You may see the error status="Lookup file error, unknown path or update time" name=crowdstrike_devices
-
This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation.
+
This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation.
You can tune out name field (crowdstrike_devices) from saved search: Identity - Identity Manager Error to stop the error messages from this source.
diff --git a/resources/js/config.js b/resources/js/config.js
index c0b5889..5f22ba3 100644
--- a/resources/js/config.js
+++ b/resources/js/config.js
@@ -1 +1 @@
-var __DOCS_CONFIG__ = {"id":"ZTqy51ygUv0PUMl3Ag7n205WaSoZAhNb1yj","key":"M81QqaJM2fK8w0gAJ2UsXJmnnDE6CMQe4DoXkfGfp9Y.Lsr9wo3sApTo6W7OR4zM5e1/M02h0wZ3D65nPeaNUwDeoq7PRk5Gc3/cx2XYI4Ld57Sq+Ru59EuCGgUG0Oxm5Q.52","base":"/SA-CrowdstrikeDevices/","host":"splunk.github.io","version":"1.0.0","useRelativePaths":true,"documentName":"index.html","appendDocumentName":false,"trailingSlash":true,"preloadSearch":false,"cacheBustingToken":"3.5.0.754789870003","cacheBustingStrategy":"query","sidebarFilterPlaceholder":"Filter","toolbarFilterPlaceholder":"Filter","showSidebarFilter":true,"filterNotFoundMsg":"No member names found containing the query \"{query}\"","maxHistoryItems":15,"homeIcon":"","access":[{"value":"public","label":"Public"},{"value":"protected","label":"Protected"}],"toolbarLinks":[{"id":"fields","label":"Fields"},{"id":"properties","label":"Properties"},{"id":"methods","label":"Methods"},{"id":"events","label":"Events"}],"sidebar":[{"n":"/","l":"Home","s":""},{"n":"start","l":"Getting Started","o":true,"i":[{"n":"prerequisites","l":"Prerequisites","s":""},{"n":"install","l":"Where to Install","s":""},{"n":"macro","l":"Update Index","s":""},{"n":"build","l":"Force build","s":""},{"n":"sources","l":"Enable asset correlation","s":""},{"n":"scheduled-search","l":"Update schedule","s":""}],"s":""},{"n":"configure","l":"Advanced Configurations","i":[{"n":"bunit","l":"Business Unit Field (bunit)"},{"n":"category","l":"Category Field"},{"n":"priority","l":"Priority Field"},{"n":"cleanup","l":"Update Cleanup"},{"n":"clone-search","l":"Clone default saved search"}],"s":""},{"n":"components","l":"Components","c":false,"i":[{"n":"all-configurations","l":"All Configurations"},{"n":"asset-mapping","l":"Asset Database Mapping"},{"n":"category","l":"Category Field"}],"s":""},{"n":"troubleshooting","l":"Troubleshooting","i":[{"n":"asset-merge","l":"Asset Merge"}],"s":""},{"n":"releases","l":"Releases","i":[{"n":"compatibility","l":"Compatibility","s":""},{"n":"issues","l":"Known issues","s":""}],"s":""}],"search":{"mode":0,"minChars":2,"maxResults":20,"placeholder":"Search","hotkeys":["k"],"noResultsFoundMsg":"Sorry, no results found.","recognizeLanguages":true,"languages":[0],"preload":false},"resources":{"History_Title_Label":"History","History_ClearLink_Label":"Clear","History_NoHistory_Label":"No history items","API_AccessFilter_Label":"Access","API_ParameterSection_Label":"PARAMETERS","API_SignatureSection_Label":"SIGNATURE","API_CopyHint_Label":"Copy","API_CopyNameHint_Label":"Copy name","API_CopyLinkHint_Label":"Copy link","API_CopiedAckHint_Label":"Copied!","API_MoreOverloads_Label":"more","API_MoreDropdownItems_Label":"More","API_OptionalParameter_Label":"optional","API_DefaultParameterValue_Label":"Default value","API_InheritedFilter_Label":"Inherited","Search_Input_Placeholder":"Search","Toc_Contents_Label":"Contents","Toc_RelatedClasses_Label":"Related Classes","History_JustNowTime_Label":"just now","History_AgoTime_Label":"ago","History_YearTime_Label":"y","History_MonthTime_Label":"mo","History_DayTime_Label":"d","History_HourTime_Label":"h","History_MinuteTime_Label":"m","History_SecondTime_Label":"s"}};
+var __DOCS_CONFIG__ = {"id":"aZiDynK7tSv3Q0e7ZK6XzwYSSR205hGH/3I","key":"H+6UGs4zFfz/XNaY8my7nLh+idjQ2/IMa9F8XrcS1ds.otZiz+AkGfJITVokoh5yXbq7aart2gJfbOhnjNZIXMdD9hgo2NGieGr3IGYR3wfelosl+7LlHSGH4St3innOwA.64","base":"/SA-CrowdstrikeDevices/","host":"splunk.github.io","version":"1.0.0","useRelativePaths":true,"documentName":"index.html","appendDocumentName":false,"trailingSlash":true,"preloadSearch":false,"cacheBustingToken":"3.5.0.755313635864","cacheBustingStrategy":"query","sidebarFilterPlaceholder":"Filter","toolbarFilterPlaceholder":"Filter","showSidebarFilter":true,"filterNotFoundMsg":"No member names found containing the query \"{query}\"","maxHistoryItems":15,"homeIcon":"","access":[{"value":"public","label":"Public"},{"value":"protected","label":"Protected"}],"toolbarLinks":[{"id":"fields","label":"Fields"},{"id":"properties","label":"Properties"},{"id":"methods","label":"Methods"},{"id":"events","label":"Events"}],"sidebar":[{"n":"/","l":"Home","s":""},{"n":"start","l":"Getting Started","o":true,"i":[{"n":"prerequisites","l":"Prerequisites","s":""},{"n":"install","l":"Where to Install","s":""},{"n":"macro","l":"Update Index","s":""},{"n":"build","l":"Force build","s":""},{"n":"sources","l":"Enable asset correlation","s":""},{"n":"scheduled-search","l":"Update schedule","s":""}],"s":""},{"n":"configure","l":"Advanced Configurations","i":[{"n":"bunit","l":"Business Unit Field (bunit)"},{"n":"category","l":"Category Field"},{"n":"priority","l":"Priority Field"},{"n":"cleanup","l":"Update Cleanup"},{"n":"clone-search","l":"Clone default saved search"}],"s":""},{"n":"components","l":"Components","c":false,"i":[{"n":"all-configurations","l":"All Configurations"},{"n":"asset-mapping","l":"Asset Database Mapping"},{"n":"category","l":"Category Field"}],"s":""},{"n":"troubleshooting","l":"Troubleshooting","i":[{"n":"asset-merge","l":"Asset Merge"}],"s":""},{"n":"releases","l":"Releases","i":[{"n":"compatibility","l":"Compatibility","s":""},{"n":"issues","l":"Known