splunk / splunk.es / 0.0.2 / module / adaptive_response_notable_event Manage Splunk Enterprise Security Notable Event Adaptive Responses | "added in version" 1.0 of splunk.es" Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>splunk.es.adaptive_response_notable_event (0.0.2) — module
Install with ansible-galaxy collection install splunk.es:==0.0.2
collections: - name: splunk.es version: 0.0.2
This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search
- name: Example of using splunk.es.adaptive_response_notable_event module splunk.es.adaptive_response_notable_event: name: "Example notable event from Ansible" correlation_search_name: "Example Correlation Search From Ansible" description: "Example notable event from Ansible, description." state: "present" next_steps: - ping - nslookup recommended_actions: - script - ansiblesecurityautomation
name: description: - Name of notable event required: true type: str state: choices: - present - absent description: - Add or remove a data source. required: true type: str severity: choices: - informational - low - medium - high - critical - unknown default: high description: - Severity rating required: false type: str next_steps: description: - List of adaptive responses that should be run next - Describe next steps and response actions that an analyst could take to address this threat. required: false type: list description: description: - Description of the notable event, this will populate the description field for the web console required: true type: str default_owner: description: - Default owner of the notable event, if unset it will default to Splunk System Defaults required: false type: str default_status: choices: - unassigned - new - in progress - pending - resolved - closed description: - Default status of the notable event, if unset it will default to Splunk System Defaults required: false type: str drill_down_name: description: - Name for drill down search, Supports variable substitution with fields from the matching event. required: false type: str security_domain: choices: - access - endpoint - network - threat - identity - audit default: threat description: - Splunk Security Domain required: false type: str asset_extraction: choices: - src - dest - dvc - orig_host default: - src - dest - dvc - orig_host description: - list of assets to extract, select any one or many of the available choices - defaults to all available choices required: false type: list drill_down_search: description: - Drill down search, Supports variable substitution with fields from the matching event. required: false type: str identity_extraction: choices: - user - src_user default: - user - src_user description: - list of identity fields to extract, select any one or many of the available choices - defaults to all available choices required: false type: list recommended_actions: description: - List of adaptive responses that are recommended to be run next - Identifying Recommended Adaptive Responses will highlight those actions for the analyst when looking at the list of response actions available, making it easier to find them among the longer list of available actions. required: false type: list investigation_profiles: description: - Investigation profile to assiciate the notable event with. required: false type: str correlation_search_name: description: - Name of correlation search to associate this notable event adaptive response with required: true type: str drill_down_latest_offset: default: $info_max_time$ description: - Set the amount of time after the triggering event to search for related events. For example, 1m. Use "$info_max_time$" to set the drill-down time to match the latest time of the search required: false type: str drill_down_earliest_offset: default: $info_min_time$ description: - Set the amount of time before the triggering event to search for related events. For example, 2h. Use "$info_min_time$" to set the drill-down time to match the earliest time of the search required: false type: str