Add host to the device inventory v2 from internal logs #382

Merged
25 changes: 17 additions & 8 deletions cyences_app_for_splunk/appserver/static/notable_event_editor.css
Expand Up @@ -30,28 +30,37 @@
/* Hidden Columns */
#notable_event_main_tbl .notable_event_id,
#notable_event_main_tbl [data\-sort\-key='notable_event_id'] {
display:none;
display: none;
}


/* Hide Table Headers */
#notable_event_main_tbl [data\-sort\-key='notable_event_selector'],
#notable_event_main_tbl [data\-sort\-key='notable_event_edit'],
#notable_event_main_tbl [data\-sort\-key='notable_event_assignee'],
#notable_event_main_tbl [data\-sort\-key='notable_event_quick_assign_to_me']
{
#notable_event_main_tbl [data\-sort\-key='notable_event_quick_assign_to_me'] {
min-width: 20px !important;
max-width: 20px !important;
width: 20px !important;
padding:0px;
margin:0px;
padding: 0px;
margin: 0px;
}

#notable_event_main_tbl [data\-sort\-key='notable_event_selector'] a,
#notable_event_main_tbl [data\-sort\-key='notable_event_edit'] a,
#notable_event_main_tbl [data\-sort\-key='notable_event_assignee'] a,
#notable_event_main_tbl [data\-sort\-key='notable_event_quick_assign_to_me'] a
{
#notable_event_main_tbl [data\-sort\-key='notable_event_quick_assign_to_me'] a {
/* color:transparent !important; */
display:none;
display: none;
}

/* raw expansion table borders */
#notable_event_history_table table tbody tr td {
border: 1px solid;
border-color: black;
}

#notable_event_result_table table tbody tr td {
border: 1px solid;
border-color: black;
}
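Review bot: the two border rules added at the end of this hunk for #notable_event_history_table and #notable_event_result_table are identical and unrelated to the PR's stated change (adding hosts to the device inventory from internal logs); consider merging them into one rule with a grouped selector and shortening `border: 1px solid; border-color: black;` to `border: 1px solid black;`, or moving them to a separate style PR. The rest of the hunk is whitespace normalization (`display:none;` to `display: none;`, opening braces moved onto the selector line) and reads fine.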
Expand Up @@ -41,7 +41,7 @@
</html>
<table>
<search>
<query>| rest /servicesNS/-/cyences_app_for_splunk/saved/searches count=0 splunk_server=local | search "eai:acl.app"="cyences_app_for_splunk" title IN ("Device Inventory - Lansweeper - v2", "Device Inventory - Tenable - v2", "Device Inventory - Tenable Vuln - v2", "Device Inventory - Qualys - v2", "Device Inventory - Sophos - v2", "Device Inventory - Windows Defender - v2", "Device Inventory - CrowdStrike - v2", "Device Inventory - Kaspersky - v2", "Device Inventory Backfill - V2", "Device Inventory Lookup CleanUp - V2", "Device Inventory Merge Similar Devices - V2") | table title, disabled | rename title as label | eval status=if(disabled=1, "Report is disabled", "Report is enabled") | table label, status</query>
<query>| rest /servicesNS/-/cyences_app_for_splunk/saved/searches count=0 splunk_server=local | search "eai:acl.app"="cyences_app_for_splunk" title IN ("Device Inventory - Lansweeper - v2", "Device Inventory - Tenable - v2", "Device Inventory - Tenable Vuln - v2", "Device Inventory - Qualys - v2", "Device Inventory - Sophos - v2", "Device Inventory - Windows Defender - v2", "Device Inventory - CrowdStrike - v2", "Device Inventory - Kaspersky - v2", "Device Inventory - Splunk Internal - V2", "Device Inventory Backfill - V2", "Device Inventory Lookup CleanUp - V2", "Device Inventory Merge Similar Devices - V2") | table title, disabled | rename title as label | eval status=if(disabled=1, "Report is disabled", "Report is enabled") | table label, status</query>
<earliest>0</earliest>
<latest></latest>
</search>
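Review bot: the status table's query keeps a hand-maintained `title IN (...)` list, so every new inventory source (here "Device Inventory - Splunk Internal - V2") must also be added to this dashboard or it silently never shows up in the report status view; a short comment in savedsearches.conf pointing at this dashboard would help the next contributor. The new title uses `V2` while the vendor reports in the same list use `v2`; the `search` command matches field values case-insensitively, so this works, but aligning the casing with the stanza name in savedsearches.conf avoids confusion when someone greps for it.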
26 changes: 24 additions & 2 deletions cyences_app_for_splunk/default/savedsearches.conf
Expand Up @@ -3506,7 +3506,7 @@ search = `cs_lansweeper` `cs_lansweeper_timerange` \
| eval product_name="Lansweeper", product_uuid=AssetID, hostname=lower(mvdedup(mvappend(AssetName, FQDN))), ip=lower(IPAddress), mac_address=lower(Mac), antivirus=mvzip(antivirus_name, antivirus_enabled, "#") \
| rename _time as time, AssetID as lansweeper_id, host as lansweeper_collected_by, site_name as Site, AssetTypename as AssetType, Statename as lansweeper_state, Userdomain as Domain, AssetGroup as GroupName, OScode as OSVersion, Username as lansweeper_user, version as AssetVersion, OS as lansweeper_os, FQDN as lansweeper_fqdn, Firstseen as FirstSeen, Lastseen as LastSeen \
| fillnull value="" hostname mac_address ip \
| dedup hostname mac_address ip \
| dedup hostname mac_address ip ```In order to avoid the duplicate entries of the similar devices which has diff AssetID``` \
Collaborator

We need to remove this as we discussed.

Contributor Author

Yes, we've discussed removing it, but I found it useful in some scenarios, as follows:
If there are 2 assets with different AssetIDs, the same host, and empty mac & ip, then

  1. dedup will treat them as one asset
  2. without using dedup, they will be 2 assets in the device inventory, because it considers them the same asset only if 2 properties (from host, ip, mac) are the same (where the values must not be empty or null).

Collaborator

ok

| table time, product_name, product_uuid, ip, mac_address, lansweeper_id, hostname, lansweeper_collected_by, Site, AssetType, lansweeper_state, Domain, GroupName, OSVersion, BuildNumber, AssetVersion, lansweeper_user, lansweeper_os, Description, IPLocation, lansweeper_fqdn, antivirus, AssetDomain, FirstSeen, LastSeen, AssetName, Serialnumber, Processor, Model, Manufacturer, OSRelease, OSname, SystemVersion, Memory, LsAgentVersion, LastLsAgent, LastChanged, DNSName \
| cyencesdevicemanager operation="addentries" \
| stats values(GroupName) as GroupName, values(antivirus) as antivirus, values(Processor) as Processor, first(*) as * by lansweeper_id \
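Review bot: the inline ```...``` comment appended to the `dedup hostname mac_address ip` line records why the dedup is kept, which settles the thread above, but it should state what the dedup actually does after `fillnull value=""`: two Lansweeper assets with different AssetID, the same hostname and empty mac and ip collapse to whichever event dedup sees first, so only that AssetID's product_uuid reaches `cyencesdevicemanager` and the later `stats ... by lansweeper_id`. If that is the intent, say so in the comment ("keep only the first of similar devices that have different AssetIDs") and fix its grammar. Also confirm that the app's minimum supported Splunk version recognizes triple-backtick search comments inside a savedsearches.conf search string, since the same backtick character is used for the `cs_lansweeper` macros on the surrounding lines.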
Expand Down Expand Up @@ -3705,6 +3705,27 @@ search = `cs_kaspersky` ProductName=KES* \
| outputlookup cs_kaspersky_inventory_v2
action.cyences_notable_event_action.products = Kaspersky

[Device Inventory - Splunk Internal - V2]
Collaborator

This should be similar to Lansweeper. Get the latest things only, and we can delete old stuff.

disabled = 0
enableSched = 1
alert.track = 0
cron_schedule = 14 * * * *
description = This report update the device inventory every hour with the available forwarders in splunk environment. \
\
Data Collection - It uses the index=_internal and do not require specific data collection.
dispatch.earliest_time = -62m@m
dispatch.latest_time = -2m@m
display.general.type = statistics
display.page.search.tab = statistics
display.page.search.mode = fast
request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = (index=_internal sourcetype=splunkd (connectionType=cooked OR connectionType=cookedSSL) fwdType=* group=tcpin_connections) \
| stats latest(sourceIp) as ip, latest(fwdType) as forwarder_type, latest(version) as version, latest(arch) as arch, latest(os) as os, max(_time) as time values(splunk_server) as splunk_server by hostname \
| eval product_name="Splunk Internal", product_uuid=hostname."-".ip, mac_address="" \
| cyencesdevicemanager operation="addentries"
action.cyences_notable_event_action.products = Splunk Internal
Collaborator

@mahirchavda - Please review this and advise.



# Backfill
[Device Inventory Backfill - V2]
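Review bot: `product_uuid=hostname."-".ip` in the new stanza makes the device identifier change every time a forwarder's source IP changes (DHCP, NAT, roaming laptops), so the same host gets a fresh inventory entry per IP and the "delete old stuff" concern raised above gets worse over time; the tcpin_connections events in `index=_internal` also carry the forwarder's `guid`, which is stable across IP changes, so `latest(guid) as guid` in the stats and `product_uuid=guid` would identify the host reliably. Smaller points in the same hunk: the `stats` list is missing the comma between `max(_time) as time` and `values(splunk_server) as splunk_server` (spaces are accepted, but it is inconsistent with the rest of the line); the description should read "This report updates the device inventory every hour with the forwarders available in the Splunk environment. ... It uses index=_internal and does not require specific data collection."; and unlike the Kaspersky stanza just above, which ends with `| outputlookup cs_kaspersky_inventory_v2`, this stanza stops at `cyencesdevicemanager operation="addentries"`, so confirm whether the new source should also persist a per-source inventory lookup.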
Expand All @@ -3728,7 +3749,8 @@ search = | savedsearch "Device Inventory - Tenable Vuln - V2" | where SEARCHNOTH
| append [| savedsearch "Device Inventory - Sophos - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \
| append [| search `cs_windows_defender` EventCode=1151 `cs_windows_defender_max_timerange` | `cs_windows_defender_inventory_fill_search_v2` | where SEARCHNOTHING="SEARCHNOTHING"] \
| append [| savedsearch "Device Inventory - CrowdStrike - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \
| append [| savedsearch "Device Inventory - Kaspersky - V2" | where SEARCHNOTHING="SEARCHNOTHING"]
| append [| savedsearch "Device Inventory - Kaspersky - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \
| append [| savedsearch "Device Inventory - Splunk Internal - V2" | where SEARCHNOTHING="SEARCHNOTHING"]


[Device Inventory Lookup CleanUp - V2]
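Review bot: the appended `| savedsearch "Device Inventory - Splunk Internal - V2"` re-runs the new report, whose stored window is `-62m@m` to `-2m@m`, so the backfill only picks up forwarders seen in the last hour; compare the Windows Defender entry two lines up, which uses a dedicated `cs_windows_defender_max_timerange` macro to give the backfill a wider range. If the backfill is meant to load historical forwarders, give this source an explicit longer time range in the same way, or confirm the one-hour window is intended. The trailing `\` added to the Kaspersky line is correct and needed for the continuation.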