Try SpotterManage Splunk Enterprise Security Notable Event Adaptive Responses
| "added in version" 1.0 of splunk.es"
Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
Install with ansible-galaxy collection install splunk.es:==0.0.2
collections:
- name: splunk.es
version: 0.0.2This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search
- name: Example of using splunk.es.adaptive_response_notable_event module
splunk.es.adaptive_response_notable_event:
name: "Example notable event from Ansible"
correlation_search_name: "Example Correlation Search From Ansible"
description: "Example notable event from Ansible, description."
state: "present"
next_steps:
- ping
- nslookup
recommended_actions:
- script
- ansiblesecurityautomation
name:
description:
- Name of notable event
required: true
type: str
state:
choices:
- present
- absent
description:
- Add or remove a data source.
required: true
type: str
severity:
choices:
- informational
- low
- medium
- high
- critical
- unknown
default: high
description:
- Severity rating
required: false
type: str
next_steps:
description:
- List of adaptive responses that should be run next
- Describe next steps and response actions that an analyst could take to address this
threat.
required: false
type: list
description:
description:
- Description of the notable event, this will populate the description field for the
web console
required: true
type: str
default_owner:
description:
- Default owner of the notable event, if unset it will default to Splunk System Defaults
required: false
type: str
default_status:
choices:
- unassigned
- new
- in progress
- pending
- resolved
- closed
description:
- Default status of the notable event, if unset it will default to Splunk System Defaults
required: false
type: str
drill_down_name:
description:
- Name for drill down search, Supports variable substitution with fields from the
matching event.
required: false
type: str
security_domain:
choices:
- access
- endpoint
- network
- threat
- identity
- audit
default: threat
description:
- Splunk Security Domain
required: false
type: str
asset_extraction:
choices:
- src
- dest
- dvc
- orig_host
default:
- src
- dest
- dvc
- orig_host
description:
- list of assets to extract, select any one or many of the available choices
- defaults to all available choices
required: false
type: list
drill_down_search:
description:
- Drill down search, Supports variable substitution with fields from the matching
event.
required: false
type: str
identity_extraction:
choices:
- user
- src_user
default:
- user
- src_user
description:
- list of identity fields to extract, select any one or many of the available choices
- defaults to all available choices
required: false
type: list
recommended_actions:
description:
- List of adaptive responses that are recommended to be run next
- Identifying Recommended Adaptive Responses will highlight those actions for the
analyst when looking at the list of response actions available, making it easier
to find them among the longer list of available actions.
required: false
type: list
investigation_profiles:
description:
- Investigation profile to assiciate the notable event with.
required: false
type: str
correlation_search_name:
description:
- Name of correlation search to associate this notable event adaptive response with
required: true
type: str
drill_down_latest_offset:
default: $info_max_time$
description:
- Set the amount of time after the triggering event to search for related events.
For example, 1m. Use "$info_max_time$" to set the drill-down time to match the latest
time of the search
required: false
type: str
drill_down_earliest_offset:
default: $info_min_time$
description:
- Set the amount of time before the triggering event to search for related events.
For example, 2h. Use "$info_min_time$" to set the drill-down time to match the earliest
time of the search
required: false
type: str