Version 1.1.0 (#52)

## What's Changed - Updated docs versions. - New format for the "category" field. ### New ```yaml bios: Dell Inc bios_version: 1.6.5 cs_agent_version: 6.44.15806.0 cs_dv_control_applied: true cs_dv_firewall_applied: true cs_dv_globalconfig_applied: true cs_dv_sensorupdate_applied: true cs_first_seen: 10/15/20 00:31:59 UTC cs_last_seen: 09/14/22 15:06:50 UTC cs_uninstallprotection: ENABLED dvc_manufacturer: Dell Inc dvc_name: OptiPlex 5050 dvc_status: normal dvc_type: Workstation external_ip: 165.225.10.253 gen: sa-crowdstrike os_major_version: 10 os_name: Windows 10 os_platform: Windows os_version: 10.0.19044.1889 provision_status: Provisioned reduced_functionality_mode: no splunk_last_updated: 03/27/23 02:09:24 UTC ``` ### Old ```yaml cs_agent_version:6.44.15806.0 cs_bios_mf:dell_inc cs_bios_version:1.6.5 cs_dv_control_applied:true cs_dv_firewall_applied:true cs_dv_globalconfig_applied:true cs_dv_sensorupdate_applied:true cs_dv_status:normal cs_dv_type:workstation cs_external_ip:165.225.10.253 cs_os_major_version:10 cs_os_name:windows_10 cs_os_platform:windows cs_sys_mf:dell_inc cs_sys_name:optiplex_5050 cs_uninstallprotection:enabled gen:sa_crowdstrike cs_first_seen:10/15/20 00:31:59 UTC cs_last_seen:09/14/22 15:06:50 UTC splunk_last_updated:03/27/23 02:14:24 UTC ```
splunk · Mar 27, 2023 · 4ce4c96 · 4ce4c96
2 parents 4f542c9 + c88e80c
commit 4ce4c96
Show file tree

Hide file tree

Showing 16 changed files with 222 additions and 74 deletions.
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
@@ -10,7 +10,7 @@ on:
 
 jobs:
   call-packaging-workflow:
-    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@154fb6bd5201e90183c99b40661cb931d61781b4
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@7ecada57ac2b19c674658e3dac9751f5b23dec13
     secrets:
       API_USER: ${{ secrets.API_USER }}
       API_PASS: ${{ secrets.API_PASS }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -7,6 +7,7 @@ on:
     paths:
       - "docs/**"
       - "mkdocs.yml"
+      - "overrides/**"
 
 jobs:
   call-docs-workflow:

diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.

diff --git a/docs/assets/sa-crowdstrike-example-dark.png b/docs/assets/sa-crowdstrike-example-dark.png
diff --git a/docs/assets/sa-crowdstrike-example-light.png b/docs/assets/sa-crowdstrike-example-light.png
diff --git a/docs/index.md b/docs/index.md
@@ -5,8 +5,8 @@ hide:
 ---
 # Home
 
-![Image title](./assets/sa-crowdstrike-logo.svg#only-light)
-![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark)
+![Image title](./assets/sa-crowdstrike-logo.svg#only-light){ class="ignore-image" }
+![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark){ class="ignore-image" }
 
 The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use Crowdstrike device data with the Asset Database.
 
@@ -33,7 +33,7 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
 Splunk Enterprise Security Version <small>(Required)</small> | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on <small>(Required)</small> | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.

diff --git a/docs/reference/category.md b/docs/reference/category.md
@@ -4,47 +4,53 @@
 
