Release notes for the Splunk Add-on for Cisco ESA
Version 1.7.0 of the Splunk Add-on for Cisco ESA was released on July 30, 2024.
About this release
Version 1.7.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 9.1.x, 9.2.x |
| CIM | v5.3.2 |
| Platforms | Platform independent |
| Vendor Products | Cisco ESA AsyncOS v15.5.1 |
New Features
Version 1.7.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Provided support for the latest version of Cisco Email Security Appliance v15.5.1.
- Increased the coverage of the add-on and added support for ~100 new events.
- Added mappings to new data models:
  - Network Sessions:Session_Start
  - Endpoint:Ports
  - Network Traffic:All_Traffic
- Introduced new event types:
  - cisco_esa_endpoint_ports
  - cisco_esa_network_traffic
  - cisco_esa_network_sessions_start
- Added support for IPv6 field extractions.
- Added support for Custom Log Entries and Custom Log Headers field extractions for CEF logs.
- The values for the fields action, type, protocol, and status have been corrected for a few events.
- The values for src_ip and dest_ip have been corrected for the Network Sessions data model for the cisco:esa:http source type.
- The following program names have been added to the cisco:esa:system_logs source type: euq_logs, service_logs, reportd_logs, sntpd_logs, smartlicense.
- The updater_logs program name has been added to the cisco:esa:error_logs source type.
- Provided compatibility with the latest CIM version v5.3.2 for all events.
- Introduced a built-in dashboard to give insights for the add-on:
  - Current add-on version.
  - Total number of Cisco ESA events ingested by Splunk.
  - Time-series graph of the Cisco ESA events ingested in Splunk.
  - Number of events ingested by index, source, and source type.
  - Trends of events, by index.
  - CIM supported events.
Data model changes
| sourcetype | DM Identification Criteria | Previous CIM model | New CIM model |
|---|---|---|---|
| cisco:esa:textmail | The values describing respective alert messages. | None | Alerts |
| cisco:esa:textmail | The flow_id and src fields have non-empty values. | None | Network Traffic:All_Traffic |
| cisco:esa:amp | The values describing respective alert messages. | None | Alerts |
| cisco:esa:authentication | The result field value matches User * logged out* | Change:All_Changes | Change:Account_Management |
| cisco:esa:system_logs | The query_type and query_count fields have non-empty values. | None | Network Resolution:DNS |
| cisco:esa:system_logs | The action field value matches (modified,started,restarted,stopped) | None | Change:All_Changes |
| cisco:esa:system_logs | The values describing respective alert messages. | None | Alerts |
| cisco:esa:system_logs | The action field value matches (started,ended,blocked) and the signature field value matches *The HTTP session has been established successfully*. | None | Network Sessions:Session_Start |
| cisco:esa:error_logs | The values describing respective alert messages. | None | Alerts |
| cisco:esa:http | The dest, dest_port, and transport fields have non-empty values. | None | Endpoint:Ports |
| cisco:esa:http | The action field value matches (started,ended,blocked) and the signature field value matches *The HTTP* session has been established successfully*. | Network Sessions:All_Sessions | Network Sessions:Session_Start |
| cisco:esa:http | The action field value matches (started,ended,blocked) and the transport, protocol, and dvc fields have non-empty values. | Alerts | Network Traffic:All_Traffic |
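The cisco:esa:http rows above move events from Alerts and Network Sessions:All_Sessions to new models, so searches or alerts pinned to the previous model need review before upgrading. As an added example (not the add-on's own code), the following Python applies those identification criteria to already-extracted events; the sample event, the field values in it, and the helper names are constructed, and it assumes the add-on's field extractions have already run.

```python
import fnmatch

# Added example, not the add-on's own code: applies the v1.7.0 data model
# identification criteria for cisco:esa:http to an already-extracted event
# (a dict of field -> value). Assumes the add-on's field extractions have run.

SESSION_ACTIONS = {"started", "ended", "blocked"}

def _nonempty(event, *fields):
    """True when every named field is present with a non-empty value."""
    return all(event.get(f) for f in fields)

def _sig(event, pattern):
    """Wildcard match of the signature field, with '*' as in the table's criteria."""
    return fnmatch.fnmatchcase(str(event.get("signature", "")), pattern)

def classify_http(event):
    """CIM data models a cisco:esa:http event maps to in v1.7.0, per the table."""
    models = []
    action = event.get("action")
    if _nonempty(event, "dest", "dest_port", "transport"):
        models.append("Endpoint:Ports")
    if action in SESSION_ACTIONS and _sig(event, "*The HTTP* session has been established successfully*"):
        models.append("Network Sessions:Session_Start")
    if action in SESSION_ACTIONS and _nonempty(event, "transport", "protocol", "dvc"):
        models.append("Network Traffic:All_Traffic")
    return models

# Previous model for each cisco:esa:http row of the table (None = newly mapped).
PREVIOUS_HTTP = {
    "Endpoint:Ports": None,
    "Network Sessions:Session_Start": "Network Sessions:All_Sessions",
    "Network Traffic:All_Traffic": "Alerts",
}

def http_model_changes(event):
    """(previous, new) model pairs for this event; searches built on 'previous' need review."""
    return [(PREVIOUS_HTTP[m], m) for m in classify_http(event)]

# Constructed sample event carrying the fields the criteria reference.
SAMPLE_HTTP = {
    "action": "started",
    "signature": "The HTTP session has been established successfully",
    "transport": "tcp", "protocol": "http", "dvc": "esa01.example.com",
    "dest": "10.0.0.5", "dest_port": "443",
}

if __name__ == "__main__":
    for old, new in http_model_changes(SAMPLE_HTTP):
        print(f"{old or '(unmapped)'} -> {new}")
```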
Field Changes
| Source type | Fields added | Fields removed |
|---|---|---|
| cisco:esa:amp | src, dest | |
| cisco:esa:cef | ESACustomLogs, ESALogHeaders | |
| cisco:esa:error_logs | src, signature_id, signature | |
| cisco:esa:http | protocol_version, state, http_protocol, protocol, transport, dest_port, http_referrer_domain, creation_time | |
| cisco:esa:legacy | vendor_product | |
| cisco:esa:textmail | protocol_version, internal_alert, transport, flow_id, signature_id | |
Fixed issues
Version 1.7.0 of the Splunk Add-on for Cisco ESA fixes the following issues.
| Resolved date | Defect number | Description |
|---|---|---|
| 2024/06/12 | ADDON-68618 | Cisco ESA not parsing file_name when file name contains a dot |
| 2024/07/16 | ADDON-57014 | Subject Field Broken in v1.6.0 - Splunk Add-on for Cisco ESA |
Known issues
Version 1.7.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.7.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.