Try SpotterSplunk Enterprise Security Correlation searches resource module
| "added in version" 2.1.0 of splunk.es"
Authors: Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security>
This plugin has a corresponding action plugin.
Install with ansible-galaxy collection install splunk.es:==3.0.0
collections:
- name: splunk.es
version: 3.0.0This module allows for creation, deletion, and modification of Splunk Enterprise Security correlation searches
Tested against Splunk Enterprise Server v8.2.3 with Splunk Enterprise Security v7.0.1 installed on it.
# Using gathered
# --------------
- name: Gather correlation searches config
splunk.es.splunk_correlation_searches:
config:
- name: Ansible Test
- name: Ansible Test 2
state: gathered
# RUN output:
# -----------
# "gathered": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ]
# Using merged
# ------------
- name: Merge and create new correlation searches configuration
splunk.es.splunk_correlation_searches:
config:
- name: Ansible Test
disabled: false
description: test description
app: DA-ESS-EndpointProtection
annotations:
cis20:
- test1
mitre_attack:
- test2
kill_chain_phases:
- test3
nist:
- test4
custom:
- framework: test_framework
custom_annotations:
- test5
ui_dispatch_context: SplunkEnterpriseSecuritySuite
time_earliest: -24h
time_latest: now
cron_schedule: "*/5 * * * *"
scheduling: realtime
schedule_window: "0"
schedule_priority: default
trigger_alert: once
trigger_alert_when: number of events
trigger_alert_when_condition: greater than
trigger_alert_when_value: "10"
throttle_window_duration: 5s
throttle_fields_to_group_by:
- test_field1
suppress_alerts: false
search: >
'| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
'n.src" as "src" | where "count">=6'
state: merged
# RUN output:
# -----------
# "after": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# },
# ],
# "before": [],
# Using replaced
# --------------
- name: Replace existing correlation searches configuration
splunk.es.splunk_correlation_searches:
state: replaced
config:
- name: Ansible Test
disabled: false
description: test description
app: SplunkEnterpriseSecuritySuite
annotations:
cis20:
- test1
- test2
mitre_attack:
- test3
- test4
kill_chain_phases:
- test5
- test6
nist:
- test7
- test8
custom:
- framework: test_framework2
custom_annotations:
- test9
- test10
ui_dispatch_context: SplunkEnterpriseSecuritySuite
time_earliest: -24h
time_latest: now
cron_schedule: "*/5 * * * *"
scheduling: continuous
schedule_window: auto
schedule_priority: default
trigger_alert: once
trigger_alert_when: number of events
trigger_alert_when_condition: greater than
trigger_alert_when_value: 10
throttle_window_duration: 5s
throttle_fields_to_group_by:
- test_field1
- test_field2
suppress_alerts: true
search: >
'| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
'n.src" as "src" | where "count">=6'
# RUN output:
# -----------
# "after": [
# {
# "annotations": {
# "cis20": [
# "test1",
# "test2"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test9",
# "test10"
# ],
# "framework": "test_framework2"
# }
# ],
# "kill_chain_phases": [
# "test5",
# "test6"
# ],
# "mitre_attack": [
# "test3",
# "test4"
# ],
# "nist": [
# "test7",
# "test8"
# ]
# },
# "app": "SplunkEnterpriseSecuritySuite",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "auto",
# "scheduling": "continuous",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": true,
# "throttle_fields_to_group_by": [
# "test_field1",
# "test_field2"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ],
# "before": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ]
# Using deleted
# -------------
- name: Example to delete the corelation search
splunk.es.splunk_correlation_searches:
config:
- name: Ansible Test
state: deleted
state:
choices:
- merged
- replaced
- deleted
- gathered
default: merged
description:
- The state the configuration should be left in
type: str
config:
description:
- Configure file and directory monitoring on the system
elements: dict
suboptions:
annotations:
description:
- Add context from industry standard cyber security mappings in Splunk Enterprise
Security or custom annotations
suboptions:
cis20:
description:
- Specify CIS20 annotations
elements: str
type: list
custom:
description:
- Specify custom framework and custom annotations
elements: dict
suboptions:
custom_annotations:
description:
- Specify annotations associated with custom framework
elements: str
type: list
framework:
description:
- Specify annotation framework
type: str
type: list
kill_chain_phases:
description:
- Specify Kill 10 annotations
elements: str
type: list
mitre_attack:
description:
- Specify MITRE ATTACK annotations
elements: str
type: list
nist:
description:
- Specify NIST annotations
elements: str
type: list
type: dict
app:
default: SplunkEnterpriseSecuritySuite
description:
- Splunk app to associate the correlation seach with
type: str
cron_schedule:
default: '*/5 * * * *'
description:
- Enter a cron-style schedule.
