splunk.es.correlation_search – Manage Splunk Enterprise Security Correlation Searches (module, splunk.es 0.0.2)
New in version 1.0 of splunk.es.
Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
Install with: ansible-galaxy collection install splunk.es:==0.0.2

Or pin it in a requirements.yml:
collections:
  - name: splunk.es
    version: 0.0.2
This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches.
Examples:

- name: Example of creating a correlation search with splunk.es.correlation_search
  splunk.es.correlation_search:
    name: "Example Correlation Search From Ansible"
    description: "Example Correlation Search From Ansible, description."
    search: 'source="/var/log/snort.log"'
    state: "present"
Parameters:

app (str, optional; default: SplunkEnterpriseSecuritySuite)
    Splunk app to associate the correlation search with.

name (str, required)
    Name of the correlation search.

state (str, required; choices: present, absent, enabled, disabled)
    Add, remove, enable, or disable a correlation search.

search (str, required)
    SPL search string.

scheduling (str, optional; choices: real-time, continuous; default: real-time)
    Controls the way the scheduler computes the next execution time of a scheduled search.
    Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling

description (str, required)
    Description of the correlation search; this populates the description field in the web console.

time_latest (str, optional; default: now)
    Latest time, using relative time modifiers.

cron_schedule (str, optional; default: '*/5 * * * *')
    Enter a cron-style schedule. For example C('*/5 * * * *') (every 5 minutes) or C('0 21 * * *') (every day at 9 PM). Real-time searches use a default schedule of C('*/5 * * * *').

time_earliest (str, optional; default: -24h)
    Earliest time, using relative time modifiers.

schedule_window (str, optional; default: '0')
    Let the report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report.

suppress_alerts (bool, optional; default: false)
    Whether to suppress alerts from this correlation search.

schedule_priority (str, optional; choices: Default, Higher, Highest; default: Default)
    Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.

trigger_alert_when (str, optional; choices: number of events, number of results, number of hosts, number of sources; default: number of events)
    Which count the alert trigger condition is evaluated against. Used together with C(trigger_alert_when_condition) and C(trigger_alert_when_value).

ui_dispatch_context (str, optional)
    Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.

throttle_window_duration (str, optional)
    How much time to ignore other events that match the field values specified in "Fields to group by".

trigger_alert_when_value (str, optional; default: '10')
    Value to pass to C(trigger_alert_when).

throttle_fields_to_group_by (str, optional)
    The fields to consider for matching events for throttling.

trigger_alert_when_condition (str, optional; choices: greater than, less than, equal to, not equal to, drops by, rises by; default: greater than)
    Conditional to pass to C(trigger_alert_when).
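A fuller playbook, added here as an example and not taken from the collection's own documentation, shows how the scheduling, trigger and throttling parameters above combine into one scheduled correlation search, and how C(state) is used to disable and remove the same search without re-typing its definition. The inventory host `splunk_es`, the SPL search, the search name and the threshold are constructed for this example; the value format of C(throttle_window_duration) (shown as `3600s`) is an assumption taken from Splunk's savedsearches.conf conventions, not from this page.

```yaml
# Added example (not from the splunk.es collection docs). Assumes an inventory
# host "splunk_es" already configured for the collection's Splunk connection
# plugin; the SPL, names and values below are constructed for illustration.
- name: Manage an Enterprise Security correlation search for SSH auth failures
  hosts: splunk_es
  gather_facts: false
  vars:
    # name, description and search are required by the module for every
    # state, so keep them in one place and reuse them in each task.
    corr_name: "Ansible - Excessive SSH authentication failures"
    corr_description: "Notable when one source IP fails SSH authentication more than 10 times in 15 minutes."
    # Constructed SPL: count failed logins per source, keep only sources over the threshold.
    corr_search: 'index=main sourcetype=linux_secure "Failed password" | stats count by src | where count > 10'
    # Set to true to disable or delete instead of ensuring the search exists.
    disable_search: false
    remove_search: false
  tasks:
    - name: Ensure the correlation search exists with schedule, trigger and throttle settings
      splunk.es.correlation_search:
        name: "{{ corr_name }}"
        description: "{{ corr_description }}"
        search: "{{ corr_search }}"
        app: SplunkEnterpriseSecuritySuite
        state: present
        # Continuous scheduling runs every scheduled execution rather than
        # skipping late ones; see the link under the "scheduling" parameter.
        scheduling: continuous
        cron_schedule: '*/15 * * * *'
        schedule_window: 'auto'
        schedule_priority: Default
        time_earliest: '-15m'
        time_latest: 'now'
        # The SPL already applies the per-source threshold, so any result row
        # is an offending source: trigger on "number of results" > 0.
        trigger_alert_when: number of results
        trigger_alert_when_condition: greater than
        trigger_alert_when_value: '0'
        # Throttle repeat notables for the same src for one hour
        # (duration format "3600s" is an assumption, see the lead-in).
        throttle_fields_to_group_by: src
        throttle_window_duration: '3600s'
        suppress_alerts: false
        # Drill-down links in the notable open in the ES app context.
        ui_dispatch_context: SplunkEnterpriseSecuritySuite
      when: not (disable_search | bool) and not (remove_search | bool)

    - name: Disable the correlation search but keep its definition
      splunk.es.correlation_search:
        name: "{{ corr_name }}"
        description: "{{ corr_description }}"
        search: "{{ corr_search }}"
        state: disabled
      when: disable_search | bool and not (remove_search | bool)

    - name: Remove the correlation search entirely
      splunk.es.correlation_search:
        name: "{{ corr_name }}"
        description: "{{ corr_description }}"
        search: "{{ corr_search }}"
        state: absent
      when: remove_search | bool
```

Run it as `ansible-playbook correlation_search.yml` to create the search, `-e disable_search=true` to disable it during tuning, and `-e remove_search=true` to delete it; because every task carries the same name, description and search, the three states stay consistent and the play is idempotent on repeated runs.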