Merge pull request #38 from splunk/dev-v1.0.2

Version 1.0.2

.github/workflows/appinspect.yml

@@ -1,13 +1,13 @@
 name: Splunk Appinspect
 on:
   workflow_dispatch:
-  # pull_request:
-  #   branches:
-  #     - main
-  #     - master
-  #   paths:
-  #     - "SA-SentinelOneDevices/**"
-  #   types: [opened, ready_for_review]
+  pull_request:
+    branches:
+      - main
+      - master
+    paths:
+      - "SA-SentinelOneDevices/**"
+    types: [opened, ready_for_review]
 
 jobs:
   call-packaging-workflow:

.github/workflows/docs.yml

@@ -2,12 +2,12 @@ name: docs
 
 on:
   workflow_dispatch:
-  # push:
-  #   branches:
-  #     - main
-  #     - master
-  #   paths:
-  #     - "docs/**"
+  push:
+    branches:
+      - main
+      - master
+    paths:
+      - "docs/**"
 
 permissions:
   contents: write

.github/workflows/fossa.yml

@@ -1,13 +1,13 @@
 name: fossa
 on:
   workflow_dispatch:
-  # pull_request:
-  #   branches:
-  #     - main
-  #     - master
-  #   paths:
-  #     - "SA-SentinelOneDevices/**"
-  #   types: [opened, ready_for_review]
+  pull_request:
+    branches:
+      - main
+      - master
+    paths:
+      - "SA-SentinelOneDevices/**"
+    types: [opened, ready_for_review]
 
 jobs:
   fossa-scan:

.github/workflows/release.yml

@@ -1,12 +1,12 @@
 name: release
 on:
   workflow_dispatch:
-  # push:
-  #   branches:
-  #     - master
-  #     - main
-  #   paths:
-  #     - "SA-SentinelOneDevices/**"
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - "SA-SentinelOneDevices/**"
 
 permissions:
   contents: write

README.md

@@ -35,7 +35,7 @@ This supporting add-on comes with prebuilt content for SentinelOne device data t
 
 Info | Description
 ------|----------
-SA-SentinelOneDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6612)
+SA-SentinelOneDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6612)
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 SentinelOne App For Splunk (Required) | [5.1.x](https://splunkbase.splunk.com/app/5433)
 Add-on has a web UI | No, this add-on does not contain views.

SA-SentinelOneDevices/README.txt

@@ -1 +1 @@
-Documentation for the APP_NAME add-on can be found at https://splunk-sa-sentinelone.ztsplunker.com.
+Documentation for the SA-SentinelOneDevices add-on can be found at https://splunk.github.io/SA-SentinelOneDevices/.

SA-SentinelOneDevices/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "SA-SentinelOneDevices",
-      "version": "1.0.1"
+      "version": "1.0.2"
     },
     "author": [
       {
@@ -27,9 +27,9 @@
     },
     "commonInformationModels": null,
     "license": {
-      "name": "MIT License",
+      "name": "SPLUNK GENERAL TERMS",
       "text": null,
-      "uri": "https://opensource.org/licenses/MIT"
+      "uri": "https://www.splunk.com/en_us/legal/splunk-general-terms.html"
     },
     "privacyPolicy": {
       "name": "Splunk Privacy Policy",
@@ -38,7 +38,7 @@
     },
     "releaseNotes": {
       "name": "README",
-      "uri": "https://splunk-sa-sentinelone.ztsplunker.com"
+      "uri": "https://splunk.github.io/SA-SentinelOneDevices/releases/"
     }
   },
   "dependencies": {
@@ -48,7 +48,7 @@
     },
     "SplunkEnterpriseSecuritySuite": {
       "version": ">=6.0.0",
-      "optional": false
+      "optional": true
     }
   },
   "tasks": [

SA-SentinelOneDevices/default/app.conf

@@ -3,16 +3,23 @@
 # To make changes, copy the section/stanza you want to change from ./default
 # into ../local and edit there.
 
+[author=ZachTheSplunker]
+email = zchristensen@splunk.com
+
+[id]
+name = SA-SentinelOneDevices
+version = 1.0.2
+
 [install]
 state_change_requires_restart = false
 is_configured = false
 state = enabled
-build = 5
+build = 6
 
 [launcher]
 author  = ZachTheSplunker
 description = The SA-SentinelOneDevices add-on allows Splunk Enterprise Security admins to use SentinelOne device data with the Asset Database.
-version = 1.0.1
+version = 1.0.2
 
 [ui]
 is_visible = 0

SA-SentinelOneDevices/default/inputs.conf

@@ -4,7 +4,6 @@
 # into ../local and edit there.
 
