splunk.es.splunk_response_plan_execution module – Apply response plans to investigations and manage tasks
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install splunk.es`.
To use it in a playbook, specify: `splunk.es.splunk_response_plan_execution`.
New in splunk.es 5.1.0
Synopsis
- This module applies or removes response plans from Splunk Enterprise Security investigations.
- It also manages the task lifecycle within applied response plans (start, end, change owner).
- The `response_plan` parameter accepts either a UUID or a name.
- When `state=present`, the response plan is applied to the investigation.
- When `state=absent`, the response plan is removed from the investigation.
- Use the `tasks` parameter to manage individual task statuses and owners within the applied plan.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| `api_app` | The app portion of the Splunk API path. Override this if your environment uses a different app name. Default: not preserved in this rendering; the custom API configuration example below passes `missioncontrol` when `es_app` is unset. |
| `api_namespace` | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: not preserved in this rendering; the custom API configuration example below passes `servicesNS` when `es_namespace` is unset. |
| `api_user` | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: not preserved in this rendering; the custom API configuration example below passes `nobody` when `es_user` is unset. |
| `investigation_ref_id` | The investigation UUID to apply or manage response plans on. This is the unique identifier of the investigation in Splunk ES. |
| `response_plan` | The response plan template to apply or remove. Accepts either a UUID (e.g., `2dc5530d-8bb0-4a4f-9b53-74745bf4ea6a`) or a name (e.g., `Incident Response Plan`). If UUID format is detected, it is used directly as the template ID. If not a UUID, the module performs an API lookup to resolve the name to an ID. |
| `state` | The desired state of the response plan on the investigation. Use `present` to apply the plan; use `absent` to remove it. Choices: `present`, `absent`. |
| `tasks` | List of tasks to manage within the applied response plan. Each task is identified by phase name and task name. You can set the task status (started/ended) and/or change the owner. Tasks are only managed when `state=present`. |
| `tasks` / `owner` | The owner/assignee of the task. Pass a username to assign the task; the examples below also show `unassigned`. |
| `tasks` / `phase_name` | The name of the phase containing the task. Used to look up the phase ID within the applied response plan. |
| `tasks` / `status` | The desired status of the task. Choices: `started`, `ended`. |
| `tasks` / `task_name` | The name of the task to manage. Used to look up the task ID within the phase. |
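As an added example that is not code from the splunk.es collection, the Python below sketches the behaviour the parameter table describes: a `response_plan` value is used as the template ID when it is a UUID and resolved by name otherwise, tasks are located by `phase_name` and then `task_name` inside the applied plan, and the result carries before/after states with a `changed` flag in the spirit of the Return Values section. The template catalogue, the phase/task layout, the initial `pending` status, the result key names and every function name are assumptions made for illustration; the real module talks to the Splunk ES API instead of the constructed data here.

```python
"""Constructed illustration of UUID-or-name resolution, task lookup and before/after results."""
import copy
import uuid

# Constructed stand-in for the template catalogue that the name lookup would query.
TEMPLATES = [
    {"id": "2dc5530d-8bb0-4a4f-9b53-74745bf4ea6a", "name": "Incident Response Plan"},
    {"id": "6f9b1c2e-4d3a-4b5c-8e7f-9a0b1c2d3e4f", "name": "Custom Response Plan"},
]

# Constructed phase/task layout of a freshly applied plan (assumed structure).
PLAN_LAYOUT = {
    "2dc5530d-8bb0-4a4f-9b53-74745bf4ea6a": [
        {"id": "phase-1", "name": "Investigation Phase", "tasks": [
            {"id": "task-1", "name": "Initial Triage"},
            {"id": "task-2", "name": "Gather Evidence"}]},
        {"id": "phase-2", "name": "Containment Phase", "tasks": [
            {"id": "task-3", "name": "Isolate Systems"}]},
    ],
}


def looks_like_uuid(value):
    """True only for a canonical hyphenated UUID string; anything else is treated as a name."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError):
        return False


def resolve_template_id(reference, templates=TEMPLATES):
    """Use a UUID directly; otherwise require exactly one template with that name."""
    if looks_like_uuid(reference):
        return reference
    matches = [t["id"] for t in templates if t["name"] == reference]
    if len(matches) != 1:
        raise LookupError(f"response plan {reference!r}: {len(matches)} templates match, need exactly 1")
    return matches[0]


def new_instance(template_id):
    """Simulate applying a template: every task starts pending and unassigned (assumption)."""
    phases = copy.deepcopy(PLAN_LAYOUT.get(template_id, []))
    for phase in phases:
        for task in phase["tasks"]:
            task.update(status="pending", owner="unassigned")
    return {"id": str(uuid.uuid4()), "template_id": template_id, "phases": phases}


def find_task(plan, phase_name, task_name):
    """Locate a task by phase name, then task name, failing loudly on either miss."""
    phase = next((p for p in plan["phases"] if p["name"] == phase_name), None)
    if phase is None:
        raise LookupError(f"phase {phase_name!r} not in applied plan")
    task = next((t for t in phase["tasks"] if t["name"] == task_name), None)
    if task is None:
        raise LookupError(f"task {task_name!r} not in phase {phase_name!r}")
    return task


def apply_task_updates(plan, tasks):
    """Set status and/or owner per task spec in place and report what changed for each."""
    results = []
    for spec in tasks:
        task = find_task(plan, spec["phase_name"], spec["task_name"])
        changed = False
        for field, allowed in (("status", ("started", "ended")), ("owner", None)):
            wanted = spec.get(field)
            if wanted is None:
                continue
            if allowed and wanted not in allowed:
                raise ValueError(f"{field}={wanted!r} is not one of {allowed}")
            if task[field] != wanted:
                task[field] = wanted
                changed = True
        results.append({"phase_name": spec["phase_name"], "task_name": spec["task_name"],
                        "status": task["status"], "owner": task["owner"], "changed": changed})
    return results


def execute(params, applied_plan, templates=TEMPLATES):
    """One module run. applied_plan is the instance currently on the investigation, or None.
    Returns (new instance or None, result with before/after states and a changed flag)."""
    template_id = resolve_template_id(params["response_plan"], templates)
    state = params.get("state", "present")
    plan, changed = copy.deepcopy(applied_plan), False
    if state == "present" and plan is None:
        plan, changed = new_instance(template_id), True
    elif state == "absent" and plan is not None:
        plan, changed = None, True
    task_results = []
    if state == "present" and params.get("tasks"):  # tasks are only managed on an applied plan
        task_results = apply_task_updates(plan, params["tasks"])
        changed = changed or any(r["changed"] for r in task_results)

    def snapshot(p):
        return {"applied": p is not None, "execution_id": p["id"] if p else None,
                "template_id": template_id}

    return plan, {"changed": changed, "before": snapshot(applied_plan),
                  "after": snapshot(plan), "tasks": task_results}
```

Running `execute` twice with the same parameters yields `changed: false` on the second pass, which is the idempotent behaviour a playbook relies on; a `phase_name` or `task_name` that does not exist in the applied plan raises instead of silently skipping the task.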
Examples
```yaml
# Apply a response plan to an investigation by name
- name: Apply response plan to investigation
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "Incident Response Plan"
    state: present

# Apply a response plan by UUID (no lookup needed)
- name: Apply response plan by ID
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "2dc5530d-8bb0-4a4f-9b53-74745bf4ea6a"
    state: present

# Apply response plan and start a task
- name: Apply response plan and start initial triage
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "Incident Response Plan"
    state: present
    tasks:
      - phase_name: "Investigation Phase"
        task_name: "Initial Triage"
        status: started
        owner: admin

# Manage multiple tasks in an applied response plan
- name: Update multiple task statuses
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "Incident Response Plan"
    state: present
    tasks:
      - phase_name: "Investigation Phase"
        task_name: "Initial Triage"
        status: ended
        owner: admin
      - phase_name: "Investigation Phase"
        task_name: "Gather Evidence"
        status: started
        owner: analyst1
      - phase_name: "Containment Phase"
        task_name: "Isolate Systems"
        owner: unassigned

# Remove a response plan from an investigation
- name: Remove response plan from investigation
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "Incident Response Plan"
    state: absent

# Apply response plan with custom API configuration
- name: Apply response plan with custom API path
  splunk.es.splunk_response_plan_execution:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan: "Custom Response Plan"
    state: present
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
```
Return Values
Common return values are documented here; the following fields are unique to this module (sample values were not preserved in this rendering):
- `changed`: Whether any changes were made. Returned: always.
- Message describing the result. Returned: always.
- The response plan execution result containing before/after states. Returned: always.
  - The state after module execution. Returned: always.
    - Whether the response plan is applied after execution. Returned: success.
    - The ID of the applied response plan instance (if applied). Returned: success.
    - The response plan template ID. Returned: success.
  - The state before module execution. Returned: always.
    - Whether the response plan was applied before execution. Returned: success.
    - The ID of the applied response plan instance (if applied). Returned: success.
    - The response plan template ID. Returned: success.
  - List of tasks that were updated (when the `tasks` parameter is used). Returned: when the `tasks` parameter is provided.
    - Whether this specific task was changed. Returned: success.
    - The task owner after update. Returned: success.
    - The phase name containing the task. Returned: success.
    - The task status after update. Returned: success.
    - The task name. Returned: success.