splunk.es.splunk_correlation_searches module – Splunk Enterprise Security Correlation searches resource module
Note
This module is part of the splunk.es collection (version 4.0.0).
If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_correlation_searches.
New in splunk.es 2.1.0
Synopsis
This module allows for creation, deletion, and modification of Splunk Enterprise Security correlation searches.
Tested against Splunk Enterprise Server v8.2.3 with Splunk Enterprise Security v7.0.1 installed.
Note
This module has a corresponding action plugin.
Parameters
Parameter | Comments
---|---
config | Configure file and directory monitoring on the system
config.annotations | Add context from industry-standard cyber security mappings in Splunk Enterprise Security, or from custom annotations
config.annotations.cis20 | Specify CIS20 annotations
config.annotations.custom | Specify a custom framework and custom annotations
config.annotations.custom.custom_annotations | Specify the annotations associated with the custom framework
config.annotations.custom.framework | Specify the annotation framework
config.annotations.kill_chain_phases | Specify Kill 10 annotations
config.annotations.mitre_attack | Specify MITRE ATTACK annotations
config.annotations.nist | Specify NIST annotations
config.app | Splunk app to associate the correlation search with. Default:
config.cron_schedule | Enter a cron-style schedule (example elided). Real-time searches use the default schedule. Default:
config.description | Description of the correlation search; this populates the description field in the web console
config.disabled | Disable the correlation search. Choices:
config.name | Name of the correlation search
config.schedule_priority | Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. Choices:
config.schedule_window | Let the report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report. Default:
config.scheduling | Controls the way the scheduler computes the next execution time of a scheduled search. Choices:
config.search | SPL search string
config.suppress_alerts | Whether to suppress alerts from this correlation search. Choices:
config.throttle_fields_to_group_by | Enter fields to consider for matching throttled events.
config.throttle_window_duration | How long to ignore other events that match the field values specified in "Fields to group by".
config.time_earliest | Earliest time using relative time modifiers. Default:
config.time_latest | Latest time using relative time modifiers. Default:
config.trigger_alert | Notable response actions and risk response actions are always triggered for each result. Choose whether the trigger is activated once or for each result. Choices:
config.trigger_alert_when | Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. Choices:
config.trigger_alert_when_condition | Passed to (elided). Choices:
config.trigger_alert_when_value | Passed to (elided). Default:
config.ui_dispatch_context | Set an app to use for links, such as the drill-down search in a notable event or links in an email adaptive response action. If None, the Application Context is used.
running_config | By default, the module connects to the remote device and retrieves the current running configuration to use as the base for comparison against the source contents. There are times when it is not desirable to have every task in a playbook fetch the current running configuration. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command.
state | The state the configuration should be left in. Choices:
Examples
# Using gathered
# --------------
- name: Gather correlation searches config
  splunk.es.splunk_correlation_searches:
    config:
      - name: Ansible Test
      - name: Ansible Test 2
    state: gathered
# RUN output:
# -----------
# "gathered": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ]
# Using merged
# ------------
- name: Merge and create new correlation searches configuration
  splunk.es.splunk_correlation_searches:
    config:
      - name: Ansible Test
        disabled: false
        description: test description
        app: DA-ESS-EndpointProtection
        annotations:
          cis20:
            - test1
          mitre_attack:
            - test2
          kill_chain_phases:
            - test3
          nist:
            - test4
          custom:
            - framework: test_framework
              custom_annotations:
                - test5
        ui_dispatch_context: SplunkEnterpriseSecuritySuite
        time_earliest: -24h
        time_latest: now
        cron_schedule: "*/5 * * * *"
        scheduling: realtime
        schedule_window: "0"
        schedule_priority: default
        trigger_alert: once
        trigger_alert_when: number of events
        trigger_alert_when_condition: greater than
        trigger_alert_when_value: "10"
        throttle_window_duration: 5s
        throttle_fields_to_group_by:
          - test_field1
        suppress_alerts: false
        search: >
          '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
          'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
          'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
          'n.src" as "src" | where "count">=6'
    state: merged
# RUN output:
# -----------
# "after": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# },
# ],
# "before": [],
# Using replaced
# --------------
- name: Replace existing correlation searches configuration
  splunk.es.splunk_correlation_searches:
    state: replaced
    config:
      - name: Ansible Test
        disabled: false
        description: test description
        app: SplunkEnterpriseSecuritySuite
        annotations:
          cis20:
            - test1
            - test2
          mitre_attack:
            - test3
            - test4
          kill_chain_phases:
            - test5
            - test6
          nist:
            - test7
            - test8
          custom:
            - framework: test_framework2
              custom_annotations:
                - test9
                - test10
        ui_dispatch_context: SplunkEnterpriseSecuritySuite
        time_earliest: -24h
        time_latest: now
        cron_schedule: "*/5 * * * *"
        scheduling: continuous
        schedule_window: auto
        schedule_priority: default
        trigger_alert: once
        trigger_alert_when: number of events
        trigger_alert_when_condition: greater than
        trigger_alert_when_value: 10
        throttle_window_duration: 5s
        throttle_fields_to_group_by:
          - test_field1
          - test_field2
        suppress_alerts: true
        search: >
          '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
          'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
          'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
          'n.src" as "src" | where "count">=6'
# RUN output:
# -----------
# "after": [
# {
# "annotations": {
# "cis20": [
# "test1",
# "test2"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test9",
# "test10"
# ],
# "framework": "test_framework2"
# }
# ],
# "kill_chain_phases": [
# "test5",
# "test6"
# ],
# "mitre_attack": [
# "test3",
# "test4"
# ],
# "nist": [
# "test7",
# "test8"
# ]
# },
# "app": "SplunkEnterpriseSecuritySuite",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "auto",
# "scheduling": "continuous",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": true,
# "throttle_fields_to_group_by": [
# "test_field1",
# "test_field2"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ],
# "before": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# }
# ]
# Using deleted
# -------------
- name: Example to delete the correlation search
  splunk.es.splunk_correlation_searches:
    config:
      - name: Ansible Test
    state: deleted
# RUN output:
# -----------
# "after": [],
# "before": [
# {
# "annotations": {
# "cis20": [
# "test1"
# ],
# "custom": [
# {
# "custom_annotations": [
# "test5"
# ],
# "framework": "test_framework"
# }
# ],
# "kill_chain_phases": [
# "test3"
# ],
# "mitre_attack": [
# "test2"
# ],
# "nist": [
# "test4"
# ]
# },
# "app": "DA-ESS-EndpointProtection",
# "cron_schedule": "*/5 * * * *",
# "description": "test description",
# "disabled": false,
# "name": "Ansible Test",
# "schedule_priority": "default",
# "schedule_window": "0",
# "scheduling": "realtime",
# "search": '| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",dc("Authent'
# 'ication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Fai'
# 'led_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authenticatio'
# 'n.src" as "src" | where "count">=6',
# "suppress_alerts": false,
# "throttle_fields_to_group_by": [
# "test_field1"
# ],
# "throttle_window_duration": "5s",
# "time_earliest": "-24h",
# "time_latest": "now",
# "trigger_alert": "once",
# "trigger_alert_when": "number of events",
# "trigger_alert_when_condition": "greater than",
# "trigger_alert_when_value": "10",
# "ui_dispatch_context": "SplunkEnterpriseSecuritySuite"
# },
# ],
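As an added example (not code from the splunk.es collection or from this page), a small Python model of how the four state values turn the desired config list into the before/after structures shown in the RUN output above. The RUNNING entry and its shortened search string are constructed sample data; the keys are the module's own. The changed_keys helper is useful when reviewing a replaced run, because any setting left out of config (throttling, alert suppression) is dropped rather than preserved.

```python
import copy

# Constructed sample of what the server currently holds: a trimmed version of
# the "before" entry in the replaced example (search string shortened).
RUNNING = [
    {
        "name": "Ansible Test",
        "app": "DA-ESS-EndpointProtection",
        "disabled": False,
        "suppress_alerts": False,
        "throttle_fields_to_group_by": ["test_field1"],
        "search": "| tstats count from datamodel=Authentication | where count>=6",
    }
]

def apply_state(running, config, state):
    """Model of the module's state handling. Returns {"gathered": [...]} for
    gathered and {"before": [...], "after": [...]} otherwise. Searches are
    matched by name; only the names listed in config are reported."""
    current = {c["name"]: copy.deepcopy(c) for c in running}
    wanted = {c["name"]: copy.deepcopy(c) for c in config}
    before = [current[n] for n in wanted if n in current]
    if state == "gathered":
        return {"gathered": before}
    if state == "deleted":
        return {"before": before, "after": []}
    after = []
    for name, want in wanted.items():
        if state == "merged":
            # merged keeps the existing keys and overrides those the play sets
            after.append({**current.get(name, {}), **want})
        elif state == "replaced":
            # replaced takes the play's definition as the whole new object;
            # keys left out of config (e.g. throttle settings) are dropped
            after.append(want)
        else:
            raise ValueError(f"unsupported state: {state}")
    return {"before": before, "after": after}

def changed_keys(result):
    """Per search name, keys whose value differs between before and after.
    For a replaced run this surfaces settings that were silently reset."""
    before = {c["name"]: c for c in result.get("before", [])}
    after = {c["name"]: c for c in result.get("after", [])}
    out = {}
    for n in sorted(set(before) | set(after)):
        b, a = before.get(n, {}), after.get(n, {})
        out[n] = sorted(k for k in set(b) | set(a) if b.get(k) != a.get(k))
    return out
```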
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description
---|---
after | The configuration as structured data after module completion. Returned: when changed. Sample:
before | The configuration as structured data prior to module invocation. Returned: always. Sample:
gathered | Facts about the network resource gathered from the remote device as structured data. Returned: when state is gathered. Sample: