diff --git a/client/models/saved_searches.go b/client/models/saved_searches.go
index ab32c661..10f326e1 100644
--- a/client/models/saved_searches.go
+++ b/client/models/saved_searches.go
@@ -118,6 +118,16 @@ type SavedSearchObject struct {
 ActionJiraServiceDeskParamJiraPriority string `json:"action.jira_service_desk.param.jira_priority,omitempty" url:"action.jira_service_desk.param.jira_priority"`
 ActionJiraServiceDeskParamJiraDescription string `json:"action.jira_service_desk.param.jira_description,omitempty" url:"action.jira_service_desk.param.jira_description"`
 ActionJiraServiceDeskParamJiraCustomfields string `json:"action.jira_service_desk.param.jira_customfields,omitempty" url:"action.jira_service_desk.param.jira_customfields"`
+ ActionSendToPhantom string `json:"action.sendtophantom,omitempty" url:"action.sendtophantom"`
+ ActionSendToPhantomParamPhantomServer string `json:"action.sendtophantom.param.phantom_server,omitempty" url:"action.sendtophantom.param.phantom_server"`
+ ActionSendToPhantomParamServerPlaybookName string `json:"action.sendtophantom.param.server_playbook_name,omitempty" url:"action.sendtophantom.param.server_playbook_name"`
+ ActionSendToPhantomParamSeverity string `json:"action.sendtophantom.param.severity,omitempty" url:"action.sendtophantom.param.severity"`
+ ActionSendToPhantomParamSensitivity string `json:"action.sendtophantom.param.sensitivity,omitempty" url:"action.sendtophantom.param.sensitivity"`
+ ActionSendToPhantomParamLabel string `json:"action.sendtophantom.param.label,omitempty" url:"action.sendtophantom.param.label"`
+ ActionSendToPhantomParamGrouping string `json:"action.sendtophantom.param.grouping,omitempty" url:"action.sendtophantom.param.grouping"`
+ ActionSendToPhantomParamRelayAccount string `json:"action.sendtophantom.param.relay_account,omitempty" url:"action.sendtophantom.param.relay_account"`
+ ActionSendToPhantomParamContainerName string `json:"action.sendtophantom.param.container_name,omitempty" url:"action.sendtophantom.param.container_name"`
+ ActionSendToPhantomParam_CamWorkers string `json:"action.sendtophantom.param._cam_workers,omitempty" url:"action.sendtophantom.param._cam_workers"`
 ActionWebhookParamUrl string `json:"action.webhook.param.url,omitempty" url:"action.webhook.param.url"`
 AlertDigestMode bool `json:"alert.digest_mode" url:"alert.digest_mode"`
 AlertExpires string `json:"alert.expires,omitempty" url:"alert.expires,omitempty"`
diff --git a/splunk/resource_splunk_configs_conf_test.go b/splunk/resource_splunk_configs_conf_test.go
index 50dff922..abfe504f 100644
--- a/splunk/resource_splunk_configs_conf_test.go
+++ b/splunk/resource_splunk_configs_conf_test.go
@@ -112,7 +112,6 @@ func TestAccCreateSplunkConfigsConfSpecialChars(t *testing.T) {
 })
 }
-
 func testAccSplunkConfigsConfDestroyResources(s *terraform.State) error {
 client, err := newTestClient()
 if err != nil {
diff --git a/splunk/resource_splunk_saved_searches.go b/splunk/resource_splunk_saved_searches.go
index 921b7cb1..5afe3d0f 100644
--- a/splunk/resource_splunk_saved_searches.go
+++ b/splunk/resource_splunk_saved_searches.go
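Review bot: The last field added to SavedSearchObject in client/models/saved_searches.go, `ActionSendToPhantomParam_CamWorkers`, puts an underscore in a Go identifier, which departs from the MixedCaps naming of every other field shown in the hunk and is the kind of name golint-style linters flag. The underscore only has to exist in the wire name, so the field can be called `ActionSendToPhantomParamCamWorkers` with its `json` and `url` tags left exactly as they are. The same identifier is referenced in the savedSearchesRead and getSavedSearchesConfig hunks of splunk/resource_splunk_saved_searches.go and would be renamed there as well. The struct declaration starts and ends outside this hunk.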
@@ -695,6 +695,56 @@ func savedSearches() *schema.Resource {
 Description: "URL to send the HTTP POST request to. Must be accessible from the Splunk server.",
 ValidateFunc: validation.StringMatch(regexp.MustCompile(`^https?://[^\s]+$`), "Webhook URL is invalid"),
 },
+ "action_sendtophantom": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Enable the send to phantom action (https://docs.splunk.com/Documentation/SOARExport/4.3.13/UserGuide/Adaptiveresponseactions#Send_to_SOAR_request).",
+ },
+ "action_sendtophantom_param_phantom_server": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "The phantom server.",
+ },
+ "action_sendtophantom_param_server_playbook_name": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "server_playbook_name",
+ },
+ "action_sendtophantom_param_severity": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Alert severity.",
+ },
+ "action_sendtophantom_param_sensitivity": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Alert sensitivity.",
+ },
+ "action_sendtophantom_param_label": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Alert label.",
+ },
+ "action_sendtophantom_param_grouping": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Alert grouping.",
+ },
+ "action_sendtophantom_param_relay_account": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "relay_account (the Alert Action Account).",
+ },
+ "action_sendtophantom_param_container_name": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "search_name (default) or source.",
+ },
+ "action_sendtophantom_param_cam_workers": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Adaptive response relay worker, use [\"local\"] if running locally.",
+ },
 "alert_digest_mode": {
 Type: schema.TypeBool,
 Optional: true,
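Review bot: None of the ten new `action_sendtophantom*` attributes carries a `ValidateFunc`, although the webhook URL attribute directly above them does, so a malformed value is only noticed when Splunk tries to forward an alert. `action_sendtophantom_param_phantom_server` and `action_sendtophantom_param_relay_account` select the server and account that receive the alert data, so they deserve at least a non-empty check, and `action_sendtophantom_param_cam_workers` is documented as a JSON array and could take `ValidateFunc: validation.StringIsJSON,` if the SDK version in use provides it. The description `"server_playbook_name"` only repeats the key; a sentence saying which playbook is meant and in what format the name is given would make it usable, and the accepted values of severity and sensitivity should be listed in their descriptions. savedSearches() starts and ends outside this hunk.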
@@ -1495,6 +1545,36 @@ func savedSearchesRead(d *schema.ResourceData, meta interface{}) error {
 if err = d.Set("action_jira_service_desk_param_jira_customfields", entry.Content.ActionJiraServiceDeskParamJiraCustomfields); err != nil {
 return err
 }
+ if err = d.Set("action_sendtophantom", entry.Content.ActionSendToPhantom); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_phantom_server", entry.Content.ActionSendToPhantomParamPhantomServer); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_server_playbook_name", entry.Content.ActionSendToPhantomParamServerPlaybookName); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_severity", entry.Content.ActionSendToPhantomParamSeverity); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_sensitivity", entry.Content.ActionSendToPhantomParamSensitivity); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_label", entry.Content.ActionSendToPhantomParamLabel); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_grouping", entry.Content.ActionSendToPhantomParamGrouping); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_relay_account", entry.Content.ActionSendToPhantomParamRelayAccount); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_container_name", entry.Content.ActionSendToPhantomParamContainerName); err != nil {
+ return err
+ }
+ if err = d.Set("action_sendtophantom_param_cam_workers", entry.Content.ActionSendToPhantomParam_CamWorkers); err != nil {
+ return err
+ }
 if err = d.Set("action_webhook_param_url", entry.Content.ActionWebhookParamUrl); err != nil {
 return err
 }
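Review bot: These ten `d.Set` calls copy whatever Splunk returns into attributes that the schema hunk declares `Optional` only, so any value the server fills in by itself would show up as a diff on every plan for a configuration that omits the attribute. The `container_name` description ("search_name (default) or source.") hints that at least one server-side default exists, though the diff alone cannot confirm it. If it does, those attributes should also be declared with `Computed: true,`, and an acceptance step that sets `actions = "sendtophantom"` without the optional parameters would show whether the plan stays empty. savedSearchesRead starts and ends outside this hunk.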
@@ -1837,6 +1917,16 @@ func getSavedSearchesConfig(d *schema.ResourceData) (savedSearchesObj *models.Sa
 ActionJiraServiceDeskParamJiraPriority: d.Get("action_jira_service_desk_param_jira_priority").(string),
 ActionJiraServiceDeskParamJiraDescription: d.Get("action_jira_service_desk_param_jira_description").(string),
 ActionJiraServiceDeskParamJiraCustomfields: d.Get("action_jira_service_desk_param_jira_customfields").(string),
+ ActionSendToPhantom: d.Get("action_sendtophantom").(string),
+ ActionSendToPhantomParamPhantomServer: d.Get("action_sendtophantom_param_phantom_server").(string),
+ ActionSendToPhantomParamServerPlaybookName: d.Get("action_sendtophantom_param_server_playbook_name").(string),
+ ActionSendToPhantomParamSeverity: d.Get("action_sendtophantom_param_severity").(string),
+ ActionSendToPhantomParamSensitivity: d.Get("action_sendtophantom_param_sensitivity").(string),
+ ActionSendToPhantomParamLabel: d.Get("action_sendtophantom_param_label").(string),
+ ActionSendToPhantomParamGrouping: d.Get("action_sendtophantom_param_grouping").(string),
+ ActionSendToPhantomParamRelayAccount: d.Get("action_sendtophantom_param_relay_account").(string),
+ ActionSendToPhantomParamContainerName: d.Get("action_sendtophantom_param_container_name").(string),
+ ActionSendToPhantomParam_CamWorkers: d.Get("action_sendtophantom_param_cam_workers").(string),
 ActionWebhookParamUrl: d.Get("action_webhook_param_url").(string),
 AlertComparator: d.Get("alert_comparator").(string),
 AlertCondition: d.Get("alert_condition").(string),
diff --git a/splunk/resource_splunk_saved_searches_test.go b/splunk/resource_splunk_saved_searches_test.go
index 18f104ca..1a7a18f3 100644
--- a/splunk/resource_splunk_saved_searches_test.go
+++ b/splunk/resource_splunk_saved_searches_test.go
@@ -284,6 +284,34 @@ resource "splunk_saved_searches" "test" {
 }
 `
+const newSavedSearchesSendToPhantom = `
+resource "splunk_saved_searches" "test" {
+ name = "Test Phantom Alert"
+ actions = "sendtophantom"
+ action_sendtophantom = "1"
+ action_sendtophantom_param_phantom_server = "test_phantom_server"
+ action_sendtophantom_param_server_playbook_name = "test_playbook"
+ action_sendtophantom_param_severity = "high"
+ action_sendtophantom_param_sensitivity = "amber"
+ action_sendtophantom_param_label = "test"
+ action_sendtophantom_param_grouping = "1"
+ action_sendtophantom_param_relay_account = "test_relay_account"
+ action_sendtophantom_param_container_name = "default"
+ action_sendtophantom_param_cam_workers = "[\"local\"]"
+ alert_comparator = "greater than"
+ alert_digest_mode = true
+ alert_expires = "30d"
+ alert_threshold = "0"
+ alert_type = "number of events"
+ cron_schedule = "*/1 * * * *"
+ disabled = false
+ is_scheduled = true
+ is_visible = true
+ realtime_schedule = true
+ search = "index=main level=error"
+}
+`
+
 func TestAccSplunkSavedSearches(t *testing.T) {
 resourceName := "splunk_saved_searches.test"
 resource.Test(t, resource.TestCase{
@@ -423,6 +451,34 @@ func TestAccSplunkSavedSearches(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "search", "index=main level=error"),
 ),
 },
+ {
+ Config: newSavedSearchesSendToPhantom,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "name", "Test Phantom Alert"),
+ resource.TestCheckResourceAttr(resourceName, "actions", "sendtophantom"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom", "1"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_phantom_server", "test_phantom_server"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_server_playbook_name", "test_playbook"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_severity", "high"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_sensitivity", "amber"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_label", "test"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_grouping", "1"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_relay_account", "test_relay_account"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_container_name", "default"),
+ resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_cam_workers", "[\"local\"]"),
+ resource.TestCheckResourceAttr(resourceName, "alert_comparator", "greater than"),
+ resource.TestCheckResourceAttr(resourceName, "alert_digest_mode", "true"),
+ resource.TestCheckResourceAttr(resourceName, "alert_expires", "30d"),
+ resource.TestCheckResourceAttr(resourceName, "alert_threshold", "0"),
+ resource.TestCheckResourceAttr(resourceName, "alert_type", "number of events"),
+ resource.TestCheckResourceAttr(resourceName, "cron_schedule", "*/1 * * * *"),
+ resource.TestCheckResourceAttr(resourceName, "disabled", "false"),
+ resource.TestCheckResourceAttr(resourceName, "is_scheduled", "true"),
+ resource.TestCheckResourceAttr(resourceName, "is_visible", "true"),
+ resource.TestCheckResourceAttr(resourceName, "realtime_schedule", "true"),
+ resource.TestCheckResourceAttr(resourceName, "search", "index=main level=error"),
+ ),
+ },
 {
 Config: newSavedSearchesSlack,
 Check: resource.ComposeTestCheckFunc(