 [identity_manager://sentinelone_devices]
-blacklist   = true
 category    = sentinelone_devices
 description = Device information from SA-SentinelOneDevices.
 target      = asset

SA-SentinelOneDevices/default/macros.conf

@@ -7,6 +7,7 @@
 definition = index=sentinelone
 iseval = false
 
+# Deprecated
 [sa_sentinelone_retention]
 definition = "-2d"
 iseval = false

SA-SentinelOneDevices/default/managed_configurations.conf

@@ -7,9 +7,15 @@
 description = Device information generated from SA-SentinelOne Devices.
 editable = true
 endpoint = /services/data/transforms/lookups/sentinelone_devices
-label = SentinelOne Devices Lookup - Gen
+label = SA-SentinelOneDevices
 lookup_type = search
 savedsearch = SentinelOne Devices Lookup - Gen
+retention = {\
+    "disabled": 0,\
+    "earliestTime": "-2d",\
+    "timeField": "_last_seen",\
+    "timeFormat": "%s"\
+}\
 
 [setting:sa_sentinelone_index]
 endpoint = /services/admin/macros/sa_sentinelone_index
@@ -18,11 +24,3 @@ description = Configure SA-SentinelOneDevices index definition for the Asset Dat
 attribute = definition
 attribute_type = string
 link = [/manager/$@namespace$/data/macros/sa_sentinelone_index?action=edit|Edit in manager]
-
-[setting:sa_sentinelone_retention]
-endpoint = /services/admin/macros/sa_sentinelone_retention
-label = SA-SentinelOneDevices Retention
-description = Amount of time before a device is removed from the Asset Database.
-attribute = definition
-attribute_type = string
-link = [/manager/$@namespace$/data/macros/sa_sentinelone_retention?action=edit|Edit in manager]

SA-SentinelOneDevices/default/savedsearches.conf

@@ -67,8 +67,9 @@ search = `sa_sentinelone_index` sourcetype="sentinelone:channel:agents" \
 | outputlookup key_field=_key sentinelone_devices \
 | stats count
 
+# Deprecated
 [SentinelOne Devices Lookup - Cleanup]
-disabled = false
+disabled = true
 cron_schedule = 39 * * * *
 description = removes old entries from kvstore lookup: sentinelone_devices
 dispatch.earliest_time = -1s

docs/index.md

@@ -29,7 +29,7 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-SA-SentinelOneDevices | 1.0.1 - [Splunkbase <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/6612/){ target="blank" } 
+SA-SentinelOneDevices | 1.0.2 - [Splunkbase <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/6612/){ target="blank" } 
 Splunk Enterprise Security Version <small>(Required)</small> | [7.x \| 6.x <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/263){ target="blank" }
 SentinelOne App For Splunk <small>(Required)</small> | [5.1.x <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/5433){ target="blank" }
 Add-on has a web UI | No, this add-on does not contain views.

docs/releases/index.md

@@ -10,7 +10,7 @@ Latest release can be found on [Splunkbase <small>:icon-link-external:</small>](
 
 ## v1.0.2 [!badge text="LATEST" variant="info" icon="package"]
 
-Released: [December 16, 2023 <small>:icon-link-external:</small>](https://github.com/splunk/SA-SentinelOneDevices/releases/tag/v1.0.2){ target="blank" }
+Released: [December 19, 2023 <small>:icon-link-external:</small>](https://github.com/splunk/SA-SentinelOneDevices/releases/tag/v1.0.2){ target="blank" }
 
 +++ Improved :icon-thumbsup:
 - [x] Added managed configurations for Splunk Enterprise Security to control retention of lookup file --> [Schedule Search](/start/scheduled-search.md){ target="blank" }

docs/retype.yml

@@ -4,7 +4,7 @@ url: splunk.github.io/SA-SentinelOneDevices/
 
 branding:
   title: SA-SentinelOneDevices
-  label: v1.0.1
+  label: v1.0.2
 
 links:
 - text: Splunkbase