issues","s":""}],"s":""}],"search":{"mode":0,"minChars":2,"maxResults":20,"placeholder":"Search","hotkeys":["k"],"noResultsFoundMsg":"Sorry, no results found.","recognizeLanguages":true,"languages":[0],"preload":false},"resources":{"History_Title_Label":"History","History_ClearLink_Label":"Clear","History_NoHistory_Label":"No history items","API_AccessFilter_Label":"Access","API_ParameterSection_Label":"PARAMETERS","API_SignatureSection_Label":"SIGNATURE","API_CopyHint_Label":"Copy","API_CopyNameHint_Label":"Copy name","API_CopyLinkHint_Label":"Copy link","API_CopiedAckHint_Label":"Copied!","API_MoreOverloads_Label":"more","API_MoreDropdownItems_Label":"More","API_OptionalParameter_Label":"optional","API_DefaultParameterValue_Label":"Default value","API_InheritedFilter_Label":"Inherited","Search_Input_Placeholder":"Search","Toc_Contents_Label":"Contents","Toc_RelatedClasses_Label":"Related Classes","History_JustNowTime_Label":"just now","History_AgoTime_Label":"ago","History_YearTime_Label":"y","History_MonthTime_Label":"mo","History_DayTime_Label":"d","History_HourTime_Label":"h","History_MinuteTime_Label":"m","History_SecondTime_Label":"s"}};
diff --git a/resources/js/search.json b/resources/js/search.json
index 7531a92..b574390 100644
--- a/resources/js/search.json
+++ b/resources/js/search.json
@@ -1 +1 @@
-[[{"i":"welcome-to-the-docs","l":"Welcome to the Docs!","p":["The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use CrowdStrike device data with the Asset Database. This documentation will cover the components used in the add-on and advanced configurations.","This Supporting add-on is only intended to work with Splunk Enterprise Security deployments.","Disclaimer","This Splunk Supporting Add-on is not affiliated with CrowdStrike, Inc. and is not sponsored or sanctioned by the CrowdStrike team. As such, the included documentation does not contain information on how to get started with CrowdStrike. Rather, this documentation serves as a guide to use CrowdStrike device data with Splunk Enterprise Security. Please visit https://www.crowdstrike.com for more information about CrowdStrike."]},{"l":"Assumptions","p":["This documentation assumes the following:","You have a working Splunk Enterprise Security environment. This add-on is not intended to work without Splunk Enterprise Security.","You already have CrowdStrike device data ingested using the CrowdStrike Devices technical add-on .","Familiarity with setting up a new Asset source in Splunk Enterprise Security."]},{"l":"About","p":["Info","Description","SA-CrowdstrikeDevices","1.1.2 - Splunkbase","Splunk Enterprise Security Version (Required)","7.x | 6.x","CrowdStrike Devices Add-on (Required)","3.x","Add-on has a web UI","No, this add-on does not contain views."]}],[{"l":"Getting Started"},{"l":"Navigation","p":["Where to Install","Update default index","Force Build(optional)","Enable Asset Correlation in Splunk Enterprise Security","Update default schedule(optional)"]}],[{"l":"Prerequisites","p":["Complete the prerequisites before installing this add-on.","Required App","Version","Description","Splunk Enterprise Security","7.x | 6.x","This add-on supports Splunk Enterprise Security and is not designed to work without it.","CrowdStrike Devices technical add-on","3.x","CrowdStrike device data must be brought in prior to installing this add-on. See CrowdStrike's documentation for more information."]}],[{"l":"Where to Install","p":["This supporting add-on must be installed alongside Splunk Enterprise Security. Ensure the prequisites have been completed before proceeding.","For detailed information on where to install Splunk Apps/add-ons, including best practices, can be found at Splunk Documentation: About Installing Splunk add-ons"]},{"l":"Splunk Cloud Platform","p":["Install this app to your Splunk Enterprise Security Search head. See How to install apps on The Splunk Cloud Platform ."]},{"l":"Standalone Deployments","p":["Install this add-on to the single instance. For more information see Splunk Docs: Install add-on in a single-instance Splunk deployment"]},{"l":"Distributed Deployments","p":["Comments","Do not install on Heavy Forwarders.","Do not install on Indexers.","Do not install on regular search heads.","Do not install on Universal Forwarders.","Heavy Forwarders","Indexers","Install this add-on to the Splunk Enterprise Security Search Head.","No","Required","Splunk Core Search Head (without Splunk Enterprise Security)","Splunk Enterprise Security Search Head","Splunk Instance type","Supported","The installation steps for deploying Apps/add-ons in a distributed environment can be found at Splunk Documentation: Install an add-on in a distributed Splunk deployment","Universal Forwarders","Yes"]},{"l":"Distributed Deployment Compatibility","p":["Distributed deployment feature","Supported","Comments","Search Head Clusters","Yes","You can install this add-on to an Enterprise Security search head cluster.","Indexer Clusters","No","Do not deploy this add-on to an Indexer cluster.","Deployment Server","There is no need to use a deployment server to deploy this add-on.","* For more information, see Splunk's documentation on installing add-ons."]}],[{"l":"Update Splunk Index","p":["Failure to update the index to the correct setting will cause no devices to be available in Splunk Enterprise Security.","The index definition is set by a search macro.","Macro","Default","Description","sa_crowdstrike_index","index=crowdstrike","Index definition for CrowdStrike devices index.","Update the index definition to the correct index that contains the crowdstrike:device:json sourcetype."]},{"l":"How to update"},{"i":"use-splunk-enterprise-security-s-settings-small-recommended-small","l":":icon-star-fill: Use Splunk Enterprise Security's Settings (Recommended)","p":["(In Splunk Enterprise Security) Navigate to Configure > General > General Settings.","From the \"App\" dropdown select SA-CrowdstrikeDevices.","Update the SA-CrowdstrikeDevices Index definition and click \"Save.