Try SpotterManage Splunk Enterprise Security Correlation Searches
| "added in version" 1.0 of splunk.es"
Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
Install with ansible-galaxy collection install splunk.es:==0.0.2
collections:
- name: splunk.es
version: 0.0.2This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches
- name: Example of creating a correlation search with splunk.es.coorelation_search
splunk.es.correlation_search:
name: "Example Coorelation Search From Ansible"
description: "Example Coorelation Search From Ansible, description."
search: 'source="/var/log/snort.log"'
state: "present"
app:
default: SplunkEnterpriseSecuritySuite
description:
- Splunk app to associate the correlation seach with
required: false
type: str
name:
description:
- Name of coorelation search
required: true
type: str
state:
choices:
- present
- absent
- enabled
- disabled
description:
- Add, remove, enable, or disiable a correlation search.
required: true
type: str
search:
description:
- SPL search string
required: true
type: str
scheduling:
choices:
- real-time
- continuous
default: real-time
description:
- Controls the way the scheduler computes the next execution time of a scheduled search.
- 'Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling
'
required: false
type: str
description:
description:
- Description of the coorelation search, this will populate the description field
for the web console
required: true
type: str
time_latest:
default: now
description:
- Latest time using relative time modifiers.
required: false
type: str
cron_schedule:
default: '*/5 * * * *'
description:
- Enter a cron-style schedule.
- For example C('*/5 * * * *') (every 5 minutes) or C('0 21 * * *') (every day at
9 PM).
- Real-time searches use a default schedule of C('*/5 * * * *').
required: false
type: str
time_earliest:
default: -24h
description:
- Earliest time using relative time modifiers.
required: false
type: str
schedule_window:
default: '0'
description:
- Let report run at any time within a window that opens at its scheduled run time,
to improve efficiency when there are many concurrently scheduled reports. The "auto"
setting automatically determines the best window width for the report.
required: false
type: str
suppress_alerts:
default: false
description:
- To suppress alerts from this correlation search or not
required: false
type: bool
schedule_priority:
choices:
- Default
- Higher
- Highest
default: Default
description:
- Raise the scheduling priority of a report. Set to "Higher" to prioritize it above
other searches of the same scheduling mode, or "Highest" to prioritize it above
other searches regardless of mode. Use with discretion.
required: false
type: str
trigger_alert_when:
choices:
- number of events
- number of results
- number of hosts
- number of sources
default: number of events
description:
- Raise the scheduling priority of a report. Set to "Higher" to prioritize it above
other searches of the same scheduling mode, or "Highest" to prioritize it above
other searches regardless of mode. Use with discretion.
required: false
type: str
ui_dispatch_context:
description:
- Set an app to use for links such as the drill-down search in a notable event or
links in an email adaptive response action. If None, uses the Application Context.
required: false
type: str
throttle_window_duration:
description:
- How much time to ignore other events that match the field values specified in Fields
to group by.
required: false
type: str
trigger_alert_when_value:
default: '10'
description:
- Value to pass to C(trigger_alert_when)
required: false
type: str
throttle_fields_to_group_by:
description:
- Type the fields to consider for matching events for throttling.
required: false
type: str
trigger_alert_when_condition:
choices:
- greater than
- less than
- equal to
- not equal to
- drops by
- rises by
default: greater than
description:
- Conditional to pass to C(trigger_alert_when)
required: false
type: str