splunk.es.correlation_search – Manage Splunk Enterprise Security Correlation Searches

Note

This plugin is part of the splunk.es collection (version 1.0.2).

To install it use: ansible-galaxy collection install splunk.es.

To use it in a playbook, specify: splunk.es.correlation_search.

New in version 1.0.0: of splunk.es

Synopsis

  • This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches

Parameters

Parameter Choices/Defaults Comments
app
string
Default:
"SplunkEnterpriseSecuritySuite"
Splunk app to associate the correlation seach with
cron_schedule
string
Default:
"*/5 * * * *"
Enter a cron-style schedule.
For example '*/5 * * * *' (every 5 minutes) or '0 21 * * *' (every day at 9 PM).
Real-time searches use a default schedule of '*/5 * * * *'.
description
string / required
Description of the coorelation search, this will populate the description field for the web console
name
string / required
Name of coorelation search
schedule_priority
string
    Choices:
  • Default ←
  • Higher
  • Highest
Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.
schedule_window
string
Default:
"0"
Let report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report.
scheduling
string
    Choices:
  • real-time ←
  • continuous
Controls the way the scheduler computes the next execution time of a scheduled search.
Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling
search
string / required
SPL search string
state
string / required
    Choices:
  • present
  • absent
  • enabled
  • disabled
Add, remove, enable, or disiable a correlation search.
suppress_alerts
boolean
    Choices:
  • no ←
  • yes
To suppress alerts from this correlation search or not
throttle_fields_to_group_by
string
Type the fields to consider for matching events for throttling.
throttle_window_duration
string
How much time to ignore other events that match the field values specified in Fields to group by.
time_earliest
string
Default:
"-24h"
Earliest time using relative time modifiers.
time_latest
string
Default:
"now"
Latest time using relative time modifiers.
trigger_alert_when
string
    Choices:
  • number of events ←
  • number of results
  • number of hosts
  • number of sources
Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.
trigger_alert_when_condition
string
    Choices:
  • greater than ←
  • less than
  • equal to
  • not equal to
  • drops by
  • rises by
Conditional to pass to trigger_alert_when
trigger_alert_when_value
string
Default:
"10"
Value to pass to trigger_alert_when
ui_dispatch_context
string
Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.

Notes

Note

  • The following options are not yet supported: throttle_window_duration, throttle_fields_to_group_by, and adaptive_response_actions

Examples

- name: Example of creating a correlation search with splunk.es.coorelation_search
  splunk.es.correlation_search:
    name: "Example Coorelation Search From Ansible"
    description: "Example Coorelation Search From Ansible, description."
    search: 'source="/var/log/snort.log"'
    state: "present"

Authors