Feature 13 (#14)

changes for #13

Signed-off-by: Zach Christensen <[email protected]>

README.md

@@ -36,6 +36,7 @@ Version 1.0.2
 
 New
 - added `first_seen`, `last_seen`, and `last_updated` to category field (#8).
+- added `site_name` to existing `bunit` field (#13).
 
 Updated
 - Changed app logo background to transparent.

docs/configure/bunit.md

@@ -4,6 +4,6 @@
 
 The bunit field will most likely need to be updated. Every organization will have different values for this field. The current configuration is described in the following table.
 
-Mapped Field | Crowdstrike field
+Mapped Field | Crowdstrike fields
 ------------ | -----------------
-bunit | `falcon_device.ou{}`
+bunit | `falcon_device.ou{}`, `falcon_device.site_name`

docs/releases/index.md

@@ -13,6 +13,7 @@ Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570
 ### New
 
 - added `first_seen`, `last_seen`, and `last_updated` to category field ([#8](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/8)).
+- added `site_name` to existing `bunit` field ([#13](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/13)).
 
 ### Updated
 

src/SA-CrowdstrikeDevices/default/savedsearches.conf

@@ -43,7 +43,7 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
     nt_host=lower('falcon_device.hostname'),\
     dns=lower(nt_host.".".'falcon_device.machine_domain'),\
     mac=lower(replace('falcon_device.mac_address', "-", ":")),\
-    bunit=lower(replace(mvjoin('falcon_device.ou{}', ","), " ", "_")),\
+    bunit=lower(replace(mvjoin(mvappend('falcon_device.ou{}', 'falcon_device.site_name'), ","), " ", "_")),\
     priority=case(match(category, "domain_controller"), "critical", match(category, "server|ubuntu|rhel|linux"), "high", true(), "medium"),\
     is_expected=if(priority=="critical", "true", "false"),\
     _key=md5(nt_host)\