diff options
Diffstat (limited to 'ansible_collections/splunk/es/docs')
10 files changed, 5066 insertions, 0 deletions
diff --git a/ansible_collections/splunk/es/docs/splunk.es.adaptive_response_notable_event_module.rst b/ansible_collections/splunk/es/docs/splunk.es.adaptive_response_notable_event_module.rst new file mode 100644 index 000000000..4f2462652 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.adaptive_response_notable_event_module.rst @@ -0,0 +1,390 @@ +.. _splunk.es.adaptive_response_notable_event_module: + + +***************************************** +splunk.es.adaptive_response_notable_event +***************************************** + +**Manage Splunk Enterprise Security Notable Event Adaptive Responses** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: splunk_adaptive_response_notable_events + + + +Synopsis +-------- +- This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>asset_extraction</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>src</b> ←</div></li> + <li><div style="color: blue"><b>dest</b> ←</div></li> + <li><div style="color: blue"><b>dvc</b> ←</div></li> + <li><div style="color: blue"><b>orig_host</b> ←</div></li> + </ul> + <b>Default:</b><br/><div style="color: blue">["src", "dest", "dvc", "orig_host"]</div> + </td> + <td> + <div>list of assets to extract, select any one or many of the available choices</div> + <div>defaults to all available choices</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>correlation_search_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of correlation search to associate this notable event adaptive response with</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>default_owner</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Default owner of the notable event, if unset it will default to Splunk System Defaults</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>default_status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>unassigned</li> + <li>new</li> + <li>in progress</li> + <li>pending</li> + <li>resolved</li> + <li>closed</li> + </ul> + </td> + <td> + <div>Default status of the notable event, if unset it will default to Splunk System Defaults</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of the notable event, this will populate the description field for the web console</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drill_down_earliest_offset</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"$info_min_time$"</div> + </td> + <td> + <div>Set the amount of time before the triggering event to search for related events. For example, 2h. Use "$info_min_time$" to set the drill-down time to match the earliest time of the search</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drill_down_latest_offset</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"$info_max_time$"</div> + </td> + <td> + <div>Set the amount of time after the triggering event to search for related events. For example, 1m. Use "$info_max_time$" to set the drill-down time to match the latest time of the search</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drill_down_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Name for drill down search, Supports variable substitution with fields from the matching event.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drill_down_search</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Drill down search, Supports variable substitution with fields from the matching event.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>identity_extraction</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>user</b> ←</div></li> + <li><div style="color: blue"><b>src_user</b> ←</div></li> + </ul> + <b>Default:</b><br/><div style="color: blue">["user", "src_user"]</div> + </td> + <td> + <div>list of identity fields to extract, select any one or many of the available choices</div> + <div>defaults to all available choices</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>investigation_profiles</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Investigation profile to assiciate the notable event with.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of notable event</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>next_steps</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>List of adaptive responses that should be run next</div> + <div>Describe next steps and response actions that an analyst could take to address this threat.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>recommended_actions</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>List of adaptive responses that are recommended to be run next</div> + <div>Identifying Recommended Adaptive Responses will highlight those actions for the analyst when looking at the list of response actions available, making it easier to find them among the longer list of available actions.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>security_domain</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>access</li> + <li>endpoint</li> + <li>network</li> + <li><div style="color: blue"><b>threat</b> ←</div></li> + <li>identity</li> + <li>audit</li> + </ul> + </td> + <td> + <div>Splunk Security Domain</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>severity</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>informational</li> + <li>low</li> + <li>medium</li> + <li><div style="color: blue"><b>high</b> ←</div></li> + <li>critical</li> + <li>unknown</li> + </ul> + </td> + <td> + <div>Severity rating</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>present</li> + <li>absent</li> + </ul> + </td> + <td> + <div>Add or remove a data source.</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Example of using splunk.es.adaptive_response_notable_event module + splunk.es.adaptive_response_notable_event: + name: "Example notable event from Ansible" + correlation_search_name: "Example Correlation Search From Ansible" + description: "Example notable event from Ansible, description." + state: "present" + next_steps: + - ping + - nslookup + recommended_actions: + - script + - ansiblesecurityautomation + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.correlation_search_info_module.rst b/ansible_collections/splunk/es/docs/splunk.es.correlation_search_info_module.rst new file mode 100644 index 000000000..993d65637 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.correlation_search_info_module.rst @@ -0,0 +1,81 @@ +.. _splunk.es.correlation_search_info_module: + + +********************************* +splunk.es.correlation_search_info +********************************* + +**Manage Splunk Enterprise Security Correlation Searches** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for the query of Splunk Enterprise Security Correlation Searches + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of coorelation search</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Example usage of splunk.es.correlation_search_info + splunk.es.correlation_search_info: + name: "Name of correlation search" + register: scorrelation_search_info + + - name: debug display information gathered + debug: + var: scorrelation_search_info + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.correlation_search_module.rst b/ansible_collections/splunk/es/docs/splunk.es.correlation_search_module.rst new file mode 100644 index 000000000..bde5ed420 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.correlation_search_module.rst @@ -0,0 +1,398 @@ +.. _splunk.es.correlation_search_module: + + +**************************** +splunk.es.correlation_search +**************************** + +**Manage Splunk Enterprise Security Correlation Searches** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: splunk_correlation_searches + + + +Synopsis +-------- +- This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>app</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"SplunkEnterpriseSecuritySuite"</div> + </td> + <td> + <div>Splunk app to associate the correlation seach with</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>cron_schedule</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"*/5 * * * *"</div> + </td> + <td> + <div>Enter a cron-style schedule.</div> + <div>For example <code>'*/5 * * * *'</code> (every 5 minutes) or <code>'0 21 * * *'</code> (every day at 9 PM).</div> + <div>Real-time searches use a default schedule of <code>'*/5 * * * *'</code>.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of the coorelation search, this will populate the description field for the web console</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of coorelation search</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>schedule_priority</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>Default</b> ←</div></li> + <li>Higher</li> + <li>Highest</li> + </ul> + </td> + <td> + <div>Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>schedule_window</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"0"</div> + </td> + <td> + <div>Let report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>scheduling</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>real-time</b> ←</div></li> + <li>continuous</li> + </ul> + </td> + <td> + <div>Controls the way the scheduler computes the next execution time of a scheduled search.