path: root/ansible_collections/ibm/qradar/plugins/modules/rule_info.py
#!/usr/bin/python
# -*- coding: utf-8 -*-

# (c) 2019, Adam Miller (admiller@redhat.com)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function


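__metaclass__ = type

# Module documentation in the YAML form that ansible-doc renders. The option
# names, types and choices listed here mirror the argument spec built in
# main() and must be kept in step with it.
DOCUMENTATION = """
---
module: rule_info
short_description: Obtain information about one or many QRadar Rules, with filter options
description:
  - This module obtains information about one or many QRadar Rules, with filter options
version_added: "1.0.0"
deprecated:
  alternative: qradar_analytics_rules
  why: Newer and updated modules released with more functionality.
  removed_at_date: '2024-09-01'
options:
  id:
    description:
      - Obtain only information of the Rule with provided ID
    required: false
    type: int
  name:
    description:
      - Obtain only information of the Rule that matches the provided name
    required: false
    type: str
  type:
    description:
      - Obtain only information for the Rules of a certain type
    required: false
    choices: [ "EVENT", "FLOW", "COMMON", "USER"]
    type: str
  owner:
    description:
      - Obtain only information of Rules owned by a certain user
    required: false
    type: str
  origin:
    description:
      - Obtain only information of Rules that are of a certain origin
    required: false
    choices: ["SYSTEM", "OVERRIDE", "USER"]
    type: str
notes:
  - You may provide many filters and they will all be applied, except for C(id)
    as that will return only the Rule identified by the unique ID provided.

author: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
"""


# FIXME - RETURN is still empty. main() exits with a single "rules" key, whose
# content is whatever the QRadar API returned; that should be documented here.
RETURN = """
"""

# Usage examples shown by ansible-doc.
EXAMPLES = """
- name: Get information about the Rule named "Custom Company DDoS Rule"
  ibm.qradar.rule_info:
    name: "Custom Company DDoS Rule"
  register: custom_ddos_rule_info

- name: debugging output of the custom_ddos_rule_info registered variable
  debug:
    var: custom_ddos_rule_info
"""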

from ansible.module_utils._text import to_text
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.six.moves.urllib.parse import quote

from ansible_collections.ibm.qradar.plugins.module_utils.qradar import QRadarRequest


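def main():
    """Look up QRadar analytics rules and return them under the ``rules`` key.

    When ``id`` is given, the single rule at ``/api/analytics/rules/<id>`` is
    fetched and every other option is ignored. Otherwise each of ``name``,
    ``owner``, ``type`` and ``origin`` that is set contributes one term to a
    ``filter`` query on ``/api/analytics/rules``; with no option set, all
    rules are requested.

    The module only issues GET requests and always reports
    ``changed=False``.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        owner=dict(required=False, type="str"),
        type=dict(
            required=False,
            choices=["EVENT", "FLOW", "COMMON", "USER"],
            type="str",
        ),
        origin=dict(
            required=False,
            choices=["SYSTEM", "OVERRIDE", "USER"],
            type="str",
        ),
    )

    module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)

    qradar_request = QRadarRequest(module)

    # Compare against None rather than relying on truthiness, so an explicit
    # id of 0 is looked up as a rule id instead of silently widening the
    # request to the unfiltered rule list.
    if module.params["id"] is not None:
        code, rules = qradar_request.get(
            "/api/analytics/rules/{0}".format(module.params["id"]),
        )

    else:
        query_strs = []

        # quote() percent-encodes each term (including '&', '=' and '"'), so a
        # value cannot add a query parameter of its own to the URL.
        # NOTE(review): the values are not escaped for the filter expression
        # itself. A double quote inside `name` would presumably end the quoted
        # literal once the server decodes the URL, and `owner` is not quoted
        # at all. Confirm how the QRadar filter parser treats such values and
        # reject or escape them if playbook variables can come from a less
        # trusted source than the playbook author.
        if module.params["name"]:
            query_strs.append(
                quote('name="{0}"'.format(to_text(module.params["name"]))),
            )

        if module.params["owner"]:
            query_strs.append(
                quote("owner={0}".format(module.params["owner"])),
            )

        if module.params["type"]:
            query_strs.append(quote("type={0}".format(module.params["type"])))

        if module.params["origin"]:
            query_strs.append(
                quote("origin={0}".format(module.params["origin"])),
            )

        if query_strs:
            # NOTE(review): a raw "&" ends the `filter` query parameter, so
            # every term after the first is sent as a separate query parameter
            # rather than as part of the filter. Verify against the QRadar API
            # that all supplied filters are really applied; otherwise the
            # result can be broader than the caller asked for.
            code, rules = qradar_request.get(
                "/api/analytics/rules?filter={0}".format("&".join(query_strs)),
            )
        else:
            code, rules = qradar_request.get("/api/analytics/rules")

    # Report the result for both branches. This call used to sit inside the
    # `else` branch, so a lookup by id fetched the rule and then ended without
    # returning anything to Ansible.
    module.exit_json(rules=rules, changed=False)


if __name__ == "__main__":
    main()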