splunk.es.correlation_search – Manage Splunk Enterprise Security Correlation Searches
Note: This plugin is part of the splunk.es collection (version 1.0.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install splunk.es

To use it in a playbook, specify: splunk.es.correlation_search

New in version 1.0.0 of splunk.es
Synopsis
- This module allows for creation, deletion, and modification of Splunk Enterprise Security Correlation Searches
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
`app` (string) | Default: `"SplunkEnterpriseSecuritySuite"` | Splunk app to associate the correlation search with. |
`cron_schedule` (string) | Default: `"*/5 * * * *"` | Enter a cron-style schedule, for example `*/5 * * * *` (every 5 minutes) or `0 21 * * *` (every day at 9 PM). Real-time searches use a default schedule of `*/5 * * * *`. |
`description` (string / required) | | Description of the correlation search; this populates the description field in the web console. |
`name` (string / required) | | Name of the correlation search. |
`schedule_priority` (string) | | Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion. |
`schedule_window` (string) | Default: `"0"` | Let the report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report. |
`scheduling` (string) | | Controls the way the scheduler computes the next execution time of a scheduled search. Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling |
`search` (string / required) | | SPL search string. |
`state` (string / required) | | Add, remove, enable, or disable a correlation search. |
`suppress_alerts` (boolean) | | Whether to suppress alerts from this correlation search. |
`throttle_fields_to_group_by` (string) | | Type the fields to consider for matching events for throttling. |
`throttle_window_duration` (string) | | How much time to ignore other events that match the field values specified in "Fields to group by". |
`time_earliest` (string) | Default: `"-24h"` | Earliest time, using relative time modifiers. |
`time_latest` (string) | Default: `"now"` | Latest time, using relative time modifiers. |
`trigger_alert_when` (string) | | Trigger type that `trigger_alert_when_condition` and `trigger_alert_when_value` are applied to when deciding whether the search raises an alert. |
`trigger_alert_when_condition` (string) | | Conditional to pass to `trigger_alert_when`. |
`trigger_alert_when_value` (string) | Default: `"10"` | Value to pass to `trigger_alert_when`. |
`ui_dispatch_context` (string) | | Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context. |
Notes
- The following options are not yet supported: throttle_window_duration, throttle_fields_to_group_by, and adaptive_response_actions.
Examples
```yaml
- name: Example of creating a correlation search with splunk.es.correlation_search
  splunk.es.correlation_search:
    name: "Example Correlation Search From Ansible"
    description: "Example Correlation Search From Ansible, description."
    search: 'source="/var/log/snort.log"'
    state: "present"
```
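A fuller playbook, added here as an example rather than taken from the collection's own docs, that wires a detection-style correlation search to a schedule, a search window that covers the schedule interval, and an alert trigger, then disables it in a second task by reusing the same required fields. The inventory group, the `scheduling` value, the `trigger_alert_when` and `trigger_alert_when_condition` choices and the `state` value `"disabled"` are assumed from the module's argument spec; only `"present"` appears on this page.

```yaml
# Added example (not from the collection's own docs). Values marked "assumed" are
# taken from the module's argument spec rather than from this page.
- name: Manage a failed-logon correlation search in Splunk ES
  hosts: splunk_es           # assumed inventory group for the httpapi connection
  gather_facts: false
  tasks:
    - name: Create or update the detection
      splunk.es.correlation_search: &failed_logons
        name: "Ansible - Excessive Failed Logons"
        description: "More than 10 authentication failures from one source in 10 minutes (managed by Ansible)"
        search: >-
          index=auth action=failure
          | stats count AS failures BY src
          | where failures > 10
        state: "present"
        app: "SplunkEnterpriseSecuritySuite"
        # Run every 5 minutes over a 10-minute window: the window must be at least as
        # long as the schedule interval, or events between runs are never searched.
        cron_schedule: "*/5 * * * *"
        time_earliest: "-10m"
        time_latest: "now"
        scheduling: "continuous"                       # assumed choice
        schedule_priority: "Higher"
        schedule_window: "auto"
        # The SPL already filters to offending sources, so any result is a finding.
        trigger_alert_when: "number of results"        # assumed choice
        trigger_alert_when_condition: "greater than"   # assumed choice
        trigger_alert_when_value: "0"
        suppress_alerts: false

    - name: Disable the detection for a maintenance window without deleting it
      splunk.es.correlation_search:
        <<: *failed_logons        # reuse name/description/search, which are required
        state: "disabled"         # assumed choice; only "present" appears on this page
```

The YAML merge key keeps both tasks pointing at the same saved search, so a later run with `state: "present"` re-enables the same object rather than creating a second one.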
Authors
- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/splunk/es/correlation_search_module.html