</div> + <div>Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>search</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>SPL search string</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>present</li> + <li>absent</li> + <li>enabled</li> + <li>disabled</li> + </ul> + </td> + <td> + <div>Add, remove, enable, or disiable a correlation search.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>suppress_alerts</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>To suppress alerts from this correlation search or not</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>throttle_fields_to_group_by</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Type the fields to consider for matching events for throttling.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>throttle_window_duration</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>How much time to ignore other events that match the field values specified in Fields to group by.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_earliest</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"-24h"</div> + </td> + <td> + <div>Earliest time using relative time modifiers.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_latest</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"now"</div> + </td> + <td> + <div>Latest time using relative time modifiers.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>number of events</b> ←</div></li> + <li>number of results</li> + <li>number of hosts</li> + <li>number of sources</li> + </ul> + </td> + <td> + <div>Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when_condition</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>greater than</b> ←</div></li> + <li>less than</li> + <li>equal to</li> + <li>not equal to</li> + <li>drops by</li> + <li>rises by</li> + </ul> + </td> + <td> + <div>Conditional to pass to <code>trigger_alert_when</code></div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when_value</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"10"</div> + </td> + <td> + <div>Value to pass to <code>trigger_alert_when</code></div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ui_dispatch_context</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.</div> + </td> + </tr> + </table> + <br/> + + +Notes +----- + +.. note:: + - The following options are not yet supported: throttle_window_duration, throttle_fields_to_group_by, and adaptive_response_actions + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Example of creating a correlation search with splunk.es.coorelation_search + splunk.es.correlation_search: + name: "Example Coorelation Search From Ansible" + description: "Example Coorelation Search From Ansible, description." + search: 'source="/var/log/snort.log"' + state: "present" + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.data_input_monitor_module.rst b/ansible_collections/splunk/es/docs/splunk.es.data_input_monitor_module.rst new file mode 100644 index 000000000..e4b7beb00 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.data_input_monitor_module.rst @@ -0,0 +1,370 @@ +.. _splunk.es.data_input_monitor_module: + + +**************************** +splunk.es.data_input_monitor +**************************** + +**Manage Splunk Data Inputs of type Monitor** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: splunk_data_inputs_monitor + + + +Synopsis +-------- +- This module allows for addition or deletion of File and Directory Monitor Data Inputs in Splunk. + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>blacklist</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>check_index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, the index value is checked to ensure that it is the name of a valid index.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>check_path</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, the name value is checked to ensure that it exists.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>crc_salt</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>A string that modifies the file tracking identity for files in this input. The magic value <SOURCE> invokes special behavior (see admin documentation).</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>disabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>Indicates if input monitoring is disabled.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>followTail</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, files that are seen for the first time is read from the end.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The value to populate in the host field for events from this data input.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host_regex</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host_segment</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Use the specified slash-separate segment of the filepath as the host field value.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ignore_older_than</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Which index events from this input should be stored in. Defaults to default.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>The file or directory path to monitor on the system.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>recursive</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>Setting this to False prevents monitoring of any subdirectories encountered within this data input.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>rename_source</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>sourcetype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The value to populate in the sourcetype field for incoming events.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>present</li> + <li>absent</li> + </ul> + </td> + <td> + <div>Add or remove a data source.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_before_close</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>whitelist</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Example adding data input monitor with splunk.es.data_input_monitor + splunk.es.data_input_monitor: + name: "/var/log/example.log" + state: "present" + recursive: True + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.data_input_network_module.rst b/ansible_collections/splunk/es/docs/splunk.es.data_input_network_module.rst new file mode 100644 index 000000000..fb48a05d7 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.data_input_network_module.rst @@ -0,0 +1,309 @@ +.. _splunk.es.data_input_network_module: + + +**************************** +splunk.es.data_input_network +**************************** + +**Manage Splunk Data Inputs of type TCP or UDP** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + +DEPRECATED +---------- +:Removed in collection release after 2024-09-01 +:Why: Newer and updated modules released with more functionality. +:Alternative: splunk_data_inputs_network + + + +Synopsis +-------- +- This module allows for addition or deletion of TCP and UDP Data Inputs in Splunk. + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>connection_host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>ip</b> ←</div></li> + <li>dns</li> + <li>none</li> + </ul> + </td> + <td> + <div>Set the host for the remote server that is sending data.</div> + <div><code>ip</code> sets the host to the IP address of the remote server sending data.</div> + <div><code>dns</code> sets the host to the reverse DNS entry for the IP address of the remote server sending data.</div> + <div><code>none</code> leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>datatype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>cooked</li> + <li><div style="color: blue"><b>raw</b> ←</div></li> + </ul> + </td> + <td> + <div>Forwarders can transmit three types of data: raw, unparsed, or parsed. <code>cooked</code> data refers to parsed and unparsed formats.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Host from which the indexer gets data.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>default Index to store generated events.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>The input port which receives raw data.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protocol</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>tcp</li> + <li>udp</li> + </ul> + </td> + <td> + <div>Choose between tcp or udp</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>queue</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>parsingQueue</b> ←</div></li> + <li>indexQueue</li> + </ul> + </td> + <td> + <div>Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.</div> + <div>Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at "Monitor files and directories with inputs.conf"</div> + <div>Set queue to indexQueue to send your data directly into the index.