_by_path( + "api/analytics/rules/{0}".format(module.params["rule"]["id"]), + data=json.dumps(module.params["rule"]), + ) + if module.params["id"]: + module.exit_json( + msg="Successfully enabled rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["id"]: + module.fail_json( + msg="Unable to find rule ID: {0}".format(module.params["id"]) + ) + if module.params["name"]: + module.fail_json( + msg='Unable to find rule named: "{0}"'.format(module.params["name"]) + ) + + elif module.params["state"] == "disabled": + if module.params["rule"]: + if module.params["rule"]["enabled"] is False: + # Already disabled + if module.params["id"]: + module.exit_json( + msg="No change needed for rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data={}, + changed=False, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data={}, + changed=False, + ) + else: + # Not disabled, disable It + module.params["rule"]["enabled"] = False + + qradar_return_data = qradar_request.post_by_path( + "api/analytics/rules/{0}".format(module.params["rule"]["id"]), + data=json.dumps(module.params["rule"]), + ) + if module.params["id"]: + module.exit_json( + msg="Successfully disabled rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully disabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["id"]: + module.fail_json( + msg="Unable to find rule ID: {0}".format(module.params["id"]) + ) + if module.params["name"]: + module.fail_json( + msg='Unable to find rule named: "{0}"'.format(module.params["name"]) + ) + + elif module.params["state"] == "absent": + if module.params["rule"]: + qradar_return_data = qradar_request.delete( + "/api/analytics/rules/{0}".format(module.params["rule"]["id"]) + ) + if module.params["id"]: + module.exit_json( + msg="Successfully deleted rule ID: {0}".format(module.params["id"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully deleted rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + module.exit_json(msg="Nothing to do, rule not found.") + + module.exit_json(rules=rules, changed=False) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py new file mode 100644 index 00000000..174d4079 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/qradar_rule_info.py @@ -0,0 +1,138 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: rule_info +short_description: Obtain information about one or many QRadar Rules, with filter options +description: + - This module obtains information about one or many QRadar Rules, with filter options +version_added: "1.0.0" +options: + id: + description: + - Obtain only information of the Rule with provided ID + required: false + type: int + name: + description: + - Obtain only information of the Rule that matches the provided name + required: false + type: str + type: + description: + - Obtain only information for the Rules of a certain type + required: false + choices: [ "EVENT", "FLOW", "COMMON", "USER"] + type: str + owner: + description: + - Obtain only information of Rules owned by a certain user + required: false + type: str + origin: + description: + - Obtain only information of Rules that are of a certain origin + required: false + choices: ["SYSTEM", "OVERRIDE", "USER"] + type: str +notes: + - You may provide many filters and they will all be applied, except for C(id) + as that will return only the Rule identified by the unique ID provided. + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>" +""" + + +# FIXME - provide correct example here +RETURN = """ +""" + +EXAMPLES = """ +- name: Get information about the Rule named "Custom Company DDoS Rule" + ibm.qradar.rule_info: + name: "Custom Company DDoS Rule" + register: custom_ddos_rule_info + +- name: debugging output of the custom_ddos_rule_info registered variable + debug: + var: custom_ddos_rule_info +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + owner=dict(required=False, type="str"), + type=dict( + required=False, choices=["EVENT", "FLOW", "COMMON", "USER"], type="str" + ), + origin=dict(required=False, choices=["SYSTEM", "OVERRIDE", "USER"], type="str"), + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) + + qradar_request = QRadarRequest(module) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name'])) + + if module.params["id"]: + rules = qradar_request.get( + "/api/analytics/rules/{0}".format(module.params["id"]) + ) + + else: + query_strs = [] + + if module.params["name"]: + query_strs.append( + quote('name="{0}"'.format(to_text(module.params["name"]))) + ) + + if module.params["owner"]: + query_strs.append(quote("owner={0}".format(module.params["owner"]))) + + if module.params["type"]: + query_strs.append(quote("type={0}".format(module.params["type"]))) + + if module.params["origin"]: + query_strs.append(quote("origin={0}".format(module.params["origin"]))) + + if query_strs: + rules = qradar_request.get( + "/api/analytics/rules?filter={0}".format("&".join(query_strs)) + ) + else: + rules = qradar_request.get("/api/analytics/rules") + + module.exit_json(rules=rules, changed=False) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py new file mode 100644 index 00000000..57c70ee5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule.py @@ -0,0 +1,248 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: rule +short_description: Manage state of QRadar Rules, with filter options +description: + - Manage state of QRadar Rules, with filter options +version_added: "1.0.0" +options: + id: + description: + - Manage state of a QRadar Rule by ID + required: false + type: int + name: + description: + - Manage state of a QRadar Rule by name + required: false + type: str + state: + description: + - Manage state of a QRadar Rule + required: True + choices: [ "enabled", "disabled", "absent" ] + type: str + owner: + description: + - Manage ownership of a QRadar Rule + required: false + type: str + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> +""" + + +# FIXME - provide correct example here +RETURN = """ +""" + +EXAMPLES = """ +- name: Enable Rule 'Ansible Example DDoS Rule' + qradar_rule: + name: 'Ansible Example DDOS Rule' + state: enabled +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + state=dict( + required=True, choices=["enabled", "disabled", "absent"], type="str" + ), + owner=dict(required=False, type="str"), + ) + + module = AnsibleModule( + argument_spec=argspec, + supports_check_mode=True, + required_one_of=[("name", "id")], + mutually_exclusive=[("name", "id")], + ) + + qradar_request = QRadarRequest( + module, not_rest_data_keys=["id", "name", "state", "owner"], + ) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name'])) + module.params["rule"] = {} + + if module.params["id"]: + module.params["rule"] = qradar_request.get( + "/api/analytics/rules/{0}".format(module.params["id"]) + ) + + elif module.params["name"]: + rules = qradar_request.get( + "/api/analytics/rules?filter={0}".format( + quote('"{0}"'.format(module.params["name"])) + ) + ) + if rules: + module.params["rule"] = rules[0] + module.params["id"] = rules[0]["id"] + + if module.params["state"] == "enabled": + if module.params["rule"]: + if module.params["rule"]["enabled"] is True: + # Already enabled + if module.params["id"]: + module.exit_json( + msg="No change needed for rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data={}, + changed=False, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data={}, + changed=False, + ) + else: + # Not enabled, enable It + module.params["rule"]["enabled"] = True + + qradar_return_data = qradar_request.post_by_path( + "api/analytics/rules/{0}".format(module.params["rule"]["id"]), + data=json.dumps(module.params["rule"]), + ) + if module.params["id"]: + module.exit_json( + msg="Successfully enabled rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["id"]: + module.fail_json( + msg="Unable to find rule ID: {0}".format(module.params["id"]) + ) + if module.params["name"]: + module.fail_json( + msg='Unable to find rule named: "{0}"'.format(module.params["name"]) + ) + + elif module.params["state"] == "disabled": + if module.params["rule"]: + if module.params["rule"]["enabled"] is False: + # Already disabled + if module.params["id"]: + module.exit_json( + msg="No change needed for rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data={}, + changed=False, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully enabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data={}, + changed=False, + ) + else: + # Not disabled, disable It + module.params["rule"]["enabled"] = False + + qradar_return_data = qradar_request.post_by_path( + "api/analytics/rules/{0}".format(module.params["rule"]["id"]), + data=json.dumps(module.params["rule"]), + ) + if module.params["id"]: + module.exit_json( + msg="Successfully disabled rule ID: {0}".format( + module.params["id"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully disabled rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + if module.params["id"]: + module.fail_json( + msg="Unable to find rule ID: {0}".format(module.params["id"]) + ) + if module.params["name"]: + module.fail_json( + msg='Unable to find rule named: "{0}"'.format(module.params["name"]) + ) + + elif module.params["state"] == "absent": + if module.params["rule"]: + qradar_return_data = qradar_request.delete( + "/api/analytics/rules/{0}".format(module.params["rule"]["id"]) + ) + if module.params["id"]: + module.exit_json( + msg="Successfully deleted rule ID: {0}".format(module.params["id"]), + qradar_return_data=qradar_return_data, + changed=True, + ) + if module.params["name"]: + module.exit_json( + msg="Successfully deleted rule named: {0}".format( + module.params["name"] + ), + qradar_return_data=qradar_return_data, + changed=True, + ) + else: + module.exit_json(msg="Nothing to do, rule not found.") + + module.exit_json(rules=rules, changed=False) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py new file mode 100644 index 00000000..174d4079 --- /dev/null +++ b/collections-debian-merged/ansible_collections/ibm/qradar/plugins/modules/rule_info.py @@ -0,0 +1,138 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2019, Adam Miller (admiller@redhat.com) +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = """ +--- +module: rule_info +short_description: Obtain information about one or many QRadar Rules, with filter options +description: + - This module obtains information about one or many QRadar Rules, with filter options +version_added: "1.0.0" +options: + id: + description: + - Obtain only information of the Rule with provided ID + required: false + type: int + name: + description: + - Obtain only information of the Rule that matches the provided name + required: false + type: str + type: + description: + - Obtain only information for the Rules of a certain type + required: false + choices: [ "EVENT", "FLOW", "COMMON", "USER"] + type: str + owner: + description: + - Obtain only information of Rules owned by a certain user + required: false + type: str + origin: + description: + - Obtain only information of Rules that are of a certain origin + required: false + choices: ["SYSTEM", "OVERRIDE", "USER"] + type: str +notes: + - You may provide many filters and they will all be applied, except for C(id) + as that will return only the Rule identified by the unique ID provided. + +author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>" +""" + + +# FIXME - provide correct example here +RETURN = """ +""" + +EXAMPLES = """ +- name: Get information about the Rule named "Custom Company DDoS Rule" + ibm.qradar.rule_info: + name: "Custom Company DDoS Rule" + register: custom_ddos_rule_info + +- name: debugging output of the custom_ddos_rule_info registered variable + debug: + var: custom_ddos_rule_info +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text + +from ansible.module_utils.urls import Request +from ansible.module_utils.six.moves.urllib.parse import quote +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible_collections.ibm.qradar.plugins.module_utils.qradar import ( + QRadarRequest, + find_dict_in_list, + set_offense_values, +) + +import copy +import json + + +def main(): + + argspec = dict( + id=dict(required=False, type="int"), + name=dict(required=False, type="str"), + owner=dict(required=False, type="str"), + type=dict( + required=False, choices=["EVENT", "FLOW", "COMMON", "USER"], type="str" + ), + origin=dict(required=False, choices=["SYSTEM", "OVERRIDE", "USER"], type="str"), + ) + + module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) + + qradar_request = QRadarRequest(module) + + # if module.params['name']: + # # FIXME - QUERY HERE BY NAME NATIVELY VIA REST API (DOESN'T EXIST YET) + # found_offense = qradar_request.get('/api/analytics/rules?filter={0}'.format(module.params['name'])) + + if module.params["id"]: + rules = qradar_request.get( + "/api/analytics/rules/{0}".format(module.params["id"]) + ) + + else: + query_strs = [] + + if module.params["name"]: + query_strs.append( + quote('name="{0}"'.format(to_text(module.params["name"]))) + ) + + if module.params["owner"]: + query_strs.append(quote("owner={0}".format(module.params["owner"]))) + + if module.params["type"]: + query_strs.append(quote("type={0}".format(module.params["type"]))) + + if module.params["origin"]: + query_strs.append(quote("origin={0}".format(module.params["origin"]))) + + if query_strs: + rules = qradar_request.get( + "/api/analytics/rules?filter={0}".format("&".join(query_strs)) + ) + else: + rules = qradar_request.get("/api/analytics/rules") + + module.exit_json(rules=rules, changed=False) + + +if __name__ == "__main__": + main() |