diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
index afb8a84..616e36e 100644
--- a/.github/workflows/appinspect.yml
+++ b/.github/workflows/appinspect.yml
@@ -10,7 +10,7 @@ on:
jobs:
call-packaging-workflow:
- uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@154fb6bd5201e90183c99b40661cb931d61781b4
+ uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@7ecada57ac2b19c674658e3dac9751f5b23dec13
secrets:
API_USER: ${{ secrets.API_USER }}
API_PASS: ${{ secrets.API_PASS }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8a098bc..ac2b971 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,6 +7,7 @@ on:
paths:
- "docs/**"
- "mkdocs.yml"
+ - "overrides/**"
jobs:
call-docs-workflow:
diff --git a/README.md b/README.md
index a6f36b6..695f005 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com
Info | Description
------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
Add-on has a web UI | No, this add-on does not contain views.
diff --git a/docs/assets/sa-crowdstrike-example-dark.png b/docs/assets/sa-crowdstrike-example-dark.png
index 4b6d8e4..57080a2 100644
Binary files a/docs/assets/sa-crowdstrike-example-dark.png and b/docs/assets/sa-crowdstrike-example-dark.png differ
diff --git a/docs/assets/sa-crowdstrike-example-light.png b/docs/assets/sa-crowdstrike-example-light.png
index 6e7ddd7..5a29528 100644
Binary files a/docs/assets/sa-crowdstrike-example-light.png and b/docs/assets/sa-crowdstrike-example-light.png differ
diff --git a/docs/index.md b/docs/index.md
index 72885e1..512bf5e 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -5,8 +5,8 @@ hide:
---
# Home
-![Image title](./assets/sa-crowdstrike-logo.svg#only-light)
-![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark)
+![Image title](./assets/sa-crowdstrike-logo.svg#only-light){ class="ignore-image" }
+![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark){ class="ignore-image" }
The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use Crowdstrike device data with the Asset Database.
@@ -33,7 +33,7 @@ This documentation assumes the following:
Info | Description
------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
Add-on has a web UI | No, this add-on does not contain views.
diff --git a/docs/reference/category.md b/docs/reference/category.md
index de198a4..cbe2c3f 100644
--- a/docs/reference/category.md
+++ b/docs/reference/category.md
@@ -4,47 +4,53 @@
Mapped Field | Crowdstrike Event Field | Example value
------------ | ----------------------- | -------------
+bios | `falcon_device.bios_manufacturer` | Dell Inc
+bios_version | `falcon_device.bios_version` | 1.6.5
cs_agent_version | `falcon_device.agent_version` | 6.40.15406.0
-cs_bios_mf | `falcon_device.bios_manufacturer` | hp
-cs_bios_version | `falcon_device.bios_version` | s73_ver_01.08.00
cs_dv_control_applied | `falcon_device.device_policies.device_control.applied` | true
cs_dv_firewall_applied | `falcon_device.device_policies.firewall.applied` | true
cs_dv_globalconfig_applied | `falcon_device.device_policies.global_config.applied` | true
cs_dv_sensorupdate_applied | `falcon_device.device_policies.sensor_update.applied` | true
cs_uninstallprotection | `falcon_device.device_policies.sensor_update.uninstall_protection` | enabled
-cs_os_major_version | `falcon_device.major_version` | 10
-cs_os_platform | `falcon_device.platform_name` | windows
-cs_os_name | `falcon_device.os_version` | windows_10
-cs_dv_type | `falcon_device.product_type_desc` | workstation
-cs_dv_status | `falcon_device.status` | normal
-cs_sys_mf | `falcon_device.system_manufacturer` | hp
-cs_sys_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
-cs_external_ip | `falcon_device.external_ip` | 0.0.0.0
cs_tags | `falcon_device.tags{}` | n/a
cs_first_seen | `falcon_device.first_seen` | 02/14/22 09:52:05 MST
cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT
+os_major_version | `falcon_device.major_version` | 10
+kernel_version | `falcon_device.kernel_version` | 10.0.19044.1889
+os_platform | `falcon_device.platform_name` | windows
+os_name | `falcon_device.os_version` | windows 10
+dvc_type | `falcon_device.product_type_desc` | workstation
+dvc_status | `falcon_device.status` | normal
+dvc_manufacturer | `falcon_device.system_manufacturer` | hp
+dvc_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
+external_ip | `falcon_device.external_ip` | 0.0.0.0
+reduced_functionality_mode | `falcon_device.reduced_functionality_mode` | no
splunk_last_update | n/a | 08/26/22 18:54:42 MDT
### Full example of category value
-```text
-cs_agent_version:6.40.15406.0
-cs_bios_mf:hp
-cs_bios_version:s73_ver_01.08.00
-cs_dv_control_applied:true
-cs_dv_firewall_applied:true
-cs_dv_globalconfig_applied:true
-cs_dv_sensorupdate_applied:true
-cs_dv_status:normal
-cs_dv_type:workstation
-cs_external_ip:0.0.0.0
-cs_os_major_version:10
-cs_os_name:windows_10
-cs_os_platform:windows
-cs_sys_mf:hp
-cs_sys_name:hp_elitebook_850_g7_notebook_pc
-cs_uninstallprotection:enabled
-cs_first_seen:02/14/22 09:52:05 MST
-cs_last_seen:08/24/22 13:25:24 MDT
-splunk_last_updated:08/26/22 18:54:42 MDT
+```yaml
+bios: Dell Inc
+bios_version: 1.6.5
+cs_agent_version: 6.44.15806.0
+cs_dv_control_applied: true
+cs_dv_firewall_applied: true
+cs_dv_globalconfig_applied: true
+cs_dv_sensorupdate_applied: true
+cs_first_seen: 10/15/20 00:31:59 UTC
+cs_last_seen: 09/14/22 15:06:50 UTC
+cs_uninstallprotection: ENABLED
+dvc_manufacturer: Dell Inc
+dvc_name: OptiPlex 5050
+dvc_status: normal
+dvc_type: Workstation
+external_ip: 165.225.10.253
+gen: sa-crowdstrike
+os_major_version: 10
+os_name: Windows 10
+os_platform: Windows
+os_version: 10.0.19044.1889
+provision_status: Provisioned
+reduced_functionality_mode: no
+splunk_last_updated: 03/27/23 02:09:24 UTC
```
diff --git a/docs/releases/index.md b/docs/releases/index.md
index 79c1b22..b513edd 100644
--- a/docs/releases/index.md
+++ b/docs/releases/index.md
@@ -1,6 +1,6 @@
# Release notes
-## [v1.0.5 December 19, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+## [v1.1.0 March 26, 2023](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
### Compatibility
@@ -12,9 +12,64 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570
### What's Changed
-- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+- New format for `category` field:
+ - The `cs_` prefix has been removed from many fields.
+ - Spaces has been added for easier readability.
-**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+=== "New"
+
+ ``` yaml
+ bios: Dell Inc
+ bios_version: 1.6.5
+ cs_agent_version: 6.44.15806.0
+ cs_dv_control_applied: true
+ cs_dv_firewall_applied: true
+ cs_dv_globalconfig_applied: true
+ cs_dv_sensorupdate_applied: true
+ cs_first_seen: 10/15/20 00:31:59 UTC
+ cs_last_seen: 09/14/22 15:06:50 UTC
+ cs_uninstallprotection: ENABLED
+ dvc_manufacturer: Dell Inc
+ dvc_name: OptiPlex 5050
+ dvc_status: normal
+ dvc_type: Workstation
+ external_ip: 165.225.10.253
+ gen: sa-crowdstrike
+ os_major_version: 10
+ os_name: Windows 10
+ os_platform: Windows
+ os_version: 10.0.19044.1889
+ provision_status: Provisioned
+ reduced_functionality_mode: no
+ splunk_last_updated: 03/27/23 02:09:24 UTC
+ ```
+
+=== "Old"
+
+ ``` yaml
+ cs_agent_version:6.44.15806.0
+ cs_bios_mf:dell_inc
+ cs_bios_version:1.6.5
+ cs_dv_control_applied:true
+ cs_dv_firewall_applied:true
+ cs_dv_globalconfig_applied:true
+ cs_dv_sensorupdate_applied:true
+ cs_dv_status:normal
+ cs_dv_type:workstation
+ cs_external_ip:165.225.10.253
+ cs_os_major_version:10
+ cs_os_name:windows_10
+ cs_os_platform:windows
+ cs_sys_mf:dell_inc
+ cs_sys_name:optiplex_5050
+ cs_uninstallprotection:enabled
+ gen:sa_crowdstrike
+ cs_first_seen:10/15/20 00:31:59 UTC
+ cs_last_seen:09/14/22 15:06:50 UTC
+ splunk_last_updated:03/27/23 02:14:24 UTC
+ ```
+
+**Full Changelog**: [v1.0.5...v1.1.0](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.5...v1.1.0)
## Known issues
diff --git a/docs/releases/release-history.md b/docs/releases/release-history.md
index c58d8cf..c21347e 100644
--- a/docs/releases/release-history.md
+++ b/docs/releases/release-history.md
@@ -1,5 +1,27 @@
# Release history
+## [v1.0.5 December 19, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+
+### Compatibility
+
+Product | Version
+--------- | -------
+Splunk platform versions | 9.x, 8.x
+Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/app/263)
+Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570)
+
+### What's Changed
+
+- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+
+**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+
+### Known issues
+
+Issue | Description | Solution | GitHub issue reference
+----- | ----------- | -------- | ----------------------
+Lookup file error | You may see the error `status="Lookup file error, unknown path or update time" name=crowdstrike_devices` | This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation. | Issue [#22](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/22)
+
## [v1.0.4 November 22, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.4)
### Compatibility
diff --git a/docs/requirements.txt b/docs/requirements.txt
index b6f6424..3f551b6 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,5 +1,5 @@
mkdocs==1.4.2
-mkdocs-material==9.0.12
-mkdocs-git-revision-date-localized-plugin==1.1.0
-mkdocs-minify-plugin==0.6.2
-mkdocs-glightbox==0.3.1
+mkdocs-git-revision-date-localized-plugin==1.2.0
+mkdocs-material==9.1.4
+mkdocs-glightbox==0.3.2
+mkdocs-minify-plugin==0.6.4
diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css
new file mode 100644
index 0000000..aaf5c21
--- /dev/null
+++ b/docs/stylesheets/extra.css
@@ -0,0 +1,38 @@
+.md-banner .mastodon {
+ color: #6364FF;
+}
+
+.md-banner {
+ color: var(--md-footer-fg-color--lighter);
+}
+
+.md-banner .twemoji {
+ border-radius: 100%;
+ box-shadow: inset 0 0 0 .05rem currentColor;
+ display: inline-block;
+ height: 1.2rem;
+ padding: .25rem;
+ transition: all .25s;
+ vertical-align: bottom;
+ width: 1.2rem;
+}
+
+.md-banner .twemoji svg {
+ display: block;
+ max-height: none;
+}
+
+.md-banner a:focus .twemoji,
+.md-banner a:hover .twemoji {
+ background-color: var(--md-footer-fg-color);
+ box-shadow: none;
+}
+
+.md-banner a,
+.md-banner strong {
+ color: var(--md-footer-fg-color);
+}
+
+.md-banner strong {
+ white-space: nowrap;
+}
diff --git a/mkdocs.yml b/mkdocs.yml
index 6c5e6bf..a60d602 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -18,8 +18,8 @@ plugins:
height: auto
zoomable: true
draggable: true
- # skip_classes:
- # - custom-skip-class-name
+ skip_classes:
+ - ignore-image
auto_caption: true
caption_position: bottom
- search
@@ -60,6 +60,7 @@ markdown_extensions:
theme:
name: material
+ custom_dir: overrides
# logo:
# favicon:
icon:
@@ -67,6 +68,7 @@ theme:
logo: assets/sa-crowdstrike-logo-small.svg
favicon: assets/sa-crowdstrike-logo-small.svg
features:
+ # - announce.dismiss
# - header.autohide
- navigation.indexes
- navigation.instant
@@ -82,6 +84,7 @@ theme:
- search.highlight
- search.share
- content.action.edit
+ - content.tabs.link
palette:
- media: "(prefers-color-scheme: light)"
scheme: default
@@ -98,14 +101,17 @@ theme:
icon: material/weather-night
name: Switch to light mode
+extra_css:
+ - stylesheets/extra.css
+
extra:
social:
- icon: fontawesome/brands/linkedin
link: https://www.linkedin.com/in/zachthesplunker/
- icon: fontawesome/brands/github
link: https://github.com/ZachChristensen28
- - icon: fontawesome/brands/twitter
- link: https://twitter.com/ZachTheSplunker
+ - icon: fontawesome/brands/mastodon
+ link: https://fosstodon.org/@ZachTheSplunker
copyright: Copyright © 2023 ZachTheSplunker
diff --git a/overrides/main.html b/overrides/main.html
new file mode 100644
index 0000000..b18d702
--- /dev/null
+++ b/overrides/main.html
@@ -0,0 +1,11 @@
+{% extends "base.html" %}
+
+{% block announce %}
+For updates follow @ZachTheSplunker on
+
+
+ {% include ".icons/fontawesome/brands/mastodon.svg" %}
+
+ Fosstodon
+
+{% endblock %}
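Review bot: The link markup for the announcement is not visible in this view — the icon include and the `Fosstodon` label sit on bare lines — so it is unclear whether the text is wrapped in an anchor; if it is and the link opens in a new tab, it should carry `rel="noopener"`, e.g. `<a href="https://fosstodon.org/@ZachTheSplunker" target="_blank" rel="noopener">`, so the external page has no `window.opener` back into the docs site. The target presumably mirrors the `fosstodon.org/@ZachTheSplunker` entry this commit adds under `extra.social` in mkdocs.yml; keeping the two identical avoids pointing readers at different accounts. A short template comment such as `{# announce block: overrides the mkdocs-material banner; keep the link target in sync with extra.social in mkdocs.yml #}` would tell the next editor where this block is configured.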
diff --git a/src/SA-CrowdstrikeDevices/app.manifest b/src/SA-CrowdstrikeDevices/app.manifest
index f8e002f..806cc6c 100644
--- a/src/SA-CrowdstrikeDevices/app.manifest
+++ b/src/SA-CrowdstrikeDevices/app.manifest
@@ -5,7 +5,7 @@
"id": {
"group": null,
"name": "SA-CrowdstrikeDevices",
- "version": "1.0.5"
+ "version": "1.1.0"
},
"author": [
{
diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf
index e87bdfa..a2f2533 100644
--- a/src/SA-CrowdstrikeDevices/default/app.conf
+++ b/src/SA-CrowdstrikeDevices/default/app.conf
@@ -3,16 +3,23 @@
# To make changes, copy the section/stanza you want to change from ./default
# into ../local and edit there.
+[author=ZachTheSplunker]
+email = zach@zachthesplunker.com
+
+[id]
+name = SA-CrowdstrikeDevices
+version = 1.1.0
+
[install]
state_change_requires_restart = false
is_configured = false
state = enabled
-build = 4
+build = 7
[launcher]
author = ZachTheSplunker
description = This supporting add-on allows device information pulled from Crowdstrike to be used with Splunk Enterprise Security's Asset Database.
-version = 1.0.5
+version = 1.1.0
[ui]
is_visible = 0
diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf
index d63442c..8996c5f 100644
--- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf
+++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf
@@ -15,31 +15,33 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
| dedup falcon_device.device_id falcon_device.mac_address \
| rename falcon_device.local_ip as ip \
| eval \
- category=replace(replace(mvjoin(mvsort(lower(mvappend(\
- "cs_agent_version:".'falcon_device.agent_version', \
- "cs_bios_mf:".replace('falcon_device.bios_manufacturer', "[,.]", ""), \
- "cs_bios_version:".rtrim(replace(replace('falcon_device.bios_version', "(?i)(?<=ver)(\.)", ""), "[\(\)]", ""), " "), \
- "cs_dv_control_applied:".'falcon_device.device_policies.device_control.applied',\
- "cs_dv_firewall_applied:".'falcon_device.device_policies.firewall.applied',\
- "cs_dv_globalconfig_applied:".'falcon_device.device_policies.global_config.applied',\
- "cs_dv_sensorupdate_applied:".'falcon_device.device_policies.sensor_update.applied',\
- "cs_uninstallprotection:".'falcon_device.device_policies.sensor_update.uninstall_protection',\
- "cs_os_major_version:".'falcon_device.major_version',\
- "cs_os_platform:".'falcon_device.platform_name',\
- "cs_os_name:".'falcon_device.os_version',\
- "cs_dv_type:".'falcon_device.product_type_desc',\
- "cs_dv_status:".'falcon_device.status',\
- "cs_sys_mf:".replace('falcon_device.system_manufacturer', "[,.]", ""),\
- "cs_sys_name:".replace('falcon_device.system_product_name', "[\(\)]", ""),\
- "cs_external_ip:".'falcon_device.external_ip',\
- "cs_tags:".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\
- "gen:sa-crowdstrike"\
- ))), "|"), " |-", "_"), "(?:\|[^:]+:[_]+)(\|*)", "\1"),\
- category=category."|".mvjoin(mvappend(\
- "cs_first_seen:".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\
- "cs_last_seen:".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\
- "splunk_last_updated:".strftime(now(), "%x %T %Z")\
- ), "|"),\
+ category=mvjoin(mvsort(mvappend(\
+ "cs_agent_version: ".'falcon_device.agent_version',\
+ "bios: ".replace('falcon_device.bios_manufacturer', "[,.]", ""),\
+ "bios_version: ".rtrim(replace(replace('falcon_device.bios_version', "(?i)(?<=ver)(\.)", ""), "[\(\)]", ""), " "),\
+ "cs_dv_control_applied: ".'falcon_device.device_policies.device_control.applied',\
+ "cs_dv_firewall_applied: ".'falcon_device.device_policies.firewall.applied',\
+ "cs_dv_globalconfig_applied: ".'falcon_device.device_policies.global_config.applied',\
+ "cs_dv_sensorupdate_applied: ".'falcon_device.device_policies.sensor_update.applied',\
+ "cs_uninstallprotection: ".'falcon_device.device_policies.sensor_update.uninstall_protection',\
+ case('falcon_device.platform_name'=="Linux",mvappend("kernel_version: ".'falcon_device.kernel_version', "kernel_major_version: ".'falcon_device.major_version')),\
+ case('falcon_device.platform_name'!="Linux",mvappend("os_version: ".'falcon_device.kernel_version', "os_major_version: ".'falcon_device.major_version')),\
+ "os_platform: ".'falcon_device.platform_name',\
+ "os_name: ".'falcon_device.os_version',\
+ "dvc_type: ".'falcon_device.product_type_desc',\
+ "dvc_status: ".'falcon_device.status',\
+ "provision_status: ".'falcon_device.provision_status',\
+ "reduced_functionality_mode: ".'falcon_device.reduced_functionality_mode',\
+ "zone_group: ".'falcon_device.zone_group',\
+ "dvc_manufacturer: ".replace('falcon_device.system_manufacturer', "[,.]", ""),\
+ "dvc_name: ".replace('falcon_device.system_product_name', "[\(\)]", ""),\
+ "external_ip: ".'falcon_device.external_ip',\
+ "cs_tags: ".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\
+ "gen: sa-crowdstrike",\
+ "cs_first_seen: ".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\
+ "cs_last_seen: ".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\
+ "splunk_last_updated: ".strftime(now(), "%x %T %Z")\
+ )), "|"),\
nt_host=lower('falcon_device.hostname'),\
dns=lower(nt_host.".".'falcon_device.machine_domain'),\
mac=lower(replace('falcon_device.mac_address', "-", ":")),\
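Review bot: The two complementary `case()` calls on the `kernel_version`/`os_version` lines leave a gap: `case()` yields null when its single condition is false, so a device whose `falcon_device.platform_name` is missing satisfies neither `=="Linux"` nor `!="Linux"` and both the kernel/OS version and the major version silently drop out of `category`, and the exact-match comparison presumably files a `linux`/`LINUX` spelling under `os_version` instead of `kernel_version`. A single `if(lower('falcon_device.platform_name')=="linux", mvappend("kernel_version: ".'falcon_device.kernel_version', "kernel_major_version: ".'falcon_device.major_version'), mvappend("os_version: ".'falcon_device.kernel_version', "os_major_version: ".'falcon_device.major_version'))` keeps the branches mutually exclusive while guaranteeing one of them always fires. Separately, the new list emits `kernel_major_version`, `os_version`, `zone_group` and `provision_status`, none of which appear in the mapped-field table this same commit rewrites in docs/reference/category.md, so that table should be brought in line with the fields actually produced here. The `eval` continues past the end of the hunk and the enclosing savedsearch stanza begins before it.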