From 66cec45960ce1d9c794e9399de15c138acb18aed Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 18:03:42 +0200
Subject: Adding upstream version 7.3.0+dfsg.
Signed-off-by: Daniel Baumann
---
 .../ibm/qradar/docs/ibm.qradar.deploy_module.rst | 86 ++
 .../ibm.qradar.log_source_management_module.rst | 195 +++++
 .../docs/ibm.qradar.offense_action_module.rst | 182 ++++
 .../qradar/docs/ibm.qradar.offense_info_module.rst | 333 ++++++++
 .../qradar/docs/ibm.qradar.offense_note_module.rst | 94 +++
 .../ibm.qradar.qradar_analytics_rules_module.rst | 451 ++++++++++
 .../ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst | 43 +
 ...qradar.qradar_log_sources_management_module.rst | 922 +++++++++++++++++++++
 .../qradar/docs/ibm.qradar.rule_info_module.rst | 169 ++++
 .../ibm/qradar/docs/ibm.qradar.rule_module.rst | 139 ++++
 10 files changed, 2614 insertions(+)
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst
 create mode 100644 ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst
(limited to 'ansible_collections/ibm/qradar/docs')
diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst new file mode 100644 index 00000000..10e8cf56 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.deploy_module.rst @@ -0,0 +1,86 @@ +.. _ibm.qradar.deploy_module: + + +***************** +ibm.qradar.deploy +***************** + +**Trigger a qradar configuration deployment** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for INCREMENTAL or FULL deployments + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ type + +
+ string +
+
+
    Choices: +
  • INCREMENTAL ←
  • +
  • FULL
  • +
+
+
Type of deployment
+
+
+ + +Notes +----- + +.. note:: + - This module does not support check mode because the QRadar REST API does not offer stateful inspection of configuration deployments + + + +Examples +-------- + +.. code-block:: yaml + + - name: run an incremental deploy + ibm.qradar.deploy: + type: INCREMENTAL + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst new file mode 100644 index 00000000..8e23256f --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.log_source_management_module.rst @@ -0,0 +1,195 @@ +.. _ibm.qradar.log_source_management_module: + + +******************************** +ibm.qradar.log_source_management +******************************** + +**Manage Log Sources in QRadar** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_log_sources_management + + + +Synopsis +-------- +- This module allows for addition, deletion, or modification of Log Sources in QRadar + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ description + +
+ string + / required +
+
+ +
Description of log source
+
+
+ identifier + +
+ string + / required +
+
+ +
Log Source Identifier (Typically IP Address or Hostname of log source)
+
+
+ name + +
+ string + / required +
+
+ +
Name of Log Source
+
+
+ protocol_type_id + +
+ integer +
+
+ +
Type of protocol by id, as defined in QRadar Log Source Types Documentation
+
+
+ state + +
+ string + / required +
+
+
    Choices: +
  • present
  • +
  • absent
  • +
+
+
Add or remove a log source.
+
+
+ type_id + +
+ integer +
+
+ +
Type of resource by id, as defined in QRadar Log Source Types Documentation
+
+
+ type_name + +
+ string +
+
+ +
Type of resource by name
+
+
+ + +Notes +----- + +.. note:: + - Either ``type`` or ``type_id`` is required + + + +Examples +-------- + +.. code-block:: yaml + + - name: Add a snort log source to IBM QRadar + ibm.qradar.log_source_management: + name: "Snort logs" + type_name: "Snort Open Source IDS" + state: present + description: "Snort IDS remote logs from rsyslog" + identifier: "192.168.1.101" + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst new file mode 100644 index 00000000..2fde5b4e --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_action_module.rst @@ -0,0 +1,182 @@ +.. _ibm.qradar.offense_action_module: + + +************************* +ibm.qradar.offense_action +************************* + +**Take action on a QRadar Offense** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to assign, protect, follow up, set status, and assign closing reason to QRadar Offenses + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ assigned_to + +
+ string +
+
+ +
Assign to an user, the QRadar username should be provided
+
+
+ closing_reason + +
+ string +
+
+ +
Assign a predefined closing reason here, by name.
