diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:03:42 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:03:42 +0000 |
| commit | 66cec45960ce1d9c794e9399de15c138acb18aed (patch) | |
| tree | 59cd19d69e9d56b7989b080da7c20ef1a3fe2a5a /ansible_collections/ibm/qradar/docs | |
| parent | Initial commit. (diff) | |
| download | ansible-upstream.tar.xz ansible-upstream.zip | |
Adding upstream version 7.3.0+dfsg.upstream/7.3.0+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/ibm/qradar/docs')
10 files changed, 2614 insertions, 0 deletions
diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst new file mode 100644 index 00000000..10e8cf56 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst @@ -0,0 +1,86 @@ +.. _ibm.qradar.deploy_module: + + +***************** +ibm.qradar.deploy +***************** + +**Trigger a qradar configuration deployment** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for INCREMENTAL or FULL deployments + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>INCREMENTAL</b> ←</div></li> + <li>FULL</li> + </ul> + </td> + <td> + <div>Type of deployment</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments + + + +Examples +-------- + +.. code-block:: yaml + + - name: run an incremental deploy + ibm.qradar.deploy: + type: INCREMENTAL + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst new file mode 100644 index 00000000..8e23256f --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst @@ -0,0 +1,195 @@ +.. _ibm.qradar.log_source_management_module: + + +******************************** +ibm.qradar.log_source_management +******************************** + +**Manage Log Sources in QRadar** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_log_sources_management + + + +Synopsis +-------- +- This module allows for addition, deletion, or modification of Log Sources in QRadar + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of log source</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>identifier</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Log Source Identifier (Typically IP Address or Hostname of log source)</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of Log Source</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protocol_type_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Type of protocol by id, as defined in QRadar Log Source Types Documentation</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>present</li> + <li>absent</li> + </ul> + </td> + <td> + <div>Add or remove a log source.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Type of resource by id, as defined in QRadar Log Source Types Documentation</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Type of resource by name</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - Either ``type`` or ``type_id`` is required + + + +Examples +-------- + +.. code-block:: yaml + + - name: Add a snort log source to IBM QRadar + ibm.qradar.log_source_management: + name: "Snort logs" + type_name: "Snort Open Source IDS" + state: present + description: "Snort IDS remote logs from rsyslog" + identifier: "192.168.1.101" + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst new file mode 100644 index 00000000..2fde5b4e --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst @@ -0,0 +1,182 @@ +.. _ibm.qradar.offense_action_module: + + +************************* +ibm.qradar.offense_action +************************* + +**Take action on a QRadar Offense** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>assigned_to</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Assign to an user, the QRadar username should be provided</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>closing_reason</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Assign a predefined closing reason here, by name.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>closing_reason_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Assign a predefined closing reason here, by id.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>follow_up</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Set or unset the flag to follow up on a QRadar Offense</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>ID of Offense</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protected</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Set or unset the flag to protect a QRadar Offense</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>open</li> + <li>OPEN</li> + <li>hidden</li> + <li>HIDDEN</li> + <li>closed</li> + <li>CLOSED</li> + </ul> + </td> + <td> + <div>One of "open", "hidden" or "closed". (Either all lower case or all caps)</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - Requires one of ``name`` or ``id`` be provided + - Only one of ``closing_reason`` or ``closing_reason_id`` can be provided + + + + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst new file mode 100644 index 00000000..ddf7a8ea --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst @@ -0,0 +1,333 @@ +.. _ibm.qradar.offense_info_module: + + +*********************** +ibm.qradar.offense_info +*********************** + +**Obtain information about one or many QRadar Offenses, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to obtain information about one or many QRadar Offenses, with filter options + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>assigned_to</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of Offenses assigned to a certain user</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>closing_reason</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of Offenses that were closed by a specific closing reason</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>closing_reason_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of Offenses that were closed by a specific closing reason ID</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>follow_up</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Obtain only information of Offenses that are marked with the follow up flag</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of the Offense with provided ID</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of the Offense that matches the provided name</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protected</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Obtain only information of Offenses that are protected</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>open</b> ←</div></li> + <li>OPEN</li> + <li>hidden</li> + <li>HIDDEN</li> + <li>closed</li> + <li>CLOSED</li> + </ul> + </td> + <td> + <div>Obtain only information of Offenses of a certain status</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - You may provide many filters and they will all be applied, except for ``id`` as that will return only + + + +Examples +-------- + +.. code-block:: yaml + + - name: Get list of all currently OPEN IBM QRadar Offenses + ibm.qradar.offense_info: + status: OPEN + register: offense_list + + - name: display offense information for debug purposes + debug: + var: offense_list + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="3">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>offenses</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td>always</td> + <td> + <div>Information</div> + <br/> + </td> + </tr> + <tr> + <td class="elbow-placeholder"> </td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>qradar_offenses</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">complex</span> + </div> + </td> + <td>always</td> + <td> + <div>IBM QRadar Offenses found based on provided filters</div> + <br/> + </td> + </tr> + <tr> + <td class="elbow-placeholder"> </td> + <td class="elbow-placeholder"> </td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td>always</td> + <td> + <div>Name of the service.