ibm.qradar.qradar_analytics_rules module – QRadar Analytics Rules Management resource module

Note

This module is part of the ibm.qradar collection (version 4.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list

To install it, use: ansible-galaxy collection install ibm.qradar

To use it in a playbook, specify: ibm.qradar.qradar_analytics_rules

New in ibm.qradar 2.1.0

Synopsis

  • This module allows for modification, deletion and checking of analytics rules in QRadar.

Aliases: analytics_rules

Parameters

Parameter

Comments

config

dictionary

A dictionary of QRadar Analytics Rules options

enabled

boolean

Whether the rule is enabled. With state merged, set it to true or false to enable or disable the rule; with state gathered it is reported as part of the result.

Choices

  • false

  • true

fields

list / elements=string

List of fields to keep in the returned rule configuration; all other fields are filtered out.

Note: this parameter is only applicable when state is gathered.

Choices

  • "average_capacity"

  • "base_capacity"

  • "base_host_id"

  • "capacity_timestamp"

  • "creation_date"

  • "enabled"

  • "id"

  • "identifier"

  • "linked_rule_identifier"

  • "modification_date"

  • "name"

  • "origin"

  • "owner"

  • "type"

id

integer

The sequence ID of the rule.

name

string

The name of the rule.

owner

string

Manages ownership of the QRadar rule (the owning user).

range

string

Restricts the number of elements returned in the list to the specified range.

Note: this parameter is only applicable when state is gathered.

state

string

The state the configuration should be left in.

The state gathered fetches the module API configuration from the device and transforms it into structured data in the format of the module argspec; the value is returned in the gathered key of the result.

Choices

  • "merged"

  • "gathered"

  • "deleted"
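The following playbook is an added example, not part of the module documentation or of the ibm.qradar collection. It shows how gathered and merged combine into a drift check for detection content: gather a slice of the rule list with only the fields the check needs, find critical rules that someone has disabled, re-enable them with merged, and confirm the change from the returned after block. The connection variables are the ones the collection's README describes for its httpapi plugin and are not documented on this page; the host group, the rule names and the range value are placeholders to adjust.

```yaml
# Added example, not from the ibm.qradar documentation. Audits that a set of
# detection rules is still enabled and re-enables any that have been switched
# off. Everything marked "assumed" is a placeholder for your environment.
- name: Audit and restore critical QRadar analytics rules
  hosts: qradar                      # assumed inventory group
  gather_facts: false
  vars:
    # Connection settings as described in the collection README (assumed here;
    # normally they live in inventory). Keep certificate validation on and take
    # the API credentials (ansible_user / ansible_httpapi_pass) from Vault.
    ansible_connection: ansible.netcommon.httpapi
    ansible_network_os: ibm.qradar.qradar
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true
    # Assumed: rules the SOC depends on; names must match QRadar exactly.
    critical_rules:
      - Excessive Firewall Denies from Single Source
      - Devices with High Event Rates
  tasks:
    - name: Gather only the fields the check needs from a slice of the rule list
      ibm.qradar.qradar_analytics_rules:
        config:
          range: 100300-100500         # assumed; same value as the page's example
          fields:
            - id
            - name
            - enabled
            - origin
        state: gathered
      register: rules

    - name: Work out which critical rules are currently disabled
      ansible.builtin.set_fact:
        disabled_critical: >-
          {{ rules.gathered
             | selectattr('name', 'in', critical_rules)
             | rejectattr('enabled')
             | map(attribute='name')
             | list }}

    - name: Report drift before touching anything
      ansible.builtin.debug:
        msg: "Disabled critical rules: {{ disabled_critical }}"

    - name: Re-enable each critical rule that was switched off
      ibm.qradar.qradar_analytics_rules:
        config:
          name: "{{ item }}"
          enabled: true
        state: merged
      loop: "{{ disabled_critical }}"
      register: restored

    # 'after' is returned whenever the module changed something; every item in
    # this loop was disabled, so each merge is expected to report a change.
    - name: Confirm from the returned 'after' block that each rule is enabled again
      ansible.builtin.assert:
        that: item.qradar_analytics_rules.after.enabled | bool
        fail_msg: "{{ item.item }} is still disabled after merge"
      loop: "{{ restored.results | default([]) }}"
      loop_control:
        label: "{{ item.item }}"
```

Run this on a schedule and treat a non-empty disabled_critical list as a finding in its own right: a detection rule silently switched off is a common blind spot, and the before/after pairs in the restored variable give you the audit trail of who re-enabled what and when.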

Examples

# Using MERGED state
# -------------------

- name: DISABLE Rule 'Ansible Example DDOS Rule'
  ibm.qradar.qradar_analytics_rules:
    config:
      name: 'Ansible Example DDOS Rule'
      enabled: false
    state: merged

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929682568
#       enabled: false
#       id: 100443
#       identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
#       linked_rule_identifier: null
#       modification_date: 1658929682567
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929682568
#       enabled: true
#       id: 100443
#       identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
#       linked_rule_identifier: null
#       modification_date: 1658929682567
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT


# Using GATHERED state
# --------------------

- name: Get information about the Rule named "Ansible Example DDOS Rule"
  ibm.qradar.qradar_analytics_rules:
    config:
      name: "Ansible Example DDOS Rule"
    state: gathered

# RUN output:
# -----------

#   gathered:
#     average_capacity: null
#     base_capacity: null
#     base_host_id: null
#     capacity_timestamp: null
#     creation_date: 1658918848694
#     enabled: true
#     id: 100443
#     identifier: d6d37942-ba28-438f-b909-120df643a992
#     linked_rule_identifier: null
#     modification_date: 1658918848692
#     name: Ansible Example DDOS Rule
#     origin: USER
#     owner: admin
#     type: EVENT

- name: Get information about the Rule with ID 100443
  ibm.qradar.qradar_analytics_rules:
    config:
      id: 100443
    state: gathered

# RUN output:
# -----------

#   gathered:
#     average_capacity: null
#     base_capacity: null
#     base_host_id: null
#     capacity_timestamp: null
#     creation_date: 1658918848694
#     enabled: true
#     id: 100443
#     identifier: d6d37942-ba28-438f-b909-120df643a992
#     linked_rule_identifier: null
#     modification_date: 1658918848692
#     name: Ansible Example DDOS Rule
#     origin: USER
#     owner: admin
#     type: EVENT

- name: Get information about Rules within a range, returning selected fields only
  ibm.qradar.qradar_analytics_rules:
    config:
      range: 100300-100500
      fields:
        - name
        - origin
        - owner
    state: gathered

# RUN output:
# -----------

# gathered:
#   - name: Devices with High Event Rates
#     origin: SYSTEM
#     owner: admin
#   - name: Excessive Database Connections
#     origin: SYSTEM
#     owner: admin
#   - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts'
#     origin: SYSTEM
#     owner: admin
#   - name: Excessive Firewall Denies from Single Source
#     origin: SYSTEM
#     owner: admin
#   - name: 'AssetExclusion: Exclude DNS Name By IP'
#     origin: SYSTEM
#     owner: admin
#   - name: 'AssetExclusion: Exclude DNS Name By MAC Address'
#     origin: SYSTEM
#     owner: admin

# Using DELETED state
# -------------------

- name: Delete custom Rule by NAME
  ibm.qradar.qradar_analytics_rules:
    config:
      name: 'Ansible Example DDOS Rule'
    state: deleted

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after: {}
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929431239
#       enabled: true
#       id: 100444
#       identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
#       linked_rule_identifier: null
#       modification_date: 1658929431238
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT

- name: Delete custom Rule by ID
  ibm.qradar.qradar_analytics_rules:
    config:
      id: 100443
    state: deleted

# RUN output:
# -----------

#   qradar_analytics_rules:
#     after: {}
#     before:
#       average_capacity: null
#       base_capacity: null
#       base_host_id: null
#       capacity_timestamp: null
#       creation_date: 1658929431239
#       enabled: true
#       id: 100443
#       identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
#       linked_rule_identifier: null
#       modification_date: 1658929431238
#       name: Ansible Example DDOS Rule
#       origin: USER
#       owner: admin
#       type: EVENT
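As an added example that is not from this page or from the collection, the playbook below makes deleted safer by looking the rule up first and refusing to delete anything whose origin is SYSTEM: the outputs above show QRadar's built-in rules with origin SYSTEM and the user-created one with origin USER, and automation should only ever remove the latter. It deletes by the numeric id the lookup returned, so the delete targets exactly the object that was inspected, and it checks the returned after dictionary is empty. The host group is a placeholder and the rule name is the one used in the page's examples.

```yaml
# Added example, not from the ibm.qradar documentation. Deletes a rule only if
# it is user-created, using gathered as a pre-flight check before deleted.
- name: Remove a user-created QRadar rule, never built-in content
  hosts: qradar                                  # assumed inventory group
  gather_facts: false
  vars:
    rule_name: Ansible Example DDOS Rule         # rule name from the page's examples

  tasks:
    - name: Look the rule up by name before doing anything destructive
      ibm.qradar.qradar_analytics_rules:
        config:
          name: "{{ rule_name }}"
        state: gathered
      register: rule_lookup

    # If the name matched nothing, 'gathered' carries no id; treat that as
    # "already absent" rather than an error and stop here for this host.
    - name: Skip cleanly when the rule does not exist
      ansible.builtin.meta: end_host
      when: rule_lookup.gathered.id is not defined

    - name: Refuse to delete anything QRadar ships as SYSTEM content
      ansible.builtin.assert:
        that: rule_lookup.gathered.origin == 'USER'
        fail_msg: >-
          {{ rule_name }} (id {{ rule_lookup.gathered.id }}) has origin
          {{ rule_lookup.gathered.origin }}; automation must not delete it

    - name: Delete by the id returned from the lookup, not by name
      ibm.qradar.qradar_analytics_rules:
        config:
          id: "{{ rule_lookup.gathered.id }}"
        state: deleted
      register: deletion

    # 'before' is always returned and 'after' is {} once the rule is gone, as
    # in the sample outputs above; tie the two together through the id.
    - name: Verify the module reports the rule as gone
      ansible.builtin.assert:
        that:
          - deletion.changed
          - deletion.qradar_analytics_rules.after == {}
          - deletion.qradar_analytics_rules.before.id == rule_lookup.gathered.id
        fail_msg: "Delete did not produce an empty 'after' for id {{ rule_lookup.gathered.id }}"
```

The same gather-then-act pattern works for merged: read the rule first, assert on its origin or owner, and only then push the change, so a typo in a rule name cannot silently land on the wrong object.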

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

after

dictionary

The configuration as structured data after module completion.

Returned: when changed

Sample: "The configuration returned will always be in the same format as the parameters above."

before

dictionary

The configuration as structured data prior to module invocation.

Returned: always

Sample: "The configuration returned will always be in the same format as the parameters above."

Authors