+
+
+ closing_reason_id + +
+ integer +
+
+ +
Assign a predefined closing reason here, by id.
+
+
+ follow_up + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Set or unset the flag to follow up on a QRadar Offense
+
+
+ id + +
+ integer + / required +
+
+ +
ID of Offense
+
+
+ protected + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Set or unset the flag to protect a QRadar Offense
+
+
+ status + +
+ string +
+
+
    Choices: +
  • open
  • +
  • OPEN
  • +
  • hidden
  • +
  • HIDDEN
  • +
  • closed
  • +
  • CLOSED
  • +
+
+
One of "open", "hidden" or "closed". (Either all lower case or all caps)
+
+
+ + +Notes +----- + +.. note:: + - Requires one of ``name`` or ``id`` be provided + - Only one of ``closing_reason`` or ``closing_reason_id`` can be provided + + + + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst new file mode 100644 index 00000000..ddf7a8ea --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_info_module.rst @@ -0,0 +1,333 @@ +.. _ibm.qradar.offense_info_module: + + +*********************** +ibm.qradar.offense_info +*********************** + +**Obtain information about one or many QRadar Offenses, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to obtain information about one or many QRadar Offenses, with filter options + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ assigned_to + +
+ string +
+
+ +
Obtain only information of Offenses assigned to a certain user
+
+
+ closing_reason + +
+ string +
+
+ +
Obtain only information of Offenses that were closed by a specific closing reason
+
+
+ closing_reason_id + +
+ integer +
+
+ +
Obtain only information of Offenses that were closed by a specific closing reason ID
+
+
+ follow_up + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Obtain only information of Offenses that are marked with the follow up flag
+
+
+ id + +
+ integer +
+
+ +
Obtain only information of the Offense with provided ID
+
+
+ name + +
+ string +
+
+ +
Obtain only information of the Offense that matches the provided name
+
+
+ protected + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Obtain only information of Offenses that are protected
+
+
+ status + +
+ string +
+
+
    Choices: +
  • open ←
  • +
  • OPEN
  • +
  • hidden
  • +
  • HIDDEN
  • +
  • closed
  • +
  • CLOSED
  • +
+
+
Obtain only information of Offenses of a certain status
+
+
+ + +Notes +----- + +.. note:: + - You may provide many filters and they will all be applied, except for ``id`` as that will return only + + + +Examples +-------- + +.. code-block:: yaml + + - name: Get list of all currently OPEN IBM QRadar Offenses + ibm.qradar.offense_info: + status: OPEN + register: offense_list + + - name: display offense information for debug purposes + debug: + var: offense_list + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ offenses + +
+ list + / elements=dictionary +
+
always +
Information
+
+
  +
+ qradar_offenses + +
+ complex +
+
always +
IBM QRadar Offenses found based on provided filters
+
+
   +
+ name + +
+ string +
+
always +
Name of the service.
+
+
Sample:
+
arp-ethers.service
+
   +
+ source + +
+ string +
+
always +
Init system of the service. One of systemd, sysv, upstart.
+
+
Sample:
+
sysv
+
   +
+ state + +
+ string +
+
always +
State of the service. Either running, stopped, or unknown.
+
+
Sample:
+
running
+
   +
+ status + +
+ string +
+
systemd systems or RedHat/SUSE flavored sysvinit/upstart +
State of the service. Either enabled, disabled, or unknown.