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>rawTcpDoneTimeout</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">10</div> + </td> + <td> + <div>Specifies in seconds the timeout value for adding a Done-key.</div> + <div>If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>restrictToHost</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Allows for restricting this input to only accept data from the host specified here.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>source</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Sets the source key/field for events from this input. Defaults to the input file path.</div> + <div>Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.</div> + <div>Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>sourcetype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Set the source type for events from this input.</div> + <div>"sourcetype=" is automatically prepended to <string>.</div> + <div>Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False).</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ssl</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Enable or disble ssl for the data stream</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>present</b> ←</div></li> + <li>absent</li> + <li>enabled</li> + <li>disable</li> + </ul> + </td> + <td> + <div>Enable, disable, create, or destroy</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + - name: Example adding data input network with splunk.es.data_input_network + splunk.es.data_input_network: + name: "8099" + protocol: "tcp" + state: "present" + + + + +Status +------ + + +- This module will be removed in a release after 2024-09-01. *[deprecated]* +- For more information see `DEPRECATED`_. + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.splunk_adaptive_response_notable_events_module.rst b/ansible_collections/splunk/es/docs/splunk.es.splunk_adaptive_response_notable_events_module.rst new file mode 100644 index 000000000..4838de449 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.splunk_adaptive_response_notable_events_module.rst @@ -0,0 +1,846 @@ +.. _splunk.es.splunk_adaptive_response_notable_events_module: + + +************************************************* +splunk.es.splunk_adaptive_response_notable_events +************************************************* + +**Manage Adaptive Responses notable events resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search +- Tested against Splunk Enterprise Server 8.2.3 + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="3">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Configure file and directory monitoring on the system</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>correlation_search_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of correlation search to associate this notable event adaptive response with</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>default_owner</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Default owner of the notable event, if unset it will default to Splunk System Defaults</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>default_status</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>unassigned</li> + <li>new</li> + <li>in progress</li> + <li>pending</li> + <li>resolved</li> + <li>closed</li> + </ul> + </td> + <td> + <div>Default status of the notable event, if unset it will default to Splunk System Defaults</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of the notable event, this will populate the description field for the web console</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drilldown_earliest_offset</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"$info_min_time$"</div> + </td> + <td> + <div>Set the amount of time before the triggering event to search for related events. For example, 2h. Use '$info_min_time$' to set the drill-down time to match the earliest time of the search</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drilldown_latest_offset</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"$info_max_time$"</div> + </td> + <td> + <div>Set the amount of time after the triggering event to search for related events. For example, 1m. Use '$info_max_time$' to set the drill-down time to match the latest time of the search</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drilldown_name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Name for drill down search, Supports variable substitution with fields from the matching event.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>drilldown_search</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Drill down search, Supports variable substitution with fields from the matching event.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>extract_artifacts</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Assets and identities to be extracted</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>asset</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>src</li> + <li>dest</li> + <li>dvc</li> + <li>orig_host</li> + </ul> + </td> + <td> + <div>list of assets to extract, select any one or many of the available choices</div> + <div>defaults to all available choices</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>file</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>list of files to extract</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>identity</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>user</li> + <li>src_user</li> + <li>src_user_id</li> + <li>user_id</li> + <li>src_user_role</li> + <li>user_role</li> + <li>vendor_account</li> + </ul> + </td> + <td> + <div>list of identity fields to extract, select any one or many of the available choices</div> + <div>defaults to 'user' and 'src_user'</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>url</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>list of URLs to extract</div> + </td> + </tr> + + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>investigation_profiles</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Investigation profile to associate the notable event with.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of notable event</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>next_steps</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>List of adaptive responses that should be run next</div> + <div>Describe next steps and response actions that an analyst could take to address this threat.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>recommended_actions</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>List of adaptive responses that are recommended to be run next</div> + <div>Identifying Recommended Adaptive Responses will highlight those actions for the analyst when looking at the list of response actions available, making it easier to find them among the longer list of available actions.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>security_domain</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>access</li> + <li>endpoint</li> + <li>network</li> + <li><div style="color: blue"><b>threat</b> ←</div></li> + <li>identity</li> + <li>audit</li> + </ul> + </td> + <td> + <div>Splunk Security Domain</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>severity</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>informational</li> + <li>low</li> + <li>medium</li> + <li><div style="color: blue"><b>high</b> ←</div></li> + <li>critical</li> + <li>unknown</li> + </ul> + </td> + <td> + <div>Severity rating</div> + </td> + </tr> + + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>running_config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The <em>running_config</em> argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command.</div> + </td> + </tr> + <tr> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>merged</b> ←</div></li> + <li>replaced</li> + <li>deleted</li> + <li>gathered</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using gathered + # -------------- + + - name: Gather adaptive response notable events config + splunk.es.splunk_adaptive_response_notable_events: + config: + - correlation_search_name: Ansible Test + - correlation_search_name: Ansible Test 2 + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "correlation_search_name": "Ansible Test", + # "description": "test notable event", + # "drilldown_earliest_offset": "$info_min_time$", + # "drilldown_latest_offset": "$info_max_time$", + # "drilldown_name": "test_drill_name", + # "drilldown_search": "test_drill", + # "extract_artifacts": { + # "asset": [ + # "src", + # "dest", + # "dvc", + # "orig_host" + # ], + # "identity": [ + # "src_user", + # "user", + # "src_user_id", + # "src_user_role", + # "user_id", + # "user_role", + # "vendor_account" + # ] + # }, + # "investigation_profiles": [ + # "test profile 1", + # "test profile 2", + # "test profile 3" + # ], + # "next_steps": [ + # "makestreams", + # "nbtstat", + # "nslookup" + # ], + # "name": "ansible_test_notable", + # "recommended_actions": [ + # "email", + # "logevent", + # "makestreams", + # "nbtstat" + # ], + # "security_domain": "threat", + # "severity": "high" + # }, + # { } # there