From 38b7c80217c4e72b1d8988eb1e60bb6e77334114 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 18 Apr 2024 07:52:22 +0200 Subject: Adding upstream version 9.4.0+dfsg. Signed-off-by: Daniel Baumann --- .../modules/adaptive_response_notable_event.py | 153 +++++++++------------ .../es/plugins/modules/correlation_search.py | 117 +++++++--------- .../es/plugins/modules/correlation_search_info.py | 15 +- .../es/plugins/modules/data_input_monitor.py | 101 +++++++------- .../es/plugins/modules/data_input_network.py | 61 ++++---- .../splunk_adaptive_response_notable_event.py | 153 +++++++++------------ .../splunk_adaptive_response_notable_events.py | 41 +++--- .../plugins/modules/splunk_correlation_search.py | 117 +++++++--------- .../modules/splunk_correlation_search_info.py | 15 +- .../plugins/modules/splunk_correlation_searches.py | 12 +- .../plugins/modules/splunk_data_input_monitor.py | 101 +++++++------- .../plugins/modules/splunk_data_input_network.py | 61 ++++---- .../plugins/modules/splunk_data_inputs_monitor.py | 16 +-- .../plugins/modules/splunk_data_inputs_network.py | 18 +-- 14 files changed, 448 insertions(+), 533 deletions(-) (limited to 'ansible_collections/splunk/es/plugins/modules') diff --git a/ansible_collections/splunk/es/plugins/modules/adaptive_response_notable_event.py b/ansible_collections/splunk/es/plugins/modules/adaptive_response_notable_event.py index 29099424e..0947c80fc 100644 --- a/ansible_collections/splunk/es/plugins/modules/adaptive_response_notable_event.py +++ b/ansible_collections/splunk/es/plugins/modules/adaptive_response_notable_event.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -49,7 +50,7 @@ options: description: - Splunk Security Domain type: str - required: False + required: false choices: - "access" - "endpoint" 
@@ -62,7 +63,7 @@ options: description: - Severity rating type: str - required: False + required: false choices: - "informational" - "low" @@ -75,12 +76,12 @@ options: description: - Default owner of the notable event, if unset it will default to Splunk System Defaults type: str - required: False + required: false default_status: description: - Default status of the notable event, if unset it will default to Splunk System Defaults type: str - required: False + required: false choices: - "unassigned" - "new" @@ -92,19 +93,19 @@ options: description: - Name for drill down search, Supports variable substitution with fields from the matching event. type: str - required: False + required: false drill_down_search: description: - Drill down search, Supports variable substitution with fields from the matching event. type: str - required: False + required: false drill_down_earliest_offset: description: - Set the amount of time before the triggering event to search for related events. For example, 2h. Use \"$info_min_time$\" to set the drill-down time to match the earliest time of the search type: str - required: False + required: false default: \"$info_min_time$\" drill_down_latest_offset: description: @@ -112,20 +113,21 @@ options: events. For example, 1m. Use \"$info_max_time$\" to set the drill-down time to match the latest time of the search type: str - required: False + required: false default: \"$info_max_time$\" investigation_profiles: description: - Investigation profile to assiciate the notable event with. type: str - required: False + required: false next_steps: description: - List of adaptive responses that should be run next - Describe next steps and response actions that an analyst could take to address this threat. type: list elements: str - required: False + required: false + default: [] recommended_actions: description: - List of adaptive responses that are recommended to be run next 
@@ -134,7 +136,8 @@ options: making it easier to find them among the longer list of available actions. type: list elements: str - required: False + required: false + default: [] asset_extraction: description: - list of assets to extract, select any one or many of the available choices @@ -151,7 +154,7 @@ options: - dest - dvc - orig_host - required: False + required: false identity_extraction: description: - list of identity fields to extract, select any one or many of the available choices @@ -164,11 +167,10 @@ options: default: - user - src_user - required: False - + required: false author: Ansible Security Automation Team (@maxamillion) """ -# FIXME - adaptive response action association is probaby going to need to be a separate module we stitch together in a role +# FIXME - adaptive response action association is probably going to need to be a separate module we stitch together in a role EXAMPLES = """ - name: Example of using splunk.es.adaptive_response_notable_event module @@ -187,19 +189,15 @@ EXAMPLES = """ import json -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text -from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.six.moves.urllib.parse import quote_plus, urlencode +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( name=dict(required=True, type="str"), correlation_search_name=dict(required=True, type="str"), 
@@ -244,17 +242,22 @@ def main(): drill_down_name=dict(required=False, type="str"), drill_down_search=dict(required=False, type="str"), drill_down_earliest_offset=dict( - required=False, type="str", default="$info_min_time$" + required=False, + type="str", + default="$info_min_time$", ), drill_down_latest_offset=dict( - required=False, type="str", default="$info_max_time$" + required=False, + type="str", + default="$info_max_time$", ), investigation_profiles=dict(required=False, type="str"), - next_steps=dict( - required=False, type="list", elements="str", default=[] - ), + next_steps=dict(required=False, type="list", elements="str", default=[]), recommended_actions=dict( - required=False, type="list", elements="str", default=[] + required=False, + type="list", + elements="str", + default=[], ), asset_extraction=dict( required=False, @@ -283,8 +286,8 @@ def main(): query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) - ) + quote_plus(module.params["correlation_search_name"]), + ), ) # Have to custom craft the data here because they overload the saved searches @@ -297,9 +300,7 @@ def main(): # request_post_data['action.notable.param.extract_identities'] = [\"src_user\",\"user\"] if module.params["next_steps"]: if len(module.params["next_steps"]) == 1: - next_steps = "[[action|{0}]]".format( - module.params["next_steps"][0] - ) + next_steps = "[[action|{0}]]".format(module.params["next_steps"][0]) else: next_steps = "" for next_step in module.params["next_steps"]: 
@@ -312,66 +313,48 @@ def main(): # but I don't know what it is/means because there's no docs on it next_steps_dict = {"version": 1, "data": next_steps} request_post_data["action.notable.param.next_steps"] = json.dumps( - next_steps_dict + next_steps_dict, ) if module.params["recommended_actions"]: if len(module.params["recommended_actions"]) == 1: - request_post_data[ - "action.notable.param.recommended_actions" - ] = module.params["recommended_actions"][0] + request_post_data["action.notable.param.recommended_actions"] = module.params[ + "recommended_actions" + ][0] else: - request_post_data[ - "action.notable.param.recommended_actions" - ] = ",".join(module.params["recommended_actions"]) + request_post_data["action.notable.param.recommended_actions"] = ",".join( + module.params["recommended_actions"], + ) - request_post_data["action.notable.param.rule_description"] = module.params[ - "description" - ] - request_post_data["action.notable.param.rule_title"] = module.params[ - "name" - ] - request_post_data["action.notable.param.security_domain"] = module.params[ - "security_domain" - ] - request_post_data["action.notable.param.severity"] = module.params[ - "severity" + request_post_data["action.notable.param.rule_description"] = module.params["description"] + request_post_data["action.notable.param.rule_title"] = module.params["name"] + request_post_data["action.notable.param.security_domain"] = module.params["security_domain"] + request_post_data["action.notable.param.severity"] = module.params["severity"] + request_post_data["action.notable.param.asset_extraction"] = module.params["asset_extraction"] + request_post_data["action.notable.param.identity_extraction"] = module.params[ + "identity_extraction" ] - request_post_data["action.notable.param.asset_extraction"] = module.params[ - "asset_extraction" - ] - request_post_data[ - "action.notable.param.identity_extraction" - ] = module.params["identity_extraction"] # NOTE: this field appears to be hard coded when 
you create this via the splunk web UI # but I don't know what it is/means because there's no docs on it request_post_data["action.notable.param.verbose"] = "0" if module.params["default_owner"]: - request_post_data[ - "action.notable.param.default_owner" - ] = module.params["default_owner"] + request_post_data["action.notable.param.default_owner"] = module.params["default_owner"] if module.params["default_status"]: - request_post_data[ - "action.notable.param.default_status" - ] = module.params["default_status"] + request_post_data["action.notable.param.default_status"] = module.params["default_status"] request_post_data = utils.remove_empties(request_post_data) if query_dict: - request_post_data["search"] = query_dict["entry"][0]["content"][ - "search" - ] + request_post_data["search"] = query_dict["entry"][0]["content"]["search"] if "actions" in query_dict["entry"][0]["content"]: if query_dict["entry"][0]["content"]["actions"] == "notable": pass elif ( - len(query_dict["entry"][0]["content"]["actions"].split(",")) - > 0 - and "notable" - not in query_dict["entry"][0]["content"]["actions"] + len(query_dict["entry"][0]["content"]["actions"].split(",")) > 0 + and "notable" not in query_dict["entry"][0]["content"]["actions"] ): request_post_data["actions"] = ( query_dict["entry"][0]["content"]["actions"] + ", notable" @@ -389,12 +372,14 @@ def main(): for arg in request_post_data: if arg in query_dict["entry"][0]["content"]: if to_text(query_dict["entry"][0]["content"][arg]) != to_text( - request_post_data[arg] + request_post_data[arg], ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
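Review bot: In the `elif` near the end of this hunk, `len(...["actions"].split(",")) > 0` is always true (str.split returns at least one element), so the branch reduces to the substring test `"notable" not in ...["actions"]`, which is also satisfied by any action name merely containing that substring (a hypothetical `notable_email`, say) and then skips appending the action. Compare against the split list instead: `actions = [a.strip() for a in query_dict["entry"][0]["content"]["actions"].split(",")]` / `elif "notable" not in actions:`. Further up, the `if len(module.params["recommended_actions"]) == 1` special case is redundant because `",".join` of a one-element list yields that element unchanged. main() continues on both sides of this hunk.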
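Review bot: The comparison loop in this hunk only sets needs_change for keys that already appear in the existing entry's content, so a key in request_post_data that Splunk does not return (I cannot tell from here which keys it echoes) is never detected as a change and the module exits with 'Nothing to do.'. If every key sent is expected back, add an `else: needs_change = True` to the `if arg in query_dict["entry"][0]["content"]:` test; if some keys are legitimately never echoed, compare against an explicit list of keys instead so the rule is visible in the code. The identical loop appears in correlation_search.py (hunk -316), data_input_monitor.py (-207) and data_input_network.py (-211) and in their splunk_* clones.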
@@ -405,15 +390,13 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) + quote_plus(module.params["correlation_search_name"]), ), data=urlencode(request_post_data), ) module.exit_json( changed=True, - msg="{0} updated.".format( - module.params["correlation_search_name"] - ), + msg="{0} updated.".format(module.params["correlation_search_name"]), splunk_data=splunk_data, ) @@ -430,7 +413,9 @@ def main(): del query_dict["entry"][0]["content"][arg] if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( @@ -441,21 +426,17 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) + quote_plus(module.params["correlation_search_name"]), ), data=urlencode(request_post_data), ) module.exit_json( changed=True, - msg="{0} updated.".format( - module.params["correlation_search_name"] - ), + msg="{0} updated.".format(module.params["correlation_search_name"]), splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": diff --git a/ansible_collections/splunk/es/plugins/modules/correlation_search.py b/ansible_collections/splunk/es/plugins/modules/correlation_search.py index 9c865507b..1664c8c8b 100644 --- a/ansible_collections/splunk/es/plugins/modules/correlation_search.py +++ b/ansible_collections/splunk/es/plugins/modules/correlation_search.py 
@@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -25,29 +26,29 @@ options: name: description: - Name of coorelation search - required: True + required: true type: str description: description: - Description of the coorelation search, this will populate the description field for the web console - required: True + required: true type: str state: description: - Add, remove, enable, or disiable a correlation search. - required: True + required: true choices: [ "present", "absent", "enabled", "disabled" ] type: str search: description: - SPL search string type: str - required: True + required: true app: description: - Splunk app to associate the correlation seach with type: str - required: False + required: false default: "SplunkEnterpriseSecuritySuite" ui_dispatch_context: description: @@ -55,18 +56,18 @@ options: event or links in an email adaptive response action. If None, uses the Application Context. type: str - required: False + required: false time_earliest: description: - Earliest time using relative time modifiers. type: str - required: False + required: false default: "-24h" time_latest: description: - Latest time using relative time modifiers. type: str - required: False + required: false default: "now" cron_schedule: description: @@ -74,7 +75,7 @@ options: - For example C('*/5 * * * *') (every 5 minutes) or C('0 21 * * *') (every day at 9 PM). - Real-time searches use a default schedule of C('*/5 * * * *'). type: str - required: False + required: false default: "*/5 * * * *" scheduling: description: @@ -83,7 +84,7 @@ options: Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling type: str - required: False + required: false default: "real-time" choices: - "real-time" 
@@ -94,7 +95,7 @@ options: to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report. type: str - required: False + required: false default: "0" schedule_priority: description: @@ -102,7 +103,7 @@ options: it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. type: str - required: False + required: false default: "Default" choices: - "Default" @@ -114,7 +115,7 @@ options: it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. type: str - required: False + required: false default: "number of events" choices: - "number of events" @@ -125,7 +126,7 @@ options: description: - Conditional to pass to C(trigger_alert_when) type: str - required: False + required: false default: "greater than" choices: - "greater than" @@ -138,24 +139,24 @@ options: description: - Value to pass to C(trigger_alert_when) type: str - required: False + required: false default: "10" throttle_window_duration: description: - "How much time to ignore other events that match the field values specified in Fields to group by." type: str - required: False + required: false throttle_fields_to_group_by: description: - "Type the fields to consider for matching events for throttling." type: str - required: False + required: false suppress_alerts: description: - "To suppress alerts from this correlation search or not" type: bool - required: False - default: False + required: false + default: false notes: - > The following options are not yet supported: 
@@ -174,30 +175,22 @@ EXAMPLES = """ state: "present" """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text - -from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.error import HTTPError -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.six.moves.urllib.parse import quote_plus, urlencode +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils + +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest def main(): argspec = dict( name=dict(required=True, type="str"), description=dict(required=True, type="str"), - state=dict( - choices=["present", "absent", "enabled", "disabled"], required=True - ), + state=dict(choices=["present", "absent", "enabled", "disabled"], required=True), search=dict(required=True, type="str"), - app=dict( - type="str", required=False, default="SplunkEnterpriseSecuritySuite" - ), + app=dict(type="str", required=False, default="SplunkEnterpriseSecuritySuite"), ui_dispatch_context=dict(type="str", required=False), time_earliest=dict(type="str", required=False, default="-24h"), time_latest=dict(type="str", required=False, default="now"), @@ -239,9 +232,7 @@ def main(): "rises by", ], ), - trigger_alert_when_value=dict( - type="str", required=False, default="10" - ), + trigger_alert_when_value=dict(type="str", required=False, default="10"), throttle_window_duration=dict(type="str", required=False), throttle_fields_to_group_by=dict(type="str", required=False), suppress_alerts=dict(type="bool", required=False, default=False), 
@@ -264,8 +255,8 @@ def main(): try: query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) except HTTPError as e: # the data monitor doesn't exist @@ -283,12 +274,8 @@ def main(): request_post_data["search"] = module.params["search"] request_post_data["request.ui_dispatch_app"] = module.params["app"] if module.params["ui_dispatch_context"]: - request_post_data["request.ui_dispatch_context"] = module.params[ - "ui_dispatch_context" - ] - request_post_data["dispatch.earliest_time"] = module.params[ - "time_earliest" - ] + request_post_data["request.ui_dispatch_context"] = module.params["ui_dispatch_context"] + request_post_data["dispatch.earliest_time"] = module.params["time_earliest"] request_post_data["dispatch.latest_time"] = module.params["time_latest"] request_post_data["cron_schedule"] = module.params["cron_schedule"] if module.params["scheduling"] == "real-time": @@ -296,16 +283,10 @@ def main(): else: request_post_data["realtime_schedule"] = False request_post_data["schedule_window"] = module.params["schedule_window"] - request_post_data["schedule_priority"] = module.params[ - "schedule_priority" - ].lower() + request_post_data["schedule_priority"] = module.params["schedule_priority"].lower() request_post_data["alert_type"] = module.params["trigger_alert_when"] - request_post_data["alert_comparator"] = module.params[ - "trigger_alert_when_condition" - ] - request_post_data["alert_threshold"] = module.params[ - "trigger_alert_when_value" - ] + request_post_data["alert_comparator"] = module.params["trigger_alert_when_condition"] + request_post_data["alert_threshold"] = module.params["trigger_alert_when_value"] request_post_data["alert.suppress"] = module.params["suppress_alerts"] request_post_data["disabled"] = module_disabled_state 
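Review bot: The `except HTTPError as e:` at the end of this hunk turns every HTTP failure from get_by_path into "the search does not exist", so a 401/403 from bad or insufficient credentials, or a 5xx, is presumably mapped to an empty query_dict (the assignment follows the hunk) and the module goes on to create a duplicate search or reports 'Nothing to do.' for state absent. Narrow it to the not-found case and surface everything else: `except HTTPError as e:` / `if e.code != 404:` / `module.fail_json(msg="Failed to query saved search: {0}".format(to_text(e)))`, keeping `query_dict = {}` for the 404 path — this assumes get_by_path propagates urllib's HTTPError with its .code, which the import suggests but the hunk cannot confirm. The same clause is in correlation_search_info.py (hunk -62) and the splunk_* clones listed in the diffstat. The comment "the data monitor doesn't exist" is also a copy-paste leftover in a correlation-search module.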
@@ -316,13 +297,15 @@ def main(): needs_change = False for arg in request_post_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_post_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_post_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( @@ -337,12 +320,14 @@ def main(): ] # If this is present, splunk assumes we're trying to create a new one wit the same name splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) + quote_plus(module.params["name"]), ), data=urlencode(request_post_data), ) module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: # Create it @@ -350,16 +335,12 @@ def main(): "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches", data=urlencode(request_post_data), ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) elif module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( - "services/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + "services/saved/searches/{0}".format(quote_plus(module.params["name"])), ) module.exit_json( changed=True, @@ -367,9 +348,7 @@ def main(): splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": 
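Review bot: `msg="{0} updated."` in the second hunk on this line (-337) and `msg="{0} created."` in the next (-350) are never formatted, so the module returns the literal text "{0} updated." to the caller; the sibling adaptive_response_notable_event.py module gets this right with `.format(module.params["correlation_search_name"])`. Change them to `msg="{0} updated.".format(module.params["name"])` and `msg="{0} created.".format(module.params["name"])`. The same unformatted placeholders appear in data_input_monitor.py (hunks -224 and -238) and data_input_network.py (hunks -236 and -251) and in their splunk_* clones.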
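Review bot: The delete in hunk -350 targets `services/saved/searches/{0}` while the lookup, update and create calls in this module use `servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches`; as I understand Splunk's REST namespacing, `services/` resolves the name in the caller's default context and `servicesNS/<user>/<app>/` in the named app, so state absent may miss, or remove a different object than, the one state present manages. Unless the divergence is deliberate, use `"servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format(quote_plus(module.params["name"]))` here as well, and add a one-line comment if it is deliberate.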
diff --git a/ansible_collections/splunk/es/plugins/modules/correlation_search_info.py b/ansible_collections/splunk/es/plugins/modules/correlation_search_info.py index 0ab756989..ecb36ce66 100644 --- a/ansible_collections/splunk/es/plugins/modules/correlation_search_info.py +++ b/ansible_collections/splunk/es/plugins/modules/correlation_search_info.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -40,15 +41,13 @@ EXAMPLES = """ """ from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.six.moves.urllib.parse import quote_plus from ansible.module_utils.six.moves.urllib.error import HTTPError -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.six.moves.urllib.parse import quote_plus +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict(name=dict(required=False, type="str")) module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) @@ -62,15 +61,15 @@ def main(): try: query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) except HTTPError as e: # the data monitor doesn't exist query_dict = {} else: query_dict = splunk_request.get_by_path( - "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches" + "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches", ) module.exit_json(changed=False, splunk_correlation_search_info=query_dict) diff --git a/ansible_collections/splunk/es/plugins/modules/data_input_monitor.py b/ansible_collections/splunk/es/plugins/modules/data_input_monitor.py index 080d23d3b..b0108d74a 100644 --- a/ansible_collections/splunk/es/plugins/modules/data_input_monitor.py 
+++ b/ansible_collections/splunk/es/plugins/modules/data_input_monitor.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -25,12 +26,12 @@ options: name: description: - The file or directory path to monitor on the system. - required: True + required: true type: str state: description: - Add or remove a data source. - required: True + required: true choices: - "present" - "absent" 
@@ -38,41 +39,41 @@ options: blacklist: description: - Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. - required: False + required: false type: str check_index: description: - - If set to C(True), the index value is checked to ensure that it is the name of a valid index. - required: False + - If set to C(true), the index value is checked to ensure that it is the name of a valid index. + required: false type: bool - default: False + default: false check_path: description: - - If set to C(True), the name value is checked to ensure that it exists. - required: False + - If set to C(true), the name value is checked to ensure that it exists. + required: false type: bool crc_salt: description: - A string that modifies the file tracking identity for files in this input. The magic value invokes special behavior (see admin documentation). - required: False + required: false type: str disabled: description: - Indicates if input monitoring is disabled. - required: False - default: False + required: false + default: false type: bool followTail: description: - - If set to C(True), files that are seen for the first time is read from the end. - required: False + - If set to C(true), files that are seen for the first time is read from the end. + required: false type: bool - default: False + default: false host: description: - The value to populate in the host field for events from this data input. - required: False + required: false type: str host_regex: description: 
@@ -80,40 +81,40 @@ options: matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. - required: False + required: false type: str host_segment: description: - Use the specified slash-separate segment of the filepath as the host field value. - required: False + required: false type: int ignore_older_than: description: - Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. - required: False + required: false type: str index: description: - Which index events from this input should be stored in. Defaults to default. - required: False + required: false type: str recursive: description: - - Setting this to False prevents monitoring of any subdirectories encountered within this data input. - required: False + - Setting this to false prevents monitoring of any subdirectories encountered within this data input. + required: false type: bool - default: False + default: false rename_source: description: - The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. - required: False + required: false type: str sourcetype: description: - The value to populate in the sourcetype field for incoming events. - required: False + required: false type: str time_before_close: description: @@ -121,12 +122,12 @@ options: file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. - required: False + required: false type: int whitelist: description: - Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. - required: False + required: false type: str author: Ansible Security Automation Team (@maxamillion) """ 
@@ -136,22 +137,18 @@ EXAMPLES = """ splunk.es.data_input_monitor: name: "/var/log/example.log" state: "present" - recursive: True + recursive: true """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.parse import quote_plus -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( name=dict(required=True, type="str"), state=dict(choices=["present", "absent"], required=True), @@ -197,8 +194,8 @@ def main(): query_dict = splunk_request.get_by_path( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) query_dict = utils.remove_empties(query_dict) @@ -207,13 +204,15 @@ def main(): needs_change = False for arg in request_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
@@ -224,11 +223,13 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: # Create it @@ -238,16 +239,14 @@ def main(): "servicesNS/nobody/search/data/inputs/monitor", data=_data, ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) if module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) module.exit_json( changed=True, @@ -255,9 +254,7 @@ def main(): splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": diff --git a/ansible_collections/splunk/es/plugins/modules/data_input_network.py b/ansible_collections/splunk/es/plugins/modules/data_input_network.py index 5771eb9cc..14905563a 100644 --- a/ansible_collections/splunk/es/plugins/modules/data_input_network.py +++ b/ansible_collections/splunk/es/plugins/modules/data_input_network.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -25,7 +26,7 @@ options: protocol: description: - Choose between tcp or udp - required: True + required: true choices: - 'tcp' - 'udp' 
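Review bot: The update call at the top of this hunk, `splunk_request.create_update("servicesNS/nobody/search/data/inputs/monitor/{0}".format(...))`, passes no `data=` argument, whereas the create branch passes `data=_data` and the correlation_search module passes `data=urlencode(request_post_data)`. Unless create_update has a default payload I cannot see from here, the request carries none of the changes detected in request_data, yet the module still reports changed=True with "{0} updated.". Pass the same encoded payload the create branch builds (`data=_data`, hoisting that construction ahead of the branch if it is only built for create) and confirm with an update-only run against a test input. The same call shape is in splunk_data_input_monitor.py per the diffstat.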
@@ -37,7 +38,7 @@ options: - C(dns) sets the host to the reverse DNS entry for the IP address of the remote server sending data. - C(none) leaves the host as specified in inputs.conf, which is typically the Splunk system hostname. default: "ip" - required: False + required: false type: str choices: - "ip" @@ -51,7 +52,7 @@ options: - "absent" - "enabled" - "disable" - required: False + required: false default: "present" type: str datatype: @@ -62,12 +63,12 @@ options: - "cooked" - "raw" default: "raw" - required: False + required: false type: str host: description: - Host from which the indexer gets data. - required: False + required: false type: str index: description: @@ -76,7 +77,7 @@ options: name: description: - The input port which receives raw data. - required: True + required: true type: str queue: description: @@ -89,7 +90,7 @@ options: - "parsingQueue" - "indexQueue" type: str - required: False + required: false default: "parsingQueue" rawTcpDoneTimeout: description: @@ -98,16 +99,16 @@ options: number of seconds, it adds a Done-key. This implies the last event is completely received. default: 10 type: int - required: False + required: false restrictToHost: description: - Allows for restricting this input to only accept data from the host specified here. - required: False + required: false type: str ssl: description: - Enable or disble ssl for the data stream - required: False + required: false type: bool source: description: @@ -126,7 +127,7 @@ options: description: - Set the source type for events from this input. - '"sourcetype=" is automatically prepended to .' - - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False). + - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=false). type: str author: Ansible Security Automation Team (@maxamillion) """ 
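Review bot: The documented `state` choice `"disable"` in hunk -51 does not match the code in the following hunks, which branches on `module.params["state"] in ["present", "enabled", "disabled"]` and returns "{0} disabled."; the argspec choices are outside the shown hunks, so either the documentation lists a value the module rejects or the `disabled` branch is unreachable. Align the documented choice with whatever argspec accepts, most likely `- "disabled"`, and mirror it in splunk_data_input_network.py.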
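Review bot: The rewritten sourcetype description in hunk -126 now reads `signedaudit=True` in one clause and `signedaudit=false` in the other, which looks like a typo rather than two distinct values. Since the rest of this commit lowercases the booleans, make both agree: `- Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).`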
@@ -140,16 +141,14 @@ EXAMPLES = """ """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.parse import quote_plus -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( state=dict( required=False, @@ -178,9 +177,7 @@ def main(): ssl=dict(required=False, type="bool", default=None), source=dict(required=False, type="str", default=None), sourcetype=dict(required=False, type="str", default=None), - datatype=dict( - required=False, choices=["cooked", "raw"], default="raw" - ), + datatype=dict(required=False, choices=["cooked", "raw"], default="raw"), ) module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) @@ -198,7 +195,7 @@ def main(): quote_plus(module.params["protocol"]), quote_plus(module.params["datatype"]), quote_plus(module.params["name"]), - ) + ), ) if module.params["state"] in ["present", "enabled", "disabled"]: @@ -211,13 +208,15 @@ def main(): needs_change = False for arg in request_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
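Review bot: The drift check in the last hunk compares `to_text(query_dict["entry"][0]["content"][arg])` with `to_text(request_data[arg])`, so two representations of the same value count as a change; the argspec earlier in this hunk set declares `ssl` as `type="bool"`, and if Splunk returns that setting as `0`/`1` while request_data holds `True`/`False` (not verifiable from these lines) every run reports changed and re-sends the input, which defeats idempotency and makes real drift invisible in the change log. Normalising both sides before the comparison, for example mapping `{"true": "1", "false": "0"}` after lowering, or documenting in a comment which representation Splunk returns, would settle this. The identical loop appears in splunk_adaptive_response_notable_event.py (`@@ -389,12 +372,14 @@`), splunk_correlation_search.py (`@@ -316,13 +297,15 @@`) and splunk_data_input_monitor.py (`@@ -207,13 +204,15 @@`). main() continues outside the hunk.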
@@ -236,11 +235,15 @@ def main(): ) if module.params["state"] in ["present", "enabled"]: module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: module.exit_json( - changed=True, msg="{0} disabled.", splunk_data=splunk_data + changed=True, + msg="{0} disabled.", + splunk_data=splunk_data, ) else: # Create it @@ -251,9 +254,7 @@ def main(): ), data=_data, ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) elif module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( @@ -261,7 +262,7 @@ def main(): quote_plus(module.params["protocol"]), quote_plus(module.params["datatype"]), quote_plus(module.params["name"]), - ) + ), ) module.exit_json( changed=True, diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_event.py b/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_event.py index 29099424e..0947c80fc 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_event.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_event.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -49,7 +50,7 @@ options: description: - Splunk Security Domain type: str - required: False + required: false choices: - "access" - "endpoint" @@ -62,7 +63,7 @@ options: description: - Severity rating type: str - required: False + required: false choices: - "informational" - "low" 
@@ -75,12 +76,12 @@ options: description: - Default owner of the notable event, if unset it will default to Splunk System Defaults type: str - required: False + required: false default_status: description: - Default status of the notable event, if unset it will default to Splunk System Defaults type: str - required: False + required: false choices: - "unassigned" - "new" @@ -92,19 +93,19 @@ options: description: - Name for drill down search, Supports variable substitution with fields from the matching event. type: str - required: False + required: false drill_down_search: description: - Drill down search, Supports variable substitution with fields from the matching event. type: str - required: False + required: false drill_down_earliest_offset: description: - Set the amount of time before the triggering event to search for related events. For example, 2h. Use \"$info_min_time$\" to set the drill-down time to match the earliest time of the search type: str - required: False + required: false default: \"$info_min_time$\" drill_down_latest_offset: description: @@ -112,20 +113,21 @@ options: events. For example, 1m. Use \"$info_max_time$\" to set the drill-down time to match the latest time of the search type: str - required: False + required: false default: \"$info_max_time$\" investigation_profiles: description: - Investigation profile to assiciate the notable event with. type: str - required: False + required: false next_steps: description: - List of adaptive responses that should be run next - Describe next steps and response actions that an analyst could take to address this threat. type: list elements: str - required: False + required: false + default: [] recommended_actions: description: - List of adaptive responses that are recommended to be run next 
@@ -134,7 +136,8 @@ options: making it easier to find them among the longer list of available actions. type: list elements: str - required: False + required: false + default: [] asset_extraction: description: - list of assets to extract, select any one or many of the available choices @@ -151,7 +154,7 @@ options: - dest - dvc - orig_host - required: False + required: false identity_extraction: description: - list of identity fields to extract, select any one or many of the available choices @@ -164,11 +167,10 @@ options: default: - user - src_user - required: False - + required: false author: Ansible Security Automation Team (@maxamillion) """ -# FIXME - adaptive response action association is probaby going to need to be a separate module we stitch together in a role +# FIXME - adaptive response action association is probably going to need to be a separate module we stitch together in a role EXAMPLES = """ - name: Example of using splunk.es.adaptive_response_notable_event module @@ -187,19 +189,15 @@ EXAMPLES = """ import json -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text -from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.six.moves.urllib.parse import quote_plus, urlencode +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( name=dict(required=True, type="str"), correlation_search_name=dict(required=True, type="str"), 
@@ -244,17 +242,22 @@ def main(): drill_down_name=dict(required=False, type="str"), drill_down_search=dict(required=False, type="str"), drill_down_earliest_offset=dict( - required=False, type="str", default="$info_min_time$" + required=False, + type="str", + default="$info_min_time$", ), drill_down_latest_offset=dict( - required=False, type="str", default="$info_max_time$" + required=False, + type="str", + default="$info_max_time$", ), investigation_profiles=dict(required=False, type="str"), - next_steps=dict( - required=False, type="list", elements="str", default=[] - ), + next_steps=dict(required=False, type="list", elements="str", default=[]), recommended_actions=dict( - required=False, type="list", elements="str", default=[] + required=False, + type="list", + elements="str", + default=[], ), asset_extraction=dict( required=False, @@ -283,8 +286,8 @@ def main(): query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) - ) + quote_plus(module.params["correlation_search_name"]), + ), ) # Have to custom craft the data here because they overload the saved searches @@ -297,9 +300,7 @@ def main(): # request_post_data['action.notable.param.extract_identities'] = [\"src_user\",\"user\"] if module.params["next_steps"]: if len(module.params["next_steps"]) == 1: - next_steps = "[[action|{0}]]".format( - module.params["next_steps"][0] - ) + next_steps = "[[action|{0}]]".format(module.params["next_steps"][0]) else: next_steps = "" for next_step in module.params["next_steps"]: 
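Review bot: In the last hunk the `next_steps` values are dropped straight into Splunk's `[[action|{0}]]` markup without validation, so an entry containing `|`, `[` or `]` silently produces a malformed next_steps document instead of a module failure. A guard before formatting, rejecting any step that contains those characters via `module.fail_json(msg=...)`, would surface the mistake at the playbook rather than in the stored notable-event configuration. The multi-element loop body lies outside this hunk, so whether the two branches build the same markup cannot be confirmed here; main() starts and ends outside the hunk.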
@@ -312,66 +313,48 @@ def main(): # but I don't know what it is/means because there's no docs on it next_steps_dict = {"version": 1, "data": next_steps} request_post_data["action.notable.param.next_steps"] = json.dumps( - next_steps_dict + next_steps_dict, ) if module.params["recommended_actions"]: if len(module.params["recommended_actions"]) == 1: - request_post_data[ - "action.notable.param.recommended_actions" - ] = module.params["recommended_actions"][0] + request_post_data["action.notable.param.recommended_actions"] = module.params[ + "recommended_actions" + ][0] else: - request_post_data[ - "action.notable.param.recommended_actions" - ] = ",".join(module.params["recommended_actions"]) + request_post_data["action.notable.param.recommended_actions"] = ",".join( + module.params["recommended_actions"], + ) - request_post_data["action.notable.param.rule_description"] = module.params[ - "description" - ] - request_post_data["action.notable.param.rule_title"] = module.params[ - "name" - ] - request_post_data["action.notable.param.security_domain"] = module.params[ - "security_domain" - ] - request_post_data["action.notable.param.severity"] = module.params[ - "severity" + request_post_data["action.notable.param.rule_description"] = module.params["description"] + request_post_data["action.notable.param.rule_title"] = module.params["name"] + request_post_data["action.notable.param.security_domain"] = module.params["security_domain"] + request_post_data["action.notable.param.severity"] = module.params["severity"] + request_post_data["action.notable.param.asset_extraction"] = module.params["asset_extraction"] + request_post_data["action.notable.param.identity_extraction"] = module.params[ + "identity_extraction" ] - request_post_data["action.notable.param.asset_extraction"] = module.params[ - "asset_extraction" - ] - request_post_data[ - "action.notable.param.identity_extraction" - ] = module.params["identity_extraction"] # NOTE: this field appears to be hard coded when 
you create this via the splunk web UI # but I don't know what it is/means because there's no docs on it request_post_data["action.notable.param.verbose"] = "0" if module.params["default_owner"]: - request_post_data[ - "action.notable.param.default_owner" - ] = module.params["default_owner"] + request_post_data["action.notable.param.default_owner"] = module.params["default_owner"] if module.params["default_status"]: - request_post_data[ - "action.notable.param.default_status" - ] = module.params["default_status"] + request_post_data["action.notable.param.default_status"] = module.params["default_status"] request_post_data = utils.remove_empties(request_post_data) if query_dict: - request_post_data["search"] = query_dict["entry"][0]["content"][ - "search" - ] + request_post_data["search"] = query_dict["entry"][0]["content"]["search"] if "actions" in query_dict["entry"][0]["content"]: if query_dict["entry"][0]["content"]["actions"] == "notable": pass elif ( - len(query_dict["entry"][0]["content"]["actions"].split(",")) - > 0 - and "notable" - not in query_dict["entry"][0]["content"]["actions"] + len(query_dict["entry"][0]["content"]["actions"].split(",")) > 0 + and "notable" not in query_dict["entry"][0]["content"]["actions"] ): request_post_data["actions"] = ( query_dict["entry"][0]["content"]["actions"] + ", notable" @@ -389,12 +372,14 @@ def main(): for arg in request_post_data: if arg in query_dict["entry"][0]["content"]: if to_text(query_dict["entry"][0]["content"][arg]) != to_text( - request_post_data[arg] + request_post_data[arg], ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
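Review bot: In the `elif` that appends `, notable` to an existing action list, `len(query_dict["entry"][0]["content"]["actions"].split(",")) > 0` is always true because `str.split` returns at least one element, so the branch reduces to the substring test `"notable" not in ...`, which also matches any action whose name merely contains "notable". Splitting once and comparing whole names makes the intent explicit: `actions = [a.strip() for a in query_dict["entry"][0]["content"]["actions"].split(",")]` followed by `if "notable" not in actions:`. This hunk sits in the middle of main(), whose body continues on both sides.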
@@ -405,15 +390,13 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) + quote_plus(module.params["correlation_search_name"]), ), data=urlencode(request_post_data), ) module.exit_json( changed=True, - msg="{0} updated.".format( - module.params["correlation_search_name"] - ), + msg="{0} updated.".format(module.params["correlation_search_name"]), splunk_data=splunk_data, ) @@ -430,7 +413,9 @@ def main(): del query_dict["entry"][0]["content"][arg] if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( @@ -441,21 +426,17 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["correlation_search_name"]) + quote_plus(module.params["correlation_search_name"]), ), data=urlencode(request_post_data), ) module.exit_json( changed=True, - msg="{0} updated.".format( - module.params["correlation_search_name"] - ), + msg="{0} updated.".format(module.params["correlation_search_name"]), splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_events.py b/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_events.py index fa680a511..2ee6461ae 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_events.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_adaptive_response_notable_events.py 
@@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -255,19 +256,19 @@ EXAMPLES = """ drilldown_earliest_offset: $info_min_time$ drilldown_latest_offset: $info_max_time$ extract_artifacts: - asset: - - src - - dest - identity: - - src_user - - user - - src_user_id + asset: + - src + - dest + identity: + - src_user + - user + - src_user_id next_steps: - - makestreams + - makestreams name: ansible_test_notable recommended_actions: - - email - - logevent + - email + - logevent security_domain: threat severity: high state: merged @@ -334,19 +335,19 @@ EXAMPLES = """ drilldown_earliest_offset: $info_min_time$ drilldown_latest_offset: $info_max_time$ extract_artifacts: - asset: - - src - - dest - identity: - - src_user - - user - - src_user_id + asset: + - src + - dest + identity: + - src_user + - user + - src_user_id next_steps: - - makestreams + - makestreams name: ansible_test_notable recommended_actions: - - email - - logevent + - email + - logevent security_domain: threat severity: high state: replaced diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search.py b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search.py index 9c865507b..1664c8c8b 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ 
@@ -25,29 +26,29 @@ options: name: description: - Name of coorelation search - required: True + required: true type: str description: description: - Description of the coorelation search, this will populate the description field for the web console - required: True + required: true type: str state: description: - Add, remove, enable, or disiable a correlation search. - required: True + required: true choices: [ "present", "absent", "enabled", "disabled" ] type: str search: description: - SPL search string type: str - required: True + required: true app: description: - Splunk app to associate the correlation seach with type: str - required: False + required: false default: "SplunkEnterpriseSecuritySuite" ui_dispatch_context: description: @@ -55,18 +56,18 @@ options: event or links in an email adaptive response action. If None, uses the Application Context. type: str - required: False + required: false time_earliest: description: - Earliest time using relative time modifiers. type: str - required: False + required: false default: "-24h" time_latest: description: - Latest time using relative time modifiers. type: str - required: False + required: false default: "now" cron_schedule: description: @@ -74,7 +75,7 @@ options: - For example C('*/5 * * * *') (every 5 minutes) or C('0 21 * * *') (every day at 9 PM). - Real-time searches use a default schedule of C('*/5 * * * *'). type: str - required: False + required: false default: "*/5 * * * *" scheduling: description: @@ -83,7 +84,7 @@ options: Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling type: str - required: False + required: false default: "real-time" choices: - "real-time" 
@@ -94,7 +95,7 @@ options: to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report. type: str - required: False + required: false default: "0" schedule_priority: description: @@ -102,7 +103,7 @@ options: it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. type: str - required: False + required: false default: "Default" choices: - "Default" @@ -114,7 +115,7 @@ options: it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. type: str - required: False + required: false default: "number of events" choices: - "number of events" @@ -125,7 +126,7 @@ options: description: - Conditional to pass to C(trigger_alert_when) type: str - required: False + required: false default: "greater than" choices: - "greater than" @@ -138,24 +139,24 @@ options: description: - Value to pass to C(trigger_alert_when) type: str - required: False + required: false default: "10" throttle_window_duration: description: - "How much time to ignore other events that match the field values specified in Fields to group by." type: str - required: False + required: false throttle_fields_to_group_by: description: - "Type the fields to consider for matching events for throttling." type: str - required: False + required: false suppress_alerts: description: - "To suppress alerts from this correlation search or not" type: bool - required: False - default: False + required: false + default: false notes: - > The following options are not yet supported: 
@@ -174,30 +175,22 @@ EXAMPLES = """ state: "present" """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text - -from ansible.module_utils.six.moves.urllib.parse import urlencode, quote_plus +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.error import HTTPError -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.six.moves.urllib.parse import quote_plus, urlencode +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils + +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest def main(): argspec = dict( name=dict(required=True, type="str"), description=dict(required=True, type="str"), - state=dict( - choices=["present", "absent", "enabled", "disabled"], required=True - ), + state=dict(choices=["present", "absent", "enabled", "disabled"], required=True), search=dict(required=True, type="str"), - app=dict( - type="str", required=False, default="SplunkEnterpriseSecuritySuite" - ), + app=dict(type="str", required=False, default="SplunkEnterpriseSecuritySuite"), ui_dispatch_context=dict(type="str", required=False), time_earliest=dict(type="str", required=False, default="-24h"), time_latest=dict(type="str", required=False, default="now"), @@ -239,9 +232,7 @@ def main(): "rises by", ], ), - trigger_alert_when_value=dict( - type="str", required=False, default="10" - ), + trigger_alert_when_value=dict(type="str", required=False, default="10"), throttle_window_duration=dict(type="str", required=False), throttle_fields_to_group_by=dict(type="str", required=False), suppress_alerts=dict(type="bool", required=False, default=False), 
@@ -264,8 +255,8 @@ def main(): try: query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) except HTTPError as e: # the data monitor doesn't exist @@ -283,12 +274,8 @@ def main(): request_post_data["search"] = module.params["search"] request_post_data["request.ui_dispatch_app"] = module.params["app"] if module.params["ui_dispatch_context"]: - request_post_data["request.ui_dispatch_context"] = module.params[ - "ui_dispatch_context" - ] - request_post_data["dispatch.earliest_time"] = module.params[ - "time_earliest" - ] + request_post_data["request.ui_dispatch_context"] = module.params["ui_dispatch_context"] + request_post_data["dispatch.earliest_time"] = module.params["time_earliest"] request_post_data["dispatch.latest_time"] = module.params["time_latest"] request_post_data["cron_schedule"] = module.params["cron_schedule"] if module.params["scheduling"] == "real-time": @@ -296,16 +283,10 @@ def main(): else: request_post_data["realtime_schedule"] = False request_post_data["schedule_window"] = module.params["schedule_window"] - request_post_data["schedule_priority"] = module.params[ - "schedule_priority" - ].lower() + request_post_data["schedule_priority"] = module.params["schedule_priority"].lower() request_post_data["alert_type"] = module.params["trigger_alert_when"] - request_post_data["alert_comparator"] = module.params[ - "trigger_alert_when_condition" - ] - request_post_data["alert_threshold"] = module.params[ - "trigger_alert_when_value" - ] + request_post_data["alert_comparator"] = module.params["trigger_alert_when_condition"] + request_post_data["alert_threshold"] = module.params["trigger_alert_when_value"] request_post_data["alert.suppress"] = module.params["suppress_alerts"] request_post_data["disabled"] = module_disabled_state 
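Review bot: `except HTTPError as e:` in the first hunk treats every HTTP error from `get_by_path()` as "the search does not exist" (the comment even still says data monitor), so an authentication or authorisation failure or a server-side error is swallowed and, judging by the create branch later in this file, the module would then attempt to create the search rather than fail. Narrow it to the not-found case and fail otherwise: `except HTTPError as e:` / `if e.code != 404: module.fail_json(msg=to_text(e))` / `query_dict = {}` (the assignment itself is outside this hunk, and `to_text` is already imported in this file). The same broad catch appears in splunk_correlation_search_info.py at `@@ -62,15 +61,15 @@`. main() continues outside the hunk.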
@@ -316,13 +297,15 @@ def main(): needs_change = False for arg in request_post_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_post_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_post_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( @@ -337,12 +320,14 @@ def main(): ] # If this is present, splunk assumes we're trying to create a new one wit the same name splunk_data = splunk_request.create_update( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) + quote_plus(module.params["name"]), ), data=urlencode(request_post_data), ) module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: # Create it @@ -350,16 +335,12 @@ def main(): "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches", data=urlencode(request_post_data), ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) elif module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( - "services/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + "services/saved/searches/{0}".format(quote_plus(module.params["name"])), ) module.exit_json( changed=True, @@ -367,9 +348,7 @@ def main(): splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": 
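Review bot: The absent branch in the `@@ -350,16 +335,12 @@` hunk deletes via `services/saved/searches/{0}`, while the lookup and create/update calls in this file use `servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches`; if the two endpoints resolve a name in different namespaces (not verifiable here) the delete may miss the search that get_by_path found, or remove a different one with the same name, while still reporting `changed=True`. Using the same `"servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format(quote_plus(module.params["name"]))` path for the delete keeps the three operations consistent. main() ends outside this hunk.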
diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search_info.py b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search_info.py index 0ab756989..ecb36ce66 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search_info.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_search_info.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -40,15 +41,13 @@ EXAMPLES = """ """ from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.six.moves.urllib.parse import quote_plus from ansible.module_utils.six.moves.urllib.error import HTTPError -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible.module_utils.six.moves.urllib.parse import quote_plus +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict(name=dict(required=False, type="str")) module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) @@ -62,15 +61,15 @@ def main(): try: query_dict = splunk_request.get_by_path( "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) except HTTPError as e: # the data monitor doesn't exist query_dict = {} else: query_dict = splunk_request.get_by_path( - "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches" + "servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches", ) module.exit_json(changed=False, splunk_correlation_search_info=query_dict) diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_searches.py b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_searches.py index ac834d1b9..bcecf9926 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_correlation_searches.py 
+++ b/ansible_collections/splunk/es/plugins/modules/splunk_correlation_searches.py @@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -29,12 +30,12 @@ options: description: - Name of correlation search type: str - required: True + required: true disabled: description: - Disable correlation search type: bool - default: False + default: false description: description: - Description of the coorelation search, this will populate the description field for the web console @@ -192,7 +193,7 @@ options: description: - To suppress alerts from this correlation search or not type: bool - default: False + default: false running_config: description: - The module, by default, will connect to the remote device and retrieve the current @@ -319,7 +320,7 @@ EXAMPLES = """ throttle_window_duration: 5s throttle_fields_to_group_by: - test_field1 - suppress_alerts: False + suppress_alerts: false search: > '| tstats summariesonly=true values(\"Authentication.tag\") as \"tag\",dc(\"Authentication.user\") as \"user_count\",dc(\"Authent' 'ication.dest\") as \"dest_count\",count from datamodel=\"Authentication\".\"Authentication\" where nodename=\"Authentication.Fai' @@ -426,7 +427,7 @@ EXAMPLES = """ throttle_fields_to_group_by: - test_field1 - test_field2 - suppress_alerts: True + suppress_alerts: true search: > '| tstats summariesonly=true values(\"Authentication.tag\") as \"tag\",dc(\"Authentication.user\") as \"user_count\",dc(\"Authent' 'ication.dest\") as \"dest_count\",count from datamodel=\"Authentication\".\"Authentication\" where nodename=\"Authentication.Fai' @@ -606,7 +607,6 @@ EXAMPLES = """ # "ui_dispatch_context": "SplunkEnterpriseSecuritySuite" # }, # ], - """ RETURN = """ diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_data_input_monitor.py b/ansible_collections/splunk/es/plugins/modules/splunk_data_input_monitor.py index 080d23d3b..b0108d74a 100644 
--- a/ansible_collections/splunk/es/plugins/modules/splunk_data_input_monitor.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_data_input_monitor.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -25,12 +26,12 @@ options: name: description: - The file or directory path to monitor on the system. - required: True + required: true type: str state: description: - Add or remove a data source. - required: True + required: true choices: - "present" - "absent" 
@@ -38,41 +39,41 @@ options: blacklist: description: - Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. - required: False + required: false type: str check_index: description: - - If set to C(True), the index value is checked to ensure that it is the name of a valid index. - required: False + - If set to C(true), the index value is checked to ensure that it is the name of a valid index. + required: false type: bool - default: False + default: false check_path: description: - - If set to C(True), the name value is checked to ensure that it exists. - required: False + - If set to C(true), the name value is checked to ensure that it exists. + required: false type: bool crc_salt: description: - A string that modifies the file tracking identity for files in this input. The magic value invokes special behavior (see admin documentation). - required: False + required: false type: str disabled: description: - Indicates if input monitoring is disabled. - required: False - default: False + required: false + default: false type: bool followTail: description: - - If set to C(True), files that are seen for the first time is read from the end. - required: False + - If set to C(true), files that are seen for the first time is read from the end. + required: false type: bool - default: False + default: false host: description: - The value to populate in the host field for events from this data input. - required: False + required: false type: str host_regex: description: 
@@ -80,40 +81,40 @@ options: matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. - required: False + required: false type: str host_segment: description: - Use the specified slash-separate segment of the filepath as the host field value. - required: False + required: false type: int ignore_older_than: description: - Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. - required: False + required: false type: str index: description: - Which index events from this input should be stored in. Defaults to default. - required: False + required: false type: str recursive: description: - - Setting this to False prevents monitoring of any subdirectories encountered within this data input. - required: False + - Setting this to false prevents monitoring of any subdirectories encountered within this data input. + required: false type: bool - default: False + default: false rename_source: description: - The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. - required: False + required: false type: str sourcetype: description: - The value to populate in the sourcetype field for incoming events. - required: False + required: false type: str time_before_close: description: @@ -121,12 +122,12 @@ options: file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. - required: False + required: false type: int whitelist: description: - Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. - required: False + required: false type: str author: Ansible Security Automation Team (@maxamillion) """ 
@@ -136,22 +137,18 @@ EXAMPLES = """ splunk.es.data_input_monitor: name: "/var/log/example.log" state: "present" - recursive: True + recursive: true """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.parse import quote_plus -from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( - utils, -) -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import utils +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( name=dict(required=True, type="str"), state=dict(choices=["present", "absent"], required=True), @@ -197,8 +194,8 @@ def main(): query_dict = splunk_request.get_by_path( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) query_dict = utils.remove_empties(query_dict) @@ -207,13 +204,15 @@ def main(): needs_change = False for arg in request_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
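Review bot: The idempotency check in the `@@ -207,13 +204,15 @@` hunk still compares `to_text(query_dict["entry"][0]["content"][arg]) != to_text(request_data[arg])`, so every argument is compared as text regardless of its declared type; this module declares several `bool` options (`disabled`, `recursive`, `followTail` in the DOCUMENTATION hunks above), and if Splunk returns those as `"0"`/`"1"` strings, `to_text(True)` will never equal them and each run reports a change. Arguments absent from the returned `content` are also skipped by the `if arg in ...` guard instead of being treated as a difference, which I presume is deliberate but is undocumented. A short comment such as `# compare as text; bool/int params must be normalised to Splunk's representation first` would at least flag the assumption until both sides are normalised before comparison. The same comparison appears in the `@@ -211,13 +208,15 @@` hunk of splunk_data_input_network.py. main() starts and ends outside this hunk.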
@@ -224,11 +223,13 @@ def main(): if needs_change: splunk_data = splunk_request.create_update( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: # Create it @@ -238,16 +239,14 @@ def main(): "servicesNS/nobody/search/data/inputs/monitor", data=_data, ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) if module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( "servicesNS/nobody/search/data/inputs/monitor/{0}".format( - quote_plus(module.params["name"]) - ) + quote_plus(module.params["name"]), + ), ) module.exit_json( changed=True, @@ -255,9 +254,7 @@ def main(): splunk_data=splunk_data, ) - module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict - ) + module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict) if __name__ == "__main__": diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_data_input_network.py b/ansible_collections/splunk/es/plugins/modules/splunk_data_input_network.py index 5771eb9cc..14905563a 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_data_input_network.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_data_input_network.py @@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -25,7 +26,7 @@ options: protocol: description: - Choose between tcp or udp - required: True + required: true choices: - 'tcp' - 'udp' 
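Review bot: `msg="{0} updated."` in this hunk is reformatted but its placeholder is never filled, so the module returns the literal string `{0} updated.` to the caller; the same holds for `msg="{0} created."` in the `@@ -238,16 +239,14 @@` hunk below and for the updated/disabled/created messages in the splunk_data_input_network.py hunks at `@@ -236,11 +235,15 @@` and `@@ -251,9 +254,7 @@`. The name is already available and URL-quoted on the lines just above, so each call is a one-line change, e.g. `msg="{0} updated.".format(module.params["name"]),`. main() begins before this hunk and continues past it.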
@@ -37,7 +38,7 @@ options: - C(dns) sets the host to the reverse DNS entry for the IP address of the remote server sending data. - C(none) leaves the host as specified in inputs.conf, which is typically the Splunk system hostname. default: "ip" - required: False + required: false type: str choices: - "ip" @@ -51,7 +52,7 @@ options: - "absent" - "enabled" - "disable" - required: False + required: false default: "present" type: str datatype: @@ -62,12 +63,12 @@ options: - "cooked" - "raw" default: "raw" - required: False + required: false type: str host: description: - Host from which the indexer gets data. - required: False + required: false type: str index: description: @@ -76,7 +77,7 @@ options: name: description: - The input port which receives raw data. - required: True + required: true type: str queue: description: @@ -89,7 +90,7 @@ options: - "parsingQueue" - "indexQueue" type: str - required: False + required: false default: "parsingQueue" rawTcpDoneTimeout: description: @@ -98,16 +99,16 @@ options: number of seconds, it adds a Done-key. This implies the last event is completely received. default: 10 type: int - required: False + required: false restrictToHost: description: - Allows for restricting this input to only accept data from the host specified here. - required: False + required: false type: str ssl: description: - Enable or disble ssl for the data stream - required: False + required: false type: bool source: description: @@ -126,7 +127,7 @@ options: description: - Set the source type for events from this input. - '"sourcetype=" is automatically prepended to .' - - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False). + - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=false). type: str author: Ansible Security Automation Team (@maxamillion) """ 
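Review bot: In the `@@ -126,7 +127,7 @@` hunk the sourcetype description becomes `Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=false).`, lower-casing only the second literal, while the parallel hunk in splunk_data_inputs_network.py lower-cases both. For consistency with the rest of this commit the line should read `- Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).`.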
@@ -140,16 +141,14 @@ EXAMPLES = """ """ -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six.moves.urllib.parse import quote_plus -from ansible_collections.splunk.es.plugins.module_utils.splunk import ( - SplunkRequest, -) +from ansible_collections.splunk.es.plugins.module_utils.splunk import SplunkRequest -def main(): +def main(): argspec = dict( state=dict( required=False, @@ -178,9 +177,7 @@ def main(): ssl=dict(required=False, type="bool", default=None), source=dict(required=False, type="str", default=None), sourcetype=dict(required=False, type="str", default=None), - datatype=dict( - required=False, choices=["cooked", "raw"], default="raw" - ), + datatype=dict(required=False, choices=["cooked", "raw"], default="raw"), ) module = AnsibleModule(argument_spec=argspec, supports_check_mode=True) @@ -198,7 +195,7 @@ def main(): quote_plus(module.params["protocol"]), quote_plus(module.params["datatype"]), quote_plus(module.params["name"]), - ) + ), ) if module.params["state"] in ["present", "enabled", "disabled"]: @@ -211,13 +208,15 @@ def main(): needs_change = False for arg in request_data: if arg in query_dict["entry"][0]["content"]: - if to_text( - query_dict["entry"][0]["content"][arg] - ) != to_text(request_data[arg]): + if to_text(query_dict["entry"][0]["content"][arg]) != to_text( + request_data[arg], + ): needs_change = True if not needs_change: module.exit_json( - changed=False, msg="Nothing to do.", splunk_data=query_dict + changed=False, + msg="Nothing to do.", + splunk_data=query_dict, ) if module.check_mode and needs_change: module.exit_json( 
@@ -236,11 +235,15 @@ def main(): ) if module.params["state"] in ["present", "enabled"]: module.exit_json( - changed=True, msg="{0} updated.", splunk_data=splunk_data + changed=True, + msg="{0} updated.", + splunk_data=splunk_data, ) else: module.exit_json( - changed=True, msg="{0} disabled.", splunk_data=splunk_data + changed=True, + msg="{0} disabled.", + splunk_data=splunk_data, ) else: # Create it @@ -251,9 +254,7 @@ def main(): ), data=_data, ) - module.exit_json( - changed=True, msg="{0} created.", splunk_data=splunk_data - ) + module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data) elif module.params["state"] == "absent": if query_dict: splunk_data = splunk_request.delete_by_path( @@ -261,7 +262,7 @@ def main(): quote_plus(module.params["protocol"]), quote_plus(module.params["datatype"]), quote_plus(module.params["name"]), - ) + ), ) module.exit_json( changed=True, diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_monitor.py b/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_monitor.py index 0f4922f77..1f664afb2 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_monitor.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_monitor.py @@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ @@ -26,7 +27,7 @@ options: name: description: - The file or directory path to monitor on the system. - required: True + required: true type: str blacklist: description: 
@@ -34,13 +35,13 @@ options: type: str check_index: description: - - If set to C(True), the index value is checked to ensure that it is the name of a valid index. + - If set to C(true), the index value is checked to ensure that it is the name of a valid index. - This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks type: bool check_path: description: - - If set to C(True), the name value is checked to ensure that it exists. + - If set to C(true), the name value is checked to ensure that it exists. - This parameter is not returned back by Splunk while obtaining object information. It is therefore left out while performing idempotency checks type: bool @@ -53,10 +54,10 @@ options: description: - Indicates if input monitoring is disabled. type: bool - default: False + default: false follow_tail: description: - - If set to C(True), files that are seen for the first time is read from the end. + - If set to C(true), files that are seen for the first time is read from the end. type: bool host: description: @@ -179,8 +180,8 @@ EXAMPLES = """ config: - name: "/var/log" blacklist: "//var/log/[a-z]/gm" - check_index: True - check_path: True + check_index: true + check_path: true crc_salt: rename_source: "test" whitelist: "//var/log/[0-9]/gm" @@ -283,7 +284,6 @@ EXAMPLES = """ # "name": "/var/log" # } # ], - """ RETURN = """ diff --git a/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_network.py b/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_network.py index 688e806f1..cf259c2d6 100644 --- a/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_network.py +++ b/ansible_collections/splunk/es/plugins/modules/splunk_data_inputs_network.py @@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function + __metaclass__ = type DOCUMENTATION = """ 
@@ -25,12 +26,12 @@ options: name: description: - The input port which receives raw data. - required: True + required: true type: str protocol: description: - Choose whether to manage TCP or UDP inputs - required: True + required: true choices: - 'tcp' - 'udp' @@ -58,7 +59,7 @@ options: - "raw" - "splunktcptoken" - "ssl" - required: False + required: false type: str disabled: description: @@ -124,7 +125,7 @@ options: description: - Set the source type for events from this input. - '"sourcetype=" is automatically prepended to .' - - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False). + - Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). type: str token: description: @@ -358,7 +359,7 @@ EXAMPLES = """ datatype: raw name: 8100 connection_host: ip - disabled: True + disabled: true raw_tcp_done_timeout: 9 restrict_to_host: default queue: parsingQueue @@ -409,7 +410,7 @@ EXAMPLES = """ datatype: cooked name: 8101 connection_host: ip - disabled: False + disabled: false restrict_to_host: default state: merged @@ -460,7 +461,7 @@ EXAMPLES = """ # ], # "before": [], -- name: To add the Splunk SSL +- name: To add the Splunk SSL splunk.es.splunk_data_inputs_network: config: - protocol: tcp @@ -531,7 +532,7 @@ EXAMPLES = """ datatype: raw name: 8100 connection_host: ip - disabled: True + disabled: true host: "$decideOnStartup" index: default queue: parsingQueue @@ -575,7 +576,6 @@ EXAMPLES = """ # "sourcetype": "test_source_type" # } # ], - """ RETURN = """ -- cgit v1.2.3