 Mapped Field | Crowdstrike Event Field | Example value
 ------------ | ----------------------- | -------------
+bios | `falcon_device.bios_manufacturer` | Dell Inc
+bios_version | `falcon_device.bios_version` | 1.6.5
 cs_agent_version | `falcon_device.agent_version` | 6.40.15406.0
-cs_bios_mf | `falcon_device.bios_manufacturer` | hp
-cs_bios_version | `falcon_device.bios_version` | s73_ver_01.08.00
 cs_dv_control_applied | `falcon_device.device_policies.device_control.applied` | true
 cs_dv_firewall_applied | `falcon_device.device_policies.firewall.applied` | true
 cs_dv_globalconfig_applied | `falcon_device.device_policies.global_config.applied` | true
 cs_dv_sensorupdate_applied | `falcon_device.device_policies.sensor_update.applied` | true
 cs_uninstallprotection | `falcon_device.device_policies.sensor_update.uninstall_protection` | enabled
-cs_os_major_version | `falcon_device.major_version` | 10
-cs_os_platform | `falcon_device.platform_name` | windows
-cs_os_name | `falcon_device.os_version` | windows_10
-cs_dv_type | `falcon_device.product_type_desc` | workstation
-cs_dv_status | `falcon_device.status` | normal
-cs_sys_mf | `falcon_device.system_manufacturer` | hp
-cs_sys_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
-cs_external_ip | `falcon_device.external_ip` | 0.0.0.0
 cs_tags | `falcon_device.tags{}` | n/a
 cs_first_seen | `falcon_device.first_seen` | 02/14/22 09:52:05 MST
 cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT
+os_major_version | `falcon_device.major_version` | 10
+kernel_version | `falcon_device.kernel_version` | 10.0.19044.1889
+os_platform | `falcon_device.platform_name` | windows
+os_name | `falcon_device.os_version` | windows 10
+dvc_type | `falcon_device.product_type_desc` | workstation
+dvc_status | `falcon_device.status` | normal
+dvc_manufacturer | `falcon_device.system_manufacturer` | hp
+dvc_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
+external_ip | `falcon_device.external_ip` | 0.0.0.0
+reduced_functionality_mode | `falcon_device.reduced_functionality_mode` | no
 splunk_last_update | n/a | 08/26/22 18:54:42 MDT
 
