splunk.es.adaptive_response_notable_event – Manage Splunk Enterprise Security Notable Event Adaptive Responses

Note

This plugin is part of the splunk.es collection (version 1.0.2).

To install it use: ansible-galaxy collection install splunk.es.

To use it in a playbook, specify: splunk.es.adaptive_response_notable_event.

New in version 1.0.0: of splunk.es

Synopsis
Parameters
Examples

Synopsis

This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search

Parameters

Parameter	Choices/Defaults	Comments
asset_extraction list / elements=string	Choices: src ← dest ← dvc ← orig_host ← Default: ["src", "dest", "dvc", "orig_host"]	list of assets to extract, select any one or many of the available choices defaults to all available choices
correlation_search_name string / required		Name of correlation search to associate this notable event adaptive response with
default_owner string		Default owner of the notable event, if unset it will default to Splunk System Defaults
default_status string	Choices: unassigned new in progress pending resolved closed	Default status of the notable event, if unset it will default to Splunk System Defaults
description string / required		Description of the notable event, this will populate the description field for the web console
drill_down_earliest_offset string	Default: "$info_min_time$"	Set the amount of time before the triggering event to search for related events. For example, 2h. Use "$info_min_time$" to set the drill-down time to match the earliest time of the search
drill_down_latest_offset string	Default: "$info_max_time$"	Set the amount of time after the triggering event to search for related events. For example, 1m. Use "$info_max_time$" to set the drill-down time to match the latest time of the search
drill_down_name string		Name for drill down search, Supports variable substitution with fields from the matching event.
drill_down_search string		Drill down search, Supports variable substitution with fields from the matching event.
identity_extraction list / elements=string	Choices: user ← src_user ← Default: ["user", "src_user"]	list of identity fields to extract, select any one or many of the available choices defaults to all available choices
investigation_profiles string		Investigation profile to assiciate the notable event with.
name string / required		Name of notable event
next_steps list / elements=string		List of adaptive responses that should be run next Describe next steps and response actions that an analyst could take to address this threat.
recommended_actions list / elements=string		List of adaptive responses that are recommended to be run next Identifying Recommended Adaptive Responses will highlight those actions for the analyst when looking at the list of response actions available, making it easier to find them among the longer list of available actions.
security_domain string	Choices: access endpoint network threat ← identity audit	Splunk Security Domain
severity string	Choices: informational low medium high ← critical unknown	Severity rating
state string / required	Choices: present absent	Add or remove a data source.

Examples

- name: Example of using splunk.es.adaptive_response_notable_event module
  splunk.es.adaptive_response_notable_event:
    name: "Example notable event from Ansible"
    correlation_search_name: "Example Correlation Search From Ansible"
    description: "Example notable event from Ansible, description."
    state: "present"
    next_steps:
      - ping
      - nslookup
    recommended_actions:
      - script
      - ansiblesecurityautomation

Authors

Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/splunk/es/adaptive_response_notable_event_module.html