+
+
Sample:
+
enabled
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst new file mode 100644 index 00000000..a41e51ca --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.offense_note_module.rst @@ -0,0 +1,94 @@ +.. _ibm.qradar.offense_note_module: + + +*********************** +ibm.qradar.offense_note +*********************** + +**Create or update a QRadar Offense Note** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows to create a QRadar Offense note + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ id + +
+ integer + / required +
+
+ +
Offense ID to operate on
+
+
+ note_text + +
+ string + / required +
+
+ +
The note's text contents
+
+
+ + + + +Examples +-------- + +.. code-block:: yaml + + - name: Add a note to QRadar Offense ID 1 + ibm.qradar.offense_note: + id: 1 + note_text: This an example note entry that should be made on offense id 1 + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst new file mode 100644 index 00000000..bc657fd5 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_analytics_rules_module.rst @@ -0,0 +1,451 @@ +.. _ibm.qradar.qradar_analytics_rules_module: + + +********************************* +ibm.qradar.qradar_analytics_rules +********************************* + +**Qradar Analytics Rules Management resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for modification, deletion, and checking of Analytics Rules in QRadar + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ config + +
+ dictionary +
+
+ +
A dictionary of Qradar Analytics Rules options
+
+
+ enabled + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Check if the rule is enabled
+
+
+ fields + +
+ list + / elements=string +
+
+
    Choices: +
  • average_capacity
  • +
  • base_capacity
  • +
  • base_host_id
  • +
  • capacity_timestamp
  • +
  • creation_date
  • +
  • enabled
  • +
  • id
  • +
  • identifier
  • +
  • linked_rule_identifier
  • +
  • modification_date
  • +
  • name
  • +
  • origin
  • +
  • owner
  • +
  • type
  • +
+
+
List of params filtered from the Rule config
+
NOTE, this param is valid only via state GATHERED.
+
+
+ id + +
+ integer +
+
+ +
The sequence ID of the rule.
+
+
+ name + +
+ string +
+
+ +
The name of the rule.
+
+
+ owner + +
+ string +
+
+ +
Manage ownership of a QRadar Rule
+
+
+ range + +
+ string +
+
+ +
Parameter to restrict the number of elements that are returned in the list to a specified range.
+
NOTE, this param is valid only via state GATHERED.
+
+
+ state + +
+ string +
+
+
    Choices: +
  • merged
  • +
  • gathered
  • +
  • deleted
  • +
+
+
The state the configuration should be left in
+
The state gathered will get the module API configuration from the device and transform it into structured data in the format as per the module argspec and the value is returned in the gathered key within the result.
+
+
+ + + + +Examples +-------- + +.. code-block:: yaml + + # Using MERGED state + # ------------------- + + - name: DISABLE Rule 'Ansible Example DDoS Rule' + ibm.qradar.qradar_analytics_rules: + config: + name: 'Ansible Example DDOS Rule' + enabled: false + state: merged + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929682568 + # enabled: false + # id: 100443 + # identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c + # linked_rule_identifier: null + # modification_date: 1658929682567 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + # before: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929682568 + # enabled: true + # id: 100443 + # identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c + # linked_rule_identifier: null + # modification_date: 1658929682567 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + + # Using GATHERED state + # -------------------- + + - name: Get information about the Rule named "Ansible Example DDOS Rule" + ibm.qradar.qradar_analytics_rules: + config: + name: "Ansible Example DDOS Rule" + state: gathered + + # RUN output: + # ----------- + + # gathered: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658918848694 + # enabled: true + # id: 100443 + # identifier: d6d37942-ba28-438f-b909-120df643a992 + # linked_rule_identifier: null + # modification_date: 1658918848692 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + - name: Get information about the Rule with ID 100443 + ibm.qradar.qradar_analytics_rules: + config: + id: 100443 + state: gathered + + # RUN output: + # ----------- + + # gathered: + # average_capacity: null + # 