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">arp-ethers.service</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"> </td> + <td class="elbow-placeholder"> </td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>source</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td>always</td> + <td> + <div>Init system of the service. One of <code>systemd</code>, <code>sysv</code>, <code>upstart</code>.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">sysv</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"> </td> + <td class="elbow-placeholder"> </td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td>always</td> + <td> + <div>State of the service. Either <code>running</code>, <code>stopped</code>, or <code>unknown</code>.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">running</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"> </td> + <td class="elbow-placeholder"> </td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>status</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td>systemd systems or RedHat/SUSE flavored sysvinit/upstart</td> + <td> + <div>State of the service. Either <code>enabled</code>, <code>disabled</code>, or <code>unknown</code>.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">enabled</div> + </td> + </tr> + + + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst new file mode 100644 index 00000000..a41e51ca --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst @@ -0,0 +1,94 @@ +.. _ibm.qradar.offense_note_module: + + +*********************** +ibm.qradar.offense_note +*********************** + +**Create or update a QRadar Offense Note** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to create a QRadar Offense note + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Offense ID to operate on</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>note_text</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>The note's text contents</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Add a note to QRadar Offense ID 1 + ibm.qradar.offense_note: + id: 1 + note_text: This an example note entry that should be made on offense id 1 + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst new file mode 100644 index 00000000..bc657fd5 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst @@ -0,0 +1,451 @@ +.. _ibm.qradar.qradar_analytics_rules_module: + + +********************************* +ibm.qradar.qradar_analytics_rules +********************************* + +**Qradar Analytics Rules Management resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for modification, deletion, and checking of Analytics Rules in QRadar + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="2">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>A dictionary of Qradar Analytics Rules options</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>enabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Check if the rule is enabled</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>fields</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>average_capacity</li> + <li>base_capacity</li> + <li>base_host_id</li> + <li>capacity_timestamp</li> + <li>creation_date</li> + <li>enabled</li> + <li>id</li> + <li>identifier</li> + <li>linked_rule_identifier</li> + <li>modification_date</li> + <li>name</li> + <li>origin</li> + <li>owner</li> + <li>type</li> + </ul> + </td> + <td> + <div>List of params filtered from the Rule config</div> + <div>NOTE, this param is valid only via state GATHERED.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The sequence ID of the rule.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The name of the rule.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>owner</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Manage ownership of a QRadar Rule</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>range</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Parameter to restrict the number of elements that are returned in the list to a specified range.</div> + <div>NOTE, this param is valid only via state GATHERED.</div> + </td> + </tr> + + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>merged</li> + <li>gathered</li> + <li>deleted</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + <div>The state <em>gathered</em> will get the module API configuration from the device and transform it into structured data in the format as per the module argspec and the value is returned in the <em>gathered</em> key within the result.</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using MERGED state + # ------------------- + + - name: DISABLE Rule 'Ansible Example DDoS Rule' + ibm.qradar.qradar_analytics_rules: + config: + name: 'Ansible Example DDOS Rule' + enabled: false + state: merged + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929682568 + # enabled: false + # id: 100443 + # identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c + # linked_rule_identifier: null + # modification_date: 1658929682567 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + # before: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929682568 + # enabled: true + # id: 100443 + # identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c + # linked_rule_identifier: null + # modification_date: 1658929682567 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + + # Using GATHERED state + # -------------------- + + - name: Get information about the Rule named "Ansible Example DDOS Rule" + ibm.qradar.qradar_analytics_rules: + config: + name: "Ansible Example DDOS Rule" + state: gathered + + # RUN output: + # ----------- + + # gathered: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658918848694 + # enabled: true + # id: 100443 + # identifier: d6d37942-ba28-438f-b909-120df643a992 + # linked_rule_identifier: null + # modification_date: 1658918848692 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + - name: Get information about the Rule with ID 100443 + ibm.qradar.qradar_analytics_rules: + config: + id: 100443 + state: gathered + + # RUN output: + # ----------- + + # gathered: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658918848694 + # enabled: