ibm.qradar.qradar_analytics_rules module – Qradar Analytics Rules Management resource module
Note
This module is part of the ibm.qradar collection (version 2.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install ibm.qradar.
To use it in a playbook, specify: ibm.qradar.qradar_analytics_rules.
New in ibm.qradar 2.1.0
Synopsis
This module allows for modification, deletion, and checking of Analytics Rules in QRadar
Aliases: analytics_rules
Parameters
Parameter |
Comments |
|---|---|
A dictionary of Qradar Analytics Rules options |
|
Check if the rule is enabled Choices:
|
|
List of params filtered from the Rule config NOTE, this param is valid only via state GATHERED. Choices:
|
|
The sequence ID of the rule. |
|
The name of the rule. |
|
Manage ownership of a QRadar Rule |
|
Parameter to restrict the number of elements that are returned in the list to a specified range. NOTE, this param is valid only via state GATHERED. |
|
The state the configuration should be left in The state gathered will get the module API configuration from the device and transform it into structured data in the format as per the module argspec and the value is returned in the gathered key within the result. Choices:
|
Examples
# Using MERGED state
# -------------------
- name: DISABLE Rule 'Ansible Example DDoS Rule'
ibm.qradar.qradar_analytics_rules:
config:
name: 'Ansible Example DDOS Rule'
enabled: false
state: merged
# RUN output:
# -----------
# qradar_analytics_rules:
# after:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929682568
# enabled: false
# id: 100443
# identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
# linked_rule_identifier: null
# modification_date: 1658929682567
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929682568
# enabled: true
# id: 100443
# identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
# linked_rule_identifier: null
# modification_date: 1658929682567
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# Using GATHERED state
# --------------------
- name: Get information about the Rule named "Ansible Example DDOS Rule"
ibm.qradar.qradar_analytics_rules:
config:
name: "Ansible Example DDOS Rule"
state: gathered
# RUN output:
# -----------
# gathered:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658918848694
# enabled: true
# id: 100443
# identifier: d6d37942-ba28-438f-b909-120df643a992
# linked_rule_identifier: null
# modification_date: 1658918848692
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
- name: Get information about the Rule with ID 100443
ibm.qradar.qradar_analytics_rules:
config:
id: 100443
state: gathered
# RUN output:
# -----------
# gathered:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658918848694
# enabled: true
# id: 100443
# identifier: d6d37942-ba28-438f-b909-120df643a992
# linked_rule_identifier: null
# modification_date: 1658918848692
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
- name: TO Get information about the Rule ID with a range
ibm.qradar.qradar_analytics_rules:
config:
range: 100300-100500
fields:
- name
- origin
- owner
state: gathered
# RUN output:
# -----------
# gathered:
# - name: Devices with High Event Rates
# origin: SYSTEM
# owner: admin
# - name: Excessive Database Connections
# origin: SYSTEM
# owner: admin
# - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts'
# origin: SYSTEM
# owner: admin
# - name: Excessive Firewall Denies from Single Source
# origin: SYSTEM
# owner: admin
# - name: 'AssetExclusion: Exclude DNS Name By IP'
# origin: SYSTEM
# owner: admin
# - name: 'AssetExclusion: Exclude DNS Name By MAC Address'
# origin: SYSTEM
# owner: admin
- name: Delete custom Rule by NAME
ibm.qradar.qradar_analytics_rules:
config:
name: 'Ansible Example DDOS Rule'
state: deleted
# RUN output:
# -----------
# qradar_analytics_rules:
# after: {}
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929431239
# enabled: true
# id: 100444
# identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
# linked_rule_identifier: null
# modification_date: 1658929431238
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# Using DELETED state
# -------------------
- name: Delete custom Rule by ID
ibm.qradar.qradar_analytics_rules:
config:
id: 100443
state: deleted
# RUN output:
# -----------
# qradar_analytics_rules:
# after: {}
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929431239
# enabled: true
# id: 100443
# identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
# linked_rule_identifier: null
# modification_date: 1658929431238
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The configuration as structured data after module completion. Returned: when changed Sample: |
|
The configuration as structured data prior to module invocation. Returned: always Sample: |