 ### Full example of category value
 
-```text
-cs_agent_version:6.40.15406.0
-cs_bios_mf:hp
-cs_bios_version:s73_ver_01.08.00
-cs_dv_control_applied:true
-cs_dv_firewall_applied:true
-cs_dv_globalconfig_applied:true
-cs_dv_sensorupdate_applied:true
-cs_dv_status:normal
-cs_dv_type:workstation
-cs_external_ip:0.0.0.0
-cs_os_major_version:10
-cs_os_name:windows_10
-cs_os_platform:windows
-cs_sys_mf:hp
-cs_sys_name:hp_elitebook_850_g7_notebook_pc
-cs_uninstallprotection:enabled
-cs_first_seen:02/14/22 09:52:05 MST
-cs_last_seen:08/24/22 13:25:24 MDT
-splunk_last_updated:08/26/22 18:54:42 MDT
+```yaml
+bios: Dell Inc
+bios_version: 1.6.5
+cs_agent_version: 6.44.15806.0
+cs_dv_control_applied: true
+cs_dv_firewall_applied: true
+cs_dv_globalconfig_applied: true
+cs_dv_sensorupdate_applied: true
+cs_first_seen: 10/15/20 00:31:59 UTC
+cs_last_seen: 09/14/22 15:06:50 UTC
+cs_uninstallprotection: ENABLED
+dvc_manufacturer: Dell Inc
+dvc_name: OptiPlex 5050
+dvc_status: normal
+dvc_type: Workstation
+external_ip: 165.225.10.253
+gen: sa-crowdstrike
+os_major_version: 10
+os_name: Windows 10
+os_platform: Windows
+os_version: 10.0.19044.1889
+provision_status: Provisioned
+reduced_functionality_mode: no
+splunk_last_updated: 03/27/23 02:09:24 UTC
 ```
diff --git a/docs/releases/index.md b/docs/releases/index.md
@@ -1,6 +1,6 @@
 # Release notes
 
-## [v1.0.5 <small>December 19, 2022</small>](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+## [v1.1.0 <small>March 26, 2023</small>](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
 
 ### Compatibility
 
@@ -12,9 +12,64 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570
 
 ### What's Changed
 
-- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+- New format for `category` field:
+    - The `cs_` prefix has been removed from many fields.
+    - Spaces has been added for easier readability.
 
-**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+=== "New"
+
+    ``` yaml
+    bios: Dell Inc
+    bios_version: 1.6.5
+    cs_agent_version: 6.44.15806.0
+    cs_dv_control_applied: true
+    cs_dv_firewall_applied: true
+    cs_dv_globalconfig_applied: true
+    cs_dv_sensorupdate_applied: true
+    cs_first_seen: 10/15/20 00:31:59 UTC
+    cs_last_seen: 09/14/22 15:06:50 UTC
+    cs_uninstallprotection: ENABLED
+    dvc_manufacturer: Dell Inc
+    dvc_name: OptiPlex 5050
+    dvc_status: normal
+    dvc_type: Workstation
+    external_ip: 165.225.10.253
+    gen: sa-crowdstrike
+    os_major_version: 10
+    os_name: Windows 10
+    os_platform: Windows
+    os_version: 10.0.19044.1889
+    provision_status: Provisioned
+    reduced_functionality_mode: no
+    splunk_last_updated: 03/27/23 02:09:24 UTC
+    ```
+
+=== "Old"
+
+    ``` yaml
+    cs_agent_version:6.44.15806.0
+    cs_bios_mf:dell_inc
+    cs_bios_version:1.6.5
+    cs_dv_control_applied:true
+    cs_dv_firewall_applied:true
+    cs_dv_globalconfig_applied:true
+    cs_dv_sensorupdate_applied:true
+    cs_dv_status:normal
+    cs_dv_type:workstation
+    cs_external_ip:165.225.10.253
+    cs_os_major_version:10
+    cs_os_name:windows_10
+    cs_os_platform:windows
+    cs_sys_mf:dell_inc
+    cs_sys_name:optiplex_5050
+    cs_uninstallprotection:enabled
+    gen:sa_crowdstrike
+    cs_first_seen:10/15/20 00:31:59 UTC
+    cs_last_seen:09/14/22 15:06:50 UTC
+    splunk_last_updated:03/27/23 02:14:24 UTC
+    ```
+
+**Full Changelog**: [v1.0.5...v1.1.0](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.5...v1.1.0)
 
 ## Known issues
 

diff --git a/docs/releases/release-history.md b/docs/releases/release-history.md
@@ -1,5 +1,27 @@
 # Release history
 
+## [v1.0.5 <small>December 19, 2022</small>](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+
+### Compatibility
+
+Product | Version
+--------- | -------
+Splunk platform versions | 9.x, 8.x
+Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/app/263)
+Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570)
+
+### What's Changed
+
+- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+
+**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+
+### Known issues
+
+Issue | Description | Solution | GitHub issue reference
+----- | ----------- | -------- | ----------------------
