| Server IP : 85.214.239.14 / Your IP : 3.15.1.45 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Mon Sep 30 15:36:27 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /lib/python3/dist-packages/ansible_collections/ibm/qradar/plugins/modules/ |
Upload File : |
#!/usr/bin/python
# Copyright: Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = """
---
module: qradar_analytics_rules
short_description: Qradar Analytics Rules Management resource module
description:
- This module allows for modification, deletion, and checking of Analytics Rules in QRadar
version_added: "2.1.0"
options:
config:
description: A dictionary of Qradar Analytics Rules options
type: dict
suboptions:
id:
description: The sequence ID of the rule.
type: int
name:
description: The name of the rule.
type: str
enabled:
description: Check if the rule is enabled
type: bool
owner:
description: Manage ownership of a QRadar Rule
type: str
fields:
description:
- List of params filtered from the Rule config
- NOTE, this param is valid only via state GATHERED.
type: list
elements: str
choices:
- average_capacity
- base_capacity
- base_host_id
- capacity_timestamp
- creation_date
- enabled
- id
- identifier
- linked_rule_identifier
- modification_date
- name
- origin
- owner
- type
range:
description:
- Parameter to restrict the number of elements that
are returned in the list to a specified range.
- NOTE, this param is valid only via state GATHERED.
type: str
state:
description:
- The state the configuration should be left in
- The state I(gathered) will get the module API configuration from the device
and transform it into structured data in the format as per the module argspec
and the value is returned in the I(gathered) key within the result.
type: str
choices:
- merged
- gathered
- deleted
author: Ansible Security Automation Team (@justjais) <https://github.com/ansible-security>
"""
EXAMPLES = """
# Using MERGED state
# -------------------
- name: DISABLE Rule 'Ansible Example DDoS Rule'
ibm.qradar.qradar_analytics_rules:
config:
name: 'Ansible Example DDOS Rule'
enabled: false
state: merged
# RUN output:
# -----------
# qradar_analytics_rules:
# after:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929682568
# enabled: false
# id: 100443
# identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
# linked_rule_identifier: null
# modification_date: 1658929682567
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929682568
# enabled: true
# id: 100443
# identifier: ae5a1268-02a0-4976-84c5-dbcbcf854b9c
# linked_rule_identifier: null
# modification_date: 1658929682567
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# Using GATHERED state
# --------------------
- name: Get information about the Rule named "Ansible Example DDOS Rule"
ibm.qradar.qradar_analytics_rules:
config:
name: "Ansible Example DDOS Rule"
state: gathered
# RUN output:
# -----------
# gathered:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658918848694
# enabled: true
# id: 100443
# identifier: d6d37942-ba28-438f-b909-120df643a992
# linked_rule_identifier: null
# modification_date: 1658918848692
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
- name: Get information about the Rule with ID 100443
ibm.qradar.qradar_analytics_rules:
config:
id: 100443
state: gathered
# RUN output:
# -----------
# gathered:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658918848694
# enabled: true
# id: 100443
# identifier: d6d37942-ba28-438f-b909-120df643a992
# linked_rule_identifier: null
# modification_date: 1658918848692
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
- name: TO Get information about the Rule ID with a range
ibm.qradar.qradar_analytics_rules:
config:
range: 100300-100500
fields:
- name
- origin
- owner
state: gathered
# RUN output:
# -----------
# gathered:
# - name: Devices with High Event Rates
# origin: SYSTEM
# owner: admin
# - name: Excessive Database Connections
# origin: SYSTEM
# owner: admin
# - name: 'Anomaly: Excessive Firewall Accepts Across Multiple Hosts'
# origin: SYSTEM
# owner: admin
# - name: Excessive Firewall Denies from Single Source
# origin: SYSTEM
# owner: admin
# - name: 'AssetExclusion: Exclude DNS Name By IP'
# origin: SYSTEM
# owner: admin
# - name: 'AssetExclusion: Exclude DNS Name By MAC Address'
# origin: SYSTEM
# owner: admin
- name: Delete custom Rule by NAME
ibm.qradar.qradar_analytics_rules:
config:
name: 'Ansible Example DDOS Rule'
state: deleted
# RUN output:
# -----------
# qradar_analytics_rules:
# after: {}
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929431239
# enabled: true
# id: 100444
# identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
# linked_rule_identifier: null
# modification_date: 1658929431238
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
# Using DELETED state
# -------------------
- name: Delete custom Rule by ID
ibm.qradar.qradar_analytics_rules:
config:
id: 100443
state: deleted
# RUN output:
# -----------
# qradar_analytics_rules:
# after: {}
# before:
# average_capacity: null
# base_capacity: null
# base_host_id: null
# capacity_timestamp: null
# creation_date: 1658929431239
# enabled: true
# id: 100443
# identifier: 3c2cbd9d-d141-49fc-b5d5-29009a9b5308
# linked_rule_identifier: null
# modification_date: 1658929431238
# name: Ansible Example DDOS Rule
# origin: USER
# owner: admin
# type: EVENT
"""
RETURN = """
before:
description: The configuration as structured data prior to module invocation.
returned: always
type: dict
sample: The configuration returned will always be in the same format of the parameters above.
after:
description: The configuration as structured data after module completion.
returned: when changed
type: dict
sample: The configuration returned will always be in the same format of the parameters above.
"""