splunk.es.splunk_investigation_type module – Manage Splunk Enterprise Security investigation types
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_investigation_type.
New in splunk.es 5.1.0
Synopsis
- This module allows for creation and update of Splunk Enterprise Security investigation types.
- Investigation type names are unique in Splunk ES, so `name` is used as the identifier. The module creates the investigation type if it does not exist, or updates it if it does.
- Response plans can be associated with investigation types via `response_plan_ids`. Note: Investigation types cannot be deleted via the Splunk API, so this module only supports create and update operations.
- IMPORTANT - Declarative Approach: The `response_plan_ids` parameter is declarative. Whatever response plan IDs you define will be exactly what is associated with the investigation type after the module runs. Any existing associations NOT included in your playbook will be REMOVED.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| `api_app` | The app portion of the Splunk API path for the incident types endpoint. Override this if your environment uses a different app name. Default: |
| `api_namespace` | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
| `api_user` | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
| `description` | The description of the investigation type. |
| `name` | The name of the investigation type. This is the unique identifier and is always required. The name cannot be changed after creation. |
| `response_plan_ids` | List of response plan template UUIDs to associate with this investigation type. Use the If not specified or empty, no response plans will be associated. Note: This is declarative - only the IDs listed here will be associated. Any existing associations not in this list will be removed. |
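The create-or-update and declarative `response_plan_ids` behaviour described in the synopsis and in the parameter table above, modelled as an added example. This is not code from the splunk.es collection: it runs against a constructed in-memory dict standing in for the Splunk ES investigation-type store, and the function names `reconcile_investigation_type` and `associations_to_be_removed` are this example's own. The second function is the pre-flight check a practitioner wants before running a playbook that may not list every association they intend to keep.

```python
"""Added example, not code from the splunk.es collection: an in-memory model
of the create-or-update and declarative ``response_plan_ids`` semantics the
module documentation describes, plus a pre-flight check for associations the
declarative list would drop.

Assumptions (for illustration only): the store is a plain dict keyed by
investigation type name, and the function names below are this example's own.
"""
from copy import deepcopy


def reconcile_investigation_type(store, name, description=None, response_plan_ids=None):
    """Apply the documented semantics to ``store`` in place and return a
    result dict with ``changed``, ``before``, ``after`` and ``message``.

    - ``name`` is the unique identifier: create if absent, update if present,
      never delete (the documented API limitation).
    - ``response_plan_ids`` is declarative: the association list afterwards is
      exactly the list given; None or [] means no associations at all.
    - Assumption: omitting ``description`` on an update keeps the existing one.
    """
    desired_ids = list(response_plan_ids or [])
    before = deepcopy(store.get(name))  # None when creating, as the docs state
    existing_description = (before or {}).get("description")
    after = {
        "name": name,
        "description": description if description is not None else existing_description,
        "response_plan_ids": desired_ids,
    }
    if before is None:
        store[name] = after
        return {"changed": True, "before": None, "after": after,
                "message": f"Created investigation type '{name}'"}
    if before == after:
        return {"changed": False, "before": before, "after": after,
                "message": f"Investigation type '{name}' already up to date"}
    store[name] = after
    return {"changed": True, "before": before, "after": after,
            "message": f"Updated investigation type '{name}'"}


def associations_to_be_removed(store, name, response_plan_ids):
    """Pre-flight check: existing response plan associations that a run with
    ``response_plan_ids`` would silently remove. Review this before applying a
    playbook that does not list every association you intend to keep."""
    current = (store.get(name) or {}).get("response_plan_ids", [])
    return sorted(set(current) - set(response_plan_ids or []))


if __name__ == "__main__":
    # Constructed sample data; the UUIDs are the ones used in the documentation examples.
    es = {}
    plans = ["3415de6d-cdfb-4bdb-a21d-693cde38f1e8",
             "a1b2c3d4-e5f6-7890-abcd-ef1234567890"]
    desc = "Investigation type for malware-related incidents"
    print(reconcile_investigation_type(es, "Malware Incident", desc, plans))
    print("would remove:", associations_to_be_removed(es, "Malware Incident", plans[:1]))
    print(reconcile_investigation_type(es, "Malware Incident", desc, plans[:1]))
    print(reconcile_investigation_type(es, "Malware Incident", response_plan_ids=[]))
```

The model makes the declarative risk visible: a second run that lists only one of two associated plans reports `changed: True` and the `before`/`after` states show the dropped UUID, which is exactly what `associations_to_be_removed` predicts beforehand.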
Examples
```yaml
# Create a new investigation type
- name: Create investigation type
  splunk.es.splunk_investigation_type:
    name: "Insider Threat"
    description: "Investigation type for insider threat incidents"

# Create investigation type with response plan associations
- name: Create investigation type with response plans
  splunk.es.splunk_investigation_type:
    name: "Malware Incident"
    description: "Investigation type for malware-related incidents"
    response_plan_ids:
      - "3415de6d-cdfb-4bdb-a21d-693cde38f1e8"
      - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"

# Update investigation type description
- name: Update investigation type description
  splunk.es.splunk_investigation_type:
    name: "Insider Threat"
    description: "Updated description for insider threat investigations"

# Update response plan associations (replaces existing associations)
- name: Update investigation type response plans
  splunk.es.splunk_investigation_type:
    name: "Malware Incident"
    description: "Investigation type for malware-related incidents"
    response_plan_ids:
      - "new-uuid-1234-5678-abcd-ef1234567890"

# Remove all response plan associations
- name: Remove all response plans from investigation type
  splunk.es.splunk_investigation_type:
    name: "Malware Incident"
    description: "Investigation type for malware-related incidents"
    response_plan_ids: []

# Create investigation type with custom API path
- name: Create investigation type with custom API path
  splunk.es.splunk_investigation_type:
    name: "Custom Investigation Type"
    description: "Investigation type with custom API configuration"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
```
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| `changed` | Whether any changes were made. Returned: always Sample: |
| | The investigation type result containing before/after states. Returned: always Sample: |
| | The investigation type state after module execution. Returned: always |
| | The investigation type state before module execution (null if creating). Returned: when investigation type existed |
| | Message describing the result. Returned: always Sample: |