\""]},{"l":"Update Search Macro Manually","p":["Navigate to Settings > Advanced Search > Search Macros.","From the \"App\" dropdown choose SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to any.","Click the macro named sa_crowdstrike_index to update the index definition."]}],[{"l":"Force initial build","p":["The initial build of the CrowdStrike assets will not occur until the first scheduled runtime (see Update default saved search schedule). To force the initial build perform the following:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Run\" under actions for the search CrowdStrike Devices Lookup - Gen.","The search will run in a new tab over the default time period of 60 minutes. Expand the timeframe to a larger window if the number of hosts in the last 60 minutes does not seem accurate. The default search is configured to run hourly to continually append new devices reported from CrowdStrike."]}],[{"l":"Enable asset correlation","p":["Confirm asset correlation has been setup in Splunk Enterprise Security.","Navigate to Splunk Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.","Switch to the \"Correlation Setup\" tab.","Either enable for all sourcetypes (Recommended) or selectively by sourcetype.","If you choose to enable select sourcetypes, ensure the stash sourcetype is also selected so Notable events will be enriched with asset information.","Save."]},{"l":"Disable existing asset sources","p":["It may be possible that you have existing Asset Lookups defined. If CrowdStrike is widely deployed in your environment the existing lookups may no longer be needed."]}],[{"l":"Update default saved search schedule","p":["The default saved search runs on the 19th minute of every hour to update and continually build the CrowdStrike assets. To update the default schedule perform the following steps:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Edit\" under actions for the search CrowdStrike Devices Lookup - Gen.","Click \"Edit Schedule\" and update the schedule and necessary."]}],[{"l":"Configure","p":["Each field can be customized to fit your environment. The following fields should be examined and tailored to your data.","Update Priority(recommended)","Update Category","Update Business Unit","Update Cleanup"]}],[{"i":"business-unit-field-bunit","l":"Business Unit Field (bunit)","p":["The bunit field will most likely need to be updated. Every organization will have different values for this field. See Asset Mappings for description of the default fields used."]}],[{"l":"Category Field","p":["The category field by default includes many important fields. Most will find that the default configuration for this field will work for their needs.","This field is an eval statement with multiple functions to map and clean field values. See the Category Field reference for full field mappings and example values."]}],[{"l":"Priority Field","p":["*Regex Match is performed on the category field.","All domain controllers","boolean","catch-all. Remaining devices receive medium severity.","Condition","critical","Default priority field definition","Description","domain_controller","high","medium","RegEx*","server|ubuntu|rhel|linux","Servers","Severity","The priority field is very generic by default and should be updated to suite your environment. The following table describes how this field is set.","true()","Type"]}],[{"l":"Update Cleanup","p":["The saved search CrowdStrike Devices Lookup - Cleanup runs every hour 29 minutes after the hour to remove old/stale device data from the kvstore. By default, it will remove any device that has not reported in longer than 2 days.","Even though a device may be removed, it will be re-added by the saved search CrowdStrike Devices Lookup - Gen if it begins to send data again."]},{"l":"Update Search Macro","p":["To change the retention period from the default 2 days, there is a search macro that will need to be updated.","Navigate to Settings > Advanced Search > Search Macros.","Set the \"App\" to SA-CrowdstrikeDeviecs.","Set the \"Owner\" to Any.","Click on sa_crowdstrike_retention to modify the definition.","Set the definition to a valid time modifier .","Make sure to keep the quotes around the definition. i.e. -7d@d"]},{"l":"Update Search Schedule","p":["It may also be necessary to update how often the cleanup search runs (default: hourly).","To update the default schedule perform the following steps:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Edit\" under actions for the search CrowdStrike Devices Lookup - Cleanup","Click \"Edit Schedule\" and update the schedule and necessary."]}],[{"l":"Clone default saved search","p":["In order to preserve the default behavior and to compare changes to new releases, it is recommended to clone the default search CrowdStrike Devices Lookup - Gen before making any changes."]},{"l":"Clone","p":["Perform the following to clone the default search:","Navigate to Settings > Searches, reports, and alerts.","Change \"App\" filter to SA-CrowdstrikeDevices.","Change \"Owner\" to All.","For the search named \"CrowdStrike Devices Lookup - Gen\" click \"Edit\" under Actions.","From the dropdown menu click \"Clone.\"","(optional) Update the Title.","Set \"Permissions\" to clone.","Click \"Clone Report\" to finish."]},{"l":"Disable default search","p":["Disable the original search:","For the search named \"CrowdStrike Devices Lookup - Gen\" click \"Edit\" under Actions.","From the dropdown menu click \"Disable\" to disable the default search."]