diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
index afb8a84..616e36e 100644
--- a/.github/workflows/appinspect.yml
+++ b/.github/workflows/appinspect.yml
@@ -10,7 +10,7 @@ on:
 jobs:
 call-packaging-workflow:
- uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@154fb6bd5201e90183c99b40661cb931d61781b4
+ uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@7ecada57ac2b19c674658e3dac9751f5b23dec13
 secrets:
 API_USER: ${{ secrets.API_USER }}
 API_PASS: ${{ secrets.API_PASS }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8a098bc..ac2b971 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,6 +7,7 @@ on:
 paths:
 - "docs/**"
 - "mkdocs.yml"
+ - "overrides/**"
 jobs:
 call-docs-workflow:
diff --git a/README.md b/README.md
index a6f36b6..695f005 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.
diff --git a/docs/assets/sa-crowdstrike-example-dark.png b/docs/assets/sa-crowdstrike-example-dark.png
index 4b6d8e4..57080a2 100644
Binary files a/docs/assets/sa-crowdstrike-example-dark.png and b/docs/assets/sa-crowdstrike-example-dark.png differ
diff --git a/docs/assets/sa-crowdstrike-example-light.png b/docs/assets/sa-crowdstrike-example-light.png
index 6e7ddd7..5a29528 100644
Binary files a/docs/assets/sa-crowdstrike-example-light.png and b/docs/assets/sa-crowdstrike-example-light.png differ
diff --git a/docs/index.md b/docs/index.md
index 72885e1..512bf5e 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -5,8 +5,8 @@ hide:
 ---
 # Home
-![Image title](./assets/sa-crowdstrike-logo.svg#only-light)
-![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark)
+![Image title](./assets/sa-crowdstrike-logo.svg#only-light){ class="ignore-image" }
+![Image title](./assets/sa-crowdstrike-logo-dark.svg#only-dark){ class="ignore-image" }
 The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use Crowdstrike device data with the Asset Database.
@@ -33,7 +33,7 @@ This documentation assumes the following:
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.5 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+SA-CrowdstrikeDevices | 1.1.0 - [Splunkbase](https://splunkbase.splunk.com/app/6573) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.
diff --git a/docs/reference/category.md b/docs/reference/category.md
index de198a4..cbe2c3f 100644
--- a/docs/reference/category.md
+++ b/docs/reference/category.md
@@ -4,47 +4,53 @@ Mapped Field | Crowdstrike Event Field | Example value
 ------------ | ----------------------- | -------------
+bios | `falcon_device.bios_manufacturer` | Dell Inc
+bios_version | `falcon_device.bios_version` | 1.6.5
 cs_agent_version | `falcon_device.agent_version` | 6.40.15406.0
-cs_bios_mf | `falcon_device.bios_manufacturer` | hp
-cs_bios_version | `falcon_device.bios_version` | s73_ver_01.08.00
 cs_dv_control_applied | `falcon_device.device_policies.device_control.applied` | true
 cs_dv_firewall_applied | `falcon_device.device_policies.firewall.applied` | true
 cs_dv_globalconfig_applied | `falcon_device.device_policies.global_config.applied` | true
 cs_dv_sensorupdate_applied | `falcon_device.device_policies.sensor_update.applied` | true
 cs_uninstallprotection | `falcon_device.device_policies.sensor_update.uninstall_protection` | enabled
-cs_os_major_version | `falcon_device.major_version` | 10
-cs_os_platform | `falcon_device.platform_name` | windows
-cs_os_name | `falcon_device.os_version` | windows_10
-cs_dv_type | `falcon_device.product_type_desc` | workstation
-cs_dv_status | `falcon_device.status` | normal
-cs_sys_mf | `falcon_device.system_manufacturer` | hp
-cs_sys_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
-cs_external_ip | `falcon_device.external_ip` | 0.0.0.0
 cs_tags | `falcon_device.tags{}` | n/a
 cs_first_seen | `falcon_device.first_seen` | 02/14/22 09:52:05 MST
 cs_last_seen | `falcon_device.first_seen` | 08/24/22 13:25:24 MDT
+os_major_version | `falcon_device.major_version` | 10
+kernel_version | `falcon_device.kernel_version` | 10.0.19044.1889
+os_platform | `falcon_device.platform_name` | windows
+os_name | `falcon_device.os_version` | windows 10
+dvc_type | `falcon_device.product_type_desc` | workstation
+dvc_status | `falcon_device.status` | normal
+dvc_manufacturer | `falcon_device.system_manufacturer` | hp
+dvc_name | `falcon_device.system_product_name` | hp_elitebook_850_g7_notebook_pc
+external_ip | `falcon_device.external_ip` | 0.0.0.0
+reduced_functionality_mode | `falcon_device.reduced_functionality_mode` | no
 splunk_last_update | n/a | 08/26/22 18:54:42 MDT
 ### Full example of category value
-```text
-cs_agent_version:6.40.15406.0
-cs_bios_mf:hp
-cs_bios_version:s73_ver_01.08.00
-cs_dv_control_applied:true
-cs_dv_firewall_applied:true
-cs_dv_globalconfig_applied:true
-cs_dv_sensorupdate_applied:true
-cs_dv_status:normal
-cs_dv_type:workstation
-cs_external_ip:0.0.0.0
-cs_os_major_version:10
-cs_os_name:windows_10
-cs_os_platform:windows
-cs_sys_mf:hp
-cs_sys_name:hp_elitebook_850_g7_notebook_pc
-cs_uninstallprotection:enabled
-cs_first_seen:02/14/22 09:52:05 MST
-cs_last_seen:08/24/22 13:25:24 MDT
-splunk_last_updated:08/26/22 18:54:42 MDT
+```yaml
+bios: Dell Inc
+bios_version: 1.6.5
+cs_agent_version: 6.44.15806.0
+cs_dv_control_applied: true
+cs_dv_firewall_applied: true
+cs_dv_globalconfig_applied: true
+cs_dv_sensorupdate_applied: true
+cs_first_seen: 10/15/20 00:31:59 UTC
+cs_last_seen: 09/14/22 15:06:50 UTC
+cs_uninstallprotection: ENABLED
+dvc_manufacturer: Dell Inc
+dvc_name: OptiPlex 5050
+dvc_status: normal
+dvc_type: Workstation
+external_ip: 165.225.10.253
+gen: sa-crowdstrike
+os_major_version: 10
+os_name: Windows 10
+os_platform: Windows
+os_version: 10.0.19044.1889
+provision_status: Provisioned
+reduced_functionality_mode: no
+splunk_last_updated: 03/27/23 02:09:24 UTC
 ```
diff --git a/docs/releases/index.md b/docs/releases/index.md
index 79c1b22..b513edd 100644
--- a/docs/releases/index.md
+++ b/docs/releases/index.md
@@ -1,6 +1,6 @@
 # Release notes
-## [v1.0.5 December 19, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+## [v1.1.0 March 26, 2023](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.1.0)
 ### Compatibility
@@ -12,9 +12,64 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570
 ### What's Changed
-- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+- New format for `category` field:
+ - The `cs_` prefix has been removed from many fields.
+ - Spaces has been added for easier readability.
-**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+=== "New"
+
+ ``` yaml
+ bios: Dell Inc
+ bios_version: 1.6.5
+ cs_agent_version: 6.44.15806.0
+ cs_dv_control_applied: true
+ cs_dv_firewall_applied: true
+ cs_dv_globalconfig_applied: true
+ cs_dv_sensorupdate_applied: true
+ cs_first_seen: 10/15/20 00:31:59 UTC
+ cs_last_seen: 09/14/22 15:06:50 UTC
+ cs_uninstallprotection: ENABLED
+ dvc_manufacturer: Dell Inc
+ dvc_name: OptiPlex 5050
+ dvc_status: normal
+ dvc_type: Workstation
+ external_ip: 165.225.10.253
+ gen: sa-crowdstrike
+ os_major_version: 10
+ os_name: Windows 10
+ os_platform: Windows
+ os_version: 10.0.19044.1889
+ provision_status: Provisioned
+ reduced_functionality_mode: no
+ splunk_last_updated: 03/27/23 02:09:24 UTC
+ ```
+
+=== "Old"
+
+ ``` yaml
+ cs_agent_version:6.44.15806.0
+ cs_bios_mf:dell_inc
+ cs_bios_version:1.6.5
+ cs_dv_control_applied:true
+ cs_dv_firewall_applied:true
+ cs_dv_globalconfig_applied:true
+ cs_dv_sensorupdate_applied:true
+ cs_dv_status:normal
+ cs_dv_type:workstation
+ cs_external_ip:165.225.10.253
+ cs_os_major_version:10
+ cs_os_name:windows_10
+ cs_os_platform:windows
+ cs_sys_mf:dell_inc
+ cs_sys_name:optiplex_5050
+ cs_uninstallprotection:enabled
+ gen:sa_crowdstrike
+ cs_first_seen:10/15/20 00:31:59 UTC
+ cs_last_seen:09/14/22 15:06:50 UTC
+ splunk_last_updated:03/27/23 02:14:24 UTC
+ ```
+
+**Full Changelog**: [v1.0.5...v1.1.0](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.5...v1.1.0)
 ## Known issues
diff --git a/docs/releases/release-history.md b/docs/releases/release-history.md
index c58d8cf..c21347e 100644
--- a/docs/releases/release-history.md
+++ b/docs/releases/release-history.md
@@ -1,5 +1,27 @@
 # Release history
+## [v1.0.5 December 19, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.5)
+
+### Compatibility
+
+Product | Version
+--------- | -------
+Splunk platform versions | 9.x, 8.x
+Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/app/263)
+Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570)
+
+### What's Changed
+
+- Added macro and retention definition to ES General Settings in [#35](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/commit/8a1f138b2a244e6b6bbc7cd07d6a4db7a2f67ab5)
+
+**Full Changelog**: [v1.0.4...v1.0.5](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/compare/v1.0.4...v1.0.5)
+
+### Known issues
+
+Issue | Description | Solution | GitHub issue reference
+----- | ----------- | -------- | ----------------------
+Lookup file error | You may see the error `status="Lookup file error, unknown path or update time" name=crowdstrike_devices` | This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation. | Issue [#22](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/22)
+
 ## [v1.0.4 November 22, 2022](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/releases/tag/v1.0.4)
 ### Compatibility
diff --git a/docs/requirements.txt b/docs/requirements.txt
index b6f6424..3f551b6 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,5 +1,5 @@
 mkdocs==1.4.2
-mkdocs-material==9.0.12
-mkdocs-git-revision-date-localized-plugin==1.1.0
-mkdocs-minify-plugin==0.6.2
-mkdocs-glightbox==0.3.1
+mkdocs-git-revision-date-localized-plugin==1.2.0
+mkdocs-material==9.1.4
+mkdocs-glightbox==0.3.2
+mkdocs-minify-plugin==0.6.4
diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css
new file mode 100644
index 0000000..aaf5c21
--- /dev/null
+++ b/docs/stylesheets/extra.css
@@ -0,0 +1,38 @@
+.md-banner .mastodon {
+ color: #6364FF;
+}
+
+.md-banner {
+ color: var(--md-footer-fg-color--lighter);
+}
+
+.md-banner .twemoji {
+ border-radius: 100%;
+ box-shadow: inset 0 0 0 .05rem currentColor;
+ display: inline-block;
+ height: 1.2rem;
+ padding: .25rem;
+ transition: all .25s;
+ vertical-align: bottom;
+ width: 1.2rem;
+}
+
+.md-banner .twemoji svg {
+ display: block;
+ max-height: none;
+}
+
+.md-banner a:focus .twemoji,
+.md-banner a:hover .twemoji {
+ background-color: var(--md-footer-fg-color);
+ box-shadow: none;
+}
+
+.md-banner a,
+.md-banner strong {
+ color: var(--md-footer-fg-color);
+}
+
+.md-banner strong {
+ white-space: nowrap;
+}
diff --git a/mkdocs.yml b/mkdocs.yml
index 6c5e6bf..a60d602 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -18,8 +18,8 @@ plugins:
 height: auto
 zoomable: true
 draggable: true
- # skip_classes:
- # - custom-skip-class-name
+ skip_classes:
+ - ignore-image
 auto_caption: true
 caption_position: bottom
 - search
@@ -60,6 +60,7 @@ markdown_extensions:
 theme:
 name: material
+ custom_dir: overrides
 # logo:
 # favicon:
 icon:
@@ -67,6 +68,7 @@ theme:
 logo: assets/sa-crowdstrike-logo-small.svg
 favicon: assets/sa-crowdstrike-logo-small.svg
 features:
+ # - announce.dismiss
 # - header.autohide
 - navigation.indexes
 - navigation.instant
@@ -82,6 +84,7 @@ theme:
 - search.highlight
 - search.share
 - content.action.edit
+ - content.tabs.link
 palette:
 - media: "(prefers-color-scheme: light)"
 scheme: default
@@ -98,14 +101,17 @@ theme:
 icon: material/weather-night
 name: Switch to light mode
+extra_css:
+ - stylesheets/extra.css
+
 extra:
 social:
 - icon: fontawesome/brands/linkedin
 link: https://www.linkedin.com/in/zachthesplunker/
 - icon: fontawesome/brands/github
 link: https://github.com/ZachChristensen28
- - icon: fontawesome/brands/twitter
- link: https://twitter.com/ZachTheSplunker
+ - icon: fontawesome/brands/mastodon
+ link: https://fosstodon.org/@ZachTheSplunker
 copyright: Copyright © 2023 ZachTheSplunker
diff --git a/overrides/main.html b/overrides/main.html
new file mode 100644
index 0000000..b18d702
--- /dev/null
+++ b/overrides/main.html
@@ -0,0 +1,11 @@
+{% extends "base.html" %}
+
+{% block announce %}
+For updates follow @ZachTheSplunker on
+
+
+ {% include ".icons/fontawesome/brands/mastodon.svg" %}
+
+ Fosstodon
+
+{% endblock %}
diff --git a/src/SA-CrowdstrikeDevices/app.manifest b/src/SA-CrowdstrikeDevices/app.manifest
index f8e002f..806cc6c 100644
--- a/src/SA-CrowdstrikeDevices/app.manifest
+++ b/src/SA-CrowdstrikeDevices/app.manifest
@@ -5,7 +5,7 @@
 "id": {
 "group": null,
 "name": "SA-CrowdstrikeDevices",
- "version": "1.0.5"
+ "version": "1.1.0"
 },
 "author": [
 {
diff --git a/src/SA-CrowdstrikeDevices/default/app.conf b/src/SA-CrowdstrikeDevices/default/app.conf
index e87bdfa..a2f2533 100644
--- a/src/SA-CrowdstrikeDevices/default/app.conf
+++ b/src/SA-CrowdstrikeDevices/default/app.conf
@@ -3,16 +3,23 @@
 # To make changes, copy the section/stanza you want to change from ./default
 # into ../local and edit there.
+[author=ZachTheSplunker]
+email = zach@zachthesplunker.com
+
+[id]
+name = SA-CrowdstrikeDevices
+version = 1.1.0
+
 [install]
 state_change_requires_restart = false
 is_configured = false
 state = enabled
-build = 4
+build = 7
 [launcher]
 author = ZachTheSplunker
 description = This supporting add-on allows device information pulled from Crowdstrike to be used with Splunk Enterprise Security's Asset Database.
-version = 1.0.5
+version = 1.1.0
 [ui]
 is_visible = 0
diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf
index d63442c..8996c5f 100644
--- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf
+++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf
@@ -15,31 +15,33 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
 | dedup falcon_device.device_id falcon_device.mac_address \
 | rename falcon_device.local_ip as ip \
 | eval \
- category=replace(replace(mvjoin(mvsort(lower(mvappend(\
- "cs_agent_version:".'falcon_device.agent_version', \
- "cs_bios_mf:".replace('falcon_device.bios_manufacturer', "[,.]", ""), \
- "cs_bios_version:".rtrim(replace(replace('falcon_device.bios_version', "(?i)(?<=ver)(\.)", ""), "[\(\)]", ""), " "), \
- "cs_dv_control_applied:".'falcon_device.device_policies.device_control.applied',\
- "cs_dv_firewall_applied:".'falcon_device.device_policies.firewall.applied',\
- "cs_dv_globalconfig_applied:".'falcon_device.device_policies.global_config.applied',\
- "cs_dv_sensorupdate_applied:".'falcon_device.device_policies.sensor_update.applied',\
- "cs_uninstallprotection:".'falcon_device.device_policies.sensor_update.uninstall_protection',\
- "cs_os_major_version:".'falcon_device.major_version',\
- "cs_os_platform:".'falcon_device.platform_name',\
- "cs_os_name:".'falcon_device.os_version',\
- "cs_dv_type:".'falcon_device.product_type_desc',\
- "cs_dv_status:".'falcon_device.status',\
- "cs_sys_mf:".replace('falcon_device.system_manufacturer', "[,.]", ""),\
- "cs_sys_name:".replace('falcon_device.system_product_name', "[\(\)]", ""),\
- "cs_external_ip:".'falcon_device.external_ip',\
- "cs_tags:".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\
- "gen:sa-crowdstrike"\
- ))), "|"), " |-", "_"), "(?:\|[^:]+:[_]+)(\|*)", "\1"),\
- category=category."|".mvjoin(mvappend(\
- "cs_first_seen:".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\
- "cs_last_seen:".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\
- "splunk_last_updated:".strftime(now(), "%x %T %Z")\
- ), "|"),\
+ category=mvjoin(mvsort(mvappend(\
+ "cs_agent_version: ".'falcon_device.agent_version',\
+ "bios: ".replace('falcon_device.bios_manufacturer', "[,.]", ""),\
+ "bios_version: ".rtrim(replace(replace('falcon_device.bios_version', "(?i)(?<=ver)(\.)", ""), "[\(\)]", ""), " "),\
+ "cs_dv_control_applied: ".'falcon_device.device_policies.device_control.applied',\
+ "cs_dv_firewall_applied: ".'falcon_device.device_policies.firewall.applied',\
+ "cs_dv_globalconfig_applied: ".'falcon_device.device_policies.global_config.applied',\
+ "cs_dv_sensorupdate_applied: ".'falcon_device.device_policies.sensor_update.applied',\
+ "cs_uninstallprotection: ".'falcon_device.device_policies.sensor_update.uninstall_protection',\
+ case('falcon_device.platform_name'=="Linux",mvappend("kernel_version: ".'falcon_device.kernel_version', "kernel_major_version: ".'falcon_device.major_version')),\
+ case('falcon_device.platform_name'!="Linux",mvappend("os_version: ".'falcon_device.kernel_version', "os_major_version: ".'falcon_device.major_version')),\
+ "os_platform: ".'falcon_device.platform_name',\
+ "os_name: ".'falcon_device.os_version',\
+ "dvc_type: ".'falcon_device.product_type_desc',\
+ "dvc_status: ".'falcon_device.status',\
+ "provision_status: ".'falcon_device.provision_status',\
+ "reduced_functionality_mode: ".'falcon_device.reduced_functionality_mode',\
+ "zone_group: ".'falcon_device.zone_group',\
+ "dvc_manufacturer: ".replace('falcon_device.system_manufacturer', "[,.]", ""),\
+ "dvc_name: ".replace('falcon_device.system_product_name', "[\(\)]", ""),\
+ "external_ip: ".'falcon_device.external_ip',\
+ "cs_tags: ".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\
+ "gen: sa-crowdstrike",\
+ "cs_first_seen: ".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\
+ "cs_last_seen: ".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\
+ "splunk_last_updated: ".strftime(now(), "%x %T %Z")\
+ )), "|"),\
 nt_host=lower('falcon_device.hostname'),\
 dns=lower(nt_host.".".'falcon_device.machine_domain'),\
 mac=lower(replace('falcon_device.mac_address', "-", ":")),\
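Review bot: The rewritten `category` eval now emits `provision_status`, `zone_group`, `os_version` and, on Linux, `kernel_major_version`, but the docs/reference/category.md table changed in this same commit documents none of them, and its `kernel_version` row carries a `10.0.19044.1889` example that the yaml sample on the same page attributes to `os_version` on Windows, whereas the new `case('falcon_device.platform_name'=="Linux", …)` line emits `kernel_version` only for Linux; the unchanged `cs_last_seen` row there also still cites `falcon_device.first_seen` while this search reads `falcon_device.last_seen`. The two `case()` comparisons are case-sensitive and the old `lower()` wrapper around the whole `mvappend` has been dropped, so a platform_name delivered as `linux` would silently take the non-Linux branch; if the casing of that field is not guaranteed by the add-on, `case(lower('falcon_device.platform_name')=="linux", …)` and the matching `!=` line are the safer form. The list is still joined on `|` and the newly passed-through fields such as `zone_group` receive no `replace()` cleanup, so a value containing `|` or `: ` would split into a spurious category entry for whatever consumes this field downstream; a short comment stating the delimiter contract, or the same `replace()` the manufacturer fields get, would close that gap. The `search =` definition starts in the hunk header and the `eval` continues beyond the last context line shown here.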