+Lookup file error | You may see the error `status="Lookup file error, unknown path or update time" name=crowdstrike_devices` | This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation. | Issue [#22](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/22)
+
 ## [v1.0.4 <small>November 22, 2022</small>](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.4)
 
 ### Compatibility

diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,5 +1,5 @@
 mkdocs==1.4.2
-mkdocs-material==9.0.12
-mkdocs-git-revision-date-localized-plugin==1.1.0
-mkdocs-minify-plugin==0.6.2
-mkdocs-glightbox==0.3.1
+mkdocs-git-revision-date-localized-plugin==1.2.0
+mkdocs-material==9.1.4
+mkdocs-glightbox==0.3.2
+mkdocs-minify-plugin==0.6.4
diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css
@@ -0,0 +1,38 @@
+.md-banner .mastodon {
+    color: #6364FF;
+}
+
+.md-banner {
+    color: var(--md-footer-fg-color--lighter);
+}
+
+.md-banner .twemoji {
+    border-radius: 100%;
+    box-shadow: inset 0 0 0 .05rem currentColor;
+    display: inline-block;
+    height: 1.2rem;
+    padding: .25rem;
+    transition: all .25s;
+    vertical-align: bottom;
+    width: 1.2rem;
+}
+
+.md-banner .twemoji svg {
+    display: block;
+    max-height: none;
+}
+
+.md-banner a:focus .twemoji,
+.md-banner a:hover .twemoji {
+    background-color: var(--md-footer-fg-color);
+    box-shadow: none;
+}
+
+.md-banner a,
+.md-banner strong {
+    color: var(--md-footer-fg-color);
+}
+
+.md-banner strong {
+    white-space: nowrap;
+}
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -18,8 +18,8 @@ plugins:
       height: auto
       zoomable: true
       draggable: true
-      # skip_classes:
-      #   - custom-skip-class-name
+      skip_classes:
+        - ignore-image
       auto_caption: true
       caption_position: bottom
   - search
@@ -60,13 +60,15 @@ markdown_extensions:
 
 theme:
   name: material
+  custom_dir: overrides
   #   logo:
   #   favicon:
   icon:
     repo: fontawesome/brands/github
   logo: assets/sa-crowdstrike-logo-small.svg
   favicon: assets/sa-crowdstrike-logo-small.svg
   features:
+    # - announce.dismiss
     # - header.autohide
     - navigation.indexes
     - navigation.instant
@@ -82,6 +84,7 @@ theme:
     - search.highlight
     - search.share
     - content.action.edit
+    - content.tabs.link
   palette:
     - media: "(prefers-color-scheme: light)"
       scheme: default
@@ -98,14 +101,17 @@ theme:
         icon: material/weather-night
         name: Switch to light mode
 
+extra_css:
+  - stylesheets/extra.css
+
 extra:
   social:
     - icon: fontawesome/brands/linkedin
       link: https://www.linkedin.com/in/zachthesplunker/
     - icon: fontawesome/brands/github
       link: https://github.com/ZachChristensen28
-    - icon: fontawesome/brands/twitter
-      link: https://twitter.com/ZachTheSplunker
+    - icon: fontawesome/brands/mastodon
+      link: https://fosstodon.org/@ZachTheSplunker
 
 copyright: Copyright &copy; 2023 ZachTheSplunker
 

diff --git a/overrides/main.html b/overrides/main.html
@@ -0,0 +1,11 @@
+{% extends "base.html" %}
+
+{% block announce %}
+For updates follow <strong>@ZachTheSplunker</strong> on
+<a rel="me" href="https://fosstodon.org/@ZachTheSplunker" target="_blank">
+    <span class="twemoji mastodon">
+        {% include ".icons/fontawesome/brands/mastodon.svg" %}
+    </span>
+    <strong>Fosstodon</strong>
+</a>
+{% endblock %}
diff --git a/src/SA-CrowdstrikeDevices/app.manifest b/src/SA-CrowdstrikeDevices/app.manifest
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "SA-CrowdstrikeDevices",
-      "version": "1.0.5"
+      "version": "1.1.0"
     },
     "author": [
       {

diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf
@@ -3,16 +3,23 @@
 # To make changes, copy the section/stanza you want to change from ./default
 # into ../local and edit there.
 
+[author=ZachTheSplunker]
+email = zach@zachthesplunker.com
+
+[id]
+name = SA-CrowdstrikeDevices
+version = 1.1.0
+
 [install]
 state_change_requires_restart = false
 is_configured = false
 state = enabled
-build = 4
+build = 7
 
 [launcher]
 author  = ZachTheSplunker
 description = This supporting add-on allows device information pulled from Crowdstrike to be used with Splunk Enterprise Security's Asset Database.
-version = 1.0.5
+version = 1.1.0
 
 [ui]
 is_visible = 0