Download topic as PDF
Release history for the Splunk Add-on for Cisco ESA
Latest version
The latest version of the Splunk Add-on for Cisco ESA is version 1.6.1. See Release notes for the Splunk Add-on for Cisco ESA for the release notes of this latest version.
Version 1.6.0
Version 1.6.0 of the Splunk Add-on for Cisco ESA was released on July 25, 2022.Version. 1.6.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 8.1.x, 8.2.x, 9.0 |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5,v13.5.1, v14.0.0 and v14.2 |
New Features
Version 1.6.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Provided support for the latest version of Cisco Email Security Appliance v14.2.
- Increased the coverage of the add-on and added support for many new events.
- Added mappings to two new Data models:
- Change Account Management
- Malware Attacks
- The values for field change_type have been corrected for a few events.
- Provided compatibility with latest CIM version 5.0.1 for all events.
- Fixed pytest-splunk-addon v3.0.8 failures.
For more detailed CIM fields mapping changes see the tables below.
Data Model Changes
| sourcetype | field | value | Previous CIM model | New CIM model |
|---|---|---|---|---|
cisco:esa:system_logs
|
description | The values describing respective alert messages. | None | Alerts |
| result | *performed user management action* | None | Change.Account_Management | |
cisco:esa:http
|
description | The values describing respective alert messages. | None | Alerts |
| result | Passphrase has been changed* | Change.All_Changes | Change.Account_Management | |
cisco:esa:amp
|
action | blocked, deferred | Alerts | Malware.Malware_Attacks |
| description | The values describing respective alert messages. | None | Alerts | |
cisco:esa:textmail
|
description | SDR: Domains for which SDR is requested | None | |
cisco:esa:antispam
|
description | bayes: cannot open bayes databases | None | Alerts |
Fixed issues
Version 1.6.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.6.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported.
| Date filed | Issue number | Description |
|---|---|---|
| 2023-05-24 | ADDON-62519 | Cisco ESA parsing issue |
Third-party software attributions
Version 1.6.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.5.0
Version 1.5.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 8.1.x, 8.2.x |
| CIM | 5.0.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5,v13.5.1 and v14.0.0 |
New Features
Version 1.5.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for AsyncOS v14.0.0
- Enhanced CIM mapping and compatibility with v5.0.0
- 4 new source types:
cisco:esa:antispam,cisco:esa:content_scanner,cisco:esa:error_logs,cisco:esa:system_logs. - Support for DNS, Network Session, Change, Alert, and Web CIM Data models.
- For CEF Logs, support for multi-value fields of the
recipient,file_name, andfile_hash. Modified extraction of the user field. - Fixed extraction of the subject field in
cisco:esa:textmailsourcetype for AsyncOS v14 - Fixed extractions by swapping
internal_message_idandmessage_idforcisco:esa:cef,cisco:esa:bounceandcisco:esa:deliverysource types
For more detailed CIM fields mapping changes see the tables below.
Data Model Changes
| sourcetype | Previous CIM model | New CIM model |
|---|---|---|
cisco:esa:bounce
|
None |
| sourcetype | field | value | Previous CIM model | New CIM model |
|---|---|---|---|---|
cisco:esa:authentication
|
vendor_action | logged out | None | Change.All_Changes |
cisco:esa:http
|
action | modified, started, restarted, stopped | None | Change.All_Changes |
| subject | Error in http/https connection | None | Alerts | |
| http_method | * | None | Web | |
| action | added | None | Network_Sessions.All_Sessions | |
cisco:esa:textmail
|
action | modified, started, restarted, stopped | None | Change.All_Changes |
| alert_recipient | * | None | Alerts | |
| description | The values describing any alerting messages. | None | Alerts |
Fixed issues
Version 1.5.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.5.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.5.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.4.0
Version 1.4.0 of the Splunk Add-on for Cisco ESA was released on August 24, 2020.
About this release
Version 1.4.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 7.2.x, 7.3.x, 8.0.x, 8.1.x |
| CIM | 4.16 |
| Platforms | Platform independent |
| Vendor Products | Cisco ESA AsyncOS v10, v10.0.1, v11, v11.1, v11.5, v12, v12.1, v12.5, v13, v13.5 and v13.5.1 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 1.4.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for Single Log Line Format.
- Support for Cisco ESA for 13.5 and 13.5.1 versions.
- New event types:
cisco_esa_cefcisco_esa_marcisco_esa_delivery
- New source types:
cisco:esa:cefcisco:esa:deliverycisco:esa:bounce
- New Email data model mappings:
cisco_esa_deliverycisco_esa_cef eventtype
- The value for CIM field "app" is now "Cisco Email Security Appliance"
- Deprecated support for AsyncOS 7.x, 8.x, 9.x
- Malware data model mapping is now removed for
cisco_esa_amp eventtype. - Web data model mapping is now removed for
cisco_esa_proxy eventtype. - Email data model mapping is now removed for
cisco_esa_email eventtype.
Fixed issues
Version 1.4.0 of the Splunk Add-on for Cisco ESA fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 1.4.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 1.4.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.3.0
Version 1.3.0 of the Splunk Add-on for Cisco ESA was released on July 26, 2018.
