Version 1.1.3 (#65)

- Added managed configurations for Splunk Enterprise Security to control the retention of the lookup file - Deprecating use of the search macro "sa_crowdstrike_retention" and the corresponding saved search. --------- Signed-off-by: Zachary Christensen <[email protected]>
splunk · Dec 8, 2023 · 586cc40 · 586cc40
1 parent 9be3fc8
commit 586cc40
Show file tree

Hide file tree

Showing 27 changed files with 87 additions and 62 deletions.
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
@@ -1,5 +1,6 @@
 name: Splunk Appinspect
 on:
+  workflow_dispatch:
   pull_request:
     branches:
       - main

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,6 @@
 name: release
 on:
+  workflow_dispatch:
   push:
     branches:
       - master

diff --git a/README.md b/README.md
@@ -1,3 +1,9 @@
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="docs/static/hero.webp">
+  <source media="(prefers-color-scheme: light)" srcset="docs/static/hero.webp">
+  <img alt="SA-CrowdstrikeDevices" src="docs/static/hero.webp">
+</picture>
+
 <div align="center">
     <h3>CrowdStrike Devices for Splunk Enterprise Security</h3>
     <p>This supporting add-on comes with prebuilt content for  CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database.</p>
@@ -29,7 +35,7 @@ Full documentation can be found at [https://splunk.github.io/SA-CrowdstrikeDevic
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.1.2 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) 
+SA-CrowdstrikeDevices | 1.1.3 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) 
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 CrowdStrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.

diff --git a/SA-CrowdstrikeDevices/app.manifest b/SA-CrowdstrikeDevices/app.manifest
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "SA-CrowdstrikeDevices",
-      "version": "1.1.2"
+      "version": "1.1.3"
     },
     "author": [
       {

diff --git a/SA-CrowdstrikeDevices/default/app.conf b/SA-CrowdstrikeDevices/default/app.conf
@@ -8,7 +8,7 @@ email = [email protected]
 
 [id]
 name = SA-CrowdstrikeDevices
-version = 1.1.2
+version = 1.1.3
 
 [install]
 state_change_requires_restart = false
@@ -19,7 +19,7 @@ build = 10
 [launcher]
 author  = ZachTheSplunker
 description = This supporting add-on allows device information pulled from CrowdStrike to be used with Splunk Enterprise Security's Asset Database.
-version = 1.1.2
+version = 1.1.3
 
 [ui]
 is_visible = 0

diff --git a/SA-CrowdstrikeDevices/default/macros.conf b/SA-CrowdstrikeDevices/default/macros.conf
@@ -7,6 +7,7 @@
 definition = index=crowdstrike
 iseval = false
 
+# Deprecated
 [sa_crowdstrike_retention]
 definition = "-2d"
 iseval = false
diff --git a/SA-CrowdstrikeDevices/default/managed_configurations.conf b/SA-CrowdstrikeDevices/default/managed_configurations.conf
@@ -7,9 +7,15 @@
 description = Device information generated from SA-Crowdstrike Devices.
 endpoint = /services/data/transforms/lookups/crowdstrike_devices
 editable = true
-label = CrowdStrike Devices Lookup - Gen
+label = SA-CrowdStrikeDevices
 lookup_type = search
 savedsearch = CrowdStrike Devices Lookup - Gen
+retention = {\
+    "disabled": 0,\
+    "earliestTime": "-2d",\
+    "timeField": "_last_seen",\
+    "timeFormat": "%s"\
+}\
 
 [setting:sa_crowdstrike_index]
 endpoint = /services/admin/macros/sa_crowdstrike_index
@@ -18,11 +24,3 @@ description = Configure SA-CrowdstrikeDevices index for Asset Database
 attribute = definition
 attribute_type = string
 link = [/manager/$@namespace$/data/macros/sa_crowdstrike_index?action=edit|Edit in manager]
-
-[setting:sa_crowdstrike_retention]
-endpoint = /services/admin/macros/sa_crowdstrike_retention
-label = SA-CrowdstrikeDevices Retention
-description = Amount of time before a device is removed from the Asset Database.
-attribute = definition
-attribute_type = string
-link = [/manager/$@namespace$/data/macros/sa_crowdstrike_retention?action=edit|Edit in manager]
diff --git a/SA-CrowdstrikeDevices/default/savedsearches.conf b/SA-CrowdstrikeDevices/default/savedsearches.conf
@@ -62,8 +62,9 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
 | outputlookup key_field=_key crowdstrike_devices \
 | stats count
 