}],[{"l":"All Configurations","p":["** If you have the Splunk App for Lookup File Editing , the KVStore collection crowdstrike_devices_collection is viewable within the Web interface.","*CLI locations are relative to ../default. Any update to CLI configuration files should be done in the local directory.","Asset configuration lookup to load CrowdStrike devices into the asset database.","Asset lookup configuration","Below is a table that list all configuration for this add-on.","CLI Location*","collections.conf","CrowdStrike Devices Lookup - Cleanup","CrowdStrike Devices Lookup - Gen","crowdstrike_devices","crowdstrike_devices_collection","Description","Enterprise Security > Configure > Data Enrichment > Asset and Identity Management > Asset Lookups","identity_manager://crowdstrike_devices","Index definition for the crowdstrike index that contains the sourcetype crowdstrike:device:json.","inputs.conf","KVStore collection","KVStore configuration.","lookup","Lookup definition for the KVStore collection crowdstrike_devices_collection.","macros.conf","n/a**","Name","Populates the lookup file crowdstrike_devices.","removes old entries from kvstore lookup: crowdstrike_devices.","sa_crowdstrike_index","sa_crowdstrike_retention","Saved Search","savedsearches.conf","Search macro","Settings > Advanced Search > Search Macros","Settings > Lookups > Lookup definitions","Settings > Searches reports, and alerts","Settings> Advanced Search > Search Macros","The amount of time for the device not being updated before it is removed from the lookup. default -2d","transforms.conf","Type","Web Location"]}],[{"l":"Asset Database Mapping","p":["-111.89096","10.15.23.8","40.76073","61:se:e3:1s:7r:38","Asset lookup field","bunit","category","cim_entity_zone","city","computer,finance","country","CrowdStrike Device TA Fields","dev-server01","dev-server01.example.com","dns","Example value","falcon_device.hostname","falcon_device.local_ip","falcon_device.ou{}+ falcon_device.site_name","false","from iplocation of falcon_device.external_ip","ip","is_expected","lat","long","mac","medium","Multi-value allowed","n/a","not mapped","nt_host","nt_host+ falcon_device.machine_domain","owner","pci_domain","priority","reference Format an asset or identity in Splunk Enterprise Security","requires_av","Salt Lake City","see Category field reference","see Configure Priority","should_timesync","should_update","The following table describes how this add-on maps to the Asset Database.","true","United States"]}],[{"l":"Category Field"},{"l":"Default category field mapping","p":["0.0.0.0","02/14/22 09:52:05 MST","08/24/22 13:25:24 MDT","08/26/22 18:54:42 MDT","1.6.5","10","10.0.19044.1889","6.40.15406.0","bios","bios_version","CrowdStrike Event Field","cs_agent_version","cs_dv_control_applied","cs_dv_firewall_applied","cs_dv_globalconfig_applied","cs_dv_sensorupdate_applied","cs_first_seen","cs_last_seen","cs_tags","cs_uninstallprotection","Dell Inc","dvc_manufacturer","dvc_name","dvc_status","dvc_type","enabled","Example value","external_ip","falcon_device.agent_version","falcon_device.bios_manufacturer","falcon_device.bios_version","falcon_device.device_policies.device_control.applied","falcon_device.device_policies.firewall.applied","falcon_device.device_policies.global_config.applied","falcon_device.device_policies.sensor_update.applied","falcon_device.device_policies.sensor_update.uninstall_protection","falcon_device.external_ip","falcon_device.first_seen","falcon_device.kernel_version","falcon_device.major_version","falcon_device.os_version","falcon_device.platform_name","falcon_device.product_type_desc","falcon_device.reduced_functionality_mode","falcon_device.status","falcon_device.system_manufacturer","falcon_device.system_product_name","falcon_device.tags{}","hp","hp_elitebook_850_g7_notebook_pc","kernel_version","Mapped Field","n/a","no","normal","os_major_version","os_name","os_platform","reduced_functionality_mode","splunk_last_update","true","windows","windows 10","workstation"]},{"l":"Full example of category value"}],[{"l":"Troubleshooting","p":["There can be many issues when setting up a new app/add-on in Splunk. Below highlights the most common issues with this Add-on. Don't see your issue? Submit a new issue on Github .","Issue","Description","Solution","Multiple asset merge","It is possible that some of your devices share a common key field ( dns, ip, mac, nt_host) which will cause merging by default.","See the Asset Merge Solutions for ways to improve the merging behavior.","Asset Database not populating with CrowdStrike Data","The asset database may show no CrowdStrike data if the initial search has not run to build the asset database or the default macro has not been updated.","Verify the default macro has the correct index definition (see Update Default Macro). Also see Force build to build the CrowdStrike assets lookup before the first scheduled run."]}],[{"l":"Asset Merge","p":["It is possible that some of your devices share a common key field ( dns, ip, mac, nt_host) that is causing an erroneous merge of your assets. There are a few ways to overcome this:","Problem Scenario","Default merge","Expected behavior","Solutions","Disable Asset Merging","Update Asset Key Fields"]},{"l":"Problem Scenario","p":["Consider you have the following assets:","Host","dns","ip","mac","nt_host","host1","host1.local","10.0.34.9","77:61:f5:cb:33:a7","host2","host2.local","a5:e7:5c:39:77:d1","Since these two systems share the same IP they will be merged into a single asset by default."]