The Cisco Security Cloud application offers a seamless integration experience for connecting your Cisco devices with Splunk, providing a rich and uniform interface. The application is equipped with detailed instructions to facilitate every step of the setup process and assists with monitoring to ensure that your data pipelines maintain their operational integrity.
The Cisco Security Cloud app combines a Technology Add-on (TA) and a Splunk App into a single package, so data onboarding and CIM normalization ship together with the dashboards, giving you a more efficient and comprehensive solution for your monitoring and analytics needs within Splunk.
The present version supports the following core application features:
Baseline Core Application Features
- Performance Monitoring, Resource Utilization and Error Handling
- Data Integrity and Observability
- Modular Application UX Configuration Setup
- Baseline Analytics to showcase product integration and detections
Product(s) Enabled:
Cisco AI Defense
Cisco Duo
Cisco Email Threat Defense (ETD)
Cisco Multicloud Defense
Cisco Secure Endpoint
Cisco Secure Firewall (FTD/eStreamer/ASA)
Cisco Secure Malware Analytics (SMA)
Cisco Secure Network Analytics (SNA)
Cisco XDR (Incident Import & Promote to ES Notable)
The Cisco Security Cloud application offers a seamless integration experience for connecting your Cisco devices with Splunk. The application is equipped with a modular user interface that provides detailed instructions for each Cisco product to help facilitate the setup process. It also features built-in health checks and constant monitoring to ensure data pipelines maintain their operational integrity.
v3.2.5 - Contains a hotfix for the ETD integration
AI Defense:
End-to-end testing for AI Defense with Enterprise Security, including support for promotion to notables/findings
XDR:
Corrected a truncated incident summary; fixed issues with promotion to notable events.
Firewall:
Fixed issues with the configuration page
Added configurable additional logging for IDS/malware events
Hotfix v3.2.3
