From 8f2352a51d779ccb2b2f2da745a40623c3a3ad2c Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 20:33:28 -0600 Subject: [PATCH 01/21] adding time fields for fr #8 (#9) Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> the included change will append the following to the category field: example value --- ``` cs_first_seen:02/14/22 09:52:05 MST cs_last_seen:08/24/22 13:25:24 MDT splunk_last_updated:08/26/22 18:54:42 MDT ``` date is defined as `%x` - The date in the format of the current locale. For example, 7/13/2019 for US English. time is defined as `%T %Z` reference: [Splunk Docs](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables) --- docs/reference/category.md | 8 +++++++- src/SA-CrowdstrikeDevices/default/savedsearches.conf | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/reference/category.md b/docs/reference/category.md index 86c3801..d556238 100644 --- a/docs/reference/category.md +++ b/docs/reference/category.md @@ -21,8 +21,11 @@ cs_sys_mf | `falcon_device.system_manufacturer` | hp cs_sys_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc cs_external_ip | `falcon_device.external_ip` | 0.0.0.0 cs_tags | `falcon_device.tags{}` | n/a +cs_first_seen | `falcon_device.first_seen` | 02/14/22 09:52:05 MST +cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT +splunk_last_update | n/a | 08/26/22 18:54:42 MDT -Full example of category value +### Full example of category value ```text cs_agent_version:6.40.15406.0 @@ -41,4 +44,7 @@ cs_os_platform:windows cs_sys_mf:hp cs_sys_name:hp_elitebook_850_g7_notebook_pc cs_uninstallprotection:enabled +cs_first_seen:02/14/22 09:52:05 MST +cs_last_seen:08/24/22 13:25:24 MDT +splunk_last_updated:08/26/22 18:54:42 MDT ``` 
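Review bot: in the `docs/reference/category.md` table hunk the new `cs_last_seen` row points at the wrong source field and the `splunk_last_update` row does not match the token the saved search emits. The row `cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT` should reference `falcon_device.last_seen`, which is what the `savedsearches.conf` change in this same patch reads (`strptime('falcon_device.last_seen', ...)`), and the row name should be `splunk_last_updated`, the label used both in the full example block further down and in the `"splunk_last_updated:".strftime(now(), ...)` line of the conf. Worth fixing before release, since this table is what users consult when mapping a token in `category` back to a CrowdStrike field.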
diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf index f3e4ac6..aeca2f7 100644 --- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf +++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf @@ -35,6 +35,11 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \ "cs_tags:".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\ "gen:sa-crowdstrike"\ ))), "|"), " |-", "_"), "(?:\|[^:]+:[_]+)(\|*)", "\1"),\ + category=category."|".mvjoin(mvappend(\ + "cs_first_seen:".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\ + "cs_last_seen:".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\ + "splunk_last_updated:".strftime(now(), "%x %T %Z")\ + ), "|"),\ nt_host=lower('falcon_device.hostname'),\ dns=lower(nt_host.".".'falcon_device.machine_domain'),\ mac=lower(replace('falcon_device.mac_address', "-", ":")),\ From 510f875fcc270272492e169cd464a96532e12d8c Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 20:37:49 -0600 Subject: [PATCH 02/21] changing to transparent background Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- src/SA-CrowdstrikeDevices/static/appIcon.png | Bin 1370 -> 1551 bytes .../static/appIcon_2x.png | Bin 3268 -> 3502 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
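Review bot: the `savedsearches.conf` hunk does not guard against a missing or unparsable `falcon_device.first_seen` / `falcon_device.last_seen`. If `strptime(..., "%FT%T%Z")` fails for a device (field absent, or the timestamp in a layout the format string does not match), `strftime` returns null and the `"cs_first_seen:".` concatenation itself evaluates to null, so the token silently drops out of `category` instead of appearing with a visibly empty value. Wrapping each value in `coalesce(strftime(...), "n/a")` keeps the token present and makes parse failures visible in the asset record. Separately, `%x` is locale-dependent, as the commit message itself notes, so the date layout inside `category` will differ between search heads running under different locales; anything downstream that parses this string should not assume `MM/DD/YY`, or the search should use a fixed layout such as `%Y-%m-%d`.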
diff --git a/src/SA-CrowdstrikeDevices/static/appIcon.png b/src/SA-CrowdstrikeDevices/static/appIcon.png index 2ebdc9d9f45328ddd4e6b2777b3fdd3561671d1d..d4526160e392bb622a644a1cfb27c94488a34cb0 100644 GIT binary patch delta 1496 zcmV;}1t=I5;S)CXeaUr^DahA8XdEfyrc= zMWWhe)qQY5WsQxE6%9Ys!nS7{B6ZwpqKf_%dF=(v!9T?1C7T2D_t&ATs|&@&#d##? zps08NV}cHU^d1U(x}=$-0aLW{+JAF24!gW^vSaZIL?tA;6*RsJbXtr=Jq7We$7fHu z!}X}WdKJ(cVDI<~elMiMVGM+R%Qw(0%7H^aMK+pTTnge|QugnGmb>Npb$^N^4h%N^ zg1`?y!L*-Fz@Nlv-&h6*jj_qXwTB4Nbw>`v`rVh%kT9)Yk6V>rLu&{`P-ZTsm3@kk zhTowrC>)*TKH*l-9ViT#YGJQ8!FI3~mXl4=P7`v90mkL4;Gmi5D-#x^P)u^9&4>1_ zLinr67}!z{3ym$toNi%?0)O42m%#!IqUDG>@A)PlF;q|ex2uFq4m$&b5(fD+I#|<=95rbTVyNG@mdf^Lw|qvy*tpK{|fM{ z8ICi5I_)IZTgC)=J7c*hg>P9dUxH5Bd|^z`t;A>1&~HVvWmu#?25o2?ns_?%pK`N> zC+EFPBRZ(*FUlvmhHpRKud1s0EI&UV9UUDLUX?u|C@2UsX3W6m&6`nCQIR>))_R^{a6M988bI5-$fmwzr@MqQaCO+MpR5Irn} z(vNfI%=tJX;vPM?dGjXn^76Q_Mr!kgH2Z|xkV+5AqOSUxyd%mqjzm7nb-r;UHg4RA z_V#wI)oSJE0$RRvLUUeZq-G7Am_;|N@O-+rJ(sDW^o)b41htWa(}-+e=H{w5Zro5)Qc_eJLuyu5mP#Q&;+S8#ZhZ z_v4X$=gyssPZ0jR)YR114jnqwOS6>G`o?JNvE93OcazAcN4spD*=+unf*)v|L3nt$ z_+en?%zv3Ud-g2IbNp8e-qa-|6qS{g{QM4DR!~@22ol0$6>4j1v3~vfZ0a&IwcERO z>(&DKwK3++oA<#zTNrXJ$P)+)3llMhm-)2jEA{Nzvt_FXLxB?xhXaX;iDKiQoSY1L zxX8KvZjK&3T3KCPz2GrIn$X$VdHM9|)8Ds86@&I yX@Xv_9}CPBF8Cgi-5rNC)WB_A@&)%X3iuc9yMZ5t4#-*n0000O3O4B85i83+OZ003@c56_VyG=Bu|NklE{kDmFwrb^4cUYmG+Z#KeT)UKMJ!IzK*P#~8ue1}1&9CAqGA{rzASzE z5DPF#!9ErjFS827D}p$54gZKg`UJVO1P?sJZb|0mWX(*YeNd0z(Wsj{sGRl zILk{|2wAhqW1jKM&2qg(NKpG3lt6jNlGmi;aw1fCdOg2F`u5MK7Lo~cN-K%5VPar zCy+0IjX*}o{DqrgN!;IYA!z8HI`GBxO=6Ni&wwP9{g>v}0~eJxWq47({~C+ZWQRjE|#@6Mn?+M`zBPYfybQovAlSjaC^ ze*DB)`zq!9iG3NHnD9`+)YR1C;v(;%X?kpIY{&kh52G{$6SAVu0CBO{+fbR7Cce*( zj*dP~n4^7%r6>WS(NE(;(^*Ck8;4VOho6YDb zMp+!kQ5DF}&(EVuQQGZxyId}0Ef$O2ZeLhf;4K2hs!$h(-AdYemA|W9GS%M&!4h6eVj11>*K_DEASM0oK`n35NX% Y$#^rwFAq^?WdHyG07*qoM6N<$g3Dotc>n+a 
diff --git a/src/SA-CrowdstrikeDevices/static/appIcon_2x.png b/src/SA-CrowdstrikeDevices/static/appIcon_2x.png index a3ee32bb62dc3d7ddb408700a7e87d1b4395c08c..b71a524ffe8251dc6d713f57fc0f9239ddf93101 100644 GIT binary patch delta 3462 zcmV;14SDj!8Lk_U83+ad0033(vqzC3G=B|4NkliUv78 zqH>V>jExUOP+);&ckk{0&)y{v7Sb$>3&hVe-uunY-o5k9KmYtQcer?nho})W>VFX? zlSxYmru3+qRi9zE*=%VgB_$S>yA2_bpPye-jYhMGPRCG^IIjVqNKurbX0tg(Nu%+nuKrmB%`I>22GilDh~}5_3S~Ts$b5xE65BC!iQV7;;E;e z5_!Xi4@XK$%1Wx!OCrM!R1%2H66w)1FtcR<0<zv7a!2bSfx018QpvgFki^Py?gi6oSLJOKm`Q_&^vs0wNO-3_f}VP z1&MB3BDdg4xYbW&c7#DKNE}(sX}ECDk;ryfy7hqEp`)-Q8cJdJ_lIoIJGfe`A;2wx zH1yAK>=5*kFGJIz6WKM1Vt=#2_`*17eSD}y!;#2Mfhgq{pm=3Gd}9_tAKnMr;$jpY zPlf64Ga>u<3ae@eaIcFISR|vh6om_3hi3Y0Xd=cypP2z`##tC%je*=ONQk5nI(aW{ zswvzSh^h{Rw1ZYBA%Dtv82dj9easSAP8^3hc^d+jCqVnVVX*48!hb7$|F~E;Q6meI zzf6V9-K*o{D48`G_Wb+sd;49OS~Nr9j3{XOJOjVg9{~LZLH73(LOJ|X{jn#v1!8Ed z6mzUz0d3pIAdQ`X($(=O`PUNojGhS7^w&_jb_Jvh=MnJcLii?r1l@!v*gJKqSHVGz z1Y$GN+N{v7dJ8yp5`T?WybGIu0PaWr38mzV{ASHZ-uBHXUK0=FBcW(Cb`qMd+=ND( zl3|-L2}*b`3Jna9>u~?8nFXmyqW|UOPf##(GE7hQfZrR7p`1N~qSzSty!clkmN|I~ zWOCY)k012yA49XTe?ybFLiXu$lZHFmUN;U)};aonDSr<)m18)UDfr>|M{_zI*15A`H<|#w4)&eok1l)#yW+x4lWFP5vNSq9 zf}VeY=6cP9;NFI3Er{ePqDoqVnya2f3p-bG?`J6f<~lT`RunCM6DTr^@-9K*S-v_6 zB{xrq?QM8eAdZ)PXd;Uy6h)7Ufc25qu(oXj415koyMG;$EJI7tcFyv}uu>Gx-H1~~ z&{ZtOfDc(6eZ;orO}FjgF2=4}15;K8l)Zc4Gvbd3occNpqa)FH&4;k{=?h)kP{{js zBWKw>So80Z!Bng~TcP1M&mthz(3 zJ0a)XL4RQMLfC#g3?OH$EwUj0&FQ$kZW;2A?1v@mJe9c#?fo3+%=cmQ^@ZvA2pAVG zNAa)w(^b8rP^}2W&XxU#aMWL42iC8FdD0l0%&yNMSh9I(q`X=bZ9?} zpCv;+xCe#nRzhm^Q}{pH2|leuA({NCkPfoW2t9qrpZt_`^dM}fzl1UJCCFY_C$D{h zTtG|CTC&+ueESycS2D%22s>+gaS@76rK523M&wWW3(ONnL*B3kw&k%X*zy5vJODgk zcz;D8;ibqzjA^MT*`5SzQK6{3P12&^+-d02k3wrNCE;k)BPXt*WTfEJ;Dy`ul0Xh< zNfgb_B;?1@h<5k@O0N6|jh}b|7P2mTuV2B|qJ>(L%DR4nS?lnsKpYalW`n$A3(Pa4 zV0mK(Z0Ak_Umk;P^LtRpXF1Aw4_+0>0e=l7x(%^xaxn|Gf4>LGpo5QHf!@WO?Lngs z2;_t#$W&-pSBgr!Yc}OjNg$)qh*B?3qeZu?fxnUT2KCG{s3cI|zJ0N;u*Ms+yn-{u 
zR_H?7qH*KKYEI2jX?F+js~I|UDE!inprc6#oeNv{lO&kDw7KCPIdyVRm5@y%-+x|> z3G?4xfnmdFIz#a2_LrELnC4TaOi{Ce0|yQuH#b*hbsxSoJqZsFN7JTF)f`~JfC0Q) zJEEWp|wG9Iq85v4&aIivko1oUyEr@B_$>C@ib{Q*laf6P=7!A!6!-Rb?ep` zIB=jNm%y7WKmPb*-ap9HbGx0sMJ@^RDIFJ)IM*FnbqwSaT9bJzyLRnTcJACM%-)GJ zXU>T392OSFU0|;Il{$%93lz0lZ7V*q^$Z#`2qY9PU%rfE$Bu!-fx%!vlYb^nxJYyU z??(sfvM-P?Q*PY2q1uh2+_`f{p>CxzMHx4499vMD`jt9~TC*VXXFXcAYK7*_zcrAc zpr8uFFz;(7Jnlmf8Fdh~A`tl>Jso=V>eUN6UDf_x7092uV@Huu2T@xV^f;xkAwz~Z zSQX$6-+_UFd^%EO{8&JKC4at6n>Gr?A*#2j8nb52Vn38eK1+D)1`n#}FsiV5$&w|i z1l5CLB85geg}%30y+p$VRq#nl6G)ugK7IQ9U)JNqrcImJia2ecYw$xb@63cL}y_7cXAK#*G`r`GyS}oRKvn!+&nKKUrK{?AdMe zZone~QOn1WK(FoJzrVuYnn{vW_Ln!Vz<+ji>eMNfIk0>8ZY*BBm>&f-r)fftn(Z}s zN}%~n?|F^u&^-CJr;PtxOC|fch77ZA)|_liahst zhQyJ`*=Eg{F+&7zjN`|Ti^VSbF~QT)(gZIkC=i@(#wEXg{kq_Jd3l0gyLL_R?CfkM zIXPLmaN&aB97WTxt{gmgP;kZ;#ujyPrKYRA9;3S6N z6hA4Up`jdfzNS{qGa!KsbkVEjrwD@w4_0V0sT@6eRPeE5$BKw|&z?Pk$HvAAzIyd) z!MASRDtJ^>l;DRB9TGeuB0})<=g$k?qel->k(`_yg~9`+UAuM)wYn%16ci+;9?o?m zj>>sm>GI{vf`5-5Jz89Yg=IuXM+=^ikRUjNVlU2{uU5@7a3zq{Y88uIG~5bqv)Pne zw{DejuH^08x63$#dHHDu^W0osB6i@roLj#9A{s@{LO3V*H<|OjI5}IQ(}LK#nV0{~ z>I72jIi^vgM%$^}#b(W#%F4h?QHI~_;QapHy?a3xB0eYohtEI%T&!a=__w$WHIm>|8Nr>28cXC?1+H*#aPYSE z>(_VTh@V$G8PpJ%IB}vl4+#lDe0)6KfB*dvG=F7UDl(mLWkK~7t}KZ7FP1G^rk1E4 zY{lW>;n}Q7wHCxmKmGL6Wvw`U`gHW}-CMkTfWdERV9qVb;D>e0YnuA^?_c)Vn^y*y zlOGbCx_~Id7RHz}XO7^`d#DOjZ+^_Kvg$#hPT5*|wbKLYuWVW3Wdn?!J$s5SKn_mu z_J8f$gGMBdI|S#Ki7>Azctt?3=Vfh(2ae>^K+aq6?%lhKRRXdI!MOn`oDds9s{?iA zv*dfSM~oQJ;`?@g@QT8@bLY0vWVy5~P-Jr=<+5hao*go6+B7w{exgg4F1*&XfJWC@ zYL)=iu>;j{A$7qnB(kFgz5~j?o1UKjDRXtRSo;3mN&-=fgiySr=013^)2`{RlDN1y zP&hGfk za3p~oGr1;n^ilgwx);cSo0%}l=$C$zud1ti`m6u1zy7KoI^o#>>W>IU{{M%AY=1GH zP``5GIlEvdQoXl8O;b%2bhwsP&~i;JAq)GLh5wmS_V3?6FfdR$;U%!!?R)m@38KWQ z29-IklPAm7-h|A|%-+3w52ozBGzz(@7H|qXZW9g*Y+72HzrTM` zQBh)I;?bi=&1SRQq#+O#6x6R@zkisR7^ygT@L)dmr{TV=RICkTVabd(D=SN-Qbk2Y zH9Gw52%}a-S1~+IXir5NnurutX>eOavb)G?`_qW{_;?f}BO~wqcyNT6$PHnYj9|0bf+?{kRSf`^rhnSAbV*5x 
zTy_z)_AZ*Dl`NqMI@Zf(gql%nVT7_7jC@EZ8m!_^a1KK6)mU3$P@puM*g=DYZaoMs zQZz&N4yF8jy;fOmg~2*BFYrl;?7QRDVS@-Il8kiagBMSne1*f4O}a~MLD z+c)u-FKU*pQ} zK4l#8R^YNv1HSrBJ$nIZ)dtR7KX6wVK+_6QWDbANO@7aM`Mm0*+2Svk6iu61{=Sx2 zZ7>azFa}dZ1z1CX?yYx>UwlK4nTRv>V7EF5bGoJTp(zK)9)JB&m_J<+7{odpO!~Ew z!v}altTJ!23Z+7$(?@;4ckSx!!Z2*gR7wy6d62SaxAk@=FVc=pp9!V{sZC{wSfMah zEA9EQRwrS&SmA3F2EQumjl4$9x9`B_+*R7Firn1d*!d#oz~fg|K-0yAOvVk^+SAJF zBn%I#G3C+c&VP_MB6PFniD3hE>$i~pFEIuKxp3y*(iqNR69oPdpQHt2Ap6NG>Xp|; zKfOnD%sL8lZWz!7CT80v+n#THjR9=HQ^uvM+4rZCHX#aYxp_)-@xi_Py*pxQF|m|V zWhE>{bUi{1i~pud`kIW06g(!auEHt;2*n^gUb*Cmoqu2Y=V1loNAZRERKEcN&FDUy z!Q1VoV@FIUQ@El$qF}I&E4h_koOYEbf-3A)(!PUypC^qv3wso>Ub#h`c2(RQ&m^o> zUQ8{IU*jA0Nd0i3)SBshtO` z$npYJSbu1_m1#NjopZ0oIW5ql#lq#?EB+#}Wb|9&vU#?-(@J)2xBKcmF=;~m*)E*1tz9W5ZLnRt zB+2oF6H4%`FbN7Ijb;;*eb*Mdknz(g1yN@y^PD6J^&w2MoYU*fCUQ61>3<$Hm5fTl zFeH#B$OR9eLJ_{PwyHQn7{<-6uXLHgV94^(+dZG5)&^FQSQ`cU`T5CZ7g6QF-5wrY~N+7{xlhZOO>U&}y}) zI(6z)a&ofGW|LYp2(b7bFknFc{{5xm$dM!OANj#$Vb>huKg-3vd-vjAa*En2jYPJeg_^78UFZrpe${rXI!s>3ya@^Xp04cMqDOTXsBwowj-Eq@ z#m2@$Nk~WtY6L;Jc=6)u)vJF#urFG#lA5^(6^$w0WmM`0mZr3B9Rfu)YSgHC^MB?D zJh{2K_wV0_xw>@e(y3FYVzFvtR}c4I5W6}3Jqp;lP$17g|2%k9R8&q*4(#^gi!Wks zg;dOnXi)!n0>bVK&X@i#yzqil?AoK+{>3QALpkG z@lIhDk;D}_IWWoiH5>MS46h@ zZ!7OG_y+}f%MZB=3JWcTg~N0#7B8;ip|Fc~@f%)o<;oRgeVBhRHMMKku666yWo2c@ zj~_>l+p1M7o6Uys-KI?&)H@uG^f-1`Zquj(=5IX=&-8L4z<2 zoH=tQKR&1=`LAxFWQAU!=jEiJ8Y z-@dprnqg7bBs&Y*z+J*aSL7&yoK>2O&Ye3K85y~B=~D39w{O4w_S>^&%>qZfj);gr z`X`Da$8l&gdh}?h1%ID3X%ZG=7K;VVKyV5dg3p^b4{fmS1V^k#J-P{e%a$z<_|~mk z!FTT53BGUNKJX12Hh=?xfq}?!+`vPNrP_t>X?b@MMU%;dOhW25aD4jv`{T2ys0e9< zq#tJCd0yfm#l^(|0nWRDqZv4?gf774633~6f&!RG+UJ8M!GEQ63|ynpNZX^}cn0aK z!^6Xc|D;ygcq=C)%^{|1{M1dJIe+=`vn^U^Ifp9$epfZq@_$<+H3tuLHhMZHCT8Nq ziJLcXh9sC`>eQ+6@$pEYtX3<|E?l?}&!JYU7cE+ZQ!LBk>Eq(!X3m@m4e050>(=3N z7#V#1`t{%?C4VL0`}gk$N1hcF6m;y^F>tsyIGh$7Sg>FLTtEc>=5LG`dF+?8Pg73N?@riLCT~a8?7Qf1DZvA8+_*75!LMGuD(#}8zcC~v z!vYx@8L$-ufMa-|zhNa<8zblL-MbLu>+6eT>c)*5w|{Qk>eQ)Ic6K&yj=|QpZCemP 
zN;0J{t+*wH;U|&mIR8|OFTejmavvZmDG93wkd7TYqFc9wgdCkSt&c|WSXcBCRB^>D zPV}ELXZGybQn5PF^2~wiICc( z=n{}#B7gAWRx@VIKoMUAzHHet@a@~TgC`^;fIkQxRp8u5s~De;0|u(zM+;A@*%g~L zYc_7&IB8cHUjr_g9s?{oIvSrCMKJ8BQKR5>6<4?bDJmf7H*MM!Uj#m2zyL%McqTX| z4~$__#05t)a$Nq+yf7VN$@UN6>x7oP_-v;7jHYi;M*si- N00>D%PDHLkV1l}jK1Kil From 8a11bc091864dd47958688376f8b96311ac9ec38 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 20:41:46 -0600 Subject: [PATCH 03/21] updated release notes and version increase Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- src/SA-CrowdstrikeDevices/app.manifest | 2 +- src/SA-CrowdstrikeDevices/default/app.conf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/SA-CrowdstrikeDevices/app.manifest b/src/SA-CrowdstrikeDevices/app.manifest index b04ec6e..4248ed9 100644 --- a/src/SA-CrowdstrikeDevices/app.manifest +++ b/src/SA-CrowdstrikeDevices/app.manifest @@ -5,7 +5,7 @@ "id": { "group": null, "name": "SA-CrowdstrikeDevices", - "version": "1.0.1" + "version": "1.0.2" }, "author": [ { diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf index 4cad7ba..2dd23a9 100644 --- a/src/SA-CrowdstrikeDevices/default/app.conf +++ b/src/SA-CrowdstrikeDevices/default/app.conf @@ -7,12 +7,12 @@ state_change_requires_restart = true is_configured = false state = enabled -build = 1 +build = 2 [launcher] author = ZachTheSplunker description = This supporting add-on allows device information pulled from Crowdstrike to be used with Splunk Enterprise Security's Asset Database. -version = 1.0.1 +version = 1.0.2 [ui] is_visible = 0 From 7c89e72b45f3e1791a726b481058f4b05a76e5a5 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 20:43:32 -0600 Subject: [PATCH 04/21] updated release notes and version increase 
Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 11 +++++++---- docs/index.md | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 15dee47..95b2530 100644 --- a/README.md +++ b/README.md @@ -30,16 +30,19 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com Info | Description ------|---------- -SA-CrowdstrikeDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices) +SA-CrowdstrikeDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices) Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263) Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570) Add-on has a web UI | No, this add-on does not contain views. ```TEXT -Version 1.0.1 +Version 1.0.2 -- Initial release -- Hotfix for missing `_key` field in saved search. +New +- added `first_seen`, `last_seen`, and `last_updated` to category field (#8). + +Updated +- Changed app logo background to transparent. ``` ## Issues or Feature Request diff --git a/docs/index.md b/docs/index.md index f8d8d47..65ea6a6 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -29,7 +29,7 @@ This documentation assumes the following: Info | Description ------|---------- -SA-CrowdstrikeDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices) +SA-CrowdstrikeDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices) Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263) Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570) Add-on has a web UI | No, this add-on does not contain views. From 8709f362357754c79f2948f4555fb0a1c611884d Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 20:47:44 -0600 Subject: [PATCH 05/21] added release notes Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- docs/releases/index.md | 11 ++++++++--- docs/releases/release-history.md | 4 ++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/releases/index.md b/docs/releases/index.md index d7d076f..de0788b 100644 --- a/docs/releases/index.md +++ b/docs/releases/index.md @@ -1,6 +1,6 @@ # Release notes -## v1.0.1 August 25, 2022 +## v1.0.2 placeholder ### Compatibility @@ -10,8 +10,13 @@ Splunk platform versions | 9.x, 8.x Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/app/263) Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570) -- Initial Release -- Hotfix for missing `_key` field in saved search. +### New + +- added `first_seen`, `last_seen`, and `last_updated` to category field ([#8](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/8)). + +### Updated + +- Changed app logo background to transparent. ## Known issues 
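Review bot: the first `docs/releases/index.md` hunk changes the release heading to `## v1.0.2 placeholder`, leaving a literal placeholder where the previous heading carried a date (`## v1.0.1 August 25, 2022`). Fill in the release date before this ships, or keep the old heading format with a TODO so the docs build makes the gap obvious; as committed, the published release notes page will show the word "placeholder" as the release date.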
diff --git a/docs/releases/release-history.md b/docs/releases/release-history.md index d77038d..5b8d9fd 100644 --- a/docs/releases/release-history.md +++ b/docs/releases/release-history.md @@ -1,5 +1,9 @@ # Release history +## v1.0.1 August 25, 2022 + +- Hotfix for missing `_key` field in saved search. + ## v1.0.0 August 25, 2022 - Initial Release From 2f1f2d48cd274f8c191aab32360a0f0232613e35 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Mon, 29 Aug 2022 21:19:33 -0600 Subject: [PATCH 06/21] updated label Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- src/SA-CrowdstrikeDevices/default/app.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf index 2dd23a9..56af872 100644 --- a/src/SA-CrowdstrikeDevices/default/app.conf +++ b/src/SA-CrowdstrikeDevices/default/app.conf @@ -16,7 +16,7 @@ version = 1.0.2 [ui] is_visible = 0 -label = SA-CrowdstrikeDevices +label = SA-CrowdstrikeDevices for Enterprise Security [package] id = SA-CrowdstrikeDevices From 8b0ff02a8d59937ce47b530693d445b3b8a11d15 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 31 Aug 2022 22:36:11 -0600 Subject: [PATCH 07/21] testing wfa Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- .github/workflows/appinspect.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index c06a89f..c70c30a 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -6,7 +6,7 @@ on: - master paths: - "src/**" - types: [opened, ready_for_review] + types: [opened, ready_for_review, synchronize] jobs: validate: runs-on: ubuntu-latest 
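Review bot: adding `synchronize` to `types` in the `appinspect.yml` hunk makes the validation job run on every push to an open pull request, not only when it is opened or marked ready for review. Each run submits the package for vetting using the `API_USER`/`API_PASS` secrets, so expect many more submissions per PR and confirm the vetting service's rate limits tolerate that; if the intent was only to exercise the workflow, as the commit subject suggests, a `workflow_dispatch` trigger is the cleaner way to do it without changing PR behaviour. This is reverted in the next commit, so the note only matters if the change is revived.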
@@ -34,24 +34,28 @@ jobs: run: | API_USER='${{ secrets.API_USER }}' API_PASS='${{ secrets.API_PASS }}' validate.sh -v - name: Submit App for vetting + id: app run: | cd ~/build/packages validate.sh submit $(ls) + echo "::set-output name=app::$(realpath $(ls))" - name: Check Status run: validate.sh status - name: Get report + id: report run: | validate.sh report - ls ~/build/reports + cd ~/build/reports + echo "::set-output name=report::$(realpath $(ls))" - name: Collect report uses: actions/upload-artifact@v3 with: name: appinspect report - path: ~/build/reports/ + path: ${{ steps.report.outputs.report }} - name: Collect app package uses: actions/upload-artifact@v3 with: name: App package - path: ~/build/packages/ + path: ${{ steps.app.outputs.app }} - name: Check Appinspect for issues run: validate.sh get_errors From 4509d48d4270099acf2db4c4e90e0bcb10655b8f Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 31 Aug 2022 22:38:37 -0600 Subject: [PATCH 08/21] Revert "testing wfa" This reverts commit 8b0ff02a8d59937ce47b530693d445b3b8a11d15. --- .github/workflows/appinspect.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index c70c30a..c06a89f 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -6,7 +6,7 @@ on: - master paths: - "src/**" - types: [opened, ready_for_review, synchronize] + types: [opened, ready_for_review] jobs: validate: runs-on: ubuntu-latest 
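Review bot: in the `appinspect.yml` hunk the new `echo "::set-output name=app::$(realpath $(ls))"` and `echo "::set-output name=report::$(realpath $(ls))"` lines assume each directory holds exactly one entry with no whitespace in its name; with two packages or reports the output becomes a space-separated list, and the `path:` of the `upload-artifact` steps that consume `steps.app.outputs.app` / `steps.report.outputs.report` no longer points at a single file. Prefer a glob in `path:` (for example `~/build/reports/*`) or select one file explicitly. `::set-output` has also since been deprecated by GitHub in favour of appending `name=value` to the file named by `$GITHUB_OUTPUT`, which matters if this approach is brought back after the revert in the following commit.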
@@ -34,28 +34,24 @@ jobs: run: | API_USER='${{ secrets.API_USER }}' API_PASS='${{ secrets.API_PASS }}' validate.sh -v - name: Submit App for vetting - id: app run: | cd ~/build/packages validate.sh submit $(ls) - echo "::set-output name=app::$(realpath $(ls))" - name: Check Status run: validate.sh status - name: Get report - id: report run: | validate.sh report - cd ~/build/reports - echo "::set-output name=report::$(realpath $(ls))" + ls ~/build/reports - name: Collect report uses: actions/upload-artifact@v3 with: name: appinspect report - path: ${{ steps.report.outputs.report }} + path: ~/build/reports/ - name: Collect app package uses: actions/upload-artifact@v3 with: name: App package - path: ${{ steps.app.outputs.app }} + path: ~/build/packages/ - name: Check Appinspect for issues run: validate.sh get_errors From 00df48a0893156dc5d8fb15f3a9184c230eb2538 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 31 Aug 2022 23:47:21 -0600 Subject: [PATCH 09/21] wfa updates Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- .github/workflows/appinspect.yml | 5 ++--- .github/workflows/release.yml | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index c06a89f..725b9af 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -42,16 +42,15 @@ jobs: - name: Get report run: | validate.sh report - ls ~/build/reports - name: Collect report uses: actions/upload-artifact@v3 with: - name: appinspect report + name: Appinspect-report path: ~/build/reports/ - name: Collect app package uses: actions/upload-artifact@v3 with: - name: App package + name: App-package path: ~/build/packages/ - name: Check Appinspect for issues run: validate.sh get_errors 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..273a2d5 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,26 @@ +name: release +on: + push: + branches: + - master + - main + paths: + - "src/**" +jobs: + release: + name: Create Release + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Install dependencies + run: sudo apt-get install -y jq + - name: Get version + id: version + run: echo "::set-output name=version::$(cat src/SA-CrowdstrikeDevices/app.manifest | jq -r .info.id.version)" + - name: Create release + uses: softprops/action-gh-release@v1 + with: + draft: true + name: SA-CrowdstrikeDevices v${{ steps.version.outputs.version }} + tag_name: v${{ steps.version.outputs.version }} From 8cb3f190131ab1e7d6b1dce1b340bea507c8484c Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 15:36:07 -0600 Subject: [PATCH 10/21] fixed typos Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 95b2530..2f33b4e 100644 --- a/README.md +++ b/README.md 
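Review bot: the new `release.yml` declares no `permissions:` block and references third-party actions by floating tag, which is the main supply-chain point to raise on a workflow that creates releases. `softprops/action-gh-release@v1` runs with whatever the repository's default `GITHUB_TOKEN` permissions happen to be; add an explicit job-level `permissions:` with `contents: write` so nothing beyond release creation is granted, and pin the action to a full commit SHA rather than `@v1` so a moved tag cannot change what runs with that token. Smaller points: `actions/checkout@v2` is older than the `@v3` the repo already uses for `upload-artifact` in `appinspect.yml`; `jq` is preinstalled on `ubuntu-latest`, so the `sudo apt-get install -y jq` step can go; and `cat src/SA-CrowdstrikeDevices/app.manifest | jq -r .info.id.version` is a useless use of cat (`jq -r .info.id.version src/SA-CrowdstrikeDevices/app.manifest`). Because the trigger is every push to `master`/`main` touching `src/**`, a push that does not bump the manifest version will attempt another draft for the same `tag_name`; gate the `Create release` step on the version having changed.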
@@ -4,7 +4,7 @@ [![Docs](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/docs.yml/badge.svg)](https://splunk-sa-crowdstrike.ztsplunker.com/) ![Appinspect](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/appinspect.yml/badge.svg) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/SA-CrowdstrikeDevices) -[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeDevices-blue)](https://splunkbase.splunk.com/app/4505/) +[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeDevices-blue)](https://splunkbase.splunk.com/app/6573) [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263) ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk) 
@@ -24,7 +24,7 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com ## Disclaimer -> *This Splunk Supporting Add-on is __not__ affiliated with* [__Crowdstrike, Inc.__](https://www.crowdstrike.com) *and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with the Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* +> *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* ## About From 947bc06b8990865d4d5c8be50aa95bf21eded949 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 15:42:49 -0600 Subject: [PATCH 11/21] fixed typos Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 65ea6a6..f9726e5 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -15,7 +15,7 @@ The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use !!! quote "" __*Disclaimer*__ - *This Splunk Supporting Add-on is __not__ affiliated with* [__Crowdstrike, Inc.__](https://www.crowdstrike.com) *and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with the Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* + *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* ## Assumptions From 9b759a98c95e123ad6211a6203174873a7b2f338 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 16:51:56 -0600 Subject: [PATCH 12/21] fix typos Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2f33b4e..b0861ee 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # SA-CrowdstrikeDevices for Splunk Enterprise Security -[![GitHub](https://img.shields.io/github/license/ZachChristensen28/SA-CrowdstrikeDevices)]() +![GitHub](https://img.shields.io/github/license/zachchristensen28/SA-CrowdstrikeDevices) [![Docs](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/docs.yml/badge.svg)](https://splunk-sa-crowdstrike.ztsplunker.com/) ![Appinspect](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/appinspect.yml/badge.svg) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/SA-CrowdstrikeDevices) @@ -14,7 +14,7 @@ This supporting add-on comes with prebuilt content for CrowdStrike device data t Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com) -``` +```markdown ** This supporting add-on is only intended to work with Splunk Enterprise Security deployments ** @@ -47,4 +47,4 @@ Updated ## Issues or Feature Request -Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues) +Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues). From fbf545865c8a7a508859cf90072655ef7beb1a3e Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 16:53:28 -0600 Subject: [PATCH 13/21] added period Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b0861ee..f3783b8 100644 --- a/README.md +++ b/README.md 
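Review bot: two consistency points in the `README.md` hunks of this commit. The license badge now uses `zachchristensen28` in lower case while every other badge and link in the file uses `ZachChristensen28`; shields resolves it either way, but the mixed casing reads as a typo, so keep the canonical form. The first fence changes from untagged to a `markdown`-tagged block, yet its body is a plain emphasis banner that is not meant to be rendered; the version block later in the same README is tagged `text`, so `text` is the consistent choice here.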
@@ -12,7 +12,7 @@ This supporting add-on comes with prebuilt content for CrowdStrike device data t ## Documentation -Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com) +Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com). ```markdown From 16df441609997af5998776f0940e331607d65e26 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 16:54:21 -0600 Subject: [PATCH 14/21] adjusted image location Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f3783b8..d7b5153 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,8 @@ [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263) ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk) +![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg) + This supporting add-on comes with prebuilt content for CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database. ## Documentation 
@@ -20,8 +22,6 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com ``` -![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg) - ## Disclaimer > *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* From 67a38f2912f2f09d2922fb7ce188309a2b329111 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 16:59:20 -0600 Subject: [PATCH 15/21] added hyperlink Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d7b5153..7fd19a7 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263) ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk) -![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg) +[![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg)](https://splunk-sa-crowdstrike.ztsplunker.com) This supporting add-on comes with prebuilt content for CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database. 
@@ -31,11 +31,11 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com Info | Description ------|---------- SA-CrowdstrikeDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices) -Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263) -Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570) +Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263) +Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570) Add-on has a web UI | No, this add-on does not contain views. -```TEXT +```text Version 1.0.2 New @@ -45,6 +45,6 @@ Updated - Changed app logo background to transparent. ``` -## Issues or Feature Request +## Issues or Feature Requests Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues). From 661f1a66c69de448378f87c5ed7937c554b6494b Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 17:07:12 -0600 Subject: [PATCH 16/21] readme updates Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 7fd19a7..9a90b4d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# SA-CrowdstrikeDevices for Splunk Enterprise Security +[![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg)](https://splunk-sa-crowdstrike.ztsplunker.com) ![GitHub](https://img.shields.io/github/license/zachchristensen28/SA-CrowdstrikeDevices) [![Docs](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/actions/workflows/docs.yml/badge.svg)](https://splunk-sa-crowdstrike.ztsplunker.com/) 
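Review bot: in the `@@ -31,11 +31,11 @@` README hunk of patch 15, the `Splunk Enterprise Security Version (Required)` and `Crowdstrike Devices Add-on (Required)` rows are removed and re-added with identical visible content, so those two lines are a whitespace-only change that the commit message `added hyperlink` does not mention. Either drop them from the patch or note the trailing-whitespace cleanup in the message, so a later reader of `git blame` is not misled into thinking the version requirements changed.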
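Review bot: in the `@@ -1,4 +1,4 @@` README hunk of patch 16, replacing `# SA-CrowdstrikeDevices for Splunk Enterprise Security` with the linked logo leaves the README without any text heading; wherever `./docs/assets/sa-crowdstrike-logo-dark.svg` does not resolve (a renderer that does not serve the repo's `docs/assets` path, or the file being moved later), only the alt text `SA-CrowdstrikeDevices` remains and the "for Splunk Enterprise Security" qualifier is gone. Keep a text H1 and place the linked image under it, or at minimum carry the full product name in the alt text.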
@@ -8,20 +8,16 @@ [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263) ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk) -[![SA-CrowdstrikeDevices](./docs/assets/sa-crowdstrike-logo-dark.svg)](https://splunk-sa-crowdstrike.ztsplunker.com) - This supporting add-on comes with prebuilt content for CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database. -## Documentation - -Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com). - ```markdown - ** This supporting add-on is only intended to work with Splunk Enterprise Security deployments ** - ``` +## Documentation + +Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com](https://splunk-sa-crowdstrike.ztsplunker.com). + ## Disclaimer > *This Splunk Supporting Add-on is __not__ affiliated with [__Crowdstrike, Inc.__](https://www.crowdstrike.com) and is not sponsored or sanctioned by the Crowdstrike team. As such, the included documentation does not contain information on how to get started with Crowdstrike. Rather, this documentation serves as a guide to use Crowdstrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com](https://www.crowdstrike.com) for more information about Crowdstrike.* From 90cef6dab3657e311270de8fde3fa3ad07ef60df Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Tue, 6 Sep 2022 23:00:01 -0600 Subject: [PATCH 17/21] added configuration information 
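Review bot: in the `@@ -8,20 +8,16 @@` README hunk of patch 16, the ` ```markdown ` fence around `** This supporting add-on is only intended to work with Splunk Enterprise Security deployments **` is only moved, not fixed: inside a code fence the `**` markers render literally as a monospaced block rather than as a bold warning. This README already uses a `>` blockquote for the Disclaimer, so the same form fits here, e.g. `> **This supporting add-on is only intended to work with Splunk Enterprise Security deployments.**`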
Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- docs/configure/best-practice/clone-search.md | 23 ++++++++++++++++++++ docs/configure/bunit.md | 2 +- docs/configure/category.md | 2 +- docs/configure/index.md | 3 +++ docs/configure/priority.md | 2 +- docs/configure/schedule.md | 13 +++++++++++ docs/quickstart/quickstart.md | 17 ++++++++++++++- docs/troubleshooting/index.md | 1 + mkdocs.yml | 3 +++ 9 files changed, 62 insertions(+), 4 deletions(-) create mode 100644 docs/configure/best-practice/clone-search.md create mode 100644 docs/configure/schedule.md diff --git a/docs/configure/best-practice/clone-search.md b/docs/configure/best-practice/clone-search.md new file mode 100644 index 0000000..1a1d70f --- /dev/null +++ b/docs/configure/best-practice/clone-search.md @@ -0,0 +1,23 @@ +# Clone default saved search + +In order to preserve the default behavior and to compare changes to new releases, it is recommended to clone the default search `Crowdstrike Devices Lookup - Gen` before making any changes. + +## Clone + +Perform the following to clone the default search: + +1. Navigate to Settings > Searches, reports, and alerts. +1. Change "App" filter to `SA-CrowdstrikeDevices`. +1. Change "Owner" to `All`. +1. For the search named "Crowdstrike Devices Lookup - Gen" click "Edit" under Actions. +1. From the dropdown menu click "Clone." +1. (optional) Update the Title. +1. Set "Permissions" to `clone`. +1. Click "Clone Report" to finish. + +## Disable default search + +Disable the original search: + +1. For the search named "Crowdstrike Devices Lookup - Gen" click "Edit" under Actions. +1. From the dropdown menu click "Disable" to disable the default search. diff --git a/docs/configure/bunit.md b/docs/configure/bunit.md index c36c36d..3095960 100644 --- a/docs/configure/bunit.md +++ b/docs/configure/bunit.md 
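Review bot: the "Disable default search" section of `clone-search.md` should state that disabling the original is required, not a cleanup step: the clone and the default `Crowdstrike Devices Lookup - Gen` search both end in `| outputlookup key_field=_key crowdstrike_devices` (visible in the `savedsearches.conf` hunks of patch 18), so with both enabled, whichever runs last overwrites the other's rows and any customization made in the clone is silently undone on the next scheduled run. A one-line note to that effect under the disable step, and a pointer to the schedule page so the user confirms only one of the two is scheduled, would close the gap.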
@@ -1,6 +1,6 @@ # Business Unit Field (bunit) -!!! info "To update the `bunit` field modify the `Crowdstrike Devices Lookup - Gen` saved search." +!!! info "To update the `bunit` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))." The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table. diff --git a/docs/configure/category.md b/docs/configure/category.md index 88a86c2..d114ab9 100644 --- a/docs/configure/category.md +++ b/docs/configure/category.md @@ -1,6 +1,6 @@ # Category Field -!!! info "To update the `category` field modify the `Crowdstrike Devices Lookup - Gen` saved search." +!!! info "To update the `category` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))." The category field by default includes many important fields. Most will find that the default configuration for this field will work for their needs. diff --git a/docs/configure/index.md b/docs/configure/index.md index 456ff2d..bf22bd1 100644 --- a/docs/configure/index.md +++ b/docs/configure/index.md @@ -2,6 +2,9 @@ Each field can be customized to fit your environment. The following fields should be examined and tailored to your data. +!!! info "It is recommended to clone the default search before making changes (see [Clone Saved Search](./best-practice/clone-search))." + - [Priorities](./priority) - [Categories](./category) - [Business Unit](./bunit) +- [Update Schedule](./schedule.md) diff --git a/docs/configure/priority.md b/docs/configure/priority.md index fefc11c..272f847 100644 --- a/docs/configure/priority.md +++ b/docs/configure/priority.md 
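Review bot: the link forms in the `docs/configure/index.md` hunk are mixed: `./best-practice/clone-search` and `./priority` without an extension sit next to `./schedule.md` with one, and the sibling pages `bunit.md`, `category.md` and `priority.md` use `../best-practice/clone-search`, which from `docs/configure/` only reaches `docs/configure/best-practice/` because mkdocs rewrites pages to directory URLs; browsed as files on GitHub, `../best-practice/` points at a directory that does not exist. Point every link at the `.md` file relative to the source page (`best-practice/clone-search.md` from all four pages, since they share `docs/configure/`) so mkdocs can validate the links at build time and they also work in the repo view.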
@@ -1,6 +1,6 @@ # Priority Field -!!! info "To update the `priority` field modify the `Crowdstrike Devices Lookup - Gen` saved search." +!!! info "To update the `priority` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))." The priority field is very generic by default and should be updated to suite your environment. The following table describes how this field is set. diff --git a/docs/configure/schedule.md b/docs/configure/schedule.md new file mode 100644 index 0000000..cd8e4e2 --- /dev/null +++ b/docs/configure/schedule.md @@ -0,0 +1,13 @@ +# Update Schedule + +!!! info "To update the schedule modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))." + +The default saved search runs on the 19th minute of every hour to update and continually build the Crowdstrike assets. Most users will find that this schedule works for their environment. + +To update the default schedule perform the following steps: + +1. Navigate to Settings > Searches, reports, and alerts. +1. Set the "App" dropdown to `SA-CrowdstrikeDevices`. +1. Set the "Owner" dropdown to `All`. +1. Click "Edit" under actions for the search `Crowdstrike Devices Lookup - Gen` or the name of the cloned search (see [Clone Saved Search](../best-practice/clone-search)). +1. Click "Edit Schedule" and update the schedule and necessary. diff --git a/docs/quickstart/quickstart.md b/docs/quickstart/quickstart.md index 1dbdeb2..13aa719 100644 --- a/docs/quickstart/quickstart.md +++ b/docs/quickstart/quickstart.md 
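Review bot: typo in the last step of the new `schedule.md`: `update the schedule and necessary` should read `update the schedule as necessary`. The page also states the search runs `on the 19th minute of every hour`, but no `cron_schedule` line appears in any `savedsearches.conf` hunk of this series; quoting the actual cron expression in the doc (and the `dispatch.earliest_time`/`dispatch.latest_time` window it runs over) lets a reader verify the claim instead of trusting it.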
@@ -4,7 +4,8 @@ This add-on has a saved search and Asset configuration input enabled by default. ## Overview -1. [Updated default macro](#update-default-macro) +1. [Updated default macro](#update-default-macro). +1. [Force Initial Build](#force-initial-build). 1. [Enable asset correlation](#enable-asset-correlation). 1. (optional) [Update default saved search schedule](#update-default-saved-search-schedule). 1. (optional) [Disable existing asset sources](#disable-existing-asset-sources). @@ -29,6 +30,20 @@ Macro | Default | Description --- +## Force Initial Build + +The initial build of the Crowdstrike assets will not occur until the first scheduled runtime (see [Update default saved search schedule](#update-default-saved-search-schedule)). To force the initial build perform the following: + +1. Navigate to Settings > Searches, reports, and alerts. +1. Set the "App" dropdown to `SA-CrowdstrikeDevices`. +1. Set the "Owner" dropdown to `All`. +1. Click "Run" under actions for the search `Crowdstrike Devices Lookup - Gen`. + +!!! note + The search will run in a new tab over the default time period of 60 minutes. Expand the timeframe to a larger window if the number of hosts in the last 60 minutes does not seem accurate. The default search is configured to run hourly to continually append new devices reported from Crowdstrike. + +--- + ## Enable asset correlation Confirm asset correlation has been setup in Enterprise Security. diff --git a/docs/troubleshooting/index.md b/docs/troubleshooting/index.md index 780d5df..2cb50a7 100644 --- a/docs/troubleshooting/index.md +++ b/docs/troubleshooting/index.md 
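Review bot: in the quickstart Overview list, `Updated default macro` should be `Update default macro` to match the heading and the `#update-default-macro` anchor it links to, and the imperative form of the other steps. In the new "Force Initial Build" note, `default time period of 60 minutes` should name the dispatch window the saved search actually uses (`dispatch.latest_time = -1m@m` is visible in patch 18; the matching `dispatch.earliest_time` is not quoted anywhere in the docs), and it is worth saying plainly that a device which has not reported inside that window is simply absent until a later run rather than an error.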
@@ -5,3 +5,4 @@ There can be many issues when setting up a new app/add-on in Splunk. Below highl Issue | Description | Solution ----- | ----------- | -------- Multiple asset merge | It is possible that some of your devices share a common mac address or another key field which will cause merging by default. | If Crowdstrike is your only asset source you can disable asset merge under global settings. See [Asset Merge Solution](./solution-guides/asset-merge) for more information. +Asset Database not populating with Crowdstrike Data | The asset database may show no Crowdstrike data if the initial search has not run to build the asset database or the default macro has not been updated. | Verify the default macro has the correct index definition (see [Update Default Macro](/quickstart/quickstart/#update-default-macro)). Also see [Force build](/quickstart/quickstart/#force-initial-build) to build the Crowdstrike assets lookup before the first scheduled run. diff --git a/mkdocs.yml b/mkdocs.yml index 19b86aa..c581982 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -78,6 +78,9 @@ nav: - Update Priority: configure/priority.md - Update Category: configure/category.md - Update Business Unit: configure/bunit.md + - Update Schedule: configure/schedule.md + - Best Practice: + - Clone Saved Search: configure/best-practice/clone-search.md - Reference: - All Configurations: reference/all-configurations.md - Asset Database mapping: reference/asset-mapping.md From 30f61e26bed234c72c69a637a538d6beb110078b Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 7 Sep 2022 00:08:07 -0600 Subject: [PATCH 18/21] Fix for Issue #11 (#12) fixes issue #11 Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 3 +++ docs/releases/index.md | 4 ++++ src/SA-CrowdstrikeDevices/default/savedsearches.conf | 8 +++++++- 3 files changed, 14 insertions(+), 1 deletion(-) 
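Review bot: the new troubleshooting row uses site-absolute links (`/quickstart/quickstart/#update-default-macro`, `/quickstart/quickstart/#force-initial-build`) while every other page in this series links relatively; absolute paths break if the site is ever served under a sub-path and mkdocs cannot check them at build time. From `docs/troubleshooting/index.md` the relative form is `../quickstart/quickstart.md#update-default-macro` and `../quickstart/quickstart.md#force-initial-build`.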
diff --git a/README.md b/README.md index 9a90b4d..e28096f 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,9 @@ New Updated - Changed app logo background to transparent. + +Fixed +- Updated saved search to preserve hosts with multiple IP/MAC addresses (#11). ``` ## Issues or Feature Requests diff --git a/docs/releases/index.md b/docs/releases/index.md index de0788b..5f1bf2a 100644 --- a/docs/releases/index.md +++ b/docs/releases/index.md @@ -18,6 +18,10 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570 - Changed app logo background to transparent. +### Fixed + +- Updated saved search to preserve hosts with multiple IP/MAC addresses ([#11](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/11)). + ## Known issues This version of the SA-CrowdstrikeDevices add-on for Splunk has the following known issues. If no issues appear here, no issues have been reported. Issues can be reported on the [SA-CrowdstrikeDevices's Github page](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues). diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf index aeca2f7..8aea616 100644 --- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf +++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf @@ -12,7 +12,7 @@ dispatch.latest_time = -1m@m enableSched = 1 schedule_window = auto search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \ -| dedup falcon_device.device_id \ +| dedup falcon_device.device_id mac \ | rename falcon_device.local_ip as ip \ | eval \ category=replace(replace(mvjoin(mvsort(lower(mvappend(\ 
@@ -49,6 +49,12 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \ _key=md5(nt_host)\ | iplocation falcon_device.external_ip \ | rename lon as long, City as city, Country as country \ +| eventstats values(mac) as mac, values(ip) as ip, values(dns) as dns by falcon_device.device_id \ +| dedup _key \ +| eval \ + mac=mvjoin(mac, "|"),\ + ip=mvjoin(ip, "|"),\ + dns=mvjoin(dns, "|")\ | table _key,ip,mac,nt_host,dns,bunit,priority,lat,long,city,country,category,is_expected \ | outputlookup key_field=_key crowdstrike_devices \ | stats count From d371db075c68567e58f3fe1f27aa04e97accc761 Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 7 Sep 2022 08:44:06 -0600 Subject: [PATCH 19/21] Feature 13 (#14) changes for #13 Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- README.md | 1 + docs/configure/bunit.md | 4 ++-- docs/releases/index.md | 1 + src/SA-CrowdstrikeDevices/default/savedsearches.conf | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e28096f..4c0b8fd 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ Version 1.0.2 New - added `first_seen`, `last_seen`, and `last_updated` to category field (#8). +- added `site_name` to existing `bunit` field (#13). Updated - Changed app logo background to transparent. diff --git a/docs/configure/bunit.md b/docs/configure/bunit.md index 3095960..83c9b0c 100644 --- a/docs/configure/bunit.md +++ b/docs/configure/bunit.md @@ -4,6 +4,6 @@ The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table. -Mapped Field | Crowdstrike field +Mapped Field | Crowdstrike fields ------------ | ----------------- -bunit | `falcon_device.ou{}` +bunit | `falcon_device.ou{}`, `falcon_device.site_name` 
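Review bot: in the `@@ -49,6 +49,12 @@` `savedsearches.conf` hunk of patch 18, the grouping keys disagree: `eventstats values(mac) as mac, values(ip) as ip, values(dns) as dns by falcon_device.device_id` merges per sensor ID, but `_key=md5(nt_host)` and the following `dedup _key` / `outputlookup key_field=_key` key on hostname alone. Two device IDs that share a hostname (a sensor reinstalled under a new ID, or two hosts with the same short name in different domains, since `nt_host` drops the domain) produce two rows with the same `_key`; `dedup _key` keeps one and the other's IP/MAC/DNS values are discarded, which is the same class of loss #11 is fixing. Group the `eventstats` by `_key` (or `nt_host`) so all values for the asset key are merged, or derive `_key` from `falcon_device.device_id` so distinct sensors stay distinct. Minor: `dedup _key` with no preceding `sort` keeps whichever row arrives first, so which device's `priority`/`category` survives is order-dependent; a `sort - falcon_device.last_seen` before it would make the choice deterministic.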
diff --git a/docs/releases/index.md b/docs/releases/index.md index 5f1bf2a..ee953e7 100644 --- a/docs/releases/index.md +++ b/docs/releases/index.md @@ -13,6 +13,7 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570 ### New - added `first_seen`, `last_seen`, and `last_updated` to category field ([#8](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/8)). +- added `site_name` to existing `bunit` field ([#13](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/13)). ### Updated diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf index 8aea616..707e8ab 100644 --- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf +++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf @@ -43,7 +43,7 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \ nt_host=lower('falcon_device.hostname'),\ dns=lower(nt_host.".".'falcon_device.machine_domain'),\ mac=lower(replace('falcon_device.mac_address', "-", ":")),\ - bunit=lower(replace(mvjoin('falcon_device.ou{}', ","), " ", "_")),\ + bunit=lower(replace(mvjoin(mvappend('falcon_device.ou{}', 'falcon_device.site_name'), ","), " ", "_")),\ priority=case(match(category, "domain_controller"), "critical", match(category, "server|ubuntu|rhel|linux"), "high", true(), "medium"),\ is_expected=if(priority=="critical", "true", "false"),\ _key=md5(nt_host)\ From 598929b9c3db752db956df08bc521a0404683ebb Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 7 Sep 2022 08:46:07 -0600 Subject: [PATCH 20/21] updated label Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- src/SA-CrowdstrikeDevices/default/app.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf index 56af872..2dd23a9 100644 
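Review bot: `bunit=lower(replace(mvjoin(mvappend('falcon_device.ou{}', 'falcon_device.site_name'), ","), " ", "_"))` joins with a comma, while `mac`, `ip`, `dns` and `category` in the same search are joined with `|`, the delimiter the ES asset lookup splits multivalue fields on; with `,` the asset gets one combined bunit value such as `computer,finance` (the example the asset-mapping table gives), which will not match a filter on a single OU or site. Either join with `|` to match the rest of the search, or document that bunit is intentionally a single combined string. Also, `replace(..., " ", "_")` only normalizes spaces: an OU or `site_name` that itself contains the delimiter character splits into two values, so strip or replace that character as well.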
--- a/src/SA-CrowdstrikeDevices/default/app.conf +++ b/src/SA-CrowdstrikeDevices/default/app.conf @@ -16,7 +16,7 @@ version = 1.0.2 [ui] is_visible = 0 -label = SA-CrowdstrikeDevices for Enterprise Security +label = SA-CrowdstrikeDevices [package] id = SA-CrowdstrikeDevices From 0a92baf885f4ca010ed9e302ff32d8a604f4a28a Mon Sep 17 00:00:00 2001 From: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> Date: Wed, 7 Sep 2022 09:28:16 -0600 Subject: [PATCH 21/21] clarified docs Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com> --- docs/configure/bunit.md | 6 +---- docs/configure/index.md | 6 ++--- docs/quickstart/quickstart.md | 6 ++--- docs/reference/asset-mapping.md | 45 ++++++++++++++++++--------------- docs/reference/category.md | 2 +- mkdocs.yml | 4 +-- 6 files changed, 35 insertions(+), 34 deletions(-) diff --git a/docs/configure/bunit.md b/docs/configure/bunit.md index 83c9b0c..1bdf6aa 100644 --- a/docs/configure/bunit.md +++ b/docs/configure/bunit.md @@ -2,8 +2,4 @@ !!! info "To update the `bunit` field modify the `Crowdstrike Devices Lookup - Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](../best-practice/clone-search))." -The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table. - -Mapped Field | Crowdstrike fields ------------- | ----------------- -bunit | `falcon_device.ou{}`, `falcon_device.site_name` +The bunit field will most likely need to be updated. Every organization will have different values for this field. See [Asset Mappings](/reference/asset-mapping) for description of the default fields used. diff --git a/docs/configure/index.md b/docs/configure/index.md index bf22bd1..9c8477f 100644 --- a/docs/configure/index.md +++ b/docs/configure/index.md 
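Review bot: the rewritten `bunit.md` links to `/reference/asset-mapping` as a site-absolute path, the same pattern as the troubleshooting row in patch 17; from `docs/configure/bunit.md` the relative form `../reference/asset-mapping.md` works in the repo view, survives a sub-path deployment, and is validated by mkdocs.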
@@ -4,7 +4,7 @@ Each field can be customized to fit your environment. The following fields shoul !!! info "It is recommended to clone the default search before making changes (see [Clone Saved Search](./best-practice/clone-search))." -- [Priorities](./priority) -- [Categories](./category) -- [Business Unit](./bunit) +- [Update Priority](./priority) +- [Update Category](./category) +- [Update Business Unit](./bunit) - [Update Schedule](./schedule.md) diff --git a/docs/quickstart/quickstart.md b/docs/quickstart/quickstart.md index 13aa719..d8c7825 100644 --- a/docs/quickstart/quickstart.md +++ b/docs/quickstart/quickstart.md @@ -13,16 +13,16 @@ This add-on has a saved search and Asset configuration input enabled by default. ## Update default macro !!! danger "[Danger, Will Robinson](https://cultural-phenomenons.fandom.com/wiki/Danger,_Will_Robinson)" - Failure to update the macro to the correct setting will cause the no devices to be available in Splunk Enterprise Security. + Failure to update the macro to the correct setting will cause no devices to be available in Splunk Enterprise Security. Macro | Default | Description ----- | ------- | ----------- `sa_crowdstrike_index` | index=crowdstrike | Index definition for Crowdstrike devices index. -> \*update the index definition to the correct index that contains the `crowdstrike:device:json` sourcetype. - ### Update Macro Procedure +!!! note "Update the index definition to the correct index that contains the `crowdstrike:device:json` sourcetype." + 1. Navigate to Settings > Advanced Search > Search Macros. 1. From the "App" dropdown choose `SA-CrowdstrikeDevices`. 1. Set the "Owner" dropdown to `any`. diff --git a/docs/reference/asset-mapping.md b/docs/reference/asset-mapping.md index f465f93..7fff842 100644 --- a/docs/reference/asset-mapping.md +++ b/docs/reference/asset-mapping.md 
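Review bot: the unchanged context line `Set the "Owner" dropdown to \`any\`` in the quickstart hunk differs from the `All` used by the Clone Saved Search, Update Schedule and Force Initial Build procedures added in patch 17; since this patch is titled "clarified docs", pick one spelling, the one the Splunk UI shows, so readers are not looking for an option that is not there.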
@@ -1,26 +1,31 @@ +--- +hide: + - toc +--- + # Asset Database Mapping The following table describes how this add-on maps to the Asset Database. > reference [Format an asset or identity in Splunk ES](https://docs.splunk.com/Documentation/ES/latest/Admin/Formatassetoridentitylist#Asset_lookup_header) -ES Asset lookup field | SA-CrowdstrikeDevices example value ---------------------- | ----------------------------------- -ip | 10.15.23.8 -mac | 61:se:e3:1s:7r:38 -nt_host | dev-server01 -dns | dev-server01.example.com -owner | `not mapped` -priority | medium -lat | 40.76073 -long | -111.89096 -city | Salt Lake City -country | United States -bunit | computer,finance -category | see [Category Field reference](../category) -pci_domain | `not mapped` -is_expected | `not mapped` -should_timesync | `not mapped` -should_update | `not mapped` -requires_av | `not mapped` -cim_entity_zone | `not mapped` +ES Asset lookup field | [Crowdstrike Device TA Fields](https://splunkbase.splunk.com/app/5570) | Example value | Multi-value allowed +--- | --- | --- | --- +ip | `falcon_device.local_ip` | 10.15.23.8 | true +mac | `mac` | 61:se:e3:1s:7r:38 | true +nt_host | `falcon_device.hostname` | dev-server01 | false +dns | `nt_host` + `falcon_device.machine_domain` | dev-server01.example.com | true +owner | n/a | `not mapped` | n/a +priority | see [Configure Priority](/configure/priority) | medium | false +lat | from `iplocation` of `falcon_device.external_ip` | 40.76073 | false +long | from `iplocation` of `falcon_device.external_ip` | -111.89096 | false +city | from `iplocation` of `falcon_device.external_ip` | Salt Lake City | false +country | from `iplocation` of `falcon_device.external_ip` | United States | false +bunit | `falcon_device.ou{}` + `falcon_device.site_name` | computer,finance | true +category | see [Category field reference](../category) | see [Category field reference](../category) | true +pci_domain | n/a | `not mapped` | n/a +is_expected | n/a | `not mapped` | n/a 
+should_timesync | n/a | `not mapped` | n/a +should_update | n/a | `not mapped` | n/a +requires_av | n/a | `not mapped` | n/a +cim_entity_zone | n/a | `not mapped` | n/a diff --git a/docs/reference/category.md b/docs/reference/category.md index d556238..de198a4 100644 --- a/docs/reference/category.md +++ b/docs/reference/category.md @@ -1,4 +1,4 @@ -# Categories +# Category ## Default category field mapping diff --git a/mkdocs.yml b/mkdocs.yml index c581982..88c313f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -84,8 +84,8 @@ nav: - Reference: - All Configurations: reference/all-configurations.md - Asset Database mapping: reference/asset-mapping.md - - Crowdstrike Fields: - - Categories: reference/category.md + - Field reference: + - Category: reference/category.md - Troubleshooting: - troubleshooting/index.md - Solutions Guide:
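Review bot: the rebuilt asset-mapping table contradicts the search it documents in two places. `is_expected` is listed as `not mapped`, but `savedsearches.conf` sets `is_expected=if(priority=="critical", "true", "false")` and carries it through `table ... is_expected` into `outputlookup` (context lines in patches 18 and 19); document it as mapped with that rule, since a reader tuning `priority` should know it also flips `is_expected`. The `mac` row names the TA field as `mac`, but the search derives it from `falcon_device.mac_address` via `mac=lower(replace('falcon_device.mac_address', "-", ":"))`. Finally, the example `61:se:e3:1s:7r:38` is not a valid MAC address (`s` and `r` are not hex digits); use a well-formed value from the IANA documentation range, e.g. `00:00:5e:00:53:01`.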