splunk.es.adaptive_response_notable_event module – Manage Splunk Enterprise Security Notable Event Adaptive Responses
Note
This module is part of the splunk.es collection (version 1.0.2).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install splunk.es
.
To use it in a playbook, specify: splunk.es.adaptive_response_notable_event
.
New in version 1.0.0: of splunk.es
Synopsis
This module allows for creation, deletion, and modification of Splunk Enterprise Security Notable Event Adaptive Responses that are associated with a correlation search
Parameters
Parameter |
Comments |
---|---|
list of assets to extract, select any one or many of the available choices defaults to all available choices Choices:
Default: [“src”, “dest”, “dvc”, “orig_host”] |
|
Name of correlation search to associate this notable event adaptive response with |
|
Default owner of the notable event, if unset it will default to Splunk System Defaults |
|
Default status of the notable event, if unset it will default to Splunk System Defaults Choices:
|
|
Description of the notable event, this will populate the description field for the web console |
|
Set the amount of time before the triggering event to search for related events. For example, 2h. Use “$info_min_time$” to set the drill-down time to match the earliest time of the search Default: “$info_min_time$” |
|
Set the amount of time after the triggering event to search for related events. For example, 1m. Use “$info_max_time$” to set the drill-down time to match the latest time of the search Default: “$info_max_time$” |
|
Name for drill down search, Supports variable substitution with fields from the matching event. |
|
Drill down search, Supports variable substitution with fields from the matching event. |
|
list of identity fields to extract, select any one or many of the available choices defaults to all available choices Choices:
Default: [“user”, “src_user”] |
|
Investigation profile to assiciate the notable event with. |
|
Name of notable event |
|
List of adaptive responses that should be run next Describe next steps and response actions that an analyst could take to address this threat. |
|
List of adaptive responses that are recommended to be run next Identifying Recommended Adaptive Responses will highlight those actions for the analyst when looking at the list of response actions available, making it easier to find them among the longer list of available actions. |
|
Splunk Security Domain Choices:
|
|
Severity rating Choices:
|
|
Add or remove a data source. Choices:
|
Examples
- name: Example of using splunk.es.adaptive_response_notable_event module
splunk.es.adaptive_response_notable_event:
name: "Example notable event from Ansible"
correlation_search_name: "Example Correlation Search From Ansible"
description: "Example notable event from Ansible, description."
state: "present"
next_steps:
- ping
- nslookup
recommended_actions:
- script
- ansiblesecurityautomation
Authors
Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>