base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658918848694 + # enabled: true + # id: 100443 + # identifier: d6d37942-ba28-438f-b909-120df643a992 + # linked_rule_identifier: null + # modification_date: 1658918848692 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + - name: TO Get information about the Rule ID with a range + ibm.qradar.qradar_analytics_rules: + config: + range: 100300-100500 + fields: + - name + - origin + - owner + state: gathered + + # RUN output: + # ----------- + + # gathered: + # - name: Devices with High Event Rates + # origin: SYSTEM + # owner: admin + # - name: Excessive Database Connections + # origin: SYSTEM + # owner: admin + # - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts' + # origin: SYSTEM + # owner: admin + # - name: Excessive Firewall Denies from Single Source + # origin: SYSTEM + # owner: admin + # - name: 'AssetExclusion: Exclude DNS Name By IP' + # origin: SYSTEM + # owner: admin + # - name: 'AssetExclusion: Exclude DNS Name By MAC Address' + # origin: SYSTEM + # owner: admin + + - name: Delete custom Rule by NAME + ibm.qradar.qradar_analytics_rules: + config: + name: 'Ansible Example DDOS Rule' + state: deleted + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: {} + # before: + # average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929431239 + # enabled: true + # id: 100444 + # identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308 + # linked_rule_identifier: null + # modification_date: 1658929431238 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + # Using DELETED state + # ------------------- + + - name: Delete custom Rule by ID + ibm.qradar.qradar_analytics_rules: + config: + id: 100443 + state: deleted + + # RUN output: + # ----------- + + # qradar_analytics_rules: + # after: {} + # before: + # 
average_capacity: null + # base_capacity: null + # base_host_id: null + # capacity_timestamp: null + # creation_date: 1658929431239 + # enabled: true + # id: 100443 + # identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308 + # linked_rule_identifier: null + # modification_date: 1658929431238 + # name: Ansible Example DDOS Rule + # origin: USER + # owner: admin + # type: EVENT + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ after + +
+ dictionary +
+
when changed +
The configuration as structured data after module completion.
+
+
Sample:
+
The configuration returned will always be in the same format of the parameters above.
+
+
+ before + +
+ dictionary +
+
always +
The configuration as structured data prior to module invocation.
+
+
Sample:
+
The configuration returned will always be in the same format of the parameters above.
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@justjais) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst new file mode 100644 index 00000000..bd0729fc --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_httpapi.rst @@ -0,0 +1,43 @@ +.. _ibm.qradar.qradar_httpapi: + + +***************** +ibm.qradar.qradar +***************** + +**HttpApi Plugin for IBM QRadar** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This HttpApi plugin provides methods to connect to IBM QRadar over a HTTP(S)-based api. + + + + + + + + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Team (@ansible-security) + + +.. hint:: + Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst new file mode 100644 index 00000000..f8611f8d --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.qradar_log_sources_management_module.rst 
@@ -0,0 +1,922 @@ +.. _ibm.qradar.qradar_log_sources_management_module: + + +**************************************** +ibm.qradar.qradar_log_sources_management +**************************************** + +**Qradar Log Sources Management resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for addition, deletion, or modification of Log Sources in QRadar + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ config + +
+ list + / elements=dictionary +
+
+ +
A dictionary of Qradar Log Sources options
+
+
+ average_eps + +
+ integer +
+
+ +
The average events per second (EPS) rate of the log source over the last 60 seconds.
+
+
+ coalesce_events + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If events collected by this log source are coalesced based on common properties, the condition is set to 'true'. If each individual event is stored, then the condition is set to 'false'.
+
+
+ description + +
+ string +
+
+ +
Description of log source
+
+
+ enabled + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If the log source is enabled, the condition is set to 'true'; otherwise, the condition is set to 'false'.
+
+
+ gateway + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a stand-alone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline.
+
+
+ group_ids + +
+ list + / elements=string +
+
+ +
The set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group.
+
+
+ identifier + +
+ string +
+
+ +
Log Source Identifier (Typically IP Address or Hostname of log source)
+
+
+ internal + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If the log source is internal (when the log source type is defined as internal), the condition is set to 'true'.
+
+
+ language_id + +
+ integer +
+
+ +
The language of the events that are being processed by this log source. Must correspond to an existing log source language. Individual log source types can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure
+
+
+ name + +
+ string +
+
+ +
Name of Log Source
+
+
+ protocol_parameters + +
+ list + / elements=dictionary +
+
+ +
The set of protocol parameters
+
If not provided module will set the protocol parameters by itself
+
Note, parameter will come to use mostly in case when facts are gathered and fired with some modifications to params or in case of round trip scenarios.
