def main():
    """Entry point: start a QRadar staged-configuration deployment.

    Reads the ``type`` param (``INCREMENTAL`` or ``FULL``) and POSTs to
    ``api/staged_config/deploy_status``.  The outcome is reported through
    ``module.exit_json``; this function never returns normally.
    """
    argspec = dict(
        type=dict(
            choices=["INCREMENTAL", "FULL"],
            required=False,
            default="INCREMENTAL",
        ),
    )

    module = AnsibleModule(argument_spec=argspec, supports_check_mode=False)

    # "type" is not listed in not_rest_data_keys, so QRadarRequest presumably
    # forwards it as request data — confirm against module_utils.
    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["state", "type_name", "identifier"],
    )

    response = qradar_request.post_by_path("api/staged_config/deploy_status")

    # An idle deploy is recognised from the message text QRadar returns,
    # not from a status code.
    idle_marker = to_text("No changes to deploy")
    nothing_to_deploy = (
        "message" in response and idle_marker in to_text(response["message"])
    )

    if nothing_to_deploy:
        module.exit_json(
            msg="No changes to deploy",
            qradar_return_data=response,
            changed=False,
        )
    else:
        deploy_type = module.params["type"]
        module.exit_json(
            msg="Successfully initiated {0} deployment.".format(deploy_type),
            qradar_return_data=response,
            changed=True,
        )
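def main():
    """Entry point: gather QRadar analytics rules, by id or by filter criteria.

    Reads ``id``, ``name``, ``owner``, ``type`` and ``origin`` from the module
    params.  When ``id`` is given the single rule is fetched directly;
    otherwise the remaining params are combined into a ``filter=`` query.
    Results are reported through ``module.exit_json(rules=...)``; this function
    never returns normally.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        owner=dict(required=False, type="str"),
        type=dict(
            required=False,
            choices=["EVENT", "FLOW", "COMMON", "USER"],
            type="str",
        ),
        origin=dict(
            required=False,
            choices=["SYSTEM", "OVERRIDE", "USER"],
            type="str",
        ),
    )

    module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)

    qradar_request = QRadarRequest(
        module,
        headers={"Content-Type": "application/json", "Version": "9.1"},
    )

    params = module.params

    # FIXME(original): the REST API had no native name lookup, so "name" is
    # expressed as a filter fragment below instead of a dedicated endpoint.
    if params["id"] is not None:
        rules = qradar_request.get_by_path(
            "api/analytics/rules/{0}".format(params["id"]))
    else:
        # Each fragment is URL-quoted on its own so a user-supplied value
        # cannot terminate the filter or smuggle in extra query parameters.
        filters = []

        if params["name"]:
            filters.append(
                quote('name="{0}"'.format(to_text(params["name"]))))

        if params["owner"]:
            filters.append(quote("owner={0}".format(params["owner"])))

        if params["type"]:
            filters.append(quote("type={0}".format(params["type"])))

        if params["origin"]:
            filters.append(quote("origin={0}".format(params["origin"])))

        # NOTE(review): fragments are joined with "&" as in the original;
        # confirm that QRadar's filter grammar expects this rather than " and ".
        if filters:
            rules = qradar_request.get_by_path(
                "api/analytics/rules?filter={0}".format("&".join(filters)))
        else:
            rules = qradar_request.get_by_path("api/analytics/rules")

    # Report from both branches: previously the exit sat inside the filter
    # branch, so an ``id`` lookup ended without producing any module output.
    module.exit_json(rules=rules, changed=False)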
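def _pending_offense_changes(offense, params):
    """Return ``key=value`` query fragments for each requested field that differs from *offense*.

    Boolean flags are tested with ``is not None`` so that an explicit ``false``
    request is honoured (a plain truthiness test silently dropped it).  String
    values are URL-quoted so a user-supplied value such as an assignee name
    cannot break the query or add extra parameters.

    Args:
        offense: the offense dict as returned by the QRadar API.
        params: ``module.params`` of the running module.

    Returns:
        A list of ``str`` fragments, empty when nothing needs to change.
    """
    try:
        from urllib.parse import quote  # Python 3
    except ImportError:  # Python 2
        from urllib import quote

    changes = []

    # NOTE(review): the choices mix "open" and "OPEN"; if QRadar always reports
    # the upper-case form, a lower-case request compares unequal on every run
    # — confirm before relying on idempotence here.
    if params["status"] and (to_text(offense.get("status")) !=
                             to_text(params["status"])):
        changes.append("status={0}".format(quote(to_text(params["status"]))))

    if params["assigned_to"] and (to_text(offense.get("assigned_to")) !=
                                  to_text(params["assigned_to"])):
        changes.append("assigned_to={0}".format(quote(params["assigned_to"])))

    if params["closing_reason_id"] and (offense.get("closing_reason_id") !=
                                        params["closing_reason_id"]):
        changes.append("closing_reason_id={0}".format(
            params["closing_reason_id"]))

    # Both flags share the same "only when explicitly requested" rule.
    for flag in ("follow_up", "protected"):
        if params[flag] is not None and offense.get(flag) != params[flag]:
            changes.append("{0}={1}".format(flag, params[flag]))

    return changes


def main():
    """Entry point: update an existing QRadar offense.

    The offense is addressed by the required ``id`` param.  Only fields whose
    requested value differs from the current offense are sent, as query
    parameters of a POST to ``api/siem/offenses/<id>``.  In check mode the
    pending change is reported without contacting the API.  Outcomes go
    through ``module.exit_json`` / ``module.fail_json``; this function never
    returns normally.
    """
    argspec = dict(
        # FIXME(original): "name" lookup is planned; "id" stays required until then.
        id=dict(required=True, type="int"),
        assigned_to=dict(required=False, type="str"),
        closing_reason=dict(required=False, type="str"),
        closing_reason_id=dict(required=False, type="int"),
        follow_up=dict(required=False, type="bool"),
        protected=dict(required=False, type="bool"),
        status=dict(
            required=False,
            choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
            type="str",
        ),
    )

    module = AnsibleModule(
        argument_spec=argspec,
        mutually_exclusive=[("closing_reason", "closing_reason_id")],
        supports_check_mode=True,
    )

    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
    )

    params = module.params

    found_offense = qradar_request.get(
        "/api/siem/offenses/{0}".format(params["id"]))

    if not found_offense:
        # FIXME(original): revisit once lookup by name exists and id is optional.
        module.fail_json(
            msg="Unable to find Offense ID: {0}".format(params["id"]))

    # Presumably resolves closing_reason -> closing_reason_id; confirm in module_utils.
    set_offense_values(module, qradar_request)

    changes = _pending_offense_changes(found_offense, params)

    if not changes:
        module.exit_json(msg="No changes necessary. Nothing to do.",
                         changed=False)

    if module.check_mode:
        module.exit_json(
            msg=
            "A change would have been made but was not because of Check Mode.",
            changed=True,
        )

    qradar_return_data = qradar_request.post_by_path(
        "api/siem/offenses/{0}?{1}".format(params["id"], "&".join(changes)))

    module.exit_json(
        msg="Successfully updated Offense ID: {0}".format(params["id"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )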
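def _offense_filters(params):
    """Build the URL-quoted ``filter`` fragments for an offense listing.

    Args:
        params: ``module.params`` of the running module.

    Returns:
        A list of quoted ``key=value`` fragments; empty when no criteria apply.
        Boolean flags are included only when explicitly set (``is not None``).
    """
    filters = []

    if params["status"]:
        filters.append(
            quote("status={0}".format(to_text(params["status"]))))

    if params["assigned_to"]:
        filters.append(
            quote("assigned_to={0}".format(params["assigned_to"])))

    if params["closing_reason_id"]:
        filters.append(
            quote("closing_reason_id={0}".format(
                params["closing_reason_id"])))

    for flag in ("follow_up", "protected"):
        if params[flag] is not None:
            filters.append(quote("{0}={1}".format(flag, params[flag])))

    return filters


def main():
    """Entry point: gather QRadar offenses, by id or by filter criteria.

    With ``id`` the single offense is fetched directly.  Otherwise the other
    params form a ``filter=`` query and, when ``name`` is given, the result is
    narrowed client-side to the offense whose ``description`` matches.  The
    result is reported through ``module.exit_json(offenses=...)``; this
    function never returns normally.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        assigned_to=dict(required=False, type="str"),
        closing_reason=dict(required=False, type="str"),
        closing_reason_id=dict(required=False, type="int"),
        follow_up=dict(required=False, type="bool", default=None),
        protected=dict(required=False, type="bool", default=None),
        status=dict(
            required=False,
            choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
            default="open",
            type="str",
        ),
    )

    module = AnsibleModule(
        argument_spec=argspec,
        mutually_exclusive=[("closing_reason", "closing_reason_id")],
        supports_check_mode=True,
    )

    qradar_request = QRadarRequest(
        module,
        headers={"Content-Type": "application/json", "Version": "9.1"},
        not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
    )

    params = module.params

    # FIXME(original): no native name filter in the REST API yet, so "name"
    # is matched client-side against "description" below.

    # Presumably resolves closing_reason -> closing_reason_id; confirm in module_utils.
    set_offense_values(module, qradar_request)

    if params["id"]:
        offenses = qradar_request.get_by_path(
            "api/siem/offenses/{0}".format(params["id"]))
    else:
        filters = _offense_filters(params)

        # NOTE(review): fragments are joined with "&" as in the original;
        # confirm QRadar's filter grammar expects this rather than " and ".
        if filters:
            offenses = qradar_request.get_by_path(
                "api/siem/offenses?filter={0}".format("&".join(filters)))
        else:
            offenses = qradar_request.get_by_path("api/siem/offenses")

        if params["name"]:
            match = find_dict_in_list(offenses, "description", params["name"])
            # The log-source module unpacks find_dict_in_list as (entry, index);
            # accept either shape so the facts payload holds the offense dict,
            # never an (entry, index) pair.
            if isinstance(match, tuple):
                match = match[0]
            offenses = match if match else []

    # Report from both branches: previously the exit sat inside the filter
    # branch, so an ``id`` lookup ended without producing any module output.
    module.exit_json(offenses=offenses, changed=False)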
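def _rule_ref(params, quoted=False):
    """Describe the targeted rule for user messages.

    Prefers ``rule ID: <id>`` when an id is known (a successful name lookup
    writes the id back into params), else ``rule named: <name>``; *quoted*
    wraps the name in double quotes as the not-found message does.
    """
    if params["id"]:
        return "rule ID: {0}".format(params["id"])
    if quoted:
        return 'rule named: "{0}"'.format(params["name"])
    return "rule named: {0}".format(params["name"])


def _find_rule(qradar_request, params):
    """Fetch the targeted rule by id, or by name filter.

    On a name hit the resolved id is stored in ``params["id"]`` so later
    messages refer to the rule by ID.

    Returns:
        The rule dict, or ``{}`` when nothing matched.
    """
    if params["id"]:
        return qradar_request.get(
            "/api/analytics/rules/{0}".format(params["id"]))

    if params["name"]:
        # NOTE(review): the filter is the bare quoted name, unlike the
        # name="..." form used by the rules facts module; confirm QRadar
        # accepts it.  Only the first hit is used when several rules match.
        rules = qradar_request.get("/api/analytics/rules?filter={0}".format(
            quote('"{0}"'.format(params["name"]))))
        if rules:
            params["id"] = rules[0]["id"]
            return rules[0]

    return {}


def main():
    """Entry point: enable, disable or delete a QRadar analytics rule.

    The rule is addressed by ``id`` or ``name`` (exactly one).  ``state`` is
    ``enabled``, ``disabled`` or ``absent``.  Check mode reports the pending
    change without contacting the API.  Outcomes go through
    ``module.exit_json`` / ``module.fail_json``; this function never returns
    normally.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        state=dict(required=True,
                   choices=["enabled", "disabled", "absent"],
                   type="str"),
        owner=dict(required=False, type="str"),
    )

    module = AnsibleModule(
        argument_spec=argspec,
        supports_check_mode=True,
        required_one_of=[("name", "id")],
        mutually_exclusive=[("name", "id")],
    )

    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["id", "name", "state", "owner"],
    )

    params = module.params
    state = params["state"]

    # FIXME(original): a native name lookup did not exist yet; see _find_rule.
    rule = _find_rule(qradar_request, params)
    # Kept for parity with the original, which stashed the fetched rule in
    # module.params; nothing visible here reads it back.
    params["rule"] = rule

    if state == "absent":
        if not rule:
            module.exit_json(msg="Nothing to do, rule not found.",
                             changed=False)

        if module.check_mode:
            module.exit_json(
                msg=
                "A change would have been made but was not because of Check Mode.",
                changed=True,
            )

        qradar_return_data = qradar_request.delete(
            "/api/analytics/rules/{0}".format(rule["id"]))
        module.exit_json(
            msg="Successfully deleted {0}".format(_rule_ref(params)),
            qradar_return_data=qradar_return_data,
            changed=True,
        )

    # state is "enabled" or "disabled" (choices enforce this).
    if not rule:
        module.fail_json(
            msg="Unable to find {0}".format(_rule_ref(params, quoted=True)))

    want_enabled = state == "enabled"

    # Identity test on the flag mirrors the original `is True` / `is False`.
    if rule["enabled"] is want_enabled:
        module.exit_json(
            msg="No change needed for {0}".format(_rule_ref(params)),
            qradar_return_data={},
            changed=False,
        )

    # supports_check_mode is declared, so a POST must not happen in check mode.
    if module.check_mode:
        module.exit_json(
            msg=
            "A change would have been made but was not because of Check Mode.",
            changed=True,
        )

    rule["enabled"] = want_enabled
    qradar_return_data = qradar_request.post_by_path(
        "api/analytics/rules/{0}".format(rule["id"]),
        data=json.dumps(rule),
    )

    verb = "enabled" if want_enabled else "disabled"
    module.exit_json(
        msg="Successfully {0} {1}".format(verb, _rule_ref(params)),
        qradar_return_data=qradar_return_data,
        changed=True,
    )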
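def main():
    """Entry point: create, update or delete a QRadar log source addressed by name.

    With ``state=present`` an existing log source is updated only when its
    identifier, name, type id or description differ from the params; a missing
    one is created.  With ``state=absent`` an existing one is deleted.  Check
    mode reports the pending change with a placeholder payload and performs
    no request.  Outcomes go through ``module.exit_json`` /
    ``module.fail_json``; this function never returns normally.
    """
    argspec = dict(
        name=dict(required=True, type="str"),
        state=dict(choices=["present", "absent"], required=True),
        type_name=dict(required=False, type="str"),
        type_id=dict(required=False, type="int"),
        identifier=dict(required=True, type="str"),
        protocol_type_id=dict(required=False, type="int"),
        description=dict(required=True, type="str"),
    )

    module = AnsibleModule(
        argument_spec=argspec,
        required_one_of=[("type_name", "type_id")],
        mutually_exclusive=[("type_name", "type_id")],
        supports_check_mode=True,
    )

    qradar_request = QRadarRequest(
        module,
        headers={"Content-Type": "application/json", "Version": "9.1"},
        not_rest_data_keys=["state", "type_name", "identifier"],
    )

    params = module.params
    log_sources_path = "api/config/event_sources/log_source_management/log_sources"
    check_mode_data = {"EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"}

    existing = qradar_request.get_by_path("{0}?filter={1}".format(
        log_sources_path,
        quote('name="{0}"'.format(params["name"]))))

    if not existing:
        if params["state"] == "present":
            # Presumably resolves type_name -> type_id and fills the REST
            # payload read by get_data(); confirm in module_utils.
            set_log_source_values(module, qradar_request)
            if module.check_mode:
                qradar_return_data = check_mode_data
            else:
                qradar_return_data = qradar_request.create_update(
                    log_sources_path,
                    data=json.dumps([qradar_request.get_data()]),
                )

            module.exit_json(
                msg="Successfully created log source: {0}".format(
                    params["name"]),
                qradar_return_data=qradar_return_data,
                changed=True,
            )

        if params["state"] == "absent":
            module.exit_json(changed=False, msg="Nothing to do.")

    # Alias of existing[0]: edits below are visible in the list that gets posted.
    current = existing[0]

    if params["state"] == "absent":
        if module.check_mode:
            qradar_return_data = check_mode_data
        else:
            qradar_return_data = qradar_request.delete_by_path(
                "{0}/{1}".format(log_sources_path, current["id"]))

        module.exit_json(
            msg="Successfully deleted log source: {0}".format(params["name"]),
            qradar_return_data=qradar_return_data,
            changed=True,
        )

    # state == "present": compare the existing log source with the request.
    match = find_dict_in_list(current["protocol_parameters"], "name",
                              "identifier")
    # Guard the unpack: a log source without an "identifier" protocol
    # parameter would otherwise surface as a bare TypeError.
    if not match:
        module.fail_json(
            msg="Existing log source {0} has no protocol parameter named "
            "'identifier'.".format(params["name"]))
    existing_identifier, identifier_index = match

    # Presumably resolves type_name -> type_id and builds
    # params["protocol_parameters"] used below; confirm in module_utils.
    set_log_source_values(module, qradar_request)

    unchanged = [
        existing_identifier["value"] == params["identifier"],
        current["name"] == params["name"],
        current["type_id"] == params["type_id"],
        to_text(current["description"]) == to_text(params["description"]),
    ]

    if all(unchanged):
        module.exit_json(changed=False, msg="Nothing to do.")

    current["protocol_parameters"][identifier_index] = params[
        "protocol_parameters"][0]
    current["name"] = params["name"]
    current["type_id"] = params["type_id"]
    current["description"] = params["description"]

    if module.check_mode:
        qradar_return_data = check_mode_data
    else:
        qradar_return_data = qradar_request.create_update(
            log_sources_path,
            data=json.dumps(existing),
        )

    module.exit_json(
        msg="Successfully updated log source: {0}".format(params["name"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )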
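def _create_note(module, qradar_request):
    """POST a new note with ``note_text`` on offense ``id`` and report success.

    Honours check mode by reporting ``changed=True`` without contacting the
    API.  Exits through ``module.exit_json``; never returns.
    """
    if module.check_mode:
        module.exit_json(
            msg=
            "A change would have occured but did not because Check Mode",
            changed=True,
        )

    # note_text is URL-quoted: it is user input placed in the query string.
    qradar_return_data = qradar_request.post_by_path(
        "api/siem/offenses/{0}/notes?note_text={1}".format(
            module.params["id"],
            quote("{0}".format(module.params["note_text"]))),
        data=False,
    )
    module.exit_json(
        msg="Successfully created Offense Note ID: {0}".format(
            qradar_return_data["id"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )


def main():
    """Entry point: ensure a note with the given text exists on a QRadar offense.

    Looks the note up by ``note_text`` on offense ``id``; when the first hit
    carries exactly that text nothing is done, otherwise the note is created.
    Outcomes go through ``module.exit_json``; this function never returns
    normally.
    """
    argspec = dict(
        # A state=present/absent param was planned (it is already listed in
        # not_rest_data_keys) but is not implemented yet.
        id=dict(required=True, type="int"),
        note_text=dict(required=True, type="str"),
    )

    module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)

    qradar_request = QRadarRequest(
        module,
        headers={"Content-Type": "application/json", "Version": "9.1"},
        not_rest_data_keys=["state", "id"],
    )

    # FIXME(original): once the note lookup is settled, move it to module_utils.
    found_notes = qradar_request.get_by_path(
        "api/siem/offenses/{0}/notes?filter={1}".format(
            module.params["id"],
            quote('note_text="{0}"'.format(module.params["note_text"])),
        ))

    # The filter already selects on note_text; the exact comparison guards
    # against a looser server-side match returning a different note.
    if found_notes and found_notes[0]["note_text"] == module.params["note_text"]:
        module.exit_json(msg="No changes necessary. Nothing to do.",
                         changed=False)

    # No note, or the first hit differs: create it.  The found-but-different
    # path previously referenced an undefined name (qradar_offense_note) and
    # reported changed=False after having created a note.
    _create_note(module, qradar_request)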