- For example C('*/5 * * * *') (every 5 minutes) or C('0 21 * * *') (every day
at 9 PM).
- Real-time searches use a default schedule of C('*/5 * * * *').
type: str
description:
description:
- Description of the coorelation search, this will populate the description field
for the web console
type: str
disabled:
default: false
description:
- Disable correlation search
type: bool
name:
description:
- Name of correlation search
required: true
type: str
schedule_priority:
choices:
- default
- higher
- highest
default: default
description:
- Raise the scheduling priority of a report. Set to "Higher" to prioritize it
above other searches of the same scheduling mode, or "Highest" to prioritize
it above other searches regardless of mode. Use with discretion.
type: str
schedule_window:
default: '0'
description:
- Let report run at any time within a window that opens at its scheduled run time,
to improve efficiency when there are many concurrently scheduled reports. The
"auto" setting automatically determines the best window width for the report.
type: str
scheduling:
choices:
- realtime
- continuous
default: realtime
description:
- Controls the way the scheduler computes the next execution time of a scheduled
search.
- 'Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling
'
type: str
search:
description:
- SPL search string
type: str
suppress_alerts:
default: false
description:
- To suppress alerts from this correlation search or not
type: bool
throttle_fields_to_group_by:
description:
- Type the fields to consider for matching events for throttling.
elements: str
type: list
throttle_window_duration:
description:
- How much time to ignore other events that match the field values specified in
Fields to group by.
type: str
time_earliest:
default: -24h
description:
- Earliest time using relative time modifiers.
type: str
time_latest:
default: now
description:
- Latest time using relative time modifiers.
type: str
trigger_alert:
choices:
- once
- for each result
default: once
description:
- Notable response actions and risk response actions are always triggered for
each result. Choose whether the trigger is activated once or for each result.
type: str
trigger_alert_when:
choices:
- number of events
- number of results
- number of hosts
- number of sources
default: number of events
description:
- Raise the scheduling priority of a report. Set to "Higher" to prioritize it
above other searches of the same scheduling mode, or "Highest" to prioritize
it above other searches regardless of mode. Use with discretion.
type: str
trigger_alert_when_condition:
choices:
- greater than
- less than
- equal to
- not equal to
- drops by
- rises by
default: greater than
description:
- Conditional to pass to C(trigger_alert_when)
type: str
trigger_alert_when_value:
default: '10'
description:
- Value to pass to C(trigger_alert_when)
type: str
ui_dispatch_context:
description:
- Set an app to use for links such as the drill-down search in a notable event
or links in an email adaptive response action. If None, uses the Application
Context.
type: str
type: list
running_config:
description:
- The module, by default, will connect to the remote device and retrieve the current
running-config to use as a base for comparing against the contents of source. There
are times when it is not desirable to have the task get the current running-config
for every task in a playbook. The I(running_config) argument allows the implementer
to pass in the configuration to use as the base config for comparison. This value
of this option should be the output received from device by executing command.
type: str
after:
description: The configuration as structured data after module completion.
returned: when changed
sample: The configuration returned will always be in the same format of the parameters
above.
type: list
before:
description: The configuration as structured data prior to module invocation.
returned: always
sample: The configuration returned will always be in the same format of the parameters
above.
type: list
gathered:
description: Facts about the network resource gathered from the remote device as
structured data.
returned: when state is I(gathered)
sample: 'This output will always be in the same format as the module argspec.
'
type: dict