+
+
+ id + +
+ integer +
+
+ +
The ID of the protocol type.
+
+
+ name + +
+ string +
+
+ +
The unique name of the protocol type.
+
+
+ value + +
+ string +
+
+ +
The allowed protocol value.
+
+
+ protocol_type_id + +
+ integer +
+
+ +
Type of protocol by id, as defined in QRadar Log Source Types Documentation
+
+
+ requires_deploy + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Set to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active.
+
+
+ status + +
+ dictionary +
+
+ +
The status of the log source.
+
+
+ last_updated + +
+ integer +
+
+ +
last_updated
+
+
+ messages + +
+ string +
+
+ +
last_updated
+
+
+ status + +
+ string +
+
+ +
last_updated
+
+
+ store_event_payload + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'.
+
+
+ target_event_collector_id + +
+ integer +
+
+ +
The ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector.
+
+
+ type_id + +
+ integer +
+
+ +
The type of the log source. Must correspond to an existing log source type.
+
+
+ type_name + +
+ string +
+
+ +
Type of resource by name
+
+
+ state + +
+ string +
+
+
    Choices: +
  • merged
  • +
  • replaced
  • +
  • gathered
  • +
  • deleted
  • +
+
+
The state the configuration should be left in
+
The state gathered will get the module API configuration from the device and transform it into structured data in the format as per the module argspec and the value is returned in the gathered key within the result.
+
+
+ + + + +Examples +-------- + +.. code-block:: yaml + + # Using MERGED state + # ------------------- + + - name: Add Snort n Apache log sources to IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + type_name: "Snort Open Source IDS" + description: "Snort IDS remote logs from rsyslog" + identifier: "192.0.2.1" + - name: "Apache HTTP Server logs" + type_name: "Apache HTTP Server" + description: "Apache HTTP Server remote logs from rsyslog" + identifier: "198.51.100.1" + state: merged + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311444 + # name: Snort logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311462 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 182 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311462 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 
198.51.100.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # before: [] + + # Using REPLACED state + # -------------------- + + - name: Replace existing Log sources to IBM QRadar + ibm.qradar.qradar_log_sources_management: + state: replaced + config: + - name: "Apache HTTP Server logs" + type_name: "Apache HTTP Server" + description: "REPLACED Apache HTTP Server remote logs from rsyslog" + identifier: "192.0.2.1" + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: REPLACED Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727944017 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # before: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311462 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 182 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654727311462 
+ # name: Apache HTTP Server logs + # protocol_parameters: + # - name: identifier + # value: 198.51.100.1 + # - name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + # Using GATHERED state + # -------------------- + + - name: Gather Snort n Apache log source from IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + - name: "Apache HTTP Server logs" + state: gathered + + # RUN output: + # ----------- + + # gathered: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103340 + # name: Snort logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103353 + # name: Apache HTTP Server logs + # 
protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + - name: TO Gather ALL log sources from IBM QRadar + tags: gather_log_all + ibm.qradar.qradar_log_sources_management: + state: gathered + + # Using DELETED state + # ------------------- + + - name: Delete Snort n Apache log source from IBM QRadar + ibm.qradar.qradar_log_sources_management: + config: + - name: "Snort logs" + - name: "Apache HTTP Server logs" + state: deleted + + # RUN output: + # ----------- + + # qradar_log_sources_management: + # after: [] + # before: + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727311444 + # credibility: 5 + # description: Snort IDS remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 181 + # internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103340 + # name: Snort logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 2 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + # - auto_discovered: false + # average_eps: 0 + # coalesce_events: true + # creation_date: 1654727944017 + # credibility: 5 + # description: Apache HTTP Server remote logs from rsyslog + # enabled: true + # gateway: false + # group_ids: + # - 0 + # id: 183 + # 
internal: false + # language_id: 1 + # last_event_time: 0 + # log_source_extension_id: null + # modified_date: 1654728103353 + # name: Apache HTTP Server logs + # protocol_parameters: + # - id: 0 + # name: identifier + # value: 192.0.2.1 + # - id: 1 + # name: incomingPayloadEncoding + # value: UTF-8 + # protocol_type_id: 0 + # requires_deploy: true + # status: + # last_updated: 0 + # messages: null + # status: NA + # store_event_payload: true + # target_event_collector_id: 7 + # type_id: 10 + # wincollect_external_destination_ids: null + # wincollect_internal_destination_id: null + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ after + +
+ list +
+
when changed +
The configuration as structured data after module completion.
