Release history for the Splunk Add-on for Cisco ESA
Latest version
The latest version of the Splunk Add-on for Cisco ESA is version 1.7.0. See Release notes for the Splunk Add-on for Cisco ESA for the release notes of this latest version.
Version 1.6.1
Version 1.6.1 of the Splunk Add-on for Cisco ESA was released on July 19, 2023. Version 1.6.1 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 8.2.x, 9.0, 9.1 |
CIM | 5.0.1 |
Platforms | Platform independent |
Vendor Products | Cisco ESA AsyncOS v14.2 |
New Features
Version 1.6.1 of the Splunk Add-on for Cisco ESA has the following new features:
Fixed issues
Version 1.6.1 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
- Fixed the extraction of the subject CIM field from events that contain certificate information in the cisco:esa:cef source type.
Known issues
Version 1.6.1 of the Splunk Add-on for Cisco ESA contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.6.1 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.6.0
Version 1.6.0 of the Splunk Add-on for Cisco ESA was released on July 25, 2022. Version 1.6.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 8.1.x, 8.2.x, 9.0 |
CIM | 5.0.1 |
Platforms | Platform independent |
Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5, v13.5.1, v14.0.0 and v14.2 |
New Features
Version 1.6.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Provided support for the latest version of Cisco Email Security Appliance, v14.2.
- Increased the coverage of the add-on and added support for many new events.
- Added mappings to two new data models:
  - Change Account Management
  - Malware Attacks
- Corrected the values of the change_type field for a few events.
- Provided compatibility with the latest CIM version, 5.0.1, for all events.
- Fixed pytest-splunk-addon v3.0.8 failures.
For detailed CIM field mapping changes, see the tables below.
Data Model Changes
sourcetype | field | value | Previous CIM model | New CIM model |
---|---|---|---|---|
cisco:esa:system_logs | description | The values describing respective alert messages. | None | Alerts |
cisco:esa:system_logs | result | *performed user management action* | None | Change.Account_Management |
cisco:esa:http | description | The values describing respective alert messages. | None | Alerts |
cisco:esa:http | result | Passphrase has been changed* | Change.All_Changes | Change.Account_Management |
cisco:esa:amp | action | blocked, deferred | Alerts | Malware.Malware_Attacks |
cisco:esa:amp | description | The values describing respective alert messages. | None | Alerts |
cisco:esa:textmail | description | SDR: Domains for which SDR is requested | None | |
cisco:esa:antispam | description | bayes: cannot open bayes databases | None | Alerts |
Fixed issues
Version 1.6.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.6.0 of the Splunk Add-on for Cisco ESA contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.6.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.5.0
Version 1.5.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 5.0.0 |
Platforms | Platform independent |
Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5, v13.5.1 and v14.0.0 |
New Features
Version 1.5.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for AsyncOS v14.0.0.
- Enhanced CIM mapping and compatibility with CIM v5.0.0.
- Four new source types: cisco:esa:antispam, cisco:esa:content_scanner, cisco:esa:error_logs, and cisco:esa:system_logs.
- Support for the DNS, Network Session, Change, Alert, and Web CIM data models.
- For CEF logs, support for multi-value recipient, file_name, and file_hash fields. Modified extraction of the user field.
- Fixed extraction of the subject field in the cisco:esa:textmail source type for AsyncOS v14.
- Fixed extractions by swapping internal_message_id and message_id for the cisco:esa:cef, cisco:esa:bounce, and cisco:esa:delivery source types.
For detailed CIM field mapping changes, see the tables below.
Data Model Changes
sourcetype | Previous CIM model | New CIM model |
---|---|---|
cisco:esa:bounce | None | |

sourcetype | field | value | Previous CIM model | New CIM model |
---|---|---|---|---|
cisco:esa:authentication | vendor_action | logged out | None | Change.All_Changes |
cisco:esa:http | action | modified, started, restarted, stopped | None | Change.All_Changes |
cisco:esa:http | subject | Error in http/https connection | None | Alerts |
cisco:esa:http | http_method | * | None | Web |
cisco:esa:http | action | added | None | Network_Sessions.All_Sessions |
cisco:esa:textmail | action | modified, started, restarted, stopped | None | Change.All_Changes |
cisco:esa:textmail | alert_recipient | * | None | Alerts |
cisco:esa:textmail | description | The values describing any alerting messages. | None | Alerts |
Fixed issues
Version 1.5.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.5.0 of the Splunk Add-on for Cisco ESA contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.5.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.4.0
Version 1.4.0 of the Splunk Add-on for Cisco ESA was released on August 24, 2020.
About this release
Version 1.4.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 7.2.x, 7.3.x, 8.0.x, 8.1.x |
CIM | 4.16 |
Platforms | Platform independent |
Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5 and v13.5.1 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 1.4.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for Single Log Line Format.
- Support for Cisco ESA versions 13.5 and 13.5.1.
- New event types:
  - cisco_esa_cef
  - cisco_esa_mar
  - cisco_esa_delivery
- New source types:
  - cisco:esa:cef
  - cisco:esa:delivery
  - cisco:esa:bounce
- New Email data model mappings:
  - cisco_esa_delivery eventtype
  - cisco_esa_cef eventtype
- The value of the CIM field "app" is now "Cisco Email Security Appliance".
