Version 1.0.2 (#10)

Closes #8 
Fixes #11 
Closes #13

.github/workflows/appinspect.yml

@@ -42,16 +42,15 @@ jobs:
       - name: Get report
         run: |
           validate.sh report
-          ls ~/build/reports
       - name: Collect report
         uses: actions/upload-artifact@v3
         with:
-          name: appinspect report
+          name: Appinspect-report
           path: ~/build/reports/
       - name: Collect app package
         uses: actions/upload-artifact@v3
         with:
-          name: App package
+          name: App-package
           path: ~/build/packages/
       - name: Check Appinspect for issues
         run: validate.sh get_errors

.github/workflows/release.yml

@@ -0,0 +1,26 @@
+name: release
+on:
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - "src/**"
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Install dependencies
+        run: sudo apt-get install -y jq
+      - name: Get version
+        id: version
+        run: echo "::set-output name=version::$(cat src/SA-CrowdstrikeDevices/app.manifest | jq -r .info.id.version)"
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          name: SA-CrowdstrikeDevices v${{ steps.version.outputs.version }}
+          tag_name: v${{ steps.version.outputs.version }}

README.md

@@ -1,47 +1,50 @@
-# SA-CrowdstrikeDevices for Splunk Enterprise Security
+[![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg)](https://splunk-sa-crowdstrike.ztsplunker.com)
 
-[![GitHub](https://img.shields.io/github/license/ZachChristensen28/SA-CrowdstrikeDevices)]()
+![GitHub](https://img.shields.io/github/license/zachchristensen28/SA-CrowdstrikeDevices)
 [![Docs](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/docs.yml/badge.svg)](https://splunk-sa-crowdstrike.ztsplunker.com/)
 ![Appinspect](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/appinspect.yml/badge.svg)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/SA-CrowdstrikeDevices)
-[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeDevices-blue)](https://splunkbase.splunk.com/app/4505/)
+[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeDevices-blue)](https://splunkbase.splunk.com/app/6573)
 [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263)
 ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
 
 This supporting add-on comes with prebuilt content for CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database.
 
-## Documentation
-
-Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com)
-
-```
-
+```markdown
 ** This supporting add-on is only intended to work with Splunk Enterprise Security deployments **
-
 ```
 
-![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg)
+## Documentation
+
+Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com).
 
 ## Disclaimer
 
-> *This Splunk Supporting Add-on is __not__ affiliated with* [__Crowdstrike, Inc.__](https://www.crowdstrike.com) *and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with the Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.*
+> *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.*
 
 ## About
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
-Splunk Enterprise Security Version <small>(Required)</small> | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
-Crowdstrike Devices Add-on <small>(Required)</small> | [3.x](https://splunkbase.splunk.com/app/5570)
+SA-CrowdstrikeDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
+Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.
 
-```TEXT
-Version 1.0.1
+```text
+Version 1.0.2
+
+New
+- added `first_seen`, `last_seen`, and `last_updated` to category field (#8).
+- added `site_name` to existing `bunit` field (#13).
+
+Updated
+- Changed app logo background to transparent.
 
-- Initial release
-- Hotfix for missing `_key` field in saved search.
+Fixed
+- Updated saved search to preserve hosts with multiple IP/MAC addresses (#11).
 ```
 
-## Issues or Feature Request
+## Issues or Feature Requests
 
-Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues)
+Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues).

docs/configure/best-practice/clone-search.md

@@ -0,0 +1,23 @@
+# Clone default saved search
+
+In order to preserve the default behavior and to compare changes to new releases, it is recommended to clone the default search `Crowdstrike Devices Lookup - Gen` before making any changes.
+
+## Clone
+
+Perform the following to clone the default search:
+
+1. Navigate to Settings > Searches, reports, and alerts.
+1. Change "App" filter to `SA-CrowdstrikeDevices`.
+1. Change "Owner" to `All`.
+1. For the search named "Crowdstrike Devices Lookup - Gen" click "Edit" under Actions.
+1. From the dropdown menu click "Clone."
+1. <small>(optional)</small> Update the Title.
+1. Set "Permissions" to `clone`.
+1. Click "Clone Report" to finish.
+
+## Disable default search
+
+Disable the original search:
+
+1. For the search named "Crowdstrike Devices Lookup - Gen" click "Edit" under Actions.
+1. From the dropdown menu click "Disable" to disable the default search.

docs/configure/bunit.md

@@ -1,9 +1,5 @@
 # Business Unit Field (bunit)
 
-!!! info "To update the `bunit` field modify the `Crowdstrike Devices Lookup - Gen` saved search."
+!!! info "To update the `bunit` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))."
 
-The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table.
-
-Mapped Field | Crowdstrike field
------------- | -----------------
-bunit | `falcon_device.ou{}`
+The bunit field will most likely need to be updated. Every organization will have different values for this field. See [Asset Mappings](/reference/asset-mapping) for description of the default fields used.

docs/configure/category.md

@@ -1,6 +1,6 @@
 # Category Field
 
-!!! info "To update the `category` field modify the `Crowdstrike Devices Lookup - Gen` saved search."
+!!! info "To update the `category` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))."
 