},{"l":"Default merge","p":["Asset","dns","ip","mac","nt_host","host1 host2 host1.local 10.0.34.9 77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1","host1.local host2.local","10.0.34.9","77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1","host1 host2"]},{"l":"Expected behavior","p":["see next section to accomplish this expected behavior","Asset","dns","ip","mac","nt_host","host1 host1.local 10.0.34.9 77:61:f5:cb:33:a7","host1.local","10.0.34.9","77:61:f5:cb:33:a7","host1","host2 host2.local 10.0.34.9 a5:e7:5c:39:77:d1","host2.local","a5:e7:5c:39:77:d1","host2"]},{"l":"Solutions"},{"l":"Disable Asset Merging","p":["If CrowdStrike is your only data source for assets, you can disable asset merge in the global settings.","In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.","Toggle off \"Assets\" under Enable Merge for Assets or Identities.","Changes should reflect the next time the Asset database builds (usually 5-10 minutes).","* For more information, see Splunk Docs."]},{"l":"Update Asset Key Fields","p":["If you have more than one asset list configured you can look at disabling the common key field to prevent the default merging behavior.","(In Enterprise Security) Navigate to Configure > Data Enrichment > Asset and Identity Management.","Select the \"Asset Fields\" Tab.","Select the ip field (or the field you want to disable) and \"uncheck\" it from being a Key.","Disable Asset Key by unchecking \"Key\"","Changes should reflect the next time the Asset database builds (usually 5-10 minutes)."]}],[{"l":"Release Notes","p":["Latest release can be found on Splunkbase ."]},{"l":"v1.1.2","p":["Released: December 1, 2023","SplunkWorks updates","This release has no functional changes of the add-on.","Released: April 19, 2023","New format for the category field, see Category.","The cs_ prefix has been removed from many fields.","Spaces have been added for easier readability.","Hotfix for priority field failing default regex match"]},{"i":"v105","l":"v1.0.5","p":["Released: December 19, 2022","Added macro and retention definition to the General Settings in Splunk Enterprise Security"]},{"i":"v104","l":"v1.0.4","p":["Released: November 22, 2022","Added managed configuration to Splunk Enterprise Security","Fixed incorrect mac field (Thanks @PaddlingCode )"]},{"i":"v103","l":"v1.0.3","p":["Released: September 20, 2022","added cleanup search to remove old/stale devices","added search macro for device retention period","updated collection to include last seen field","updated lookup generating search to include last time seen"]},{"i":"v102","l":"v1.0.2","p":["Released: September 8,2022","added first_seen, last_seen, and last_updated to category field","added site_name to existing bunit field","Changed app logo background to transparent.","Updated saved search to preserve hosts with multiple IP/MAC addresses"]},{"i":"v101","l":"v1.0.1","p":["Released: August 25, 2022","Hotfix for missing _key field in saved search."]},{"i":"v100","l":"v1.0.0","p":["Released: August 25, 2022","Initial Release"]}],[{"l":"Compatibility","p":["Product","Version","Splunk Platform versions","9.x, 8.x","Splunk Enterprise Security version","7.x, 6.x","CrowdStrike Device add-on version","3.x"]}],[{"l":"Known issues","p":["Issue","Description","Solution","Lookup file error","You may see the error status=Lookup file error, unknown path or update time name=crowdstrike_devices","This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation."]}]]
\ No newline at end of file
+[[{"i":"welcome-to-the-docs","l":"Welcome to the Docs!","p":["The SA-CrowdstrikeDevices add-on allows Splunk Enterprise Security admins to use CrowdStrike device data with the Asset Database. This documentation will cover the components used in the add-on and advanced configurations.","This Supporting add-on is only intended to work with Splunk Enterprise Security deployments.","Disclaimer","This Splunk Supporting Add-on is not affiliated with CrowdStrike, Inc. and is not sponsored or sanctioned by the CrowdStrike team. As such, the included documentation does not contain information on how to get started with CrowdStrike. Rather, this documentation serves as a guide to use CrowdStrike device data with Splunk Enterprise Security. Please visit https://www.crowdstrike.com for more information about CrowdStrike."]},{"l":"Assumptions","p":["This documentation assumes the following:","You have a working Splunk Enterprise Security environment. This add-on is not intended to work without Splunk Enterprise Security.","You already have CrowdStrike device data ingested using the CrowdStrike Devices technical add-on .","Familiarity with setting up a new Asset source in Splunk Enterprise Security."]},{"l":"About","p":["Info","Description","SA-CrowdstrikeDevices","1.1.2 - Splunkbase","Splunk Enterprise Security Version (Required)","7.x | 6.x","CrowdStrike Devices Add-on (Required)","3.x","Add-on has a web UI","No, this add-on does not contain views."]}],[{"l":"Getting Started"},{"l":"Navigation","p":["Where to Install","Update default index","Force Build(optional)","Enable Asset Correlation in Splunk Enterprise Security","Update default schedule(optional)"]}],[{"l":"Prerequisites","p":["Complete the prerequisites before installing this add-on.","Required App","Version","Description","Splunk Enterprise Security","7.x | 6.x","This add-on supports Splunk Enterprise Security and is not designed to work without it.","CrowdStrike Devices technical add-on","3.x","CrowdStrike device data must be brought in prior to installing this add-on. See CrowdStrike's documentation for more information."]}],[{"l":"Where to Install","p":["This supporting add-on must be installed alongside Splunk Enterprise Security. Ensure the prequisites have been completed before proceeding.","For detailed information on where to install Splunk Apps/add-ons, including best practices, can be found at Splunk Documentation: About Installing Splunk add-ons"]},{"l":"Splunk Cloud Platform","p":["Install this app to your Splunk Enterprise Security Search head. See How to install apps on The Splunk Cloud Platform ."]