Version 1.0.4 (#32)

README.md

@@ -6,6 +6,7 @@
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/SA-CrowdstrikeDevices)
 [![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeDevices-blue)](https://splunkbase.splunk.com/app/6573)
 [![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263)
+[![Crowdstrike Add-on Compatibility](https://img.shields.io/badge/Crowdstrike%20Addon%20Compatibility-3.x-success)](https://splunkbase.splunk.com/app/5570)
 ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
 
 This supporting add-on comes with prebuilt content for CrowdStrike device data to be easily used with Splunk Enterprise Security's asset database.
@@ -26,23 +27,11 @@ Full documentation can be found at [https://splunk-sa-crowdstrike.ztsplunker.com
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.3 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.0.4 - [Splunkbase](https://splunkbase.splunk.com/app/6573/) \| [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
 Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on (Required) | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.
 
-```text
-Version 1.0.3
-
-New
-- added cleanup search to remove old/stale devices (#18).
-- added search macro for device retention period (#18).
-
-Updated
-- updated collection to include last seen field (#18).
-- updated lookup generating search to include last time seen (#18).
-```
-
 ## Issues or Feature Requests
 
 Please open an issue or feature request on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues).

src/SA-CrowdstrikeDevices/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "SA-CrowdstrikeDevices",
-      "version": "1.0.3"
+      "version": "1.0.4"
     },
     "author": [
       {
@@ -27,14 +27,14 @@
     },
     "commonInformationModels": null,
     "license": {
-      "name": null,
+      "name": "MIT License",
       "text": null,
-      "uri": null
+      "uri": "https://opensource.org/licenses/MIT"
     },
     "privacyPolicy": {
-      "name": null,
+      "name": "Splunk Privacy Policy",
       "text": null,
-      "uri": null
+      "uri": "https://www.splunk.com/en_us/legal/privacy/privacy-policy.html"
     },
     "releaseNotes": {
       "name": "README",
@@ -48,7 +48,7 @@
     },
     "SplunkEnterpriseSecuritySuite": {
       "version": ">=6.0.0",
-      "optional": false
+      "optional": true
     }
   },
   "tasks": [

src/SA-CrowdstrikeDevices/default/app.conf

@@ -4,19 +4,22 @@
 # into ../local and edit there.
 
 [install]
-state_change_requires_restart = true
+state_change_requires_restart = false
 is_configured = false
 state = enabled
-build = 2
+build = 3
 
 [launcher]
 author  = ZachTheSplunker
 description = This supporting add-on allows device information pulled from Crowdstrike to be used with Splunk Enterprise Security's Asset Database.
-version = 1.0.3
+version = 1.0.4
 
 [ui]
 is_visible = 0
 label      = SA-CrowdstrikeDevices
 
 [package]
 id = SA-CrowdstrikeDevices
+
+[triggers]
+reload.managed_configurations = simple

src/SA-CrowdstrikeDevices/default/managed_configurations.conf

@@ -0,0 +1,12 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[lookup:crowdstrike_devices]
+description = Device information generated from SA-Crowdstrike Devices.
+endpoint = /services/data/transforms/lookups/crowdstrike_devices
+editable = true
+label = Crowdstrike Devices Lookup - Gen
+lookup_type = search
+savedsearch = Crowdstrike Devices Lookup - Gen

src/SA-CrowdstrikeDevices/default/savedsearches.conf

@@ -12,7 +12,7 @@ dispatch.latest_time = -1m@m
 enableSched = 1
 schedule_window = auto
 search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
-| dedup falcon_device.device_id mac \
+| dedup falcon_device.device_id falcon_device.mac_address \
 | rename falcon_device.local_ip as ip \
 | eval \
     category=replace(replace(mvjoin(mvsort(lower(mvappend(\