- Deprecated support for AsyncOS 7.x, 8.x, and 9.x.
- Malware data model mapping is now removed for the cisco_esa_amp eventtype.
- Web data model mapping is now removed for the cisco_esa_proxy eventtype.
- Email data model mapping is now removed for the cisco_esa_email eventtype.
Fixed issues
Version 1.4.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.4.0 of the Splunk Add-on for Cisco ESA contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.4.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.3.0
Version 1.3.0 of the Splunk Add-on for Cisco ESA was released on July 26, 2018.
About this release
Version 1.3.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.3 and later |
Platforms | Platform independent |
Vendor Products | Cisco IronPort ESA C370 on AsyncOS 7.x, 8.x, 9.x, 10.x, 11.x |
New Features
Version 1.3.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for graymail logs
- Support for country logs
- Support for amp logs
- Improved extraction of src_ip, dest_ip, src_host, and dest_port fields
Fixed issues
Version 1.3.0 of the Splunk Add-on for Cisco ESA fixes the following issues:
Known issues
Version 1.3.0 of the Splunk Add-on for Cisco ESA contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.3.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.2
Version 1.2.2 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
Splunk platform versions | 6.3 and above |
CIM | 4.3 and above |
Platforms | Platform independent |
Vendor Products | Cisco IronPort ESA C370 on AsyncOS 7.x |
Fixed issues
Version 1.2.2 of the Splunk Add-on for Cisco ESA fixes the following issues:
Resolved date | Defect number | Description |
---|---|---|
2016/04/18 | ADDON-8725 | CIM mapping is missing for the action field in the cisco:esa:http source type. |
2016/04/12 | ADDON-8207 | Some fields in the cisco:esa:legacy source type are not extracted. |
2016/04/05 | ADDON-8570 | Regex sometimes fails to extract IP addresses correctly. |
2016/03/15 | ADDON-7955 | Performance issues in Splunk Enterprise Security related to tag expansions. |
2016/02/19 | ADDON-7765 | src_ip is not captured correctly in the src_dest_fields_for_cisco_esa field extraction. |
2016/02/19 | ADDON-7743 | Incorrect CIM mapping for src_user. |
Known issues
Version 1.2.2 of the Splunk Add-on for Cisco ESA has no reported known issues.
Third-party software attributions
Version 1.2.2 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.1
Version 1.2.1 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.2.
Fixed issues
Version 1.2.1 of the Splunk Add-on for Cisco ESA fixes the following issues:
Resolved date | Defect number | Description |
---|---|---|
2016/01/22 | ADDON-6405 | Invalid key-value parser warnings due to mismatches between props.conf and transforms.conf. |
2016/01/11 | ADDON-7389 | Warning message in log concerning timestamp for cisco:esa:http. |
Known issues
Version 1.2.1 of the Splunk Add-on for Cisco ESA has the following known issues:
Publication date | Defect number | Description |
---|---|---|
2016/02/11 | ADDON-7765 | src_ip not captured correctly in src_dest_fields_for_cisco_esa field extraction. |
Third-party software attributions
Version 1.2.1 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.0
Version 1.2.0 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.1.
New features
Version 1.2.0 of the Splunk Add-on for Cisco ESA had the following new feature:
Date | Issue number | Description |
---|---|---|
2014/11/13 | ADDON-2313 | Cisco ESA source types are now backwards compatible with legacy source types, cisco:esa and cisco_esa. See source types for details. |
Fixed issues
Version 1.2.0 of the Splunk Add-on for Cisco ESA fixed the following issue:
Resolved date | Defect number | Description |
---|---|---|
2014/11/17 | ADDON-2305 | Syntax error in 7th field in the format line of the transform “connection_drop_for_cisco_esa” is reverse_dns=$7 instead of reverse_dns::$7. |
Known issues
Version 1.2.0 of the Splunk Add-on for Cisco ESA has no reported known issues.
Third-party software attributions
Version 1.2.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.1.0
Version 1.1.0 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.0.
Fixed issues
Version 1.1.0 of the Splunk Add-on for Cisco ESA fixes the following issues:
Resolved date | Defect number | Description |
---|---|---|
2014/10/30 | ADDON-2181 | Events should not be source typed cisco:sea:syslog |
2014/10/28 | ADDON-2134 | Need to extract more fields for Authentication logs |
2014/10/28 | ADDON-2133 | Need to extract more fields for HTTP logs |
2014/10/28 | ADDON-2132 | Need to extract more fields for System logs |
2014/10/28 | ADDON-2148 | Extract fields from Spam Quarantine Logs |
2014/10/28 | ADDON-2149 | Extract fields from Spam Quarantine GUI Logs |
2014/10/28 | ADDON-2151 | Extract fields from Safe/Block Lists Logs |
2014/10/28 | ADDON-2131 | Extract more fields for Text Mail logs |
2014/10/21 | ADDON-2189 | TA folder name is wrong |
Known issues
Version 1.1.0 of the Splunk Add-on for Cisco ESA has the following known issue:
Publication date | Defect number | Description |
---|---|---|
2014/11/13 | ADDON-2313 | New Cisco ESA source types are not backwards compatible. Version 1.0.0 used only one source type, cisco:esa. Prior versions used cisco_esa. There are currently no rename functions included with the add-on to support the mapping of old data. |
Third-party software attributions
Version 1.1.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.