},{"l":"Standalone Deployments","p":["Install this add-on to the single instance. For more information see Splunk Docs: Install add-on in a single-instance Splunk deployment"]},{"l":"Distributed Deployments","p":["Comments","Do not install on Heavy Forwarders.","Do not install on Indexers.","Do not install on regular search heads.","Do not install on Universal Forwarders.","Heavy Forwarders","Indexers","Install this add-on to the Splunk Enterprise Security Search Head.","No","Required","Splunk Core Search Head (without Splunk Enterprise Security)","Splunk Enterprise Security Search Head","Splunk Instance type","Supported","The installation steps for deploying Apps/add-ons in a distributed environment can be found at Splunk Documentation: Install an add-on in a distributed Splunk deployment","Universal Forwarders","Yes"]},{"l":"Distributed Deployment Compatibility","p":["Distributed deployment feature","Supported","Comments","Search Head Clusters","Yes","You can install this add-on to an Enterprise Security search head cluster.","Indexer Clusters","No","Do not deploy this add-on to an Indexer cluster.","Deployment Server","There is no need to use a deployment server to deploy this add-on.","* For more information, see Splunk's documentation on installing add-ons."]}],[{"l":"Update Splunk Index","p":["Failure to update the index to the correct setting will cause no devices to be available in Splunk Enterprise Security.","The index definition is set by a search macro.","Macro","Default","Description","sa_crowdstrike_index","index=crowdstrike","Index definition for CrowdStrike devices index.","Update the index definition to the correct index that contains the crowdstrike:device:json sourcetype."]},{"l":"How to update"},{"i":"use-splunk-enterprise-security-s-settings-small-recommended-small","l":":icon-star-fill: Use Splunk Enterprise Security's Settings (Recommended)","p":["(In Splunk Enterprise Security) Navigate to Configure > General > General Settings.","From the \"App\" dropdown select SA-CrowdstrikeDevices.","Update the SA-CrowdstrikeDevices Index definition and click \"Save.\""]},{"l":"Update Search Macro Manually","p":["Navigate to Settings > Advanced Search > Search Macros.","From the \"App\" dropdown choose SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to any.","Click the macro named sa_crowdstrike_index to update the index definition."]}],[{"l":"Force initial build","p":["The initial build of the CrowdStrike assets will not occur until the first scheduled runtime (see Update default saved search schedule). To force the initial build perform the following:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Run\" under actions for the search CrowdStrike Devices Lookup - Gen.","The search will run in a new tab over the default time period of 60 minutes. Expand the timeframe to a larger window if the number of hosts in the last 60 minutes does not seem accurate. The default search is configured to run hourly to continually append new devices reported from CrowdStrike."]}],[{"l":"Enable asset correlation","p":["Confirm asset correlation has been setup in Splunk Enterprise Security.","Navigate to Splunk Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.","Switch to the \"Correlation Setup\" tab.","Either enable for all sourcetypes (Recommended) or selectively by sourcetype.","If you choose to enable select sourcetypes, ensure the stash sourcetype is also selected so Notable events will be enriched with asset information.","Save."]},{"l":"Disable existing asset sources","p":["It may be possible that you have existing Asset Lookups defined. If CrowdStrike is widely deployed in your environment the existing lookups may no longer be needed."]}],[{"l":"Update default saved search schedule","p":["The default saved search runs on the 19th minute of every hour to update and continually build the CrowdStrike assets. To update the default schedule perform the following steps:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Edit\" under actions for the search CrowdStrike Devices Lookup - Gen.","Click \"Edit Schedule\" and update the schedule and necessary."]}],[{"l":"Configure","p":["Each field can be customized to fit your environment. The following fields should be examined and tailored to your data.","Update Priority(recommended)","Update Category","Update Business Unit","Update Cleanup"]}],[{"i":"business-unit-field-bunit","l":"Business Unit Field (bunit)","p":["The bunit field will most likely need to be updated. Every organization will have different values for this field. See Asset Mappings for description of the default fields used."]}],[{"l":"Category Field","p":["The category field by default includes many important fields. Most will find that the default configuration for this field will work for their needs.","This field is an eval statement with multiple functions to map and clean field values. See the Category Field reference for full field mappings and example values."]}],[{"l":"Priority Field","p":["*Regex Match is performed on the category field.","All domain controllers","boolean","catch-all. Remaining devices receive medium severity.","Condition","critical","Default priority field definition","Description","domain_controller","high","medium","RegEx*","server|ubuntu|rhel|linux","Servers","Severity","The priority field is very generic by default and should be updated to suite your environment. The following table describes how this field is set.","true()","Type"]}],[{"l":"Update Cleanup","p":["The saved search CrowdStrike Devices Lookup - Cleanup runs every hour 29 minutes after the hour to remove old/stale device data from the kvstore. By default, it will remove any device that has not reported in longer than 2 days.","Even though a device may be removed, it will be re-added by the saved search CrowdStrike Devices Lookup - Gen if it begins to send data again."]