Release notes for the Splunk Add-on for Cisco WSA
Splunk Add-on for Cisco WSA version 5.0.0 was released on December 13, 2024.
About this release
Version 5.0.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.1.x, 9.2.x, 9.3 |
CIM | 5.0.x, 5.1.x, 5.2.x, 5.3.x, 6.0.0 |
Platforms | Platform independent |
Vendor Products | Cisco Web Security Appliance 12.5, 14.5, 15.0, and 15.2 |
New features
Version 5.0.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:
- Support for AsyncOS v15.0 and v15.2.
- Support for CIM v6.0.0.
- Enhanced CIM extractions.
- Support for IPv6 field extractions.
- Support for new cisco:wsa:syslog sourcetype.
  - Events of audit_logs, gui_logs and cli_logs are categorized in this sourcetype.
- Introduced a built-in dashboard to give insights for the add-on:
  - Current add-on version.
  - Total number of Cisco WSA events ingested by Splunk.
  - Time-series graph of the Cisco WSA events ingested in Splunk.
  - Number of events ingested by index, source, and source type.
  - Trends of events, by index.
  - CIM-supported events.
- Removed support of cisco:wsa:squid:new sourcetype.
Note
- Support for backward compatibility has been ensured, and all logs with the cisco:wsa:squid:new sourcetype will now be merged into the existing cisco:wsa:squid sourcetype. To restore the cisco:wsa:squid:new sourcetype and its logs, refer to the steps for restoration.
- Addition of new data model Change.
- Removed field extraction for ‘-’ value.
- Bug fixes and enhancements.
Field Changes
Event Format | Fields Added | Fields Removed | Fields Modified | Notes |
---|---|---|---|---|
All events with x_* field extracted as “-” | x_* | - | - | Fields starting with x_ whose extracted value is “-” will not be extracted |
All events with field extracted as unknown | - | All with unknown as value | - | - |
All events with IPv6 addresses | - | - | dest_port | dest_port extraction is corrected |
All events of cisco:wsa:w3c:recommended sourcetype | - | - | x_webroot_threat_name | Corrected the incomplete extraction |
All events of cisco:wsa:squid sourcetype with DECRYPT_EUN_WBRS and status code in 4XX, 5XX range | - | - | action | action value is corrected from allowed to blocked |
All events with cisco:wsa:syslog sourcetype | app, change_type, dest, urldata_dest, object_path, http_user_agent_length, url_length, tag::eventtype, user, gui_logs_url, tag, object_category, eventtype, src, vendor_product, url, object_attrs, uri_query, result, uri_path, object, status, dest_port, user_name, dvc, description, http_user_agent, http_method | - | - | - |
Fixed issues
Version 5.0.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.
Known issues
Version 5.0.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.
Third-party software attributions
Version 5.0.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.