is no configuration associated with "/var" + # ] + + # Using merged + # ------------ + + - name: Example to add config + splunk.es.splunk_adaptive_response_notable_events: + config: + - correlation_search_name: Ansible Test + description: test notable event + drilldown_earliest_offset: $info_min_time$ + drilldown_latest_offset: $info_max_time$ + extract_artifacts: + asset: + - src + - dest + identity: + - src_user + - user + - src_user_id + next_steps: + - makestreams + name: ansible_test_notable + recommended_actions: + - email + - logevent + security_domain: threat + severity: high + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "correlation_search_name": "Ansible Test", + # "description": "test notable event", + # "drilldown_earliest_offset": "$info_min_time$", + # "drilldown_latest_offset": "$info_max_time$", + # "drilldown_name": "test_drill_name", + # "drilldown_search": "test_drill", + # "extract_artifacts": { + # "asset": [ + # "src", + # "dest", + # "dvc", + # "orig_host" + # ], + # "identity": [ + # "src_user", + # "user", + # "src_user_id", + # "src_user_role", + # "user_id", + # "user_role", + # "vendor_account" + # ] + # }, + # "investigation_profiles": [ + # "test profile 1", + # "test profile 2", + # "test profile 3" + # ], + # "next_steps": [ + # "makestreams", + # "nbtstat", + # "nslookup" + # ], + # "name": "ansible_test_notable", + # "recommended_actions": [ + # "email", + # "logevent", + # "makestreams", + # "nbtstat" + # ], + # "security_domain": "threat", + # "severity": "high" + # } + # ], + # "before": [], + + # Using replaced + # -------------- + + - name: Example to Replace the config + splunk.es.splunk_adaptive_response_notable_events: + config: + - correlation_search_name: Ansible Test + description: test notable event + drilldown_earliest_offset: $info_min_time$ + drilldown_latest_offset: $info_max_time$ + extract_artifacts: + asset: + - src + - dest + identity: + - src_user + - user + - src_user_id + next_steps: + - makestreams + name: ansible_test_notable + recommended_actions: + - email + - logevent + security_domain: threat + severity: high + state: replaced + + # RUN output: + # ----------- + + # "after": [ + # { + # "correlation_search_name": "Ansible Test", + # "description": "test notable event", + # "drilldown_earliest_offset": "$info_min_time$", + # "drilldown_latest_offset": "$info_max_time$", + # "extract_artifacts": { + # "asset": [ + # "src", + # "dest" + # ], + # "identity": [ + # "src_user", + # "user", + # "src_user_id" + # ] + # }, + # "next_steps": [ + # "makestreams" + # ], + # "name": "ansible_test_notable", + # "recommended_actions": [ + # "email", + # "logevent" + # ], + # "security_domain": "threat", + # "severity": "high" + # } + # ], + # "before": [ + # { + # "correlation_search_name": "Ansible Test", + # "description": "test notable event", + # "drilldown_earliest_offset": "$info_min_time$", + # "drilldown_latest_offset": "$info_max_time$", + # "drilldown_name": "test_drill_name", + # "drilldown_search": "test_drill", + # "extract_artifacts": { + # "asset": [ + # "src", + # "dest", + # "dvc", + # "orig_host" + # ], + # "identity": [ + # "src_user", + # "user", + # "src_user_id", + # "src_user_role", + # "user_id", + # "user_role", + # "vendor_account" + # ] + # }, + # "investigation_profiles": [ + # "test profile 1", + # "test profile 2", + # "test profile 3" + # ], + # "next_steps": [ + # "makestreams", + # "nbtstat", + # "nslookup" + # ], + # "name": "ansible_test_notable", + # "recommended_actions": [ + # "email", + # "logevent", + # "makestreams", + # "nbtstat" + # ], + # "security_domain": "threat", + # "severity": "high" + # } + # ], + + # USING DELETED + # ------------- + + - name: Example to remove the config + splunk.es.splunk_adaptive_response_notable_events: + config: + - correlation_search_name: Ansible Test + state: deleted + + # RUN output: + # ----------- + + # "after": [], + # "before": [ + # { + # "correlation_search_name": "Ansible Test", + # "description": "test notable event", + # "drilldown_earliest_offset": "$info_min_time$", + # "drilldown_latest_offset": "$info_max_time$", + # "drilldown_name": "test_drill_name", + # "drilldown_search": "test_drill", + # "extract_artifacts": { + # "asset": [ + # "src", + # "dest", + # "dvc", + # "orig_host" + # ], + # "identity": [ + # "src_user", + # "user", + # "src_user_id", + # "src_user_role", + # "user_id", + # "user_role", + # "vendor_account" + # ] + # }, + # "investigation_profiles": [ + # "test profile 1", + # "test profile 2", + # "test profile 3" + # ], + # "next_steps": [ + # "makestreams", + # "nbtstat", + # "nslookup" + # ], + # "name": "ansible_test_notable", + # "recommended_actions": [ + # "email", + # "logevent", + # "makestreams", + # "nbtstat" + # ], + # "security_domain": "threat", + # "severity": "high" + # } + # ] + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The configuration as structured data after module completion.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>always</td> + <td> + <div>The configuration as structured data prior to module invocation.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>gathered</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td>when state is <em>gathered</em></td> + <td> + <div>Facts about the network resource gathered from the remote device as structured data.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">This output will always be in the same format as the module argspec.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.splunk_correlation_searches_module.rst b/ansible_collections/splunk/es/docs/splunk.es.splunk_correlation_searches_module.rst new file mode 100644 index 000000000..76295b5dd --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.splunk_correlation_searches_module.rst @@ -0,0 +1,1061 @@ +.. _splunk.es.splunk_correlation_searches_module: + + +************************************* +splunk.es.splunk_correlation_searches +************************************* + +**Splunk Enterprise Security Correlation searches resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allows for creation, deletion, and modification of Splunk Enterprise Security correlation searches +- Tested against Splunk Enterprise Server v8.2.3 with Splunk Enterprise Security v7.0.1 installed on it. + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="4">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="4"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Configure file and directory monitoring on the system</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>annotations</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Add context from industry standard cyber security mappings in Splunk Enterprise Security or custom annotations</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>cis20</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify CIS20 annotations</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>custom</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify custom framework and custom annotations</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>custom_annotations</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify annotations associated with custom framework</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>framework</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify annotation framework</div> + </td> + </tr> + + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>kill_chain_phases</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify Kill 10 annotations</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>mitre_attack</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify MITRE ATTACK annotations</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td class="elbow-placeholder"></td> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>nist</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify NIST annotations</div> + </td> + </tr> + + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>app</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"SplunkEnterpriseSecuritySuite"</div> + </td> + <td> + <div>Splunk app to associate the correlation seach with</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>cron_schedule</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"*/5 * * * *"</div> + </td> + <td> + <div>Enter a cron-style schedule.</div> + <div>For example <code>'*/5 * * * *'</code> (every 5 minutes) or <code>'0 21 * * *'</code> (every day at 9 PM).</div> + <div>Real-time searches use a default schedule of <code>'*/5 * * * *'</code>.