Splunk® Supported Add-ons

Splunk Add-on for Cisco ASA

Release notes for the Splunk Add-on for Cisco ASA

Version 4.1.0 of the Splunk Add-on for Cisco ASA was released on October 6, 2020.

Compatibility

Version 4.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions | 7.2, 7.3, 8.0
CIM | 4.17
Supported OS for data collection | OS independent
Vendor products | Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302015, 302020, 303002, 304001, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

You can only use versions 4.x and above of the Splunk Add-on for Cisco ASA with the new FIELDALIAS functionality. You can't use the Splunk Add-on for Cisco ASA with old FIELDALIAS configurations.


New or changed features

As of version 4.1.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event type changes were made in version 4.1.0:

  • Change data model mapping has been removed from the event type cisco_asa_configuration_change.
  • Endpoint data model mapping has been removed from the event types cisco_asa_endpoint_processes and cisco_asa_endpoint_filesystem.
  • Network Resolution (DNS) mapping has been removed from the event type cisco_asa_network_resolution.
  • The event type cisco_asa_audit_change has been added and maps to the Change data model.

message_id changes

CIM data model mappings have changed for the following message_ids:

message_id | Old Data Model | New Data Model
313005 | Network Intrusion, Network Traffic | Network Traffic
302015 | Network_Traffic, Network_Sessions | Network Traffic
109025 | Authentication, Network_Traffic | Network_Traffic

Mappings with CIM data models have been removed for the following message_ids: 113003, 302014, 302016, 302021, 304001, 305012, 305013, 314001, 402119, 405001, 500001, 500002, 504001, 504002, 505001, 505002, 505003, 505005, 505006, 505007, 505008, 507003, 602101, 607001, 608001, 702307, 710006, 713154, 713160, 713162, 713163, 716014, 716015, 716016, 716603, 722053, 725001, 725002, 722036, 725003, 725006, 725007, 725012, 725016, 734003, 751026, 805001, 805002, 805003


CIM mappings have been modified to map as follows:

Event type | Cisco ASA Message ID
cisco_vpn_start | 113039, 716001, 722022, 602303, 722033, 722034
cisco_vpn_end | 113019, 716002, 722023, 602304
cisco_vpn | 722051, 713228
cisco_intrusion | 400032, 313005, 106016, 10601
cisco_connection | 109025, 302013, 305011, 302015, 106023, 106015, 106012, 106100, 106103, 110002, 302020, 338301, 400013, 710003, 710005, 419002, 106021, 313005, 106001, 313001, 106007, 303002, 710002, 313009, 500003, 106006, 106014, 419003, 106020, 338002, 313004
cisco_authentication_privileged | 502103
cisco_authentication | 113008, 113012, 113004, 113005, 611101, 605005, 713166, 713167, 713185, 716038, 716039, 713198
cisco_asa_network_sessions | 716058, 716059, 722028, 722029, 722030, 722031, 722037, 751025
cisco_asa_network_resolution | 713154
cisco_asa_endpoint_processes | 111010
cisco_asa_endpoint_filesystem | 716015, 716014, 716016
cisco_asa_configuration_change | 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505015, 113003 and all events having value for change_class
cisco_asa_certificates | 717009, 717022, 717027, 717028, 717029, 717037
cisco_asa_audit_change | 502102, 502101, 502103, 502111, 111010, 502112, 505015, 505004, 505009

Fixed issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved | Issue number | Description
2020-09-21 | ADDON-27927 | Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - "network_traffic" DM (action=allowed OR action=blocked)
2020-08-10 | ADDON-27928 | Cisco ASA TA - new Regex doesn't pick up spaces

Known issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:


Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Last modified on 18 November, 2020