splunk.es.splunk_correlation_search – Manage Splunk Enterprise Security Correlation Searches
Note
This plugin is part of the splunk.es collection (version 1.0.2).
To install it use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_correlation_search.
New in version 1.0.0 of splunk.es
Synopsis
- This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches.
 
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| app (string) | Default: "SplunkEnterpriseSecuritySuite" | Splunk app to associate the correlation search with. |
| cron_schedule (string) | Default: "*/5 * * * *" | Enter a cron-style schedule, for example '*/5 * * * *' (every 5 minutes) or '0 21 * * *' (every day at 9 PM). Real-time searches use a default schedule of '*/5 * * * *'. |
| description (string / required) | | Description of the correlation search; this populates the description field in the web console. |
| name (string / required) | | Name of the correlation search. |
| schedule_priority (string) | | Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. |
| schedule_window (string) | Default: "0" | Let the report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report. |
| scheduling (string) | | Controls the way the scheduler computes the next execution time of a scheduled search. Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling |
| search (string / required) | | SPL search string. |
| state (string / required) | | Add, remove, enable, or disable a correlation search. |
| suppress_alerts (boolean) | | Whether to suppress alerts from this correlation search. |
| throttle_fields_to_group_by (string) | | The fields to consider for matching events for throttling. |
| throttle_window_duration (string) | | How much time to ignore other events that match the field values specified in Fields to group by. |
| time_earliest (string) | Default: "-24h" | Earliest time, using relative time modifiers. |
| time_latest (string) | Default: "now" | Latest time, using relative time modifiers. |
| trigger_alert_when (string) | | Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. |
| trigger_alert_when_condition (string) | | Conditional to pass to trigger_alert_when. |
| trigger_alert_when_value (string) | Default: "10" | Value to pass to trigger_alert_when. |
| ui_dispatch_context (string) | | Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context. |
Notes
Note
- The following options are not yet supported: throttle_window_duration, throttle_fields_to_group_by, and adaptive_response_actions.
 
Examples
- name: Example of creating a correlation search with splunk.es.splunk_correlation_search
  splunk.es.splunk_correlation_search:
    name: "Example Correlation Search From Ansible"
    description: "Example Correlation Search From Ansible, description."
    search: 'source="/var/log/snort.log"'
    state: "present"
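A fuller pair of tasks, added here as an example and not taken from the splunk.es documentation: the first creates a scheduled correlation search with an explicit time window, schedule and result-count trigger, the second disables that same search. The SPL search string is constructed for illustration, and the values used for schedule_priority, trigger_alert_when, trigger_alert_when_condition and the "disabled" state are assumed choices that this page does not list.

```yaml
# Added example, not from the splunk.es collection docs. Assumed values are marked.
- name: Create a scheduled correlation search for repeated SSH authentication failures
  splunk.es.splunk_correlation_search:
    name: "Ansible - Excessive SSH Authentication Failures"
    description: "Fires when a source host produces many failed SSH logins in the last hour"
    # Constructed SPL; adjust index and sourcetype to the environment
    search: 'index=os sourcetype=linux_secure "Failed password" | stats count by src'
    app: "SplunkEnterpriseSecuritySuite"
    cron_schedule: "*/15 * * * *"        # run every 15 minutes
    time_earliest: "-60m"                # look back one hour
    time_latest: "now"
    schedule_window: "auto"              # let the scheduler pick the window
    schedule_priority: "Default"         # assumed choice
    trigger_alert_when: "number of results"        # assumed choice
    trigger_alert_when_condition: "greater than"   # assumed choice
    trigger_alert_when_value: "20"
    suppress_alerts: false
    ui_dispatch_context: "SplunkEnterpriseSecuritySuite"
    state: "present"

- name: Disable the same correlation search during a maintenance window
  splunk.es.splunk_correlation_search:
    name: "Ansible - Excessive SSH Authentication Failures"
    description: "Fires when a source host produces many failed SSH logins in the last hour"
    search: 'index=os sourcetype=linux_secure "Failed password" | stats count by src'
    state: "disabled"                    # assumed: the disable state the docs refer to
```

Because name, description and search are required parameters, they are repeated on the disable task even though only state changes.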
Authors
- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
 
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/splunk/es/splunk_correlation_search_module.html