splunk.es.splunk_adaptive_response_notable_events module – Manage Adaptive Responses notable events resource module

Note
This module is part of the splunk.es collection (version 4.0.0).
If you are using the ansible package, you may already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_adaptive_response_notable_events.

New in splunk.es 2.1.0

Synopsis
This module allows for creation, deletion, and modification of Splunk Enterprise Security notable event adaptive responses that are associated with correlation searches.
Tested against Splunk Enterprise Server 8.2.3

Note
This module has a corresponding action plugin.
Parameters

| Parameter | Comments |
|---|---|
| config | Configure file and directory monitoring on the system. |
| config[].correlation_search_name | Name of the correlation search to associate this notable event adaptive response with. |
| config[].default_owner | Default owner of the notable event; if unset, defaults to the Splunk system default. |
| config[].default_status | Default status of the notable event; if unset, defaults to the Splunk system default. Choices: |
| config[].description | Description of the notable event; this populates the Description field in the web console. |
| config[].drilldown_earliest_offset | Sets the amount of time before the triggering event to search for related events. For example, 2h. Use '$info_min_time$' to set the drill-down time to match the earliest time of the search. Default: |
| config[].drilldown_latest_offset | Sets the amount of time after the triggering event to search for related events. For example, 1m. Use '$info_max_time$' to set the drill-down time to match the latest time of the search. Default: |
| config[].drilldown_name | Name of the drill-down search; supports variable substitution with fields from the matching event. |
| config[].drilldown_search | Drill-down search; supports variable substitution with fields from the matching event. |
| config[].extract_artifacts | Assets and identities to be extracted. |
| config[].extract_artifacts.asset | List of assets to extract; select any one or more of the available choices. Defaults to all available choices. Choices: src, dest, dvc, orig_host |
| config[].extract_artifacts.file | List of files to extract. |
| config[].extract_artifacts.identity | List of identity fields to extract; select any one or more of the available choices. Defaults to "user" and "src_user". Choices: user, src_user, src_user_id, user_id, src_user_role, user_role, vendor_account |
| config[].extract_artifacts.url | List of URLs to extract. |
| config[].investigation_profiles | Investigation profiles to associate the notable event with. |
| config[].name | Name of the notable event. |
| config[].next_steps | List of adaptive responses that should be run next. Describes the next steps and response actions an analyst can take to remediate this threat. |
| config[].recommended_actions | List of adaptive responses that are recommended to be run next. Identifying recommended adaptive responses highlights those actions for the analyst when viewing the list of available response actions, making them easier to find in a long list of available actions. |
| config[].security_domain | Splunk security domain. Choices: |
| config[].severity | Severity rating. Choices: |
| running_config | By default, the module connects to the remote device and retrieves the current running configuration to use as the basis for comparison against the source content. There are times when it is not desirable for the task to fetch the current running configuration for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command. |
| state | The state the configuration should be left in. Choices: merged, replaced, deleted, gathered |
Examples

# Using gathered
# --------------
- name: Gather adaptive response notable events config
  splunk.es.splunk_adaptive_response_notable_events:
    config:
      - correlation_search_name: Ansible Test
      - correlation_search_name: Ansible Test 2
    state: gathered
# RUN output:
# -----------
# "gathered": [
#   {
#     "correlation_search_name": "Ansible Test",
#     "description": "test notable event",
#     "drilldown_earliest_offset": "$info_min_time$",
#     "drilldown_latest_offset": "$info_max_time$",
#     "drilldown_name": "test_drill_name",
#     "drilldown_search": "test_drill",
#     "extract_artifacts": {
#       "asset": [
#         "src",
#         "dest",
#         "dvc",
#         "orig_host"
#       ],
#       "identity": [
#         "src_user",
#         "user",
#         "src_user_id",
#         "src_user_role",
#         "user_id",
#         "user_role",
#         "vendor_account"
#       ]
#     },
#     "investigation_profiles": [
#       "test profile 1",
#       "test profile 2",
#       "test profile 3"
#     ],
#     "next_steps": [
#       "makestreams",
#       "nbtstat",
#       "nslookup"
#     ],
#     "name": "ansible_test_notable",
#     "recommended_actions": [
#       "email",
#       "logevent",
#       "makestreams",
#       "nbtstat"
#     ],
#     "security_domain": "threat",
#     "severity": "high"
#   },
#   { } # there is no configuration associated with "/var"
# ]

# Using merged
# ------------
- name: Example to add config
  splunk.es.splunk_adaptive_response_notable_events:
    config:
      - correlation_search_name: Ansible Test
        description: test notable event
        drilldown_earliest_offset: $info_min_time$
        drilldown_latest_offset: $info_max_time$
        extract_artifacts:
          asset:
            - src
            - dest
          identity:
            - src_user
            - user
            - src_user_id
        next_steps:
          - makestreams
        name: ansible_test_notable
        recommended_actions:
          - email
          - logevent
        security_domain: threat
        severity: high
    state: merged
# RUN output:
# -----------
# "after": [
#   {
#     "correlation_search_name": "Ansible Test",
#     "description": "test notable event",
#     "drilldown_earliest_offset": "$info_min_time$",
#     "drilldown_latest_offset": "$info_max_time$",
#     "drilldown_name": "test_drill_name",
#     "drilldown_search": "test_drill",
#     "extract_artifacts": {
#       "asset": [
#         "src",
#         "dest",
#         "dvc",
#         "orig_host"
#       ],
#       "identity": [
#         "src_user",
#         "user",
#         "src_user_id",
#         "src_user_role",
#         "user_id",
#         "user_role",
#         "vendor_account"
#       ]
#     },
#     "investigation_profiles": [
#       "test profile 1",
#       "test profile 2",
#       "test profile 3"
#     ],
#     "next_steps": [
#       "makestreams",
#       "nbtstat",
#       "nslookup"
#     ],
#     "name": "ansible_test_notable",
#     "recommended_actions": [
#       "email",
#       "logevent",
#       "makestreams",
#       "nbtstat"
#     ],
#     "security_domain": "threat",
#     "severity": "high"
#   }
# ],
# "before": [],

# Using replaced
# --------------
- name: Example to Replace the config
  splunk.es.splunk_adaptive_response_notable_events:
    config:
      - correlation_search_name: Ansible Test
        description: test notable event
        drilldown_earliest_offset: $info_min_time$
        drilldown_latest_offset: $info_max_time$
        extract_artifacts:
          asset:
            - src
            - dest
          identity:
            - src_user
            - user
            - src_user_id
        next_steps:
          - makestreams
        name: ansible_test_notable
        recommended_actions:
          - email
          - logevent
        security_domain: threat
        severity: high
    state: replaced
# RUN output:
# -----------
# "after": [
#   {
#     "correlation_search_name": "Ansible Test",
#     "description": "test notable event",
#     "drilldown_earliest_offset": "$info_min_time$",
#     "drilldown_latest_offset": "$info_max_time$",
#     "extract_artifacts": {
#       "asset": [
#         "src",
#         "dest"
#       ],
#       "identity": [
#         "src_user",
#         "user",
#         "src_user_id"
#       ]
#     },
#     "next_steps": [
#       "makestreams"
#     ],
#     "name": "ansible_test_notable",
#     "recommended_actions": [
#       "email",
#       "logevent"
#     ],
#     "security_domain": "threat",
#     "severity": "high"
#   }
# ],
# "before": [
#   {
#     "correlation_search_name": "Ansible Test",
#     "description": "test notable event",
#     "drilldown_earliest_offset": "$info_min_time$",
#     "drilldown_latest_offset": "$info_max_time$",
#     "drilldown_name": "test_drill_name",
#     "drilldown_search": "test_drill",
#     "extract_artifacts": {
#       "asset": [
#         "src",
#         "dest",
#         "dvc",
#         "orig_host"
#       ],
#       "identity": [
#         "src_user",
#         "user",
#         "src_user_id",
#         "src_user_role",
#         "user_id",
#         "user_role",
#         "vendor_account"
#       ]
#     },
#     "investigation_profiles": [
#       "test profile 1",
#       "test profile 2",
#       "test profile 3"
#     ],
#     "next_steps": [
#       "makestreams",
#       "nbtstat",
#       "nslookup"
#     ],
#     "name": "ansible_test_notable",
#     "recommended_actions": [
#       "email",
#       "logevent",
#       "makestreams",
#       "nbtstat"
#     ],
#     "security_domain": "threat",
#     "severity": "high"
#   }
# ],

# USING DELETED
# -------------
- name: Example to remove the config
  splunk.es.splunk_adaptive_response_notable_events:
    config:
      - correlation_search_name: Ansible Test
    state: deleted
# RUN output:
# -----------
# "after": [],
# "before": [
#   {
#     "correlation_search_name": "Ansible Test",
#     "description": "test notable event",
#     "drilldown_earliest_offset": "$info_min_time$",
#     "drilldown_latest_offset": "$info_max_time$",
#     "drilldown_name": "test_drill_name",
#     "drilldown_search": "test_drill",
#     "extract_artifacts": {
#       "asset": [
#         "src",
#         "dest",
#         "dvc",
#         "orig_host"
#       ],
#       "identity": [
#         "src_user",
#         "user",
#         "src_user_id",
#         "src_user_role",
#         "user_id",
#         "user_role",
#         "vendor_account"
#       ]
#     },
#     "investigation_profiles": [
#       "test profile 1",
#       "test profile 2",
#       "test profile 3"
#     ],
#     "next_steps": [
#       "makestreams",
#       "nbtstat",
#       "nslookup"
#     ],
#     "name": "ansible_test_notable",
#     "recommended_actions": [
#       "email",
#       "logevent",
#       "makestreams",
#       "nbtstat"
#     ],
#     "security_domain": "threat",
#     "severity": "high"
#   }
# ]
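The four `state` values and the `running_config` parameter described in the parameter table, together with the `before`/`after`/`gathered` output shown in the examples, follow the usual Ansible resource-module contract. The Python model below is an added illustration written for this page; it is not code from the splunk.es collection. It assumes that `merged` does a shallow merge of the desired keys over the existing resource, that `replaced` keeps only the keys the task specified, that `deleted` empties `after`, and that `gathered` returns `{}` for a correlation search with no configuration. The `fetch_running_config` function and the `SAMPLE_RUNNING_CONFIG` data are constructed stand-ins for the REST call and the real Splunk response.

```python
"""Model of the state semantics of an Ansible resource module, using the
shape of splunk.es.splunk_adaptive_response_notable_events.  Added
illustration, not the collection's own code; the merge rules are assumed,
inferred from the before/after RUN output in the module examples."""

from copy import deepcopy
from typing import Dict, List, Optional

# Each notable-event adaptive response is keyed by its correlation search.
KEY = "correlation_search_name"

# Constructed sample of what a fetch of the running configuration would
# return; the values mirror the shape of the page's RUN output.
SAMPLE_RUNNING_CONFIG: List[Dict] = [
    {
        "correlation_search_name": "Ansible Test",
        "description": "test notable event",
        "drilldown_name": "test_drill_name",
        "drilldown_search": "test_drill",
        "extract_artifacts": {
            "asset": ["src", "dest", "dvc", "orig_host"],
            "identity": ["src_user", "user"],
        },
        "next_steps": ["makestreams", "nbtstat", "nslookup"],
        "name": "ansible_test_notable",
        "security_domain": "threat",
        "severity": "high",
    }
]

# Counts simulated REST fetches so the running_config shortcut is observable.
FETCH_CALLS = {"count": 0}


def fetch_running_config() -> List[Dict]:
    """Hypothetical stand-in for the REST call the module performs when
    `running_config` is not supplied."""
    FETCH_CALLS["count"] += 1
    return deepcopy(SAMPLE_RUNNING_CONFIG)


def apply_state(config: List[Dict], state: str,
                running_config: Optional[List[Dict]] = None) -> Dict:
    """Return a module-style result for the desired `config` under `state`.

    merged   : keys named in `config` overwrite the existing resource, keys
               not named survive (shallow merge; an assumption of this model)
    replaced : the resource becomes exactly what `config` specifies
    deleted  : the resource is removed
    gathered : read-only; an unknown correlation search yields {}
    """
    if state not in ("merged", "replaced", "deleted", "gathered"):
        raise ValueError(f"unsupported state: {state}")

    # When running_config is given it is used as the comparison base and no
    # fetch happens, which is the purpose the parameter description gives.
    have = deepcopy(running_config) if running_config is not None else fetch_running_config()
    by_name = {item[KEY]: item for item in have}

    if state == "gathered":
        return {"changed": False,
                "gathered": [deepcopy(by_name.get(want[KEY], {})) for want in config]}

    before = [deepcopy(by_name[w[KEY]]) for w in config if w[KEY] in by_name]
    after: List[Dict] = []
    for want in config:
        existing = by_name.get(want[KEY])
        if state == "merged":
            merged = deepcopy(existing) if existing else {}
            merged.update(deepcopy(want))  # unspecified keys are preserved
            after.append(merged)
        elif state == "replaced":
            after.append(deepcopy(want))   # only the specified keys remain
        # deleted: nothing is appended, so `after` ends up empty
    return {"changed": before != after, "before": before, "after": after}


if __name__ == "__main__":
    want = [{KEY: "Ansible Test", "severity": "medium", "next_steps": ["makestreams"]}]
    for st in ("gathered", "merged", "replaced", "deleted"):
        print(st, apply_state(want, st))
```

The practical point for a playbook author is the difference between `merged` and `replaced`: with `merged`, settings such as `drilldown_name` or `investigation_profiles` that the task does not mention stay on the notable event, whereas `replaced` drops them, as the `after` block in the replaced example above shows. Passing `running_config` from an earlier `gathered` task avoids one round trip per task, but the comparison is then only as current as that earlier fetch.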
Return Values

Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| after | The configuration as structured data after module completion. Returned: when changed Sample: |
| before | The configuration as structured data prior to module invocation. Returned: always Sample: |
| gathered | Facts about the network resource gathered from the remote device as structured data. Returned: when state is *gathered* Sample: |