IBM QRadar Ansible Collection

This is the Ansible Collection provided by the Ansible Security Automation Team for automating actions in IBM QRadar SIEM.

This Collection is meant for distribution through Ansible Galaxy as is available for all Ansible users to utilize, contribute to, and provide feedback about.

Communication

Join the Ansible forum:
- Get Help: get help or help others.
- Social Spaces: gather and interact with fellow enthusiasts.
- News & Announcements: track project-wide announcements including social events.
The Ansible Bullhorn newsletter: used to announce releases and important changes.

For more information about communication, see the Ansible communication guide.

Support

As a Red Hat Ansible Certified Content, this collection is entitled to support through Ansible Automation Platform (AAP).

If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there is community support available at no charge.

You can join us on #network:ansible.com room or the Ansible Forum Network Working Group.

Ansible version compatibility

This collection has been tested against following Ansible versions: >=2.15.0.

For collections that support Ansible 2.9, please ensure you update your network_os to use the fully qualified collection name (for example, cisco.ios.ios). Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. PEP440 is the schema used to describe the versions of Ansible.

Collection Content

Httpapi plugins

Name	Description
ibm.qradar.qradar	HttpApi Plugin for IBM QRadar

Modules

Name	Description
ibm.qradar.deploy	Trigger a qradar configuration deployment
ibm.qradar.log_source_management	Manage Log Sources in QRadar
ibm.qradar.offense_action	Take action on a QRadar Offense
ibm.qradar.offense_info	Obtain information about one or many QRadar Offenses, with filter options
ibm.qradar.offense_note	Create or update a QRadar Offense Note
ibm.qradar.qradar_analytics_rules	Qradar Analytics Rules Management resource module
ibm.qradar.qradar_log_sources_management	Qradar Log Sources Management resource module
ibm.qradar.rule	Manage state of QRadar Rules, with filter options
ibm.qradar.rule_info	Obtain information about one or many QRadar Rules, with filter options

Installing this collection

You can install the IBM qradar collection with the Ansible Galaxy CLI:

ansible-galaxy collection install ibm.qradar

You can also include it in a requirements.yml file and install it with ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: ibm.qradar

Using the IBM QRadar Ansible Collection

An example for using this collection to manage a log source with IBM QRadar is as follows.

inventory.ini (Note the password should be managed by a Vault for a production environment.

[qradar]
qradar.example.com

[qradar:vars]
ansible_network_os=ibm.qradar.qradar
ansible_user=admin
ansible_httpapi_pass=SuperSekretPassword
ansible_httpapi_use_ssl=true
ansible_httpapi_validate_certs=true
ansible_connection=httpapi

NOTE: For Ansible 2.9, you may not see deprecation warnings when you run your playbooks with this collection. Use this documentation to track when a module is deprecated.

Using the modules with Fully Qualified Collection Name (FQCN)

With Ansible Collections there are various ways to utilize them either by calling specific Content from the Collection, such as a module, by its Fully Qualified Collection Name (FQCN) as we'll show in this example or by defining a Collection Search Path as the examples below will display.

I should be noted that the FQCN method is the recommended method but the shorthand options listed below exist for convenience.

qradar_with_collections_example.yml

---
- name: Testing URI manipulation of QRadar with FQCN
  hosts: qradar
  gather_facts: false
  tasks:
    - name: create log source
      ibm.qradar.log_source_management:
        name: "Ansible Collections Example Log Source"
        type_name: "Linux OS"
        state: present
        description: "Ansible Collections Example Log Source Description"

Define your collection search path at the Play level

Below we specify our collection at the Play level which allows us to use the log_source_management module without the need for the FQCN for each task.

qradar_with_collections_example.yml

---
- name: Testing URI manipulation of QRadar
  hosts: qradar
  gather_facts: false
  collections:
    - ibm.qradar
  tasks:
    - name: create log source
      log_source_management:
        name: "Ansible Collections Example Log Source"
        type_name: "Linux OS"
        state: present
        description: "Ansible Collections Example Log Source Description"

Define your collection search path at the Block level

Another option for Collection use is below. Here we use the block level keyword instead of Play level as with the previous example. In this scenario we are able to use the log_source_management module without the need for the FQCN for each task but with an optionally more specific scope of Collection Search Path than specifying at the Play level.

qradar_with_collections_block_example.yml

---
- name: Testing URI manipulation of QRadar
  hosts: qradar
  gather_facts: false
  tasks:
    - name: collection namespace block
      block:
        - name: create log source
          log_source_management:
            name: "Ansible Collections Example Log Source"
            type_name: "Linux OS"
            state: present
            description: "Ansible Collections Example Log Source Description"
      collections:
        - ibm.qradar

Directory Structure

docs/: local documentation for the collection
license.txt: optional copy of license(s) for this collection
galaxy.yml: source data for the MANIFEST.json that will be part of the collection package
playbooks/: playbooks reside here
- tasks/: this holds 'task list files' for include_tasks/import_tasks usage
plugins/: all ansible plugins and modules go here, each in its own subdir
- modules/: ansible modules
- lookups/: lookup plugins
- filters/: Jinja2 filter plugins
- ... rest of plugins
README.md: information file (this file)
roles/: directory for ansible roles
tests/: tests for the collection's content

Contributing to this collection

We welcome community contributions to this collection. If you find problems, please open an issue or create a PR against the IBM QRadar collection repository. See Contributing to Ansible-maintained collections for complete details.

Code of Conduct

This collection follows the Ansible project's Code of Conduct. Please read and familiarize yourself with this document.

Release notes

Release notes are available here.

More information

Licensing

GNU General Public License v3.0 or later.

See LICENSE to see the full text.

ansible-collections / ibm.qradar

readme