splunk.es.correlation_search module – Manage Splunk Enterprise Security Correlation Searches
Note

This module is part of the splunk.es collection (version 1.0.2). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.

To check whether it is installed, run: ansible-galaxy collection list

To install it, use: ansible-galaxy collection install splunk.es

To use it in a playbook, specify: splunk.es.correlation_search

New in version 1.0.0 of splunk.es
Synopsis
This module allows for the creation, deletion, and modification of Splunk Enterprise Security Correlation Searches.
Parameters
Parameter | Comments
---|---
 | Splunk app to associate the correlation search with. Default: “SplunkEnterpriseSecuritySuite”
 | Enter a cron-style schedule. Real-time searches use a default schedule of “*/5 * * * *”. Default: “*/5 * * * *”
description | Description of the correlation search; this populates the description field in the web console.
name | Name of the correlation search.
 | Raise the scheduling priority of a report. Set to “Higher” to prioritize it above other searches of the same scheduling mode, or “Highest” to prioritize it above other searches regardless of mode. Use with discretion. Choices:
 | Let the report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The “auto” setting automatically determines the best window width for the report. Default: “0”
 | Controls the way the scheduler computes the next execution time of a scheduled search. Choices:
search | SPL search string.
state | Add, remove, enable, or disable a correlation search. Choices:
 | Whether or not to suppress alerts from this correlation search. Choices:
throttle_fields_to_group_by | The fields to consider for matching events for throttling.
throttle_window_duration | How much time to ignore other events that match the field values specified in the fields to group by.
 | Earliest time using relative time modifiers. Default: “-24h”
 | Latest time using relative time modifiers. Default: “now”
 | Raise the scheduling priority of a report. Set to “Higher” to prioritize it above other searches of the same scheduling mode, or “Highest” to prioritize it above other searches regardless of mode. Use with discretion. Choices:
 | Conditional to pass to Choices:
 | Value to pass to Default: “10”
 | Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.
Notes
Note: the following options are not yet supported: throttle_window_duration, throttle_fields_to_group_by, and adaptive_response_actions.
Examples
```yaml
- name: Example of creating a correlation search with splunk.es.correlation_search
  splunk.es.correlation_search:
    name: "Example Correlation Search From Ansible"
    description: "Example Correlation Search From Ansible, description."
    search: 'source="/var/log/snort.log"'
    state: "present"
```
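A fuller playbook, added here as an example and not taken from the collection's own documentation, that schedules a detection-style correlation search with an explicit time window and priority, and conditionally disables it. It assumes an inventory group `splunk_es` reachable through the collection's httpapi connection plugin, and the parameter names beyond `name`, `description`, `search` and `state` (such as `app`, `cron_schedule`, `time_earliest`, `time_latest`, `schedule_priority`, `suppress_alerts`) are taken from the module's argument spec rather than from this page; the SPL is constructed for illustration.

```yaml
---
# Added example, not part of the splunk.es docs. Assumed: inventory group
# "splunk_es", the httpapi connection settings below, and every parameter
# name other than name/description/search/state.
- name: Manage an ES correlation search for SSH brute-force attempts
  hosts: splunk_es
  gather_facts: false
  vars:
    ansible_connection: ansible.netcommon.httpapi   # assumption
    ansible_network_os: splunk.es.splunk            # assumption
    ansible_httpapi_use_ssl: true
    # Constructed SPL: source IPs with more than 20 failed SSH logins
    # against a host inside the search's time window.
    brute_force_spl: >-
      index=linux_secure sourcetype=linux_secure "Failed password"
      | stats count AS failures, dc(user) AS users BY src, dest
      | where failures > 20
  tasks:
    - name: Create or update the correlation search
      splunk.es.correlation_search:
        name: "Ansible - SSH Brute Force by Source"
        description: "Source IPs exceeding 20 failed SSH logins in 60 minutes"
        search: "{{ brute_force_spl }}"
        app: "SplunkEnterpriseSecuritySuite"
        cron_schedule: "*/15 * * * *"   # run every 15 minutes
        time_earliest: "-60m"           # overlap the windows so bursts at
        time_latest: "now"              # the boundary are not missed
        schedule_priority: "Higher"
        suppress_alerts: false
        state: "present"

    # "state: disabled" keeps the search definition but stops it from
    # running, e.g. during a planned change window that would flood analysts.
    - name: Disable the search during a maintenance window
      splunk.es.correlation_search:
        name: "Ansible - SSH Brute Force by Source"
        state: "disabled"
      when: maintenance_window | default(false) | bool
```

Run with `-e maintenance_window=true` to exercise the second task; without it the search is left enabled after the first task.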
Authors
Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>