Release history for the Splunk Add-on for Cisco WSA¶

Latest release¶

The latest version of the Splunk Add-on for Cisco WSA is version 5.0.0. Please see Release notes for the Splunk Add-on for Cisco WSA for the release notes of this latest version.

Version 4.0.0¶

Splunk Add-on for Cisco WSA version 4.0.0 was released on August 9, 2022.

About this release¶

Version 4.0.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	8.1, 8.2, 9.0
CIM	5.0.0
Platforms	Platform independent
Vendor Products	Cisco Web Security Appliance 11.7, 11.8, 12.5 and 14.5.

New features¶

Version 4.0.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

Support for Async OS 11.8, 12.5, 14.5
Support for CIM 5.0
Recommended format has changed to key-value format based on WSA access logs. However, v3.5.0 recommended format is still supported under cisco:wsa:w3c sourcetype, i.e. sequence of fields expected by v3.5.0 cisco:wsa:w3c:recommended is now expected by cisco:wsa:w3c sourcetype. If another sequence is used, it should be updated either in WSA log configuration or in TA input configuration by defining custom field sequence as described later in this documentation
As seen from the previous point, TA v4.0.0 implements a breaking change in cisco:wsa:w3c sourcetype. Previously cisco:wsa:w3c was expecting a default field sequence put by Cisco in device configuration. Since TA v4.0.0 it expects the sequence required by cisco:wsa:w3c:recommended sourcetype of TA v3.5.0.
The following internal (non CIM) fields extraction have been removed for access and w3c logs: **ta_cisco_wsa_proxy_action
vendor_action
txn_result_code
scanning_engine
cim_ids_types
http_result
acl_action
vendor_suspect_user_agent
hierarchy
contact_mode
result_code
cs_url_host
server_contact_mode.

Where possible these fields have been replaced with corresponding w3c log fields, for example, “hierarchy” was replaced with “s_hierarchy”

Since version WSA TA version 4.0.0 all access and w3c logs are tagged with “network” and “communicate” tags (Web:Proxy CIM data set) no matter if traffic was blocked or not due to malware, virus or other thread detection. In contrast to previous versions where such events were tagged for Malware:Malware_Attack CIM data set in v4.0.0 they are tagged for Web:Proxy with additional fields from Malware:Malware_Attack extracted: date, file_hash, file_name, file_path, signature.

The following lookups has been removed in TA v4.0.0 as no longer used in extractions: **cisco_wsa_category_map_lookup.csv
cisco_wsa_malware_action_lookup.csv

Fixed issues¶

Version 4.0.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 4.0.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.

Third-party software attributions¶

Version 4.0.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.5.0¶

Splunk Add-on for Cisco WSA version 3.5.0 was released on August 9, 2022.

Version 3.5.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	7.3, 8.0, 8.1
CIM	4.18.0
Platforms	Platform independent
Vendor Products	Cisco Web Security Appliance 11.7, 11.8 and 12.5.

New features¶

Version 3.5.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

Support for Async OS 11.8, 12.5
Support for CIM 4.18
Modified datamodel mapping for cisco:wsa:squid:new by removing Intrusion Detection datamodel
Added a new recommended sourcetype - cisco:wsa:w3c:recommended
Added syslog support for cisco:wsa:w3c:recommended
Fixed positions of ‘x_url’ and ‘x_avc_type’ in cisco:wsa:squid:new sourcetype
Change in CIM field vendor_product from the name of Scanning Engine (McAfee, Sophos, Webroot) to Cisco WSA

Fixed issues¶

Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.

Third-party software attributions¶

Version 3.5.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.4.0¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	7.2, 7.3, 8.0
CIM	4.15.0
Platforms	Platform independent
Vendor Products	Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0,11.5 and 11.7.

New features¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

Improved CIM mapping
New Splunk Connect for Syslog filter
Support for version 11.7 of Cisco Web Security Appliance

Fixed issues¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.3.1¶

Version 3.3.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	7.2, 7.3, 8.0
CIM	4.15.0
Platforms	Platform independent
Vendor Products	Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0 and 11.5.