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>description</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Description of the coorelation search, this will populate the description field for the web console</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>disabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>Disable correlation search</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>Name of correlation search</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>schedule_priority</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>default</b> ←</div></li> + <li>higher</li> + <li>highest</li> + </ul> + </td> + <td> + <div>Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>schedule_window</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"0"</div> + </td> + <td> + <div>Let report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>scheduling</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>realtime</b> ←</div></li> + <li>continuous</li> + </ul> + </td> + <td> + <div>Controls the way the scheduler computes the next execution time of a scheduled search.</div> + <div>Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>search</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>SPL search string</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>suppress_alerts</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>To suppress alerts from this correlation search or not</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>throttle_fields_to_group_by</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=string</span> + </div> + </td> + <td> + </td> + <td> + <div>Type the fields to consider for matching events for throttling.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>throttle_window_duration</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>How much time to ignore other events that match the field values specified in Fields to group by.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_earliest</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"-24h"</div> + </td> + <td> + <div>Earliest time using relative time modifiers.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_latest</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"now"</div> + </td> + <td> + <div>Latest time using relative time modifiers.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>once</b> ←</div></li> + <li>for each result</li> + </ul> + </td> + <td> + <div>Notable response actions and risk response actions are always triggered for each result. Choose whether the trigger is activated once or for each result.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>number of events</b> ←</div></li> + <li>number of results</li> + <li>number of hosts</li> + <li>number of sources</li> + </ul> + </td> + <td> + <div>Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when_condition</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>greater than</b> ←</div></li> + <li>less than</li> + <li>equal to</li> + <li>not equal to</li> + <li>drops by</li> + <li>rises by</li> + </ul> + </td> + <td> + <div>Conditional to pass to <code>trigger_alert_when</code></div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>trigger_alert_when_value</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"10"</div> + </td> + <td> + <div>Value to pass to <code>trigger_alert_when</code></div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="3"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ui_dispatch_context</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.</div> + </td> + </tr> + + <tr> + <td colspan="4"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>running_config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The <em>running_config</em> argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command.</div> + </td> + </tr> + <tr> + <td colspan="4"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>merged</b> ←</div></li> + <li>replaced</li> + <li>deleted</li> + <li>gathered</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using gathered + # -------------- + + - name: Gather correlation searches config + splunk.es.splunk_correlation_searches: + config: + - name: Ansible Test + - name: Ansible Test 2 + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "annotations": { + # "cis20": [ + # "test1" + # ], + # "custom": [ + # { + # "custom_annotations": [ + # "test5" + # ], + # "framework": "test_framework" + # } + # ], + # "kill_chain_phases": [ + # "test3" + # ], + # "mitre_attack": [ + # "test2" + # ], + # "nist": [ + # "test4" + # ] + # }, + # "app": "DA-ESS-EndpointProtection", + # "cron_schedule": "*/5 * * * *", + # "description": "test description", + # "disabled": false, + # "name": "Ansible Test", + # "schedule_priority": "default", + # "schedule_window": "0", + # "scheduling": "realtime", + # "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + # 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + # 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + # 'n.src" as "src" | where "count">=6', + # "suppress_alerts": false, + # "throttle_fields_to_group_by": [ + # "test_field1" + # ], + # "throttle_window_duration": "5s", + # "time_earliest": "-24h", + # "time_latest": "now", + # "trigger_alert": "once", + # "trigger_alert_when": "number of events", + # "trigger_alert_when_condition": "greater than", + # "trigger_alert_when_value": "10", + # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" + # } + # ] + + # Using merged + # ------------ + + - name: Merge and create new correlation searches configuration + splunk.es.splunk_correlation_searches: + config: + - name: Ansible Test + disabled: false + description: test description + app: DA-ESS-EndpointProtection + annotations: + cis20: + - test1 + mitre_attack: + - test2 + kill_chain_phases: + - test3 + nist: + - test4 + custom: + - framework: test_framework + custom_annotations: + - test5 + ui_dispatch_context: SplunkEnterpriseSecuritySuite + time_earliest: -24h + time_latest: now + cron_schedule: "*/5 * * * *" + scheduling: realtime + schedule_window: "0" + schedule_priority: default + trigger_alert: once + trigger_alert_when: number of events + trigger_alert_when_condition: greater than + trigger_alert_when_value: "10" + throttle_window_duration: 5s + throttle_fields_to_group_by: + - test_field1 + suppress_alerts: False + search: > + '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + 'n.src" as "src" | where "count">=6' + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "annotations": { + # "cis20": [ + # "test1" + # ], + # "custom": [ + # { + # "custom_annotations": [ + # "test5" + # ], + # "framework": "test_framework" + # } + # ], + # "kill_chain_phases": [ + # "test3" + # ], + # "mitre_attack": [ + # "test2" + # ], + # "nist": [ + # "test4" + # ] + # }, + # "app": "DA-ESS-EndpointProtection", + # "cron_schedule": "*/5 * * * *", + # "description": "test description", + # "disabled": false, + # "name": "Ansible Test", + # "schedule_priority": "default", + # "schedule_window": "0", + # "scheduling": "realtime", + # "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + # 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + # 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + # 'n.src" as "src" | where "count">=6', + # "suppress_alerts": false, + # "throttle_fields_to_group_by": [ + # "test_field1" + # ], + # "throttle_window_duration": "5s", + # "time_earliest": "-24h", + # "time_latest": "now", + # "trigger_alert": "once", + # "trigger_alert_when": "number of events", + # "trigger_alert_when_condition": "greater than", + # "trigger_alert_when_value": "10", + # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" + # }, + # ], + # "before": [], + + # Using replaced + # -------------- + + - name: Replace existing correlation searches configuration + splunk.es.splunk_correlation_searches: + state: replaced + config: + - name: Ansible Test + disabled: false + description: test description + app: SplunkEnterpriseSecuritySuite + annotations: + cis20: + - test1 + - test2 + mitre_attack: + - test3 + - test4 + kill_chain_phases: + - test5 + - test6 + nist: + - test7 + - test8 + custom: + - framework: test_framework2 + custom_annotations: + - test9 + - test10 + ui_dispatch_context: SplunkEnterpriseSecuritySuite + time_earliest: -24h + time_latest: now + cron_schedule: "*/5 * * * *" + scheduling: continuous + schedule_window: auto + schedule_priority: default + trigger_alert: once + trigger_alert_when: number of events + trigger_alert_when_condition: greater than + trigger_alert_when_value: 10 + throttle_window_duration: 5s + throttle_fields_to_group_by: + - test_field1 + - test_field2 + suppress_alerts: True + search: > + '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + 'n.src" as "src" | where "count">=6' + + # RUN output: + # ----------- + + # "after": [ + # { + # "annotations": { + # "cis20": [ + # "test1", + # "test2" + # ], + # "custom": [ + # { + # "custom_annotations": [ + # "test9", + # "test10" + # ], + # "framework": "test_framework2" + # } + # ], + # "kill_chain_phases": [ + # "test5", + # "test6" + # ], + # "mitre_attack": [ + # "test3", + # "test4" + # ], + # "nist": [ + # "test7", + # "test8" + # ] + # }, + # "app": "SplunkEnterpriseSecuritySuite", + # "cron_schedule": "*/5 * * * *", + # "description": "test description", + # "disabled": false, + # "name": "Ansible Test", + # "schedule_priority": "default", + # "schedule_window": "auto", + # "scheduling": "continuous", + # "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + # 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + # 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + # 'n.src" as "src" | where "count">=6', + # "suppress_alerts": true, + # "throttle_fields_to_group_by": [ + # "test_field1", + # "test_field2" + # ], + # "throttle_window_duration": "5s", + # "time_earliest": "-24h", + # "time_latest": "now", + # "trigger_alert": "once", + # "trigger_alert_when": "number of events", + # "trigger_alert_when_condition": "greater than", + # "trigger_alert_when_value": "10", + # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" + # } + # ], + # "before": [ + # { + # "annotations": { + # "cis20": [ + # "test1" + # ], + # "custom": [ + # { + # "custom_annotations": [ + # "test5" + # ], + # "framework": "test_framework" + # } + # ], + # "kill_chain_phases": [ + # "test3" + # ], + # "mitre_attack": [ + # "test2" + # ], + # "nist": [ + # "test4" + # ] + # }, + # "app": "DA-ESS-EndpointProtection", + # "cron_schedule": "*/5 * * * *", + # "description": "test description", + # "disabled": false, + # "name": "Ansible Test", + # "schedule_priority": "default", + # "schedule_window": "0", + # "scheduling": "realtime", + # "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + # 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + # 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + # 'n.src" as "src" | where "count">=6', + # "suppress_alerts": false, + # "throttle_fields_to_group_by": [ + # "test_field1" + # ], + # "throttle_window_duration": "5s", + # "time_earliest": "-24h", + # "time_latest": "now", + # "trigger_alert": "once", + # "trigger_alert_when": "number of events", + # "trigger_alert_when_condition": "greater than", + # "trigger_alert_when_value": "10", + # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" + # } + # ] + + # Using deleted + # ------------- + + - name: Example to delete the corelation search + splunk.es.splunk_correlation_searches: + config: + - name: Ansible Test + state: deleted + + # RUN output: + # ----------- + + # "after": [], + # "before": [ + # { + # "annotations": { + # "cis20": [ + # "test1" + # ], + # "custom": [ + # { + # "custom_annotations": [ + # "test5" + # ], + # "framework": "test_framework" + # } + # ], + # "kill_chain_phases": [ + # "test3" + # ], + # "mitre_attack": [ + # "test2" + # ], + # "nist": [ + # "test4" + # ] + # }, + # "app": "DA-ESS-EndpointProtection", + # "cron_schedule": "*/5 * * * *", + # "description": "test description", + # "disabled": false, + # "name": "Ansible Test", + # "schedule_priority": "default", + # "schedule_window": "0", + # "scheduling": "realtime", + # "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent' + # 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai' + # 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio' + # 'n.src" as "src" | where "count">=6', + # "suppress_alerts": false, + # "throttle_fields_to_group_by": [ + # "test_field1" + # ], + # "throttle_window_duration": "5s", + # "time_earliest": "-24h", + # "time_latest": "now", + # "trigger_alert": "once", + # "trigger_alert_when": "number of events", + # "trigger_alert_when_condition": "greater than", + # "trigger_alert_when_value": "10", + # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" + # }, + # ], + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The configuration as structured data after module completion.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>always</td> + <td> + <div>The configuration as structured data prior to module invocation.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>gathered</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td>when state is <em>gathered</em></td> + <td> + <div>Facts about the network resource gathered from the remote device as structured data.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">This output will always be in the same format as the module argspec.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_monitor_module.rst b/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_monitor_module.rst new file mode 100644 index 000000000..54cb445ea --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_monitor_module.rst @@ -0,0 +1,603 @@ +.. _splunk.es.splunk_data_inputs_monitor_module: + + +************************************ +splunk.es.splunk_data_inputs_monitor +************************************ + +**Splunk Data Inputs of type Monitor resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- Module to add/modify or delete, File and Directory Monitor Data Inputs in Splunk. +- Tested against Splunk Enterprise Server 8.2.3 + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="2">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Configure file and directory monitoring on the system</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>blacklist</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>check_index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, the index value is checked to ensure that it is the name of a valid index.</div> + <div>This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>check_path</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, the name value is checked to ensure that it exists.</div> + <div>This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>crc_salt</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>A string that modifies the file tracking identity for files in this input. The magic value <SOURCE> invokes special behavior (see admin documentation).</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>disabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>no</b> ←</div></li> + <li>yes</li> + </ul> + </td> + <td> + <div>Indicates if input monitoring is disabled.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>follow_tail</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to <code>True</code>, files that are seen for the first time is read from the end.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"$decideOnStartup"</div> + </td> + <td> + <div>The value to populate in the host field for events from this data input.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host_regex</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host_segment</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Use the specified slash-separate segment of the filepath as the host field value.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ignore_older_than</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.</div> + <div>This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <b>Default:</b><br/><div style="color: blue">"default"</div> + </td> + <td> + <div>Which index events from this input should be stored in. Defaults to default.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>The file or directory path to monitor on the system.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>recursive</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Setting this to False prevents monitoring of any subdirectories encountered within this data input.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>rename_source</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.</div> + <div>This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>sourcetype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The value to populate in the sourcetype field for incoming events.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>time_before_close</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.</div> + <div>This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>whitelist</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.</div> + </td> + </tr> + + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>running_config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The <em>running_config</em> argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command.