diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
index 3c9ab18..c95c0b8 100644
--- a/.github/workflows/appinspect.yml
+++ b/.github/workflows/appinspect.yml
@@ -1,13 +1,13 @@
name: Splunk Appinspect
on:
workflow_dispatch:
- # pull_request:
- # branches:
- # - main
- # - master
- # paths:
- # - "SA-SentinelOneDevices/**"
- # types: [opened, ready_for_review]
+ pull_request:
+ branches:
+ - main
+ - master
+ paths:
+ - "SA-SentinelOneDevices/**"
+ types: [opened, ready_for_review]
jobs:
call-packaging-workflow:
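Review bot: The `types` filter on the re-enabled `pull_request` trigger omits `synchronize`, so AppInspect runs once when a PR is opened or marked ready for review and never again when further commits are pushed to it, which lets a PR merge with a passing check that covered an older revision; use `types: [opened, synchronize, ready_for_review]`. Because this is a `pull_request` event rather than `pull_request_target`, runs for forked PRs get a read-only token and no secrets, which is the right choice for a workflow that inspects untrusted code. The `call-packaging-workflow` job body continues outside the hunk.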
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index cb2d42e..152c8f2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,12 +2,12 @@ name: docs
on:
workflow_dispatch:
- # push:
- # branches:
- # - main
- # - master
- # paths:
- # - "docs/**"
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - "docs/**"
permissions:
contents: write
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index f3549e8..20b0955 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,13 +1,13 @@
name: fossa
on:
workflow_dispatch:
- # pull_request:
- # branches:
- # - main
- # - master
- # paths:
- # - "SA-SentinelOneDevices/**"
- # types: [opened, ready_for_review]
+ pull_request:
+ branches:
+ - main
+ - master
+ paths:
+ - "SA-SentinelOneDevices/**"
+ types: [opened, ready_for_review]
jobs:
fossa-scan:
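Review bot: Without `synchronize` in `types`, commits pushed to an already-open PR do not re-run the FOSSA scan, so a dependency added after the PR was opened is never scanned before merge; use `types: [opened, synchronize, ready_for_review]`. If the `fossa-scan` job (its body is outside the hunk) authenticates with a repository secret, remember that `pull_request` runs from forks receive no secrets and will fail rather than scan; either accept that or skip the job for forks with `if: github.event.pull_request.head.repo.full_name == github.repository`.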
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7592b2c..cde1b91 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,12 +1,12 @@
name: release
on:
workflow_dispatch:
- # push:
- # branches:
- # - master
- # - main
- # paths:
- # - "SA-SentinelOneDevices/**"
+ push:
+ branches:
+ - master
+ - main
+ paths:
+ - "SA-SentinelOneDevices/**"
permissions:
contents: write
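Review bot: The re-enabled `push` trigger cuts a release from every push to `main` or `master` that touches `SA-SentinelOneDevices/**`, under a `contents: write` token, including merges that do not change the version in app.manifest or app.conf; if the job (outside the hunk) tags or uploads by version, a second merge at the same version will collide with the existing tag or overwrite the published asset. Consider gating on tags, e.g. `on: push: tags: ["v*"]`, and keeping `workflow_dispatch` for manual runs. Either way, make sure branch protection covers both branch names listed, since each now starts a write-capable workflow.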
diff --git a/README.md b/README.md
index ef4c7bd..29413f5 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ This supporting add-on comes with prebuilt content for SentinelOne device data t
Info | Description
------|----------
-SA-SentinelOneDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6612)
+SA-SentinelOneDevices | 1.0.2 - [Splunkbase](https://splunkbase.splunk.com/app/6612)
Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
SentinelOne App For Splunk (Required) | [5.1.x](https://splunkbase.splunk.com/app/5433)
Add-on has a web UI | No, this add-on does not contain views.
diff --git a/SA-SentinelOneDevices/README.txt b/SA-SentinelOneDevices/README.txt
index 7067141..aa50735 100644
--- a/SA-SentinelOneDevices/README.txt
+++ b/SA-SentinelOneDevices/README.txt
@@ -1 +1 @@
-Documentation for the APP_NAME add-on can be found at https://splunk-sa-sentinelone.ztsplunker.com.
+Documentation for the SA-SentinelOneDevices add-on can be found at https://splunk.github.io/SA-SentinelOneDevices/.
diff --git a/SA-SentinelOneDevices/app.manifest b/SA-SentinelOneDevices/app.manifest
index 59cea91..89048d8 100644
--- a/SA-SentinelOneDevices/app.manifest
+++ b/SA-SentinelOneDevices/app.manifest
@@ -5,7 +5,7 @@
"id": {
"group": null,
"name": "SA-SentinelOneDevices",
- "version": "1.0.1"
+ "version": "1.0.2"
},
"author": [
{
@@ -27,9 +27,9 @@
},
"commonInformationModels": null,
"license": {
- "name": "MIT License",
+ "name": "SPLUNK GENERAL TERMS",
"text": null,
- "uri": "https://opensource.org/licenses/MIT"
+ "uri": "https://www.splunk.com/en_us/legal/splunk-general-terms.html"
},
"privacyPolicy": {
"name": "Splunk Privacy Policy",
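Review bot: The license changes from MIT to Splunk General Terms with `"text": null`, so the manifest only points at an external URL; the repository's LICENSE file (not in this diff) and the Splunkbase listing need the same change, otherwise the packaged app and the source tree claim different licenses. Relicensing away from MIT also only works if every prior contribution can be relicensed, which is worth confirming before this ships.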
@@ -38,7 +38,7 @@
},
"releaseNotes": {
"name": "README",
- "uri": "https://splunk-sa-sentinelone.ztsplunker.com"
+ "uri": "https://splunk.github.io/SA-SentinelOneDevices/releases/"
}
},
"dependencies": {
@@ -48,7 +48,7 @@
},
"SplunkEnterpriseSecuritySuite": {
"version": ">=6.0.0",
- "optional": false
+ "optional": true
}
},
"tasks": [
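Review bot: Marking `SplunkEnterpriseSecuritySuite` as `"optional": true` contradicts the rest of this change: README.md and docs/index.md still list Enterprise Security as "(Required)", and the `identity_manager://` input and managed_configurations.conf only have meaning inside ES. If the goal is to allow installation on a non-ES search head, update the README rows to say so; otherwise keep `"optional": false` so the dependency check fails early instead of the input silently doing nothing.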
diff --git a/SA-SentinelOneDevices/default/app.conf b/SA-SentinelOneDevices/default/app.conf
index 990cad6..a977d48 100644
--- a/SA-SentinelOneDevices/default/app.conf
+++ b/SA-SentinelOneDevices/default/app.conf
@@ -3,16 +3,23 @@
# To make changes, copy the section/stanza you want to change from ./default
# into ../local and edit there.
+[author=ZachTheSplunker]
+email = zchristensen@splunk.com
+
+[id]
+name = SA-SentinelOneDevices
+version = 1.0.2
+
[install]
state_change_requires_restart = false
is_configured = false
state = enabled
-build = 5
+build = 6
[launcher]
author = ZachTheSplunker
description = The SA-SentinelOneDevices add-on allows Splunk Enterprise Security admins to use SentinelOne device data with the Asset Database.
-version = 1.0.1
+version = 1.0.2
[ui]
is_visible = 0
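Review bot: The version now lives in three places — `[id] version`, `[launcher] version` and app.manifest — and a mismatch between them is exactly what AppInspect flags on the next bump. A comment above the new `[id]` stanza such as `# version must match [launcher] version and ../app.manifest` would make that contract visible to whoever edits one of them. Publishing a personal address in `[author=ZachTheSplunker] email` is the author's choice, but it ends up in every installed copy, so a role address may be preferable.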
diff --git a/SA-SentinelOneDevices/default/inputs.conf b/SA-SentinelOneDevices/default/inputs.conf
index 5ba6471..b124560 100644
--- a/SA-SentinelOneDevices/default/inputs.conf
+++ b/SA-SentinelOneDevices/default/inputs.conf
@@ -4,7 +4,6 @@
# into ../local and edit there.
[identity_manager://sentinelone_devices]
-blacklist = true
category = sentinelone_devices
description = Device information from SA-SentinelOneDevices.
target = asset
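Review bot: Dropping `blacklist = true` from `identity_manager://sentinelone_devices` changes how Enterprise Security treats this source — the key now falls back to the ES default — yet the release notes in this diff do not mention it, and it is the one change here that can alter which hosts land in the Asset database. If `blacklist` marks the lookup as an exclusion list in ES (verify against the ES inputs.conf spec), add a stanza comment such as `# blacklist intentionally unset: this input is an asset source, not an exclusion list` and a release-note line. A site that copied the stanza into local/inputs.conf will keep the old value after upgrade, so the notes should say that too.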
diff --git a/SA-SentinelOneDevices/default/macros.conf b/SA-SentinelOneDevices/default/macros.conf
index f902240..09affba 100644
--- a/SA-SentinelOneDevices/default/macros.conf
+++ b/SA-SentinelOneDevices/default/macros.conf
@@ -7,6 +7,7 @@
definition = index=sentinelone
iseval = false
+# Deprecated
[sa_sentinelone_retention]
definition = "-2d"
iseval = false
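Review bot: `# Deprecated` above `[sa_sentinelone_retention]` says nothing about what replaced it or when it goes away, and since the macro is still shipped in default it can still be referenced from a site's own searches. Make the comment actionable: `# Deprecated in 1.0.2: retention is now the "retention" key of the sentinelone_devices lookup in managed_configurations.conf; no shipped search reads this macro any more (the Cleanup search is disabled) and it will be removed in a future release.`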
diff --git a/SA-SentinelOneDevices/default/managed_configurations.conf b/SA-SentinelOneDevices/default/managed_configurations.conf
index 73ee4e4..9e7d690 100644
--- a/SA-SentinelOneDevices/default/managed_configurations.conf
+++ b/SA-SentinelOneDevices/default/managed_configurations.conf
@@ -7,9 +7,15 @@
description = Device information generated from SA-SentinelOne Devices.
editable = true
endpoint = /services/data/transforms/lookups/sentinelone_devices
-label = SentinelOne Devices Lookup - Gen
+label = SA-SentinelOneDevices
lookup_type = search
savedsearch = SentinelOne Devices Lookup - Gen
+retention = {\
+ "disabled": 0,\
+ "earliestTime": "-2d",\
+ "timeField": "_last_seen",\
+ "timeFormat": "%s"\
+}\
[setting:sa_sentinelone_index]
endpoint = /services/admin/macros/sa_sentinelone_index
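Review bot: The closing `}\` of the new `retention` value ends with a backslash, which in Splunk .conf syntax joins the following line into the value; only the blank line after it (dropped in this rendering) keeps `[setting:sa_sentinelone_index]` from being swallowed into the JSON, and the next edit that removes that blank line breaks both stanzas. Drop the backslash on the last line: `}`. The JSON also assumes the `sentinelone_devices` lookup has a `_last_seen` field in epoch seconds (`"%s"`); the generating search is outside this diff, so a comment above `retention` naming that field as the contract would help.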
@@ -18,11 +24,3 @@ description = Configure SA-SentinelOneDevices index definition for the Asset Dat
attribute = definition
attribute_type = string
link = [/manager/$@namespace$/data/macros/sa_sentinelone_index?action=edit|Edit in manager]
-
-[setting:sa_sentinelone_retention]
-endpoint = /services/admin/macros/sa_sentinelone_retention
-label = SA-SentinelOneDevices Retention
-description = Amount of time before a device is removed from the Asset Database.
-attribute = definition
-attribute_type = string
-link = [/manager/$@namespace$/data/macros/sa_sentinelone_retention?action=edit|Edit in manager]
diff --git a/SA-SentinelOneDevices/default/savedsearches.conf b/SA-SentinelOneDevices/default/savedsearches.conf
index c010cda..7f87730 100644
--- a/SA-SentinelOneDevices/default/savedsearches.conf
+++ b/SA-SentinelOneDevices/default/savedsearches.conf
@@ -67,8 +67,9 @@ search = `sa_sentinelone_index` sourcetype="sentinelone:channel:agents" \
| outputlookup key_field=_key sentinelone_devices \
| stats count
+# Deprecated
[SentinelOne Devices Lookup - Cleanup]
-disabled = false
+disabled = true
cron_schedule = 39 * * * *
description = removes old entries from kvstore lookup: sentinelone_devices
dispatch.earliest_time = -1s
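Review bot: `disabled = true` in default/savedsearches.conf does not stop the Cleanup search on an installation that overrides the stanza in local/savedsearches.conf, so a site that had enabled or re-scheduled it keeps running the old hourly cleanup alongside the new ES retention against the same lookup after upgrade. Say so in the release notes, and make the `# Deprecated` comment explain the reason, e.g. `# Deprecated in 1.0.2: lookup retention is handled by managed_configurations.conf; disabled by default, remove any local override`. The stanza continues past the end of the hunk.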
diff --git a/SA-SentinelOneDevices/static/appIcon.png b/SA-SentinelOneDevices/static/appIcon.png
index c27f930..7307e4f 100644
Binary files a/SA-SentinelOneDevices/static/appIcon.png and b/SA-SentinelOneDevices/static/appIcon.png differ
diff --git a/SA-SentinelOneDevices/static/appIconAlt.png b/SA-SentinelOneDevices/static/appIconAlt.png
index c27f930..7307e4f 100644
Binary files a/SA-SentinelOneDevices/static/appIconAlt.png and b/SA-SentinelOneDevices/static/appIconAlt.png differ
diff --git a/SA-SentinelOneDevices/static/appIconAlt_2x.png b/SA-SentinelOneDevices/static/appIconAlt_2x.png
index ad7aebb..048e608 100644
Binary files a/SA-SentinelOneDevices/static/appIconAlt_2x.png and b/SA-SentinelOneDevices/static/appIconAlt_2x.png differ
diff --git a/SA-SentinelOneDevices/static/appIcon_2x.png b/SA-SentinelOneDevices/static/appIcon_2x.png
index ad7aebb..048e608 100644
Binary files a/SA-SentinelOneDevices/static/appIcon_2x.png and b/SA-SentinelOneDevices/static/appIcon_2x.png differ
diff --git a/SA-SentinelOneDevices/static/appLogo.png b/SA-SentinelOneDevices/static/appLogo.png
deleted file mode 100644
index 25106a6..0000000
Binary files a/SA-SentinelOneDevices/static/appLogo.png and /dev/null differ
diff --git a/SA-SentinelOneDevices/static/appLogo_2x.png b/SA-SentinelOneDevices/static/appLogo_2x.png
deleted file mode 100644
index 07b7fb6..0000000
Binary files a/SA-SentinelOneDevices/static/appLogo_2x.png and /dev/null differ
diff --git a/docs/index.md b/docs/index.md
index c275ab8..572ebd7 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -29,7 +29,7 @@ This documentation assumes the following:
Info | Description
------|----------
-SA-SentinelOneDevices | 1.0.1 - [Splunkbase :icon-link-external:](https://splunkbase.splunk.com/app/6612/){ target="blank" }
+SA-SentinelOneDevices | 1.0.2 - [Splunkbase :icon-link-external:](https://splunkbase.splunk.com/app/6612/){ target="blank" }
Splunk Enterprise Security Version (Required) | [7.x \| 6.x :icon-link-external:](https://splunkbase.splunk.com/app/263){ target="blank" }
SentinelOne App For Splunk (Required) | [5.1.x :icon-link-external:](https://splunkbase.splunk.com/app/5433){ target="blank" }
Add-on has a web UI | No, this add-on does not contain views.
diff --git a/docs/releases/index.md b/docs/releases/index.md
index 3d78ad6..a789b22 100644
--- a/docs/releases/index.md
+++ b/docs/releases/index.md
@@ -10,7 +10,7 @@ Latest release can be found on [Splunkbase :icon-link-external:](
## v1.0.2 [!badge text="LATEST" variant="info" icon="package"]
-Released: [December 16, 2023 :icon-link-external:](https://github.com/splunk/SA-SentinelOneDevices/releases/tag/v1.0.2){ target="blank" }
+Released: [December 19, 2023 :icon-link-external:](https://github.com/splunk/SA-SentinelOneDevices/releases/tag/v1.0.2){ target="blank" }
+++ Improved :icon-thumbsup:
- [x] Added managed configurations for Splunk Enterprise Security to control retention of lookup file --> [Schedule Search](/start/scheduled-search.md){ target="blank" }
diff --git a/docs/retype.yml b/docs/retype.yml
index 16cb1cc..79c2ec8 100644
--- a/docs/retype.yml
+++ b/docs/retype.yml
@@ -4,7 +4,7 @@ url: splunk.github.io/SA-SentinelOneDevices/
branding:
title: SA-SentinelOneDevices
- label: v1.0.1
+ label: v1.0.2
links:
- text: Splunkbase