New features¶

Version 3.3.1 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+

Support for AsyncOS 11.5 for Cisco WSA
Support for CIM 4.15.0

Fixed issues¶

Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.3.0¶

Version 3.3.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.2 or later
Platforms	Platform independent
Vendor Products	Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0 and 11.0.

New features¶

Version 3.3.0 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+

Fixed issues¶

Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.3.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.4¶

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.3.0.

Fixed issues¶

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.2.4 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.3¶

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.2.4.

New features¶

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following new features.

Date	Issue number	Description
2015-11-06	ADDON-6278	Support for Cisco WSA version 8.5.3 and 9.0.

Fixed issues¶

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Known issues¶

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.2.3 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.2¶

Version 3.2.2 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	6.2 or later
CIM	4.2 or later
Platforms	Platform independent
Vendor Products	Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, and 8.5.2.

New features¶

Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following new features.

Resolved date	Issue number	Description
2015-09-24	ADDON-5055	Support for Cisco WSA version 8.5.

Fixed issues¶

Version 3.2.2 of the Splunk Add-on for Cisco WSA has no fixed issues.

Known issues¶

Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.2.2 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.1¶

Version 3.2.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.


Splunk platform versions	6.2 or later
CIM	4.2 or later
Platforms	Platform independent
Vendor Products	Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, and 8.1.0.

New features¶

Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following new features.

Resolved date	Issue number	Description
08/17/15	ADDON-4025	Extract additional fields from Cisco WSA access log (sourcetype=cisco:wsa:squid) and map those fields to CIM.

Fixed issues¶

Version 3.2.1 of the Splunk Add-on for Cisco WSA has no fixed issues.

Known issues¶

Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following known issue.

Third-party software attributions¶

Version 3.2.1 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.0¶

New features¶

Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following new features.

Resolved date	Issue number	Description
05/01/15	ADDON-3799/ ADDON-3384/ ADDON-2774	Support for versions 8.0, 8.0.6, and 8.1.0 of Cisco WSA.
05/01/15	ADDON-3066	Malware detection support.

Fixed issues¶

Version 3.2.0 of the Splunk Add-on for Cisco WSA fixed the following issues.

Known issues¶

Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following known issue.

Third-party software attributions¶

Version 3.2.0 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.

Version 3.1.1¶

Fixed issues¶

Version 3.1.1 of the Splunk Add-on for Cisco WSA fixed the following issue.

Known issues¶

Version 3.1.1 of the Splunk Add-on for Cisco WSA had the following known issues.

Third-party software attributions¶

Version 3.1.1 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.

Version 3.1.0¶

New features¶

Version 3.1.0 of the Splunk Add-on for Cisco WSA included the following new features:

Support for Cisco WSA 7.7.0 syslog (ADDON-1702)

Fixed issues¶

Version 3.1.0 of the Splunk Add-on for Cisco WSA fixed the following issues:

Splunk Enterprise should be able to extract user agent and category fields from WSA data (ADDON-1114)
Non communication events should not be tagged “communicate” (ADDON-1030)
Incorrect extraction due to regex syntax (ADDON-1029)
Add-on should include lookup for action based on vendor_action (ADDON-959)

Known issues¶

Version 3.1.0 of the Splunk Add-on for Cisco WSA had the following known issues:

Splunk_TA_cisco-wsa needs to provide backwards-compatible eventtypes as an option in the add-on. 3.0.1 version of this add-on defined the cisco-wsa-squid eventtype, which is used in most pre-built searches of the Cisco Security Suite. (ADDON-2292)
Cisco Security Suite 3.0.3 compatibility issues. Knowledge object updates needed in props and transforms to support CSS searches. (ADDON-2350)
Cisco Security Suite category widget produces: “Error in ‘lookup’ command: The lookup table ‘cisco-wsa-category’ does not exist.” (ADDON-2349)