+# Deprecated
 [CrowdStrike Devices Lookup - Cleanup]
-disabled = false
+disabled = true
 cron_schedule = 29 * * * *
 description = removes old entries from kvstore lookup: crowdstrike_devices
 dispatch.earliest_time = -1s

diff --git a/SA-CrowdstrikeDevices/default/static/appIcon.png b/SA-CrowdstrikeDevices/default/static/appIcon.png
diff --git a/SA-CrowdstrikeDevices/default/static/appIconAlt.png b/SA-CrowdstrikeDevices/default/static/appIconAlt.png
diff --git a/SA-CrowdstrikeDevices/default/static/appIconAlt_2x.png b/SA-CrowdstrikeDevices/default/static/appIconAlt_2x.png
diff --git a/SA-CrowdstrikeDevices/default/static/appIcon_2x.png b/SA-CrowdstrikeDevices/default/static/appIcon_2x.png
diff --git a/docs/android-chrome-144x144.png b/docs/android-chrome-144x144.png
diff --git a/docs/apple-touch-icon.png b/docs/apple-touch-icon.png
diff --git a/docs/configure/cleanup.md b/docs/configure/cleanup.md
diff --git a/docs/configure/index.md b/docs/configure/index.md
@@ -14,4 +14,3 @@ Each field can be customized to fit your environment. The following fields shoul
 - [Update Priority](priority.md) <small>(recommended)</small>
 - [Update Category](category.md)
 - [Update Business Unit](bunit.md)
-- [Update Cleanup](cleanup.md)
diff --git a/docs/favicon-16x16.png b/docs/favicon-16x16.png
diff --git a/docs/favicon-32x32.png b/docs/favicon-32x32.png
diff --git a/docs/favicon.ico b/docs/favicon.ico
diff --git a/docs/index.md b/docs/index.md
@@ -1,8 +1,11 @@
 ---
 icon: home
 label: Home
+image: static/hero.webp
 ---
 
+![](static/hero.webp)
+
 # Welcome to the Docs!
 
 The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use [CrowdStrike <small>:icon-link-external:</small>][crowdstrike]{ target="blank" } device data with the Asset Database. This documentation will cover the components used in the add-on and advanced configurations. 
@@ -13,7 +16,7 @@ This Supporting add-on is only intended to work with [Splunk Enterprise Security
 
 > __*Disclaimer*__
 > 
-> *This Splunk Supporting Add-on is __not__ affiliated with [__CrowdStrike, Inc.__ <small>:icon-link-external:</small>][crowdstrike]{ target="blank" } and is not sponsored or sanctioned by the CrowdStrike team. As such, the included documentation does not contain information on how to get started with CrowdStrike. Rather, this documentation serves as a guide to use CrowdStrike device data with Splunk Enterprise Security. Please visit [https://www.crowdstrike.com <small>:icon-link-external:</small>][crowdstrike]{ target="blank" } for more information about CrowdStrike.*
+> *This Splunk Supporting Add-on is __not__ affiliated with [__CrowdStrike, Inc.__ <small>:icon-link-external:</small>][crowdstrike]{ target="blank" } and is not sponsored or sanctioned by the CrowdStrike team. Please visit [https://www.crowdstrike.com <small>:icon-link-external:</small>][crowdstrike]{ target="blank" } for more information about CrowdStrike.*
 
 ## Assumptions
 
@@ -27,7 +30,7 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.1.2 - [Splunkbase <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/6573){ target="blank" } 
+SA-CrowdstrikeDevices | 1.1.3 - [Splunkbase <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/6573){ target="blank" } 
 Splunk Enterprise Security Version <small>(Required)</small> | [7.x \| 6.x <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/263){ target="blank" }
 CrowdStrike Devices Add-on <small>(Required)</small> | [3.x <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/5570){ target="blank" }
 Add-on has a web UI | No, this add-on does not contain views.

diff --git a/docs/mstile-150x150.png b/docs/mstile-150x150.png
diff --git a/docs/releases/index.md b/docs/releases/index.md
@@ -8,9 +8,23 @@ label: Releases
 
 Latest release can be found on [Splunkbase <small>:icon-link-external:</small>](https://splunkbase.splunk.com/app/6573){ target="blank" }.
 
