splunk.es.splunk_response_plan module – Manage Splunk Enterprise Security response plans
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_response_plan.
New in splunk.es 5.1.0
Synopsis
This module allows for creation, update, and deletion of Splunk Enterprise Security response plans (response templates).
Response plan names are unique in Splunk ES, so
nameis used as the identifier.When
state=present, the module creates or updates the response plan.When
state=absent, the module deletes the response plan.Phases and tasks are matched by name for updates - existing IDs are preserved for items with matching names, and new IDs are generated for new items.
IMPORTANT - Declarative Approach: This module uses a declarative approach where the playbook defines the complete desired state. Whatever you define is exactly what will exist after the module runs. Any existing phases, tasks, or searches that are NOT included in your playbook will be REMOVED. This is not a merge operation - it is a full replacement of the response plan structure.
For example, if a response plan has phases A, B, C and you only define phase A in your playbook, phases B and C will be deleted. The same applies to tasks within phases and searches within tasks.
Note
This module has a corresponding action plugin.
Parameters
Parameter |
Comments |
|---|---|
The app portion of the Splunk API path for the response templates endpoint. Override this if your environment uses a different app name. Default: |
|
The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
|
The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
|
The description of the response plan. |
|
The name of the response plan. This is the unique identifier and is always required. Used to look up existing response plans for update or delete operations. |
|
List of phases in the response plan. Required when Phases are matched by name for updates. Note: Only phases defined here will exist after update. Any existing phases not included in this list will be removed from the response plan. |
|
The name of the phase. Used as identifier for matching during updates. |
|
List of tasks in the phase. Tasks are matched by name within their parent phase for updates. Note: Only tasks defined here will exist in the phase after update. Any existing tasks not included in this list will be removed. |
|
The description of the task. |
|
Whether a note is required when completing the task. Choices:
|
|
The name of the task. Used as identifier for matching during updates. |
|
The owner of the task. Use Use Default: |
|
List of saved searches to attach to the task. Searches are replaced entirely on update (not merged). |
|
The description of the search. |
|
The name of the search. |
|
The SPL (Search Processing Language) query. |
|
The desired state of the response plan. Use Use Choices:
|
|
The status of the response plan template. Use Use Choices:
|
Examples
# Create a new response plan with phases and tasks
- name: Create incident response plan
splunk.es.splunk_response_plan:
name: "Incident Response Plan"
description: "Standard incident response procedure"
template_status: published
phases:
- name: "Investigation"
tasks:
- name: "Initial Triage"
description: "Perform initial assessment of the incident"
is_note_required: true
owner: admin
searches:
- name: "Access Over Time"
description: "Check access patterns"
spl: "| tstats count from datamodel=Authentication by _time span=10m"
- name: "Gather Evidence"
description: "Collect relevant logs and artifacts"
is_note_required: false
- name: "Containment"
tasks:
- name: "Isolate Affected Systems"
description: "Isolate compromised hosts from network"
is_note_required: true
# Create a draft response plan
- name: Create draft response plan
splunk.es.splunk_response_plan:
name: "New Response Workflow"
description: "Work in progress response plan"
template_status: draft
phases:
- name: "Phase 1"
tasks:
- name: "Task 1"
description: "First task"
# Update an existing response plan (adds new task, updates existing)
- name: Update response plan
splunk.es.splunk_response_plan:
name: "Incident Response Plan"
description: "Updated incident response procedure"
template_status: published
phases:
- name: "Investigation"
tasks:
- name: "Initial Triage"
description: "Updated: Perform thorough initial assessment"
is_note_required: true
- name: "New Analysis Task"
description: "This task will be created"
is_note_required: false
- name: "Containment"
tasks:
- name: "Isolate Affected Systems"
description: "Isolate compromised hosts from network"
# Delete a response plan by name
- name: Delete response plan
splunk.es.splunk_response_plan:
name: "Incident Response Plan"
state: absent
# Example: Declarative update - removes phases/tasks not defined
# If the response plan currently has phases "Investigation", "Containment", "Recovery"
# but this playbook only defines "Investigation" and "Containment", then the
# "Recovery" phase will be DELETED. Same applies to tasks within phases.
- name: Update response plan (removes Recovery phase if it existed)
splunk.es.splunk_response_plan:
name: "Incident Response Plan"
description: "Updated procedure - Recovery phase removed"
template_status: published
phases:
- name: "Investigation"
tasks:
- name: "Initial Triage"
description: "Perform initial assessment"
- name: "Containment"
tasks:
- name: "Isolate Systems"
description: "Isolate affected systems"
# Create response plan with custom API path (for non-standard environments)
- name: Create response plan with custom API path
splunk.es.splunk_response_plan:
name: "Custom Response Plan"
description: "Response plan with custom API configuration"
template_status: published
api_namespace: "{{ es_namespace | default('servicesNS') }}"
api_user: "{{ es_user | default('nobody') }}"
api_app: "{{ es_app | default('missioncontrol') }}"
phases:
- name: "Phase 1"
tasks:
- name: "Task 1"
description: "First task"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Whether any changes were made. Returned: always Sample: |
|
Message describing the result. Returned: always Sample: |
|
The response plan result containing before/after states. Returned: always Sample: |
|
The response plan state after module execution (null if deleted). Returned: always |
|
The response plan state before module execution (null if creating). Returned: when response plan existed |