Add host to the device inventory v2 from internal logs #382
Merged: hardikhdholariya merged 5 commits into CY-500-implement-device-inventoy-v2 from Add-host-to-the-device-inventory-v2-from-_internal-logs on Aug 29, 2023.
Changes from 2 commits (5 commits in the pull request):

859e747 Added the table border of the expanded tables (hardikhdholariya)
c18825d Added the savedsearch to add the forwarders available in Splunk env. (hardikhdholariya)
111225a Added macro to the cyences configuration (hardikhdholariya)
2aab449 Added index_time field to device inventory v2 and updated the cleanup… (hardikhdholariya)
86a7b16 Used the _indextime instead of _time (hardikhdholariya)
|
@@ -3506,7 +3506,7 @@ search = `cs_lansweeper` `cs_lansweeper_timerange` \ | |
| eval product_name="Lansweeper", product_uuid=AssetID, hostname=lower(mvdedup(mvappend(AssetName, FQDN))), ip=lower(IPAddress), mac_address=lower(Mac), antivirus=mvzip(antivirus_name, antivirus_enabled, "#") \ | ||
| rename _time as time, AssetID as lansweeper_id, host as lansweeper_collected_by, site_name as Site, AssetTypename as AssetType, Statename as lansweeper_state, Userdomain as Domain, AssetGroup as GroupName, OScode as OSVersion, Username as lansweeper_user, version as AssetVersion, OS as lansweeper_os, FQDN as lansweeper_fqdn, Firstseen as FirstSeen, Lastseen as LastSeen \ | ||
| fillnull value="" hostname mac_address ip \ | ||
| dedup hostname mac_address ip \ | ||
| dedup hostname mac_address ip ```In order to avoid the duplicate entries of the similar devices which has diff AssetID``` \ | ||
| table time, product_name, product_uuid, ip, mac_address, lansweeper_id, hostname, lansweeper_collected_by, Site, AssetType, lansweeper_state, Domain, GroupName, OSVersion, BuildNumber, AssetVersion, lansweeper_user, lansweeper_os, Description, IPLocation, lansweeper_fqdn, antivirus, AssetDomain, FirstSeen, LastSeen, AssetName, Serialnumber, Processor, Model, Manufacturer, OSRelease, OSname, SystemVersion, Memory, LsAgentVersion, LastLsAgent, LastChanged, DNSName \ | ||
| cyencesdevicemanager operation="addentries" \ | ||
| stats values(GroupName) as GroupName, values(antivirus) as antivirus, values(Processor) as Processor, first(*) as * by lansweeper_id \ | ||
|
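Review bot: the only change in this hunk is the inline SPL comment on `dedup hostname mac_address ip`, and the justification it gives ("avoid the duplicate entries of the similar devices which has diff AssetID") does not cover the case the preceding `fillnull value="" hostname mac_address ip` creates: every asset with no hostname, no MAC and no IP is normalised to the same ("", "", "") tuple, so `dedup` keeps one of them and silently drops the rest regardless of AssetID, while the later `stats ... first(*) as * by lansweeper_id` still keys on AssetID, so the two steps pull in opposite directions. If the dedup stays, key it on lansweeper_id for rows that have no identifying value, for example `| eval dedup_key=if(hostname="" AND mac_address="" AND ip="", lansweeper_id, hostname."|".mac_address."|".ip) | dedup dedup_key`, and state in the comment that `dedup` keeps the first row in result order, so which AssetID survives depends on the sort order of the `cs_lansweeper` results. The comment text itself should read "devices which have different AssetIDs".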
@@ -3705,6 +3705,27 @@ search = `cs_kaspersky` ProductName=KES* \ | |
| outputlookup cs_kaspersky_inventory_v2 | ||
action.cyences_notable_event_action.products = Kaspersky | ||
|
||
[Device Inventory - Splunk Internal - V2] | ||
Review comment: This should be similar to Lansweeper. Get the latest things only, and we can delete old stuff.
||
disabled = 0 | ||
enableSched = 1 | ||
alert.track = 0 | ||
cron_schedule = 14 * * * * | ||
description = This report update the device inventory every hour with the available forwarders in splunk environment. \ | ||
\ | ||
Data Collection - It uses the index=_internal and do not require specific data collection. | ||
dispatch.earliest_time = -62m@m | ||
dispatch.latest_time = -2m@m | ||
display.general.type = statistics | ||
display.page.search.tab = statistics | ||
display.page.search.mode = fast | ||
request.ui_dispatch_app = cyences_app_for_splunk | ||
request.ui_dispatch_view = search | ||
search = (index=_internal sourcetype=splunkd (connectionType=cooked OR connectionType=cookedSSL) fwdType=* group=tcpin_connections) \ | ||
| stats latest(sourceIp) as ip, latest(fwdType) as forwarder_type, latest(version) as version, latest(arch) as arch, latest(os) as os, max(_time) as time values(splunk_server) as splunk_server by hostname \ | ||
| eval product_name="Splunk Internal", product_uuid=hostname."-".ip, mac_address="" \ | ||
| cyencesdevicemanager operation="addentries" | ||
action.cyences_notable_event_action.products = Splunk Internal | ||
Review comment: @mahirchavda - Please review this and advise.
||
|
||
|
||
# Backfill | ||
[Device Inventory Backfill - V2] | ||
|
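Review bot: `product_uuid=hostname."-".ip` in the new [Device Inventory - Splunk Internal - V2] stanza is not a stable identifier for forwarders whose address changes (DHCP clients, laptops on VPN): `stats ... by hostname` already collapses each host to one row, but a new `latest(sourceIp)` produces a new product_uuid, so the same host gets a second inventory entry and the old one lingers until cleanup, which is the opposite of the "get the latest things only" request in the inline comment above. Since hostname is the stats key, `product_uuid=hostname` keeps one entry per host; lowercase it as well (`eval hostname=lower(hostname)`) so it matches the `lower(...)` normalisation the Lansweeper search applies to hostname and the device manager can merge entries across sources. Smaller points on the same stanza: the `stats` line mixes comma-separated and space-separated aggregations (`max(_time) as time values(splunk_server) as splunk_server`), which SPL accepts but is inconsistent with the rest of the file; the description should read "This report updates the device inventory every hour ... It uses index=_internal and does not require specific data collection."; and because the search is built from `group=tcpin_connections` over the -62m@m..-2m@m window, it only sees hosts that had a cooked TCP connection to this indexer during that hour, so indexers, search heads and forwarders that were offline are not inventoried and the description should say "connected forwarders" rather than implying all Splunk instances.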
@@ -3728,7 +3749,8 @@ search = | savedsearch "Device Inventory - Tenable Vuln - V2" | where SEARCHNOTH | |
| append [| savedsearch "Device Inventory - Sophos - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \ | ||
| append [| search `cs_windows_defender` EventCode=1151 `cs_windows_defender_max_timerange` | `cs_windows_defender_inventory_fill_search_v2` | where SEARCHNOTHING="SEARCHNOTHING"] \ | ||
| append [| savedsearch "Device Inventory - CrowdStrike - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \ | ||
| append [| savedsearch "Device Inventory - Kaspersky - V2" | where SEARCHNOTHING="SEARCHNOTHING"] | ||
| append [| savedsearch "Device Inventory - Kaspersky - V2" | where SEARCHNOTHING="SEARCHNOTHING"] \ | ||
| append [| savedsearch "Device Inventory - Splunk Internal - V2" | where SEARCHNOTHING="SEARCHNOTHING"] | ||
|
||
|
||
[Device Inventory Lookup CleanUp - V2] | ||
|
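Review bot: the new `append` for "Device Inventory - Splunk Internal - V2" has no wider-window variant for backfill, unlike the Defender line two entries up, which is re-issued against `cs_windows_defender_max_timerange` so that the backfill covers history rather than the last hour; the Splunk Internal stanza only defines the hourly -62m@m..-2m@m dispatch window, so there is no knob to widen it here. If the backfill is meant to seed the inventory with everything that has ever connected, add a max-timerange macro for this source (named along the lines of the Defender one; hypothetical name) and use it in this line as the Defender entry does; otherwise note in the stanza description that backfill adds nothing beyond the scheduled run for this source. Style point: the Kaspersky line correctly gains a trailing `\` continuation now that it is no longer the last append, and the new final line correctly has none.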
Review comment: We need to remove this as we discussed.

Review comment: Yes, we discussed removing it, but I found it useful in some scenarios, such as the following:
If 2 assets with different AssetIDs and the same host and empty MAC & IP are there, then

Review comment: ok