</div> + </td> + </tr> + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>merged</b> ←</div></li> + <li>replaced</li> + <li>deleted</li> + <li>gathered</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using gathered + # -------------- + + - name: Gather config for specified Data inputs monitors + splunk.es.splunk_data_inputs_monitor: + config: + - name: "/var/log" + - name: "/var" + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "blacklist": "//var/log/[a-z0-9]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "host_regex": "/(test_host)/gm", + # "host_segment": 3, + # "index": "default", + # "name": "/var/log", + # "recursive": true, + # "sourcetype": "test_source", + # "whitelist": "//var/log/[0-9]/gm" + # } + # ] + # + + # Using merged + # ------------ + + - name: Update Data inputs monitors config + splunk.es.splunk_data_inputs_monitor: + config: + - name: "/var/log" + blacklist: "//var/log/[a-z]/gm" + check_index: True + check_path: True + crc_salt: <SOURCE> + rename_source: "test" + whitelist: "//var/log/[0-9]/gm" + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "blacklist": "//var/log/[a-z]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "host_regex": "/(test_host)/gm", + # "host_segment": 3, + # "index": "default", + # "name": "/var/log", + # "recursive": true, + # "sourcetype": "test_source", + # "whitelist": "//var/log/[0-9]/gm" + # } + # ], + # "before": [ + # { + # "blacklist": "//var/log/[a-z0-9]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "host_regex": "/(test_host)/gm", + # "host_segment": 3, + # "index": "default", + # "name": "/var/log", + # "recursive": true, + # "sourcetype": "test_source", + # "whitelist": "//var/log/[0-9]/gm" + # } + # ], + + # Using replaced + # -------------- + + - name: To Replace Data inputs monitors config + splunk.es.splunk_data_inputs_monitor: + config: + - name: "/var/log" + blacklist: "//var/log/[a-z0-9]/gm" + crc_salt: <SOURCE> + index: default + state: replaced + + # RUN output: + # ----------- + + # "after": [ + # { + # "blacklist": "//var/log/[a-z0-9]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "/var/log" + # } + # ], + # "before": [ + # { + # "blacklist": "//var/log/[a-z0-9]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "host_regex": "/(test_host)/gm", + # "host_segment": 3, + # "index": "default", + # "name": "/var/log", + # "recursive": true, + # "sourcetype": "test_source", + # "whitelist": "//var/log/[0-9]/gm" + # } + # ], + + # Using deleted + # ----------- + - name: To Delete Data inpur monitor config + splunk.es.splunk_data_inputs_monitor: + config: + - name: "/var/log" + state: deleted + + # RUN output: + # ----------- + # + # "after": [], + # "before": [ + # { + # "blacklist": "//var/log/[a-z0-9]/gm", + # "crc_salt": "<SOURCE>", + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "/var/log" + # } + # ], + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The configuration as structured data after module completion.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>always</td> + <td> + <div>The configuration as structured data prior to module invocation.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">The configuration returned will always be in the same format of the parameters above.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_network_module.rst b/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_network_module.rst new file mode 100644 index 000000000..aa561b1f0 --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.splunk_data_inputs_network_module.rst @@ -0,0 +1,965 @@ +.. _splunk.es.splunk_data_inputs_network_module: + + +************************************ +splunk.es.splunk_data_inputs_network +************************************ + +**Manage Splunk Data Inputs of type TCP or UDP resource module** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- Module that allows to add/update or delete of TCP and UDP Data Inputs in Splunk. + + + + +Parameters +---------- + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="2">Parameter</th> + <th>Choices/<font color="blue">Defaults</font></th> + <th width="100%">Comments</th> + </tr> + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + / <span style="color: purple">elements=dictionary</span> + </div> + </td> + <td> + </td> + <td> + <div>Manage and preview protocol input data.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>cipher_suite</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Specifies list of acceptable ciphers to use in ssl.</div> + <div>Only obtained for TCP SSL configuration present on device.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>connection_host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>ip</li> + <li>dns</li> + <li>none</li> + </ul> + </td> + <td> + <div>Set the host for the remote server that is sending data.</div> + <div><code>ip</code> sets the host to the IP address of the remote server sending data.</div> + <div><code>dns</code> sets the host to the reverse DNS entry for the IP address of the remote server sending data.</div> + <div><code>none</code> leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>datatype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>cooked</li> + <li>raw</li> + <li>splunktcptoken</li> + <li>ssl</li> + </ul> + </td> + <td> + <div><code>cooked</code> lets one access cooked TCP input information and create new containers for managing cooked data.</div> + <div><code>raw</code> lets one manage raw tcp inputs from forwarders.</div> + <div><code>splunktcptoken</code> lets one manage receiver access using tokens.</div> + <div><code>ssl</code> Provides access to the SSL configuration of a Splunk server. This option does not support states <em>deleted</em> and <em>replaced</em>.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>disabled</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Indicates whether the input is disabled.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Host from which the indexer gets data.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>index</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>default Index to store generated events.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>name</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + </td> + <td> + <div>The input port which receives raw data.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>no_appending_timestamp</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to true, prevents Splunk software from prepending a timestamp and hostname to incoming events.</div> + <div>Only for UDP data input configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>no_priority_stripping</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>If set to true, Splunk software does not remove the priority field from incoming syslog events.</div> + <div>Only for UDP data input configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>password</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Server certificate password, if any.</div> + <div>Only for TCP SSL configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>protocol</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + / <span style="color: red">required</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>tcp</li> + <li>udp</li> + </ul> + </td> + <td> + <div>Choose whether to manage TCP or UDP inputs</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>queue</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>parsingQueue</li> + <li>indexQueue</li> + </ul> + </td> + <td> + <div>Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.</div> + <div>Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at "Monitor files and directories with inputs.conf"</div> + <div>Set queue to indexQueue to send your data directly into the index.</div> + <div>Only applicable for "/tcp/raw" and "/udp" APIs</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>raw_tcp_done_timeout</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">integer</span> + </div> + </td> + <td> + </td> + <td> + <div>Specifies in seconds the timeout value for adding a Done-key.</div> + <div>If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.</div> + <div>Only for TCP raw input configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>require_client_cert</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Determines whether a client must authenticate.</div> + <div>Only for TCP SSL configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>restrict_to_host</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Allows for restricting this input to only accept data from the host specified here.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>root_ca</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Certificate authority list (root file).</div> + <div>Only for TCP SSL configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>server_cert</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Full path to the server certificate.</div> + <div>Only for TCP SSL configuration.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>source</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Sets the source key/field for events from this input. Defaults to the input file path.</div> + <div>Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.</div> + <div>Note that Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>sourcetype</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Set the source type for events from this input.</div> + <div>"sourcetype=" is automatically prepended to <string>.</div> + <div>Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False).</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>ssl</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">boolean</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li>no</li> + <li>yes</li> + </ul> + </td> + <td> + <div>Enable or disble ssl for the data stream</div> + </td> + </tr> + <tr> + <td class="elbow-placeholder"></td> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>token</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>Token value to use for SplunkTcpToken. If unspecified, a token is generated automatically.</div> + </td> + </tr> + + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>running_config</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + </td> + <td> + <div>The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The <em>running_config</em> argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command.