true + # id: 100443 + # identifier: d6d37942-ba28-438f-b909-120df643a992 + # linked_rule_identifier: null + # modification_date: 1658918848692 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + - name: TO Get information about the Rule ID with a range + ibm.qradar.qradar_analytics_rules: + config: + range: 100300-100500 + fields: + - name + - origin + - owner + state: gathered + + # RUN output: + # ----------- + + # gathered: + # - name: Devices with High Event Rates + # origin: SYSTEM + # owner: admin + # - name: Excessive Database Connections + # origin: SYSTEM + # owner: admin + # - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts' + # origin: SYSTEM + # owner: admin + # - name: Excessive Firewall Denies from Single Source + # origin: SYSTEM + # owner: admin + # - name: 'AssetExclusion: Exclude DNS Name By IP' + # origin: SYSTEM + # owner: admin + # - name: 'AssetExclusion: Exclude DNS Name By MAC Address' + # origin: SYSTEM + # owner: admin + + - name: Delete custom Rule by NAME + ibm.qradar.qradar_analytics_rules: + config: + name: 'Ansible Example DDOS Rule' + state: deleted + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: {} + # before: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929431239 + # enabled: true + # id: 100444 + # identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308 + # linked_rule_identifier: null + # modification_date: 1658929431238 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + # Using DELETED state + # ------------------- + + - name: Delete custom Rule by ID + ibm.qradar.qradar_analytics_rules: + config: + id: 100443 + state: deleted + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: {} + # before: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929431239 + # enabled: true + # id: 100443 + # identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308 + # linked_rule_identifier: null + # modification_date: 1658929431238 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The configuration as structured data after module completion.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td>always</td> + <td> + <div>The configuration as structured data prior to module invocation.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@justjais) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst new file mode 100644 index 00000000..bd0729fc --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst @@ -0,0 +1,43 @@ +.. _ibm.qradar.qradar_httpapi: + + +***************** +ibm.qradar.qradar +***************** + +**HttpApi Plugin for IBM QRadar** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This HttpApi plugin provides methods to connect to IBM QRadar over a HTTP(S)-based api. + + + + + + + + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Team (@ansible-security) + + +.. hint:: + Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst new file mode 100644 index 00000000..f8611f8d --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst @@ -0,0 +1,922 @@ +.. _ibm.qradar.qradar_log_sources_management_module: + + +**************************************** +ibm.qradar.qradar_log_sources_management +**************************************** + +**Qradar Log Sources Management resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for addition, deletion, or modification of Log Sources in QRadar + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="3">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>A dictionary of Qradar Log Sources options</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>average_eps</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The average events per second (EPS) rate of the log source over the last 60 seconds.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>coalesce_events</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If events collected by this log source are coalesced based on common properties, the condition is set to 'true'. If each individual event is stored, then the condition is set to 'false'.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of log source</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>enabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If the log source is enabled, the condition is set to 'true'; otherwise, the condition is set to 'false'.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>gateway</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a stand-alone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>group_ids</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>The set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>identifier</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Log Source Identifier (Typically IP Address or Hostname of log source)</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>internal</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If the log source is internal (when the log source type is defined as internal), the condition is set to 'true'.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>language_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The language of the events that are being processed by this log source. Must correspond to an existing log source language. Individual log source types can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of Log Source</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protocol_parameters</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>The set of protocol parameters</div> + <div>If not provided module will set the protocol parameters by itself</div> + <div>Note, parameter will come to use mostly in case when facts are gathered and fired with some modifications to params or in case of round trip scenarios.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The ID of the protocol type.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The unique name of the protocol type.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>value</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The allowed protocol value.</div> + </td> + </tr> + + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protocol_type_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Type of protocol by id, as defined in QRadar Log Source Types Documentation</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>requires_deploy</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Set to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>The status of the log source.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>last_updated</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>last_updated</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>messages</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>last_updated</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>last_updated</div> + </td> + </tr> + + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>store_event_payload</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>target_event_collector_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type_id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>The type of the log source. Must correspond to an existing log source type.