 The category field by default includes many important fields. Most will find that the default configuration for this field will work for their needs.
 

docs/configure/index.md

@@ -2,6 +2,9 @@
 
 Each field can be customized to fit your environment. The following fields should be examined and tailored to your data.
 
-- [Priorities](./priority)
-- [Categories](./category)
-- [Business Unit](./bunit)
+!!! info "It is recommended to clone the default search before making changes (see [Clone Saved Search](./best-practice/clone-search))."
+
+- [Update Priority](./priority)
+- [Update Category](./category)
+- [Update Business Unit](./bunit)
+- [Update Schedule](./schedule.md)

docs/configure/priority.md

@@ -1,6 +1,6 @@
 # Priority Field
 
-!!! info "To update the `priority` field modify the `Crowdstrike Devices Lookup - Gen` saved search."
+!!! info "To update the `priority` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))."
 
 The priority field is very generic by default and should be updated to suite your environment. The following table describes how this field is set.
 

docs/configure/schedule.md

@@ -0,0 +1,13 @@
+# Update Schedule
+
+!!! info "To update the schedule modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))."
+
+The default saved search runs on the 19th minute of every hour to update and continually build the Crowdstrike assets. Most users will find that this schedule works for their environment.
+
+To update the default schedule perform the following steps:
+
+1. Navigate to Settings > Searches, reports, and alerts.
+1. Set the "App" dropdown to `SA-CrowdstrikeDevices`.
+1. Set the "Owner" dropdown to `All`.
+1. Click "Edit" under actions for the search `Crowdstrike Devices Lookup - Gen` or the name of the cloned search (see [Clone Saved Search](../best-practice/clone-search)).
+1. Click "Edit Schedule" and update the schedule and necessary.

docs/index.md

@@ -15,7 +15,7 @@ The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use
 !!! quote ""
     __*Disclaimer*__
 
-    *This Splunk Supporting Add-on is __not__ affiliated with* [__Crowdstrike, Inc.__](https://www.crowdstrike.com) *and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with the Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.*
+    *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.*
 
 ## Assumptions
 
@@ -29,7 +29,7 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
 Splunk Enterprise Security Version <small>(Required)</small> | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on <small>(Required)</small> | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.

docs/quickstart/quickstart.md

@@ -4,31 +4,46 @@ This add-on has a saved search and Asset configuration input enabled by default.
 
 ## Overview
 
-1. [Updated default macro](#update-default-macro)
+1. [Updated default macro](#update-default-macro).
+1. [Force Initial Build](#force-initial-build).
 1. [Enable asset correlation](#enable-asset-correlation).
 1. <small>(optional)</small> [Update default saved search schedule](#update-default-saved-search-schedule).
 1. <small>(optional)</small> [Disable existing asset sources](#disable-existing-asset-sources).
 
 ## Update default macro
 
 !!! danger "[Danger, Will Robinson](https://cultural-phenomenons.fandom.com/wiki/Danger,_Will_Robinson)"
-    Failure to update the macro to the correct setting will cause the no devices to be available in Splunk Enterprise Security.
+    Failure to update the macro to the correct setting will cause no devices to be available in Splunk Enterprise Security.
 
 Macro | Default | Description
 ----- | ------- | -----------
 `sa_crowdstrike_index` | index=crowdstrike | Index definition for Crowdstrike devices index.
 
-> \*update the index definition to the correct index that contains the `crowdstrike:device:json` sourcetype.
-
 ### Update Macro Procedure
 
+!!! note "Update the index definition to the correct index that contains the `crowdstrike:device:json` sourcetype."
+
 1. Navigate to Settings > Advanced Search > Search Macros.
 1. From the "App" dropdown choose `SA-CrowdstrikeDevices`.
 1. Set the "Owner" dropdown to `any`.
 1. Click the macro named `sa_crowdstrike_index` to update the index definition.
 
 ---
 
+## Force Initial Build
+
+The initial build of the Crowdstrike assets will not occur until the first scheduled runtime (see [Update default saved search schedule](#update-default-saved-search-schedule)). To force the initial build perform the following:
+
+1. Navigate to Settings > Searches, reports, and alerts.
+1. Set the "App" dropdown to `SA-CrowdstrikeDevices`.
+1. Set the "Owner" dropdown to `All`.
+1. Click "Run" under actions for the search `Crowdstrike Devices Lookup - Gen`.
+
+!!! note
+    The search will run in a new tab over the default time period of 60 minutes. Expand the timeframe to a larger window if the number of hosts in the last 60 minutes does not seem accurate. The default search is configured to run hourly to continually append new devices reported from Crowdstrike.
+
+---
+
 ## Enable asset correlation
 
 Confirm asset correlation has been setup in Enterprise Security.

docs/reference/asset-mapping.md

@@ -1,26 +1,31 @@
+---
+hide:
+    - toc
+---
+
 # Asset Database Mapping
 
 The following table describes how this add-on maps to the Asset Database.
 