},{"l":"Update Search Macro","p":["To change the retention period from the default 2 days, there is a search macro that will need to be updated.","Navigate to Settings > Advanced Search > Search Macros.","Set the \"App\" to SA-CrowdstrikeDeviecs.","Set the \"Owner\" to Any.","Click on sa_crowdstrike_retention to modify the definition.","Set the definition to a valid time modifier .","Make sure to keep the quotes around the definition. i.e. -7d@d"]},{"l":"Update Search Schedule","p":["It may also be necessary to update how often the cleanup search runs (default: hourly).","To update the default schedule perform the following steps:","Navigate to Settings > Searches, reports, and alerts.","Set the \"App\" dropdown to SA-CrowdstrikeDevices.","Set the \"Owner\" dropdown to All.","Click \"Edit\" under actions for the search CrowdStrike Devices Lookup - Cleanup","Click \"Edit Schedule\" and update the schedule and necessary."]}],[{"l":"Clone default saved search","p":["In order to preserve the default behavior and to compare changes to new releases, it is recommended to clone the default search CrowdStrike Devices Lookup - Gen before making any changes."]},{"l":"Clone","p":["Perform the following to clone the default search:","Navigate to Settings > Searches, reports, and alerts.","Change \"App\" filter to SA-CrowdstrikeDevices.","Change \"Owner\" to All.","For the search named \"CrowdStrike Devices Lookup - Gen\" click \"Edit\" under Actions.","From the dropdown menu click \"Clone.\"","(optional) Update the Title.","Set \"Permissions\" to clone.","Click \"Clone Report\" to finish."]},{"l":"Disable default search","p":["Disable the original search:","For the search named \"CrowdStrike Devices Lookup - Gen\" click \"Edit\" under Actions.","From the dropdown menu click \"Disable\" to disable the default search."]}],[{"l":"All Configurations","p":["** If you have the Splunk App for Lookup File Editing , the KVStore collection crowdstrike_devices_collection is viewable within the Web interface.","*CLI locations are relative to ../default. Any update to CLI configuration files should be done in the local directory.","Asset configuration lookup to load CrowdStrike devices into the asset database.","Asset lookup configuration","Below is a table that list all configuration for this add-on.","CLI Location*","collections.conf","CrowdStrike Devices Lookup - Cleanup","CrowdStrike Devices Lookup - Gen","crowdstrike_devices","crowdstrike_devices_collection","Description","Enterprise Security > Configure > Data Enrichment > Asset and Identity Management > Asset Lookups","identity_manager://crowdstrike_devices","Index definition for the crowdstrike index that contains the sourcetype crowdstrike:device:json.","inputs.conf","KVStore collection","KVStore configuration.","lookup","Lookup definition for the KVStore collection crowdstrike_devices_collection.","macros.conf","n/a**","Name","Populates the lookup file crowdstrike_devices.","removes old entries from kvstore lookup: crowdstrike_devices.","sa_crowdstrike_index","sa_crowdstrike_retention","Saved Search","savedsearches.conf","Search macro","Settings > Advanced Search > Search Macros","Settings > Lookups > Lookup definitions","Settings > Searches reports, and alerts","Settings> Advanced Search > Search Macros","The amount of time for the device not being updated before it is removed from the lookup. default -2d","transforms.conf","Type","Web Location"]}],[{"l":"Asset Database Mapping","p":["-111.89096","10.15.23.8","40.76073","61:se:e3:1s:7r:38","Asset lookup field","bunit","category","cim_entity_zone","city","computer,finance","country","CrowdStrike Device TA Fields","dev-server01","dev-server01.example.com","dns","Example value","falcon_device.hostname","falcon_device.local_ip","falcon_device.ou{}+ falcon_device.site_name","false","from iplocation of falcon_device.external_ip","ip","is_expected","lat","long","mac","medium","Multi-value allowed","n/a","not mapped","nt_host","nt_host+ falcon_device.machine_domain","owner","pci_domain","priority","reference Format an asset or identity in Splunk Enterprise Security","requires_av","Salt Lake City","see Category field reference","see Configure Priority","should_timesync","should_update","The following table describes how this add-on maps to the Asset Database.","true","United States"]}],[{"l":"Category Field"},{"l":"Default category field mapping","p":["0.0.0.0","02/14/22 09:52:05 MST","08/24/22 13:25:24 MDT","08/26/22 18:54:42 MDT","1.6.5","10","10.0.19044.1889","6.40.15406.0","bios","bios_version","CrowdStrike Event Field","cs_agent_version","cs_dv_control_applied","cs_dv_firewall_applied","cs_dv_globalconfig_applied","cs_dv_sensorupdate_applied","cs_first_seen","cs_last_seen","cs_tags","cs_uninstallprotection","Dell Inc","dvc_manufacturer","dvc_name","dvc_status","dvc_type","enabled","Example value","external_ip","falcon_device.agent_version","falcon_device.bios_manufacturer","falcon_device.bios_version","falcon_device.device_policies.device_control.applied","falcon_device.device_policies.firewall.applied","falcon_device.device_policies.global_config.applied","falcon_device.device_policies.sensor_update.applied","falcon_device.device_policies.sensor_update.uninstall_protection","falcon_device.external_ip","falcon_device.first_seen","falcon_device.kernel_version","falcon_device.major_version","falcon_device.os_version","falcon_device.platform_name","falcon_device.product_type_desc","falcon_device.reduced_functionality_mode","falcon_device.status","falcon_device.system_manufacturer","falcon_device.system_product_name","falcon_device.tags{}","hp","hp_elitebook_850_g7_notebook_pc","kernel_version","Mapped