Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA

Release notes for the Splunk Add-on for Cisco WSA

Splunk Add-on for Cisco WSA version 4.0.0 was released on August 9, 2022.

About this release

Version 4.0.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2, 9.0
CIM 5.0.0
Platforms Platform independent
Vendor Products Cisco Web Security Appliance 11.7, 11.8, 12.5 and 14.5.

New features

Version 4.0.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

  • Support for Async OS 11.8, 12.5, 14.5
  • Support for CIM 5.0
  • Recommended format has changed to key-value format based on WSA access logs. However, v3.5.0 recommended format is still supported under cisco:wsa:w3c sourcetype, i.e. sequence of fields expected by v3.5.0 cisco:wsa:w3c:recommended is now expected by cisco:wsa:w3c sourcetype. If another sequence is used, it should be updated either in WSA log configuration or in TA input configuration by defining custom field sequence as described later in this documentation
  • As seen from the previous point, TA v4.0.0 implements a breaking change in cisco:wsa:w3c sourcetype. Previously cisco:wsa:w3c was expecting a default field sequence put by Cisco in device configuration. Since TA v4.0.0 it expects the sequence required by cisco:wsa:w3c:recommended sourcetype of TA v3.5.0.
  • The following internal (non CIM) fields extraction have been removed for access and w3c logs: **ta_cisco_wsa_proxy_action
    • vendor_action
    • txn_result_code
    • scanning_engine
    • cim_ids_types
    • http_result
    • acl_action
    • vendor_suspect_user_agent
    • hierarchy
    • contact_mode
    • result_code
    • cs_url_host
    • server_contact_mode.

Where possible these fields have been replaced with corresponding w3c log fields, for example, "hierarchy" was replaced with "s_hierarchy"

  • Since version WSA TA version 4.0.0 all access and w3c logs are tagged with "network" and "communicate" tags (Web:Proxy CIM data set) no matter if traffic was blocked or not due to malware, virus or other thread detection. In contrast to previous versions where such events were tagged for Malware:Malware_Attack CIM data set in v4.0.0 they are tagged for Web:Proxy with additional fields from Malware:Malware_Attack extracted: date, file_hash, file_name, file_path, signature.
  • The following lookups has been removed in TA v4.0.0 as no longer used in extractions: **cisco_wsa_category_map_lookup.csv
    • cisco_wsa_malware_action_lookup.csv


Fixed issues

Version 4.0.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.


Known issues

Version 4.0.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.


Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Last modified on 01 September, 2022
Source types for the Splunk Add-on for Cisco WSA   Release history for the Splunk Add-on for Cisco WSA

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters