Changelog: Cisco Secure Access Add-On for Splunk
v1.0.50
- Added Secure Access Push Security Events.
- Added Secure Access Alerts.
- Reduced Latency for DNS and FW Events from S3.
- Added event type support for Network Tunnel Groups and IPsec tunnel connectivity logs.
- Fixed various software bugs in the add-on.
v1.0.48
- Updated the display name of the add-on to Cisco Secure Access Add-on for Splunk.
- Updated the aliases for the fields in the DNS event type.
v1.0.46
- In the add-on, automated the rotation of the organization's AWS S3 API key for a Cisco-managed S3 bucket. An administrator can also configure the rotation of the S3 bucket API key for a Cisco-managed S3 bucket in the add-on manually.
- Enabled the configuration of the AWS S3 bucket base folder only, which supports the setup of the sub-folders in the S3 bucket.
- Added automatic discovery of new log sources. The add-on can detect a new log source and then add the log source as an input.
- On the main menu in the add-on, added a tab that links directly to the Cisco Cloud Security App for Splunk.
- Added support for the Cisco Secure Access v13 log format.
- Updated the default landing page.
- Fixed an issue with the detection of the header used for automatic field extraction.
v1.0.42
- Added automatic field extraction using headers.
- Simplified the configuration of the AWS account information and Event Log entry in the add-on.
- Added the option to configure the settings for a specific log type or choose Create inputs for all event types.
- Added the option to enter a Default Start Date with the current day using the YYYY-MM-DD format.
- Updated the add-on to migrate any existing inputs to the new add-on's settings after an upgrade of the add-on.
- Added support for the Fileevent event type.
- Added support for the Cisco Secure Access v12 log format.
- Added the Splunk Common Information Model (CIM) mapping for the Fileevent event type and v12 log schema.
- Fixed various software bugs in the add-on.
v1.0.40
- Added support for the v11 log schema. The v11 log schema is available for the audit, DNS, RAVPN, Zero Trust Access (ZTA), ZTA Flow, proxy, firewall, intrusion, and DLP logs.
- Added the configuration of the input for the ZTA Flow logs.
- Removed the requirement to restart Splunk after you install or update the add-on.
- Fixed the tagging of the log events with a prior schema version. When you updated the version of the log schema, the add-on did not tag the previous version of the log events correctly.
- Updated the icon for the add-on.
- If you enable headers for event logs in Log Management, Splunk displays the log headers and the event data.
v1.0.39
- Added the v10 schema log fields for the DNS, RAVPN, ZTNA, proxy, firewall, intrusion, and DLP logs.
- Updated the data models:
  - Changed the priority to 1 for the intrusion, firewall, and proxy logs.
  - Added the session data for the RAVPN log.
  - Added the authentication data for the ZTNA log.
  - Applied fixes for the intrusion and ZTNA models.
v1.0.36
- Updated the Zero Trust Network Access (ZTNA) and Remote Access Virtual Private Network (RAVPN) log schemas.
- Added a mechanism to handle split events.
- Updated the add-on's internal libraries.
- Addressed known bugs in the add-on.
v1.0.34
In the add-on, set up these data inputs for Umbrella or Secure Access:
- DNS logs
- Proxy logs for the Secure Web Gateway (SWG)
- Firewall logs
- Audit logs
- Data Loss Prevention (DLP) logs
For Secure Access, configure these additional event types:
- Remote Access Virtual Private Network (RAVPN) logs
- Zero Trust Network Access (ZTNA) logs
- Intrusion Prevention System (IPS) logs
Previous Releases
For information about the Cisco Cloud Security Umbrella Add-On for Splunk, see Cisco Cloud Security Umbrella Add-On for Splunk Integration Guide.