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Type of resource by name</div> + </td> + </tr> + + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>merged</li> + <li>replaced</li> + <li>gathered</li> + <li>deleted</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + <div>The state <em>gathered</em> will get the module API configuration from the device and transform it into structured data in the format as per the module argspec and the value is returned in the <em>gathered</em> key within the result.</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using MERGED state + # ------------------- + + - name: Add Snort n Apache log sources to IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + type_name: "Snort Open Source IDS" + description: "Snort IDS remote logs from rsyslog" + identifier: "192.0.2.1" + - name: "Apache HTTP Server logs" + type_name: "Apache HTTP Server" + description: "Apache HTTP Server remote logs from rsyslog" + identifier: "198.51.100.1" + state: merged + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311444 + # name: Snort logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311462 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 182 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311462 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 198.51.100.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # before: [] + + # Using REPLACED state + # -------------------- + + - name: Replace existing Log sources to IBM QRadar + ibm.qradar.qradar_log_sources_management: + state: replaced + config: + - name: "Apache HTTP Server logs" + type_name: "Apache HTTP Server" + description: "REPLACED Apache HTTP Server remote logs from rsyslog" + identifier: "192.0.2.1" + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: REPLACED Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727944017 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # before: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311462 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 182 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311462 + # name: Apache HTTP Server logs + # protocol_parameters: + # - name: identifier + # value: 198.51.100.1 + # - name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + # Using GATHERED state + # -------------------- + + - name: Gather Snort n Apache log source from IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + - name: "Apache HTTP Server logs" + state: gathered + + # RUN output: + # ----------- + + # gathered: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103340 + # name: Snort logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103353 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + - name: TO Gather ALL log sources from IBM QRadar + tags: gather_log_all + ibm.qradar.qradar_log_sources_management: + state: gathered + + # Using DELETED state + # ------------------- + + - name: Delete Snort n Apache log source from IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + - name: "Apache HTTP Server logs" + state: deleted + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: [] + # before: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103340 + # name: Snort logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103353 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The configuration as structured data after module completion.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>always</td> + <td> + <div>The configuration as structured data prior to module invocation.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@justjais) <https://github.com/ansible-security> diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst new file mode 100644 index 00000000..ec4d9fc8 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst @@ -0,0 +1,169 @@ +.. _ibm.qradar.rule_info_module: + + +******************** +ibm.qradar.rule_info +******************** + +**Obtain information about one or many QRadar Rules, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_analytics_rules + + + +Synopsis +-------- +- This module obtains information about one or many QRadar Rules, with filter options + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of the Rule with provided ID</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of the Rule that matches the provided name</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>origin</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>SYSTEM</li> + <li>OVERRIDE</li> + <li>USER</li> + </ul> + </td> + <td> + <div>Obtain only information of Rules that are of a certain origin</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>owner</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Obtain only information of Rules owned by a certain user</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>type</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>EVENT</li> + <li>FLOW</li> + <li>COMMON</li> + <li>USER</li> + </ul> + </td> + <td> + <div>Obtain only information for the Rules of a certain type</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - You may provide many filters and they will all be applied, except for ``id`` as that will return only the Rule identified by the unique ID provided. + + + +Examples +-------- + +.. code-block:: yaml + + - name: Get information about the Rule named "Custom Company DDoS Rule" + ibm.qradar.rule_info: + name: "Custom Company DDoS Rule" + register: custom_ddos_rule_info + + - name: debugging output of the custom_ddos_rule_info registered variable + debug: + var: custom_ddos_rule_info + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>" diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst new file mode 100644 index 00000000..d6dae97c --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst @@ -0,0 +1,139 @@ +.. _ibm.qradar.rule_module: + + +*************** +ibm.qradar.rule +*************** + +**Manage state of QRadar Rules, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_analytics_rules + + + +Synopsis +-------- +- Manage state of QRadar Rules, with filter options + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>id</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Manage state of a QRadar Rule by ID</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Manage state of a QRadar Rule by name</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>owner</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Manage ownership of a QRadar Rule</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>enabled</li> + <li>disabled</li> + <li>absent</li> + </ul> + </td> + <td> + <div>Manage state of a QRadar Rule</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Enable Rule 'Ansible Example DDoS Rule' + qradar_rule: + name: 'Ansible Example DDOS Rule' + state: enabled + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> |