def main():
    """Entry point: trigger a QRadar staged-configuration deploy.

    Posts to ``api/staged_config/deploy_status`` and reports ``changed=False``
    when QRadar's response message says there is nothing to deploy, otherwise
    ``changed=True``. Check mode is not supported: the request itself is the
    action, so there is nothing to simulate.
    """
    argspec = dict(
        type=dict(
            choices=["INCREMENTAL", "FULL"],
            required=False,
            default="INCREMENTAL",
        ),
    )
    module = AnsibleModule(argument_spec=argspec, supports_check_mode=False)
    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["state", "type_name", "identifier"],
    )

    qradar_return_data = qradar_request.post_by_path(
        "api/staged_config/deploy_status")

    # QRadar signals a no-op through its response message rather than a
    # distinct status, so the decision is a substring test on "message".
    nothing_to_deploy = False
    if "message" in qradar_return_data:
        nothing_to_deploy = to_text("No changes to deploy") in to_text(
            qradar_return_data["message"])

    if nothing_to_deploy:
        module.exit_json(
            msg="No changes to deploy",
            qradar_return_data=qradar_return_data,
            changed=False,
        )

    module.exit_json(
        msg="Successfully initiated {0} deployment.".format(
            module.params["type"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )
def main():
    """Entry point: list QRadar analytics rules (read-only).

    With ``id`` the single rule is fetched directly; otherwise an optional
    ``filter`` is built from ``name``, ``owner``, ``type`` and ``origin`` (in
    that order) and the rule collection is queried. Always exits with
    ``changed=False``.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        owner=dict(required=False, type="str"),
        type=dict(
            required=False,
            choices=["EVENT", "FLOW", "COMMON", "USER"],
            type="str",
        ),
        origin=dict(
            required=False,
            choices=["SYSTEM", "OVERRIDE", "USER"],
            type="str",
        ),
    )
    module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
    qradar_request = QRadarRequest(
        module,
        headers={
            "Content-Type": "application/json",
            "Version": "9.1",
        },
    )
    params = module.params

    # FIXME - querying by name natively via the REST API is not available
    # yet, so name is folded into the generic filter below instead.
    if params["id"]:
        rules = qradar_request.get_by_path(
            "api/analytics/rules/{0}".format(params["id"]))
    else:
        clauses = []
        if params["name"]:
            clauses.append(
                quote('name="{0}"'.format(to_text(params["name"]))))
        # The remaining filters share one "key=value" shape.
        for key in ("owner", "type", "origin"):
            value = params[key]
            if value:
                clauses.append(quote("{0}={1}".format(key, value)))

        # NOTE(review): each clause is URL-quoted separately and then joined
        # with a literal "&", so the second and later clauses reach the server
        # as separate query parameters rather than as part of "filter" —
        # confirm against the QRadar filter grammar before relying on
        # multi-field filters.
        if clauses:
            rules = qradar_request.get_by_path(
                "api/analytics/rules?filter={0}".format("&".join(clauses)))
        else:
            rules = qradar_request.get_by_path("api/analytics/rules")

    module.exit_json(rules=rules, changed=False)
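def main():
    """Entry point: update an existing QRadar offense addressed by ``id``.

    Fetches ``/api/siem/offenses/<id>`` and compares the requested ``status``,
    ``assigned_to``, ``closing_reason_id``, ``follow_up`` and ``protected``
    values with what QRadar holds; only the differing fields are posted back
    as query parameters. In check mode a pending change is reported with
    ``changed=True`` but not sent. Fails when the offense does not exist.
    """
    argspec = dict(
        # FIXME - a lookup by name would let "id" become optional
        # (required_one_of name/id); until then "id" stays required.
        id=dict(required=True, type="int"),
        assigned_to=dict(required=False, type="str"),
        closing_reason=dict(required=False, type="str"),
        closing_reason_id=dict(required=False, type="int"),
        follow_up=dict(required=False, type="bool"),
        protected=dict(required=False, type="bool"),
        status=dict(
            required=False,
            choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
            type="str",
        ),
    )
    module = AnsibleModule(
        argument_spec=argspec,
        mutually_exclusive=[("closing_reason", "closing_reason_id")],
        supports_check_mode=True,
    )
    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
    )

    found_offense = qradar_request.get("/api/siem/offenses/{0}".format(
        module.params["id"]))
    if not found_offense:
        # FIXME - revisit once lookup by name exists and "id" is optional.
        module.fail_json(
            msg="Unable to find Offense ID: {0}".format(module.params["id"]))

    # Resolves derived values (e.g. closing_reason -> closing_reason_id)
    # into module.params before the comparison below.
    set_offense_values(module, qradar_request)

    post_strs = _pending_changes(module.params, found_offense)
    if not post_strs:
        module.exit_json(msg="No changes necessary. Nothing to do.",
                         changed=False)

    if module.check_mode:
        module.exit_json(
            msg="A change would have been made but was not because of Check Mode.",
            changed=True,
        )

    # NOTE(review): the values are placed in the query string unencoded;
    # confirm post_by_path quotes them, otherwise an assigned_to containing
    # "&" or "=" would be split into extra parameters.
    qradar_return_data = qradar_request.post_by_path(
        "api/siem/offenses/{0}?{1}".format(module.params["id"],
                                          "&".join(post_strs)))
    module.exit_json(
        msg="Successfully updated Offense ID: {0}".format(
            module.params["id"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )


def _pending_changes(params, found_offense):
    """Return the ``key=value`` fragments whose requested value differs.

    ``params`` is the module's parameter dict and ``found_offense`` the
    offense as returned by QRadar. Only options the user actually supplied
    are considered; for the two boolean flags ``False`` is a legitimate
    request (clear the flag), so the test is "option given" (``is not
    None``) rather than truthiness — the previous truthiness check made it
    impossible to turn ``follow_up`` or ``protected`` off.
    """
    changes = []

    # NOTE(review): this comparison is case-sensitive while the choices
    # accept both cases; if QRadar reports "OPEN" and the playbook says
    # "open", a status update is re-sent on every run — confirm the API's
    # casing before relying on idempotence here.
    status = params["status"]
    if status and to_text(found_offense["status"]) != to_text(status):
        changes.append("status={0}".format(to_text(status)))

    assigned_to = params["assigned_to"]
    if assigned_to and (to_text(found_offense["assigned_to"])
                        != to_text(assigned_to)):
        changes.append("assigned_to={0}".format(assigned_to))

    closing_reason_id = params["closing_reason_id"]
    if closing_reason_id and (found_offense["closing_reason_id"]
                              != closing_reason_id):
        changes.append("closing_reason_id={0}".format(closing_reason_id))

    for flag in ("follow_up", "protected"):
        requested = params[flag]
        if requested is not None and found_offense[flag] != requested:
            changes.append("{0}={1}".format(flag, requested))

    return changes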
def main():
    """Entry point: list QRadar offenses (read-only).

    With ``id`` the single offense is fetched; otherwise a ``filter`` is built
    from ``status`` (defaults to ``open``), ``assigned_to``,
    ``closing_reason_id``, ``follow_up`` and ``protected``. When ``name`` is
    given the result is narrowed to the entry whose ``description`` matches.
    Always exits with ``changed=False``.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        assigned_to=dict(required=False, type="str"),
        closing_reason=dict(required=False, type="str"),
        closing_reason_id=dict(required=False, type="int"),
        follow_up=dict(required=False, type="bool", default=None),
        protected=dict(required=False, type="bool", default=None),
        status=dict(
            required=False,
            choices=["open", "OPEN", "hidden", "HIDDEN", "closed", "CLOSED"],
            default="open",
            type="str",
        ),
    )
    module = AnsibleModule(
        argument_spec=argspec,
        mutually_exclusive=[("closing_reason", "closing_reason_id")],
        supports_check_mode=True,
    )
    qradar_request = QRadarRequest(
        module,
        headers={
            "Content-Type": "application/json",
            "Version": "9.1",
        },
        not_rest_data_keys=["name", "id", "assigned_to", "closing_reason"],
    )
    params = module.params

    # FIXME - querying by name natively via the REST API is not available
    # yet; name is matched client-side against "description" below.

    # Resolves derived values into module.params (e.g. closing_reason ->
    # closing_reason_id) before the filter is assembled.
    set_offense_values(module, qradar_request)

    if params["id"]:
        offenses = qradar_request.get_by_path(
            "api/siem/offenses/{0}".format(params["id"]))
    else:
        clauses = []
        if params["status"]:
            clauses.append(
                quote("status={0}".format(to_text(params["status"]))))
        for key in ("assigned_to", "closing_reason_id"):
            if params[key]:
                clauses.append(quote("{0}={1}".format(key, params[key])))
        # Booleans: False is a real filter value, so test for "given".
        for key in ("follow_up", "protected"):
            if params[key] is not None:
                clauses.append(quote("{0}={1}".format(key, params[key])))

        # NOTE(review): clauses are quoted individually and joined with a
        # literal "&", so only the first one is certain to land inside
        # "filter" — confirm against the QRadar filter grammar.
        if clauses:
            offenses = qradar_request.get_by_path(
                "api/siem/offenses?filter={0}".format("&".join(clauses)))
        else:
            offenses = qradar_request.get_by_path("api/siem/offenses")

    if params["name"]:
        # NOTE(review): elsewhere in this collection find_dict_in_list is
        # unpacked as (dict, index); if that is its contract here, "offenses"
        # becomes that tuple rather than the matching dict — confirm.
        matched = find_dict_in_list(offenses, "description", params["name"])
        offenses = matched if matched else []

    module.exit_json(offenses=offenses, changed=False)
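def main():
    """Entry point: enable, disable or delete a QRadar analytics rule.

    The rule is located by ``id`` or by ``name`` (a name lookup stores the
    resolved id back into ``module.params["id"]``, so later messages refer to
    the rule by id). ``state=enabled``/``disabled`` posts the full rule
    document with ``enabled`` toggled when it differs; ``state=absent``
    deletes the rule when it exists. Every path terminates through
    ``exit_json``/``fail_json``.

    Fixes relative to the previous version: the "already disabled" message
    wrongly said "Successfully enabled", the "already enabled"/"already
    disabled" messages for name lookups now say "No change needed", and the
    trailing ``exit_json(rules=rules, ...)`` — unreachable, and referencing
    ``rules`` which is unbound on the id path — is gone.
    """
    argspec = dict(
        id=dict(required=False, type="int"),
        name=dict(required=False, type="str"),
        state=dict(
            required=True,
            choices=["enabled", "disabled", "absent"],
            type="str",
        ),
        owner=dict(required=False, type="str"),
    )
    module = AnsibleModule(
        argument_spec=argspec,
        supports_check_mode=True,
        required_one_of=[("name", "id")],
        mutually_exclusive=[("name", "id")],
    )
    qradar_request = QRadarRequest(
        module,
        not_rest_data_keys=["id", "name", "state", "owner"],
    )

    # FIXME - querying by name natively via the REST API is not available
    # yet; the filter-based lookup in _find_rule stands in for it.
    module.params["rule"] = _find_rule(module, qradar_request)
    rule = module.params["rule"]
    state = module.params["state"]

    if state == "absent":
        if not rule:
            module.exit_json(msg="Nothing to do, rule not found.")
        qradar_return_data = qradar_request.delete(
            "/api/analytics/rules/{0}".format(rule["id"]))
        _exit_changed(module, "Successfully deleted", qradar_return_data)

    # state is "enabled" or "disabled" from here on (choices enforce it).
    want_enabled = state == "enabled"
    if not rule:
        _fail_not_found(module)

    # Identity test mirrors the original "is True" / "is False" checks: a
    # non-bool "enabled" value is treated as needing an update.
    if rule["enabled"] is want_enabled:
        _exit_unchanged(module)

    rule["enabled"] = want_enabled
    qradar_return_data = qradar_request.post_by_path(
        "api/analytics/rules/{0}".format(rule["id"]),
        data=json.dumps(rule),
    )
    verb = "Successfully enabled" if want_enabled else "Successfully disabled"
    _exit_changed(module, verb, qradar_return_data)


def _find_rule(module, qradar_request):
    """Look the rule up by id, else by name; return its dict or ``{}``.

    A successful name lookup also writes the found id into
    ``module.params["id"]`` (existing behaviour callers' messages rely on).
    """
    params = module.params
    if params["id"]:
        return qradar_request.get(
            "/api/analytics/rules/{0}".format(params["id"]))
    if params["name"]:
        # NOTE(review): the filter is the bare quoted name; the rule_info
        # module in this collection uses name="..." — confirm which form the
        # QRadar filter grammar expects.
        rules = qradar_request.get("/api/analytics/rules?filter={0}".format(
            quote('"{0}"'.format(params["name"]))))
        if rules:
            params["id"] = rules[0]["id"]
            return rules[0]
    return {}


def _fail_not_found(module):
    """fail_json with the id- or name-based "Unable to find" message."""
    params = module.params
    if params["id"]:
        module.fail_json(
            msg="Unable to find rule ID: {0}".format(params["id"]))
    module.fail_json(
        msg='Unable to find rule named: "{0}"'.format(params["name"]))


def _exit_unchanged(module):
    """exit_json(changed=False) naming the rule by id when known, else name."""
    params = module.params
    if params["id"]:
        module.exit_json(
            msg="No change needed for rule ID: {0}".format(params["id"]),
            qradar_return_data={},
            changed=False,
        )
    module.exit_json(
        msg="No change needed for rule named: {0}".format(params["name"]),
        qradar_return_data={},
        changed=False,
    )


def _exit_changed(module, verb, qradar_return_data):
    """exit_json(changed=True) with ``"<verb> rule ID: .."`` or ``".. named: .."``."""
    params = module.params
    if params["id"]:
        module.exit_json(
            msg="{0} rule ID: {1}".format(verb, params["id"]),
            qradar_return_data=qradar_return_data,
            changed=True,
        )
    module.exit_json(
        msg="{0} rule named: {1}".format(verb, params["name"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )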
def main():
    """Entry point: create, update or delete a QRadar log source.

    The log source is looked up by ``name``. For ``state=present`` an existing
    source is compared on the protocol ``identifier``, ``name``, ``type_id``
    and ``description`` and updated only when one differs; a missing source
    is created. For ``state=absent`` an existing source is deleted. Check mode
    returns a placeholder instead of performing the transaction.
    """
    argspec = dict(
        name=dict(required=True, type="str"),
        state=dict(choices=["present", "absent"], required=True),
        type_name=dict(required=False, type="str"),
        type_id=dict(required=False, type="int"),
        identifier=dict(required=True, type="str"),
        protocol_type_id=dict(required=False, type="int"),
        description=dict(required=True, type="str"),
    )
    module = AnsibleModule(
        argument_spec=argspec,
        required_one_of=[("type_name", "type_id")],
        mutually_exclusive=[("type_name", "type_id")],
        supports_check_mode=True,
    )
    qradar_request = QRadarRequest(
        module,
        headers={
            "Content-Type": "application/json",
            "Version": "9.1",
        },
        not_rest_data_keys=["state", "type_name", "identifier"],
    )
    params = module.params
    state = params["state"]
    log_sources_path = "api/config/event_sources/log_source_management/log_sources"
    # Returned in place of the API response when no transaction is made.
    check_mode_placeholder = {
        "EMPTY": "IN CHECK MODE, NO TRANSACTION TOOK PLACE"
    }

    existing = qradar_request.get_by_path("{0}?filter={1}".format(
        log_sources_path, quote('name="{0}"'.format(params["name"]))))

    if not existing:
        if state == "absent":
            module.exit_json(changed=False, msg="Nothing to do.")
        if state == "present":
            # Fills in derived params (type_id, protocol parameters, ...)
            # so get_data() below carries a complete log-source document.
            set_log_source_values(module, qradar_request)
            if module.check_mode:
                qradar_return_data = check_mode_placeholder
            else:
                qradar_return_data = qradar_request.create_update(
                    log_sources_path,
                    data=json.dumps([qradar_request.get_data()]),
                )
            module.exit_json(
                msg="Successfully created log source: {0}".format(
                    params["name"]),
                qradar_return_data=qradar_return_data,
                changed=True,
            )
        return

    current = existing[0]

    if state == "present":
        # NOTE(review): find_dict_in_list is unpacked as (dict, index) here;
        # if it returns None when no "identifier" protocol parameter exists,
        # this unpack raises — confirm the helper's contract.
        current_identifier, identifier_index = find_dict_in_list(
            current["protocol_parameters"], "name", "identifier")
        set_log_source_values(module, qradar_request)

        # presumably set_log_source_values populates
        # params["protocol_parameters"]; verify against module_utils.
        unchanged = [
            current_identifier["value"] == params["identifier"],
            current["name"] == params["name"],
            current["type_id"] == params["type_id"],
            to_text(current["description"]) == to_text(params["description"]),
        ]
        if all(unchanged):
            module.exit_json(changed=False, msg="Nothing to do.")

        current["protocol_parameters"][identifier_index] = (
            params["protocol_parameters"][0])
        current["name"] = params["name"]
        current["type_id"] = params["type_id"]
        current["description"] = params["description"]
        if module.check_mode:
            qradar_return_data = check_mode_placeholder
        else:
            qradar_return_data = qradar_request.create_update(
                log_sources_path,
                data=json.dumps(existing),
            )
        module.exit_json(
            msg="Successfully updated log source: {0}".format(params["name"]),
            qradar_return_data=qradar_return_data,
            changed=True,
        )

    if state == "absent":
        if module.check_mode:
            qradar_return_data = check_mode_placeholder
        else:
            qradar_return_data = qradar_request.delete_by_path(
                "{0}/{1}".format(log_sources_path, current["id"]))
        module.exit_json(
            msg="Successfully deleted log source: {0}".format(params["name"]),
            qradar_return_data=qradar_return_data,
            changed=True,
        )
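def main():
    """Entry point: ensure a note with ``note_text`` exists on offense ``id``.

    Looks the note up through the offense's ``notes`` endpoint filtered by
    ``note_text``; when a note with exactly that text exists nothing is done,
    otherwise one is created (or, in check mode, reported as pending).

    Fixes relative to the previous version: the "found but text differs"
    branch referenced an undefined ``qradar_offense_note`` (a NameError after
    the POST had already been sent) and reported ``changed=False`` for a
    creation; both create paths now share ``_create_note``.
    """
    argspec = dict(
        # A "state" option (present/absent) is not implemented yet; only
        # creation is supported.
        id=dict(required=True, type="int"),
        note_text=dict(required=True, type="str"),
    )
    module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
    qradar_request = QRadarRequest(
        module,
        headers={
            "Content-Type": "application/json",
            "Version": "9.1",
        },
        not_rest_data_keys=["state", "id"],
    )

    # FIXME - once this is sorted, add it to module_utils
    found_notes = qradar_request.get_by_path(
        "api/siem/offenses/{0}/notes?filter={1}".format(
            module.params["id"],
            quote('note_text="{0}"'.format(module.params["note_text"])),
        ))

    # The filter is on note_text already; the exact comparison guards
    # against a looser server-side match.
    if found_notes and found_notes[0]["note_text"] == module.params["note_text"]:
        module.exit_json(msg="No changes necessary. Nothing to do.",
                         changed=False)

    _create_note(module, qradar_request)

    # Only reached if exit_json did not terminate the module.
    module.exit_json(msg="No changes necessary. Nothing to do.",
                     changed=False)


def _create_note(module, qradar_request):
    """POST a new note for ``module.params["id"]`` and exit with ``changed=True``.

    In check mode exits with ``changed=True`` without sending the request.
    """
    if module.check_mode:
        module.exit_json(
            msg="A change would have occured but did not because Check Mode",
            changed=True,
        )

    qradar_return_data = qradar_request.post_by_path(
        "api/siem/offenses/{0}/notes?note_text={1}".format(
            module.params["id"],
            quote("{0}".format(module.params["note_text"]))),
        data=False,
    )
    module.exit_json(
        msg="Successfully created Offense Note ID: {0}".format(
            qradar_return_data["id"]),
        qradar_return_data=qradar_return_data,
        changed=True,
    )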