About this release
Version 1.3.0 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.3 and later |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort ESA C370 on AsyncOS 7.x, 8.x, 9.x, 10.x, 11.x |
New Features
Version 1.3.0 of the Splunk Add-on for Cisco ESA has the following new features:
- Support for graymail logs
- Support for country logs
- Support for amp logs
- Improved extraction of src_ip, dest_ip, src_host, and dest_port fields
Fixed issues
Version 1.3.0 of the Splunk Add-on for Cisco ESA fixes the following issues:
| Date resolved | Issue number | Description |
|---|---|---|
| 2018-06-04 | ADDON-18065 | Provide support for IPV6 for all the sourcetypes |
| 2018-05-28 | ADDON-18062 | Extraction Issue: vendor_action TLS failed is not being extracted |
| 2018-05-27 | ADDON-18061 | Extraction issues when vendor_action equals Connection Error |
| 2018-05-17 | ADDON-13220 | An action value missing from search-time field extraction |
| 2018-05-16 | ADDON-8717 | Cisco ESA Add-On Version 1.2.1 - Regex for identifying src_ip is incorrect, only getting last three octets |
| 2018-05-10 | ADDON-13181 | Incorrect field mapping in cisco_esa_email_action_lookup.csv lookup file |
| 2018-05-09 | ADDON-12779 | AV regex doesn't capture negative results |
| 2018-05-09 | ADDON-16588 | Fix tls_for_cisco_esa transform |
Known issues
Version 1.3.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 1.3.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.2
Version 1.2.2 of the Splunk Add-on for Cisco ESA is compatible with the following platforms, CIM versions, and products:
| Splunk platform versions | 6.3 and above |
| CIM | 4.3 and above |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort ESA C370 on AsyncOS 7.x |
Fixed issues
Version 1.2.2 of the Splunk Add-on for Cisco ESA fixes the following issues:
| Resolved date | Defect number | Description |
|---|---|---|
| 2016/04/18 | ADDON-8725 | CIM mapping is missing for the action field in the cisco:esa:http source type.
|
| 2016/04/12 | ADDON-8207 | Some fields in the cisco:esa:legacy source type are not extracted.
|
| 2016/04/05 | ADDON-8570 | Regex sometimes fails to extract IP addresses correctly. |
| 2016/03/15 | ADDON-7955 | Performance issues in Splunk Enterprise Security related to tag expansions. |
| 2016/02/19 | ADDON-7765 | src_ip is not captured correctly in the src_dest_fields_for_cisco_esa field extraction.
|
| 2016/02/19 | ADDON-7743 | Incorrect CIM mapping for src_user.
|
Known issues
Version 1.2.2 of the Splunk Add-on for Cisco ESA has no reported known issues.
Third-party software attributions
Version 1.2.2 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.1
Version 1.2.1 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.2.
Fixed issues
Version 1.2.1 of the Splunk Add-on for Cisco ESA fixes the following issues:
| Resolved date | Defect number | Description |
|---|---|---|
| 2016/01/22 | ADDON-6405 | Invalid key-value parser warnings due to mismatches between props.conf and transforms.conf. |
| 2016/01/11 | ADDON-7389 | Warning message in log concerning timestamp for cisco:esa:http. |
Known issues
Version 1.2.1 of the Splunk Add-on for Cisco ESA has the following known issues:
| Publication date | Defect number | Description |
|---|---|---|
| 2016/02/11 | ADDON-7765 | src_ip not captured correctly in src_dest_fields_for_cisco_esa field extraction. |
Third-party software attributions
Version 1.2.1 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.2.0
Version 1.2.0 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.1.
New features
Version 1.2.0 of the Splunk Add-on for Cisco ESA had the following new feature:
| Date | Issue number | Description |
|---|---|---|
| 2014/11/13 | ADDON-2313 | Cisco ESA source types are now backwards compatible with legacy source types, cisco:esa and cisco_esa. See source types for details. |
Fixed issues
Version 1.2.0 of the Splunk Add-on for Cisco ESA fixed the following issue:
| Resolved date | Defect number | Description |
|---|---|---|
| 2014/11/17 | ADDON-2305 | Syntax error in 7th field in the format line of the transform "connection_drop_for_cisco_esa" is reverse_dns=$7 instead of reverse_dns::$7. |
Known issues
Version 1.2.0 of the Splunk Add-on for Cisco ESA has no reported known issues.
Third-party software attributions
Version 1.2.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
Version 1.1.0
Version 1.1.0 of the Splunk Add-on for Cisco ESA has the same compatibility specifications as version 1.2.0.
Fixed issues
Version 1.1.0 of the Splunk Add-on for Cisco ESA fixes the following issues:
| Resolved date | Defect number | Description |
|---|---|---|
| 2014/10/30 | ADDON-2181 | Events should not be source typed cisco:sea:syslog |
| 2014/10/28 | ADDON-2134 | Need to extract more fields for Authentication logs |
| 2014/10/28 | ADDON-2133 | Need to extract more fields for HTTP logs |
| 2014/10/28 | ADDON-2132 | Need to extract more fields for System logs |
| 2014/10/28 | ADDON-2148 | Extract fields from Spam Quarantine Logs |
| 2014/10/28 | ADDON-2149 | Extract fields from Spam Quarantine GUI Logs |
| 2014/10/28 | ADDON-2151 | Extract fields from Safe/Block Lists Logs |
| 2014/10/28 | ADDON-2131 | Extract more fields for Text Mail logs |
| 2014/10/21 | ADDON-2189 | TA folder name is wrong |
Known issues
Version 1.1.0 of the Splunk Add-on for Cisco ESA has the following known issue:
| Publication date | Defect number | Description |
|---|---|---|
| 2014/11/13 | ADDON-2313 | New Cisco ESA source types are not backwards compatible. Version 1.0.0 used only one source type, cisco:esa. Prior versions used cisco_esa. There are currently no rename functions included with the add-on to support the mapping of old data. |
Third-party software attributions
Version 1.1.0 of the Splunk Add-on for Cisco ESA does not incorporate any third-party software or libraries.
|
PREVIOUS Release notes for the Splunk Add-on for Cisco ESA |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!