Merge pull request #6 from ZachChristensen28/devel

Version 0.0.2

.github/workflows/appinspect-caller.yml

@@ -1,4 +1,4 @@
-name: Splunk Appinspect Caller
+name: Splunk Appinspect
 on:
   pull_request:
     branches:

README.md

@@ -1,7 +1,7 @@
 # Cloudflare Audit Add-on (ta_cloudflare_audit) for Splunk
 
 ![GitHub](https://img.shields.io/github/license/zachchristensen28/ta_cloudflare_audit)
-![Appinspect](https://github.com/ZachChristensen28/ta_cloudflare_audit/actions/workflows/appinspect.yml/badge.svg)
+![Appinspect](https://github.com/ZachChristensen28/ta_cloudflare_audit/actions/workflows/appinspect-caller.yml/badge.svg)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/ta_cloudflare_audit)
 [![Cloudflare API Compatibility](https://img.shields.io/badge/Cloudflare%20API%20Compatibility-v4-success)](https://developers.cloudflare.com/api)
 ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
@@ -10,17 +10,30 @@ This Splunk Technical Add-on allows collection of Audit events on a scheduled in
 
 ## Documentation
 
-TBD
+Full documentation coming Soon.
+
+### API Token Requirements (not global token)
+
+Create a custom token with the following permissions.
+
+Setting | Item | Permission
+------- | ---- | ----------
+Account | Access: Audit Logs | Read
+Account | Account Settings | Read
+
+\***Include `All accounts` for Account Resources.**
+
+- Set Client IP address Filtering and TTL as needed.
 
 ## Disclaimer
 
-> *This Technical Add-on (TA) is __not__ affiliated with [__Cloudflare, Inc.__](https://www.cloudflare.com/) and is not sponsored or sanctioned by the Cloudflare team. As such, the included documentation does not contain information on how to get started with Cloudflare. Please visit [https://www.cloudflare.com/](https://www.cloudflare.com//) for more information about Cloudflare.*
+> *This Technical Add-on (TA) is __not__ affiliated with [__Cloudflare, Inc.__](https://www.cloudflare.com/) and is not sponsored or sanctioned by the Cloudflare team. Cloudflare is and the Cloudflare web badges are [registered trademarks](https://www.cloudflare.com/trademark/) of Cloudflare, Inc. Please visit [https://www.cloudflare.com/](https://www.cloudflare.com/) for more information about Cloudflare.*
 
 ## About
 
 Info | Description
 ------|----------
-ta_cloudflare_audit | 0.0.1 - Splunkbase - TBD \| [GitHub](https://github.com/ZachChristensen28/ta_cloudflare_audit)
+ta_cloudflare_audit | 0.0.2 - Splunkbase - TBD \| [GitHub](https://github.com/ZachChristensen28/ta_cloudflare_audit)
 
 ## Issues or Feature Requests
 

src/ta_cloudflare_audit/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "ta_cloudflare_audit",
-      "version": "0.0.1"
+      "version": "0.0.2"
     },
     "author": [
       {

src/ta_cloudflare_audit/default/app.conf

@@ -7,11 +7,11 @@
 state_change_requires_restart = true
 is_configured = false
 state = enabled
-build = 4
+build = 7
 
 [launcher]
 author = ZachTheSplunker
-version = 0.0.1
+version = 0.0.2
 description = Collects Audit logs from Cloudflare.
 
 [ui]

src/ta_cloudflare_audit/default/props.conf

@@ -14,6 +14,11 @@ INDEXED_EXTRACTIONS = JSON
 KV_MODE             = none
 SHOULD_LINEMERGE    = 0
 TIMESTAMP_FIELDS    = when
+FIELDALIAS-user     = actor.email AS user
+FIELDALIAS-user_id  = actor.id AS user_id
+FIELDALIAS-src_ip   = actor.ip AS src_ip
+FIELDALIAS-src      = actor.ip AS src
+EVAL-action         = if('action.result'=="true", "success", "failure")
 
 # --------------------------------------
 # Add-on internal logs