diff --git a/README.md b/README.md index e28096f..4c0b8fd 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ Version 1.0.2 New - added `first_seen`, `last_seen`, and `last_updated` to category field (#8). +- added `site_name` to existing `bunit` field (#13). Updated - Changed app logo background to transparent. diff --git a/docs/configure/bunit.md b/docs/configure/bunit.md index 3095960..83c9b0c 100644 --- a/docs/configure/bunit.md +++ b/docs/configure/bunit.md @@ -4,6 +4,6 @@ The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table. -Mapped Field | Crowdstrike field +Mapped Field | Crowdstrike fields ------------ | ----------------- -bunit | `falcon_device.ou{}` +bunit | `falcon_device.ou{}`, `falcon_device.site_name` diff --git a/docs/releases/index.md b/docs/releases/index.md index 5f1bf2a..ee953e7 100644 --- a/docs/releases/index.md +++ b/docs/releases/index.md @@ -13,6 +13,7 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570 ### New - added `first_seen`, `last_seen`, and `last_updated` to category field ([#8](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/8)). +- added `site_name` to existing `bunit` field ([#13](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/13)). ### Updated diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf index 8aea616..707e8ab 100644 --- a/src/SA-CrowdstrikeDevices/default/savedsearches.conf +++ b/src/SA-CrowdstrikeDevices/default/savedsearches.conf 
@@ -43,7 +43,7 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
 nt_host=lower('falcon_device.hostname'),\
 dns=lower(nt_host.".".'falcon_device.machine_domain'),\
 mac=lower(replace('falcon_device.mac_address', "-", ":")),\
- bunit=lower(replace(mvjoin('falcon_device.ou{}', ","), " ", "_")),\
+ bunit=lower(replace(mvjoin(mvappend('falcon_device.ou{}', 'falcon_device.site_name'), ","), " ", "_")),\
 priority=case(match(category, "domain_controller"), "critical", match(category, "server|ubuntu|rhel|linux"), "high", true(), "medium"),\
 is_expected=if(priority=="critical", "true", "false"),\
 _key=md5(nt_host)\
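Review bot: The new `bunit=` line appends `falcon_device.site_name` to the OU values and joins everything with the same `,` delimiter, so a consumer of the asset lookup can no longer tell a site name from an OU, a site name that equals one of the OU values is emitted twice, and a site name containing a comma reads as extra OU entries. If both sources are meant to be carried, `bunit=lower(replace(mvjoin(mvdedup(mvappend('falcon_device.ou{}', 'falcon_device.site_name')), ","), " ", "_"))` at least removes the duplicate, and the delimiter caveat belongs in docs/configure/bunit.md next to the new table row; if the intent is only a fallback when no OU is present, `coalesce('falcon_device.ou{}', 'falcon_device.site_name')` keeps the old shape of the field. It should also be checked in a real search whether `mvappend` drops a null `site_name` or yields an empty element, since a trailing `,` would silently change `bunit` for every host without a site name. The `search =` statement this hunk belongs to starts before the hunk and continues past `_key=md5(nt_host)\`.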