Field","n/a","no","normal","os_major_version","os_name","os_platform","reduced_functionality_mode","splunk_last_update","true","windows","windows 10","workstation"]},{"l":"Full example of category value"}],[{"l":"Troubleshooting","p":["There can be many issues when setting up a new app/add-on in Splunk. Below highlights the most common issues with this Add-on. Don't see your issue? Submit a new issue on Github .","Issue","Description","Solution","Multiple asset merge","It is possible that some of your devices share a common key field ( dns, ip, mac, nt_host) which will cause merging by default.","See the Asset Merge Solutions for ways to improve the merging behavior.","Asset Database not populating with CrowdStrike Data","The asset database may show no CrowdStrike data if the initial search has not run to build the asset database or the default macro has not been updated.","Verify the default macro has the correct index definition (see Update Default Macro). Also see Force build to build the CrowdStrike assets lookup before the first scheduled run."]}],[{"l":"Asset Merge","p":["It is possible that some of your devices share a common key field ( dns, ip, mac, nt_host) that is causing an erroneous merge of your assets. There are a few ways to overcome this:","Problem Scenario","Default merge","Expected behavior","Solutions","Disable Asset Merging","Update Asset Key Fields"]},{"l":"Problem Scenario","p":["Consider you have the following assets:","Host","dns","ip","mac","nt_host","host1","host1.local","10.0.34.9","77:61:f5:cb:33:a7","host2","host2.local","a5:e7:5c:39:77:d1","Since these two systems share the same IP they will be merged into a single asset by default."]},{"l":"Default merge","p":["Asset","dns","ip","mac","nt_host","host1 host2 host1.local 10.0.34.9 77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1","host1.local host2.local","10.0.34.9","77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1","host1 host2"]},{"l":"Expected behavior","p":["see next section to accomplish this expected behavior","Asset","dns","ip","mac","nt_host","host1 host1.local 10.0.34.9 77:61:f5:cb:33:a7","host1.local","10.0.34.9","77:61:f5:cb:33:a7","host1","host2 host2.local 10.0.34.9 a5:e7:5c:39:77:d1","host2.local","a5:e7:5c:39:77:d1","host2"]},{"l":"Solutions"},{"l":"Disable Asset Merging","p":["If CrowdStrike is your only data source for assets, you can disable asset merge in the global settings.","In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.","Toggle off \"Assets\" under Enable Merge for Assets or Identities.","Changes should reflect the next time the Asset database builds (usually 5-10 minutes).","* For more information, see Splunk Docs."]},{"l":"Update Asset Key Fields","p":["If you have more than one asset list configured you can look at disabling the common key field to prevent the default merging behavior.","(In Enterprise Security) Navigate to Configure > Data Enrichment > Asset and Identity Management.","Select the \"Asset Fields\" Tab.","Select the ip field (or the field you want to disable) and \"uncheck\" it from being a Key.","Disable Asset Key by unchecking \"Key\"","Changes should reflect the next time the Asset database builds (usually 5-10 minutes)."]}],[{"l":"Release Notes","p":["Latest release can be found on Splunkbase ."]},{"l":"v1.1.2","p":["Released: December 1, 2023","SplunkWorks updates","This release has no functional changes of the add-on.","Released: April 19, 2023","New format for the category field, see Category.","The cs_ prefix has been removed from many fields.","Spaces have been added for easier readability.","Hotfix for priority field failing default regex match"]},{"i":"v105","l":"v1.0.5","p":["Released: December 19, 2022","Added macro and retention definition to the General Settings in Splunk Enterprise Security"]},{"i":"v104","l":"v1.0.4","p":["Released: November 22, 2022","Added managed configuration to Splunk Enterprise Security","Fixed incorrect mac field (Thanks @PaddlingCode )"]},{"i":"v103","l":"v1.0.3","p":["Released: September 20, 2022","added cleanup search to remove old/stale devices","added search macro for device retention period","updated collection to include last seen field","updated lookup generating search to include last time seen"]},{"i":"v102","l":"v1.0.2","p":["Released: September 8,2022","added first_seen, last_seen, and last_updated to category field","added site_name to existing bunit field","Changed app logo background to transparent.","Updated saved search to preserve hosts with multiple IP/MAC addresses"]},{"i":"v101","l":"v1.0.1","p":["Released: August 25, 2022","Hotfix for missing _key field in saved search."]},{"i":"v100","l":"v1.0.0","p":["Released: August 25, 2022","Initial Release"]}],[{"l":"Compatibility","p":["Product","Version","Splunk Platform versions","9.x, 8.x","Splunk Enterprise Security version","7.x, 6.x","CrowdStrike Device add-on version","3.x"]}],[{"l":"Known issues","p":["Issue","Description","Solution","Lookup file error","You may see the error status=Lookup file error, unknown path or update time name=crowdstrike_devices","This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation. You can tune out name field (crowdstrike_devices) from saved search: Identity - Identity Manager Error to stop the error messages from this source."]}]]
\ No newline at end of file
diff --git a/sitemap.xml.gz b/sitemap.xml.gz
index e537e9d..098dbab 100644
Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ
diff --git a/start/build/index.html b/start/build/index.html
index 7c2eeba..a1e61ab 100644
--- a/start/build/index.html
+++ b/start/build/index.html
@@ -4,7 +4,7 @@
-
+
@@ -31,11 +31,11 @@
-
+
-
+
-
+