path: root/ansible_collections/ibm/qradar/plugins/modules/qradar_analytics_rules.py
#!/usr/bin/python
# Copyright: Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function


# Python 2 compatibility (standard Ansible module preamble): any class defined in
# this module is created as a new-style class.
__metaclass__ = type

# Module documentation as a YAML document; read by ansible-doc, not by the module
# at run time.  `fields` and `range` are documented as valid only for state
# gathered; `merged`/`deleted` act on the rule selected by `id` or `name`
# (see the EXAMPLES in this file).
DOCUMENTATION = """
---
module: qradar_analytics_rules
short_description: Qradar Analytics Rules Management resource module
description:
  - This module allows for modification, deletion, and checking of Analytics Rules in QRadar
version_added: "2.1.0"
options:
  config:
    description: A dictionary of Qradar Analytics Rules options
    type: dict
    suboptions:
      id:
        description: The sequence ID of the rule.
        type: int
      name:
        description: The name of the rule.
        type: str
      enabled:
        description: Check if the rule is enabled
        type: bool
      owner:
        description: Manage ownership of a QRadar Rule
        type: str
      fields:
        description:
          - List of params filtered from the Rule config
          - NOTE, this param is valid only via state GATHERED.
        type: list
        elements: str
        choices:
          - average_capacity
          - base_capacity
          - base_host_id
          - capacity_timestamp
          - creation_date
          - enabled
          - id
          - identifier
          - linked_rule_identifier
          - modification_date
          - name
          - origin
          - owner
          - type
      range:
        description:
          - Parameter to restrict the number of elements that
            are returned in the list to a specified range.
          - NOTE, this param is valid only via state GATHERED.
        type: str
  state:
    description:
      - The state the configuration should be left in
      - The state I(gathered) will get the module API configuration from the device
        and transform it into structured data in the format as per the module argspec
        and the value is returned in the I(gathered) key within the result.
    type: str
    choices:
      - merged
      - gathered
      - deleted

author: Ansible Security Automation Team (@justjais) <https://github.com/ansible-security>
"""

EXAMPLES = """

# Using MERGED state
# -------------------

- name: DISABLE Rule 'Ansible Example DDoS Rule'
  ibm.qradar.qradar_analytics_rules:
    config:
      name: 'Ansible Example DDOS Rule'
      enabled: false
    state: merged

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929682568
#       enabled: false
#       id: 100443
#       identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
#       linked_rule_identifier: null
#       modification_date: 1658929682567
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929682568
#       enabled: true
#       id: 100443
#       identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
#       linked_rule_identifier: null
#       modification_date: 1658929682567
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT


# Using GATHERED state
# --------------------

- name: Get information about the Rule named "Ansible Example DDOS Rule"
  ibm.qradar.qradar_analytics_rules:
    config:
      name: "Ansible Example DDOS Rule"
    state: gathered

# RUN output:
# -----------

#   gathered:
#     average_capacity: null
#     base_capacity: null
#     base_host_id: null
#     capacity_timestamp: null
#     creation_date: 1658918848694
#     enabled: true
#     id: 100443
#     identifier: d6d37942-ba28-438f-b909-120df643a992
#     linked_rule_identifier: null
#     modification_date: 1658918848692
#     name: Ansible Example DDOS Rule
#     origin: USER
#     owner: admin
#     type: EVENT

- name: Get information about the Rule with ID 100443
  ibm.qradar.qradar_analytics_rules:
    config:
      id: 100443
    state: gathered

# RUN output:
# -----------

#   gathered:
#     average_capacity: null
#     base_capacity: null
#     base_host_id: null
#     capacity_timestamp: null
#     creation_date: 1658918848694
#     enabled: true
#     id: 100443
#     identifier: d6d37942-ba28-438f-b909-120df643a992
#     linked_rule_identifier: null
#     modification_date: 1658918848692
#     name: Ansible Example DDOS Rule
#     origin: USER
#     owner: admin
#     type: EVENT

- name: TO Get information about the Rule ID with a range
  ibm.qradar.qradar_analytics_rules:
  config:
    range: 100300-100500
    fields:
      - name
      - origin
      - owner
  state: gathered

# RUN output:
# -----------

# gathered:
#   - name: Devices with High Event Rates
#     origin: SYSTEM
#     owner: admin
#   - name: Excessive Database Connections
#     origin: SYSTEM
#     owner: admin
#   - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts'
#     origin: SYSTEM
#     owner: admin
#   - name: Excessive Firewall Denies from Single Source
#     origin: SYSTEM
#     owner: admin
#   - name: 'AssetExclusion: Exclude DNS Name By IP'
#     origin: SYSTEM
#     owner: admin
#   - name: 'AssetExclusion: Exclude DNS Name By MAC Address'
#     origin: SYSTEM
#     owner: admin

- name: Delete custom Rule by NAME
  ibm.qradar.qradar_analytics_rules:
    config:
      name: 'Ansible Example DDOS Rule'
    state: deleted

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after: {}
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929431239
#       enabled: true
#       id: 100444
#       identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
#       linked_rule_identifier: null
#       modification_date: 1658929431238
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT

# Using DELETED state
# -------------------

- name: Delete custom Rule by ID
  ibm.qradar.qradar_analytics_rules:
    config:
      id: 100443
    state: deleted

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after: {}
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929431239
#       enabled: true
#       id: 100443
#       identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
#       linked_rule_identifier: null
#       modification_date: 1658929431238
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT
"""

# Return-value documentation (YAML, read by ansible-doc).  `before` is documented
# as always present; `after` only when the module changed something.
RETURN = """
before:
  description: The configuration as structured data prior to module invocation.
  returned: always
  type: dict
  sample: The configuration returned will always be in the same format of the parameters above.
after:
  description: The configuration as structured data after module completion.
  returned: when changed
  type: dict
  sample: The configuration returned will always be in the same format of the parameters above.
"""