+
+
Sample:
+
The configuration returned will always be in the same format of the parameters above.
+
+
+ before + +
+ list +
+
always +
The configuration as structured data prior to module invocation.
+
+
Sample:
+
The configuration returned will always be in the same format of the parameters above.
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@justjais) diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst new file mode 100644 index 00000000..ec4d9fc8 --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_info_module.rst @@ -0,0 +1,169 @@ +.. _ibm.qradar.rule_info_module: + + +******************** +ibm.qradar.rule_info +******************** + +**Obtain information about one or many QRadar Rules, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_analytics_rules + + + +Synopsis +-------- +- This module obtains information about one or many QRadar Rules, with filter options + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ id + +
+ integer +
+
+ +
Obtain only information of the Rule with provided ID
+
+
+ name + +
+ string +
+
+ +
Obtain only information of the Rule that matches the provided name
+
+
+ origin + +
+ string +
+
+
    Choices: +
  • SYSTEM
  • +
  • OVERRIDE
  • +
  • USER
  • +
+
+
Obtain only information of Rules that are of a certain origin
+
+
+ owner + +
+ string +
+
+ +
Obtain only information of Rules owned by a certain user
+
+
+ type + +
+ string +
+
+
    Choices: +
  • EVENT
  • +
  • FLOW
  • +
  • COMMON
  • +
  • USER
  • +
+
+
Obtain only information for the Rules of a certain type
+
+
+ + +Notes +----- + +.. note:: + - You may provide many filters and they will all be applied, except for ``id`` as that will return only the Rule identified by the unique ID provided. + + + +Examples +-------- + +.. code-block:: yaml + + - name: Get information about the Rule named "Custom Company DDoS Rule" + ibm.qradar.rule_info: + name: "Custom Company DDoS Rule" + register: custom_ddos_rule_info + + - name: debugging output of the custom_ddos_rule_info registered variable + debug: + var: custom_ddos_rule_info + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) " diff --git a/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst new file mode 100644 index 00000000..d6dae97c --- /dev/null +++ b/ansible_collections/ibm/qradar/docs/ibm.qradar.rule_module.rst @@ -0,0 +1,139 @@ +.. _ibm.qradar.rule_module: + + +*************** +ibm.qradar.rule +*************** + +**Manage state of QRadar Rules, with filter options** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: qradar_analytics_rules + + + +Synopsis +-------- +- Manage state of QRadar Rules, with filter options + + + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ id + +
+ integer +
+
+ +
Manage state of a QRadar Rule by ID
+
+
+ name + +
+ string +
+
+ +
Manage state of a QRadar Rule by name
+
+
+ owner + +
+ string +
+
+ +
Manage ownership of a QRadar Rule
+
+
+ state + +
+ string + / required +
+
+
    Choices: +
  • enabled
  • +
  • disabled
  • +
  • absent
  • +
+
+
Manage state of a QRadar Rule
+
+
+ + + + +Examples +-------- + +.. code-block:: yaml + + - name: Enable Rule 'Ansible Example DDoS Rule' + qradar_rule: + name: 'Ansible Example DDOS Rule' + state: enabled + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) -- cgit v1.2.3