 > reference [Format an asset or identity in Splunk ES](https://docs.splunk.com/Documentation/ES/latest/Admin/Formatassetoridentitylist#Asset_lookup_header)
 
-ES Asset lookup field | SA-CrowdstrikeDevices example value
---------------------- | -----------------------------------
-ip | 10.15.23.8
-mac | 61:se:e3:1s:7r:38
-nt_host | dev-server01
-dns | dev-server01.example.com
-owner | `not mapped`
-priority | medium
-lat | 40.76073
-long | -111.89096
-city | Salt Lake City
-country | United States
-bunit | computer,finance
-category | see [Category Field reference](../category)
-pci_domain | `not mapped`
-is_expected | `not mapped`
-should_timesync | `not mapped`
-should_update | `not mapped`
-requires_av | `not mapped`
-cim_entity_zone | `not mapped`
+ES Asset lookup field | [Crowdstrike Device TA Fields](https://splunkbase.splunk.com/app/5570) | Example value | Multi-value allowed
+--- | --- | --- | ---
+ip | `falcon_device.local_ip` | 10.15.23.8 | true
+mac | `mac` | 61:se:e3:1s:7r:38 | true
+nt_host | `falcon_device.hostname` | dev-server01 | false
+dns | `nt_host` + `falcon_device.machine_domain` | dev-server01.example.com | true
+owner | n/a | `not mapped` | n/a
+priority | see [Configure Priority](/configure/priority) | medium | false
+lat | from `iplocation` of `falcon_device.external_ip` | 40.76073 | false
+long | from `iplocation` of `falcon_device.external_ip` | -111.89096 | false
+city | from `iplocation` of `falcon_device.external_ip` | Salt Lake City | false
+country | from `iplocation` of `falcon_device.external_ip` | United States | false
+bunit | `falcon_device.ou{}` + `falcon_device.site_name` | computer,finance | true
+category | see [Category field reference](../category) | see [Category field reference](../category) | true
+pci_domain | n/a | `not mapped` | n/a
+is_expected | n/a | `not mapped` | n/a
+should_timesync | n/a | `not mapped` | n/a
+should_update | n/a | `not mapped` | n/a
+requires_av | n/a | `not mapped` | n/a
+cim_entity_zone | n/a | `not mapped` | n/a

docs/reference/category.md

@@ -1,4 +1,4 @@
-# Categories
+# Category
 
 ## Default category field mapping
 
@@ -21,8 +21,11 @@ cs_sys_mf | `falcon_device.system_manufacturer` | hp
 cs_sys_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
 cs_external_ip | `falcon_device.external_ip` | 0.0.0.0
 cs_tags | `falcon_device.tags{}` | n/a
+cs_first_seen | `falcon_device.first_seen` | 02/14/22 09:52:05 MST
+cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT
+splunk_last_update | n/a | 08/26/22 18:54:42 MDT
 
-Full example of category value
+### Full example of category value
 
 ```text
 cs_agent_version:6.40.15406.0
@@ -41,4 +44,7 @@ cs_os_platform:windows
 cs_sys_mf:hp
 cs_sys_name:hp_elitebook_850_g7_notebook_pc
 cs_uninstallprotection:enabled
+cs_first_seen:02/14/22 09:52:05 MST
+cs_last_seen:08/24/22 13:25:24 MDT
+splunk_last_updated:08/26/22 18:54:42 MDT
 ```

docs/releases/index.md

@@ -1,6 +1,6 @@
 # Release notes
 
-## v1.0.1 <small>August 25, 2022</small>
+## v1.0.2 <small>placeholder</small>
 
 ### Compatibility
 
@@ -10,8 +10,18 @@ Splunk platform versions | 9.x, 8.x
 Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570)
 
-- Initial Release
-- Hotfix for missing `_key` field in saved search.
+### New
+
+- added `first_seen`, `last_seen`, and `last_updated` to category field ([#8](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/8)).
+- added `site_name` to existing `bunit` field ([#13](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/13)).
+
+### Updated
+
+- Changed app logo background to transparent.
+
+### Fixed
+
+- Updated saved search to preserve hosts with multiple IP/MAC addresses ([#11](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/11)).
 
 ## Known issues
 

docs/releases/release-history.md

@@ -1,5 +1,9 @@
 # Release history
 
+## v1.0.1 <small>August 25, 2022</small>
+
+- Hotfix for missing `_key` field in saved search.
+
 ## v1.0.0 <small>August 25, 2022</small>
 
 - Initial Release

docs/troubleshooting/index.md

@@ -5,3 +5,4 @@ There can be many issues when setting up a new app/add-on in Splunk. Below highl
 Issue | Description | Solution
 ----- | ----------- | --------
 Multiple asset merge | It is possible that some of your devices share a common mac address or another key field which will cause merging by default. | If Crowdstrike is your only asset source you can disable asset merge under global settings. See [Asset Merge Solution](./solution-guides/asset-merge) for more information.
+Asset Database not populating with Crowdstrike Data | The asset database may show no Crowdstrike data if the initial search has not run to build the asset database or the default macro has not been updated. | Verify the default macro has the correct index definition (see [Update Default Macro](/quickstart/quickstart/#update-default-macro)). Also see [Force build](/quickstart/quickstart/#force-initial-build) to build the Crowdstrike assets lookup before the first scheduled run.