</div> + </td> + </tr> + <tr> + <td colspan="2"> + <div class="ansibleOptionAnchor" id="parameter-"></div> + <b>state</b> + <a class="ansibleOptionLink" href="#parameter-" title="Permalink to this option"></a> + <div style="font-size: small"> + <span style="color: purple">string</span> + </div> + </td> + <td> + <ul style="margin: 0; padding: 0"><b>Choices:</b> + <li><div style="color: blue"><b>merged</b> ←</div></li> + <li>replaced</li> + <li>deleted</li> + <li>gathered</li> + </ul> + </td> + <td> + <div>The state the configuration should be left in</div> + </td> + </tr> + </table> + <br/> + + + + +Examples +-------- + +.. code-block:: yaml + + # Using gathered + # -------------- + + - name: Gathering information about TCP Cooked Inputs + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: cooked + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "connection_host": "ip", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "8101" + # }, + # { + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "9997" + # }, + # { + # "connection_host": "ip", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8101", + # "restrict_to_host": "default" + # } + # ] + + + - name: Gathering information about TCP Cooked Inputs by Name + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: cooked + name: 9997 + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "datatype": "cooked", + # "disabled": false, + # "host": "$decideOnStartup", + # "name": "9997", + # "protocol": "tcp" + # } + # ] + + + - name: Gathering information about TCP Raw Inputs + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: raw + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "connection_host": "ip", + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "8099", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 10 + # }, + # { + # "connection_host": "ip", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 10, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ] + + - name: Gathering information about TCP Raw inputs by Name + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: raw + name: 8099 + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "8099", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 10 + # } + # ] + + - name: Gathering information about TCP SSL configuration + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: ssl + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "cipher_suite": <cipher-suites>, + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "test_host" + # } + # ] + + - name: Gathering information about TCP SplunkTcpTokens + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: splunktcptoken + state: gathered + + # RUN output: + # ----------- + + # "gathered": [ + # { + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "splunktcptoken://test_token1", + # "token": <token1> + # }, + # { + # "disabled": false, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "splunktcptoken://test_token2", + # "token": <token2> + # } + # ] + + # Using merged + # ------------ + + - name: To add the TCP raw config + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: raw + name: 8100 + connection_host: ip + disabled: True + raw_tcp_done_timeout: 9 + restrict_to_host: default + queue: parsingQueue + source: test_source + sourcetype: test_source_type + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 9, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ], + # "before": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 10, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ] + + - name: To add the TCP cooked config + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: cooked + name: 8101 + connection_host: ip + disabled: False + restrict_to_host: default + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "connection_host": "ip", + # "datatype": "cooked", + # "disabled": false, + # "host": "$decideOnStartup", + # "name": "default:8101", + # "protocol": "tcp", + # "restrict_to_host": "default" + # } + # ], + # "before": [ + # { + # "connection_host": "ip", + # "datatype": "cooked", + # "disabled": true, + # "host": "$decideOnStartup", + # "name": "default:8101", + # "protocol": "tcp", + # "restrict_to_host": "default" + # } + # ], + + - name: To add the Splunk TCP token + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: splunktcptoken + name: test_token + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "datatype": "splunktcptoken", + # "name": "splunktcptoken://test_token", + # "protocol": "tcp", + # "token": <token> + # } + # ], + # "before": [], + + - name: To add the Splunk SSL + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: ssl + name: test_host + root_ca: {root CA directory} + server_cert: {server cretificate directory} + state: merged + + # RUN output: + # ----------- + + # "after": [ + # { + # "cipher_suite": <cipher suite>, + # "datatype": "ssl", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "test_host", + # "protocol": "tcp" + # } + # ], + # "before": [] + + + # Using deleted + # ------------- + + - name: To Delete TCP Raw + splunk.es.splunk_data_inputs_network: + config: + - protocol: tcp + datatype: raw + name: default:8100 + state: deleted + + # RUN output: + # ----------- + + # "after": [], + # "before": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 9, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ] + + # Using replaced + # -------------- + + - name: Replace existing data inputs networks configuration + register: result + splunk.es.splunk_data_inputs_network: + state: replaced + config: + - protocol: tcp + datatype: raw + name: 8100 + connection_host: ip + disabled: True + host: "$decideOnStartup" + index: default + queue: parsingQueue + raw_tcp_done_timeout: 10 + restrict_to_host: default + source: test_source + sourcetype: test_source_type + + # RUN output: + # ----------- + + # "after": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 9, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ], + # "before": [ + # { + # "connection_host": "ip", + # "datatype": "raw", + # "disabled": true, + # "host": "$decideOnStartup", + # "index": "default", + # "name": "default:8100", + # "protocol": "tcp", + # "queue": "parsingQueue", + # "raw_tcp_done_timeout": 10, + # "restrict_to_host": "default", + # "source": "test_source", + # "sourcetype": "test_source_type" + # } + # ], + + + +Return Values +------------- +Common return values are documented `here <https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values>`_, the following are the fields unique to this module: + +.. raw:: html + + <table border=0 cellpadding=0 class="documentation-table"> + <tr> + <th colspan="1">Key</th> + <th>Returned</th> + <th width="100%">Description</th> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>after</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when changed</td> + <td> + <div>The resulting configuration after module execution.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">This output will always be in the same format as the module argspec.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>before</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">list</span> + </div> + </td> + <td>when state is <em>merged</em>, <em>replaced</em>, <em>deleted</em></td> + <td> + <div>The configuration prior to the module execution.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">This output will always be in the same format as the module argspec.</div> + </td> + </tr> + <tr> + <td colspan="1"> + <div class="ansibleOptionAnchor" id="return-"></div> + <b>gathered</b> + <a class="ansibleOptionLink" href="#return-" title="Permalink to this return value"></a> + <div style="font-size: small"> + <span style="color: purple">dictionary</span> + </div> + </td> + <td>when state is <em>gathered</em></td> + <td> + <div>Facts about the network resource gathered from the remote device as structured data.</div> + <br/> + <div style="font-size: smaller"><b>Sample:</b></div> + <div style="font-size: smaller; color: blue; word-wrap: break-word; word-break: break-all;">This output will always be in the same format as the module argspec.</div> + </td> + </tr> + </table> + <br/><br/> + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security> diff --git a/ansible_collections/splunk/es/docs/splunk.es.splunk_httpapi.rst b/ansible_collections/splunk/es/docs/splunk.es.splunk_httpapi.rst new file mode 100644 index 000000000..d2c82039e --- /dev/null +++ b/ansible_collections/splunk/es/docs/splunk.es.splunk_httpapi.rst @@ -0,0 +1,43 @@ +.. _splunk.es.splunk_httpapi: + + +**************** +splunk.es.splunk +**************** + +**HttpApi Plugin for Splunk** + + +Version added: 1.0.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This HttpApi plugin provides methods to connect to Splunk over a HTTP(S)-based api. + + + + + + + + + + + +Status +------ + + +Authors +~~~~~~~ + +- Ansible Security Team (@ansible-security) + + +.. hint:: + Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. |