-## v1.1.2 [!badge text="LATEST" variant="info"]
+## v1.1.3 [!badge text="LATEST" variant="info" icon="package"]
 
-Released: December 1, 2023
+Released: [December 7, 2023 <small>:icon-link-external:</small>](https://github.com/splunk/SA-CrowdstrikeDevices/releases/tag/v1.1.3){ target="blank" }
+
++++ Improved :icon-thumbsup:
+- [x] Added managed configurations for Splunk Enterprise Security to control retention of lookup file --> [Schedule Search](/start/scheduled-search.md){ target="blank" }
++++ Deprecated :icon-diff-removed:
+- [x] Deprecating use of the search macro "sa_crowdstrike_retention" and the corresponding saved search.
++++
+
+Full Changelog: [v1.1.2...v1.1.3 <small>:icon-link-external:</small>](https://github.com/splunk/SA-CrowdstrikeDevices/compare/v1.1.1...v1.1.2){ target="blank" }
+
+---
+
+## v1.1.2
+
+Released: [December 1, 2023 <small>:icon-link-external:</small>](https://github.com/splunk/SA-CrowdstrikeDevices/releases/tag/v1.1.2){ target="blank" }
 
 +++ New :icon-shield-check:
 - [x] SplunkWorks updates

diff --git a/docs/retype.yml b/docs/retype.yml
@@ -1,21 +1,34 @@
 input: .
 output: .retype
 url: splunk.github.io/SA-CrowdstrikeDevices/
+
 branding:
   title: SA-CrowdstrikeDevices
-  label: v1.1.2
-  colors:
-    label:
-      text: "#fff"
-      background: "#FC0000"
+  label: v1.1.3
+  logo: static/site-logo.webp
+
 links:
 - text: Splunkbase
   link: https://splunkbase.splunk.com/app/6573
   target: blank
   icon: apps
+
 - text: GitHub
   link: https://github.com/splunk/SA-CrowdstrikeDevices/releases
   target: blank
   icon: mark-github
+
+- text: Issues
+  link: https://github.com/splunk/SA-CrowdstrikeDevices/issues
+  icon: comment-discussion
+  target: blank
+
+footer:
+  links:
+    - text: License - SPLUNK GENERAL TERMS
+      link: https://www.splunk.com/en_us/legal/splunk-general-terms.html
+      target: blank
+      icon: shield-check
+
 markdown:
   lineBreaks: hard
diff --git a/docs/safari-pinned-tab.svg b/docs/safari-pinned-tab.svg
diff --git a/docs/start/scheduled-search.md b/docs/start/scheduled-search.md
@@ -11,8 +11,16 @@ icon: clock
 
 The default saved search runs on the 19th minute of every hour to update and continually build the CrowdStrike assets. To update the default schedule perform the following steps:
 
+==- :icon-star-fill: Use Enterprise Security's Settings <small>(Recommended)</small>
+1. <small>(In Enterprise Security)</small> Navigate to Configure > Content > Content Management.
+2. Type "SA-CrowdStrikeDevices" in the filter text box.
+3. Click "SA-CrowdstrikeDevices"
+4. Update the "Schedule" section as necessary
+5. If necessary, the retention settings can be modified by changing the "Retention" at the bottom.
+==- Update the Schedule Manually (For retention settings follow previous steps)
 1. Navigate to Settings > Searches, reports, and alerts.
-1. Set the "App" dropdown to `SA-CrowdstrikeDevices`.
-1. Set the "Owner" dropdown to `All`.
-1. Click "Edit" under actions for the search `CrowdStrike Devices Lookup - Gen`.
-1. Click "Edit Schedule" and update the schedule and necessary.
+2. Set the "App" dropdown to `SA-CrowdstrikeDevices`.
+3. Set the "Owner" dropdown to `All`.
+4. Click "Edit" under actions for the search `CrowdStrike Devices Lookup - Gen`.
+5.  Click "Edit Schedule" and update the schedule and necessary.
+===
diff --git a/docs/static/hero.webp b/docs/static/hero.webp
diff --git a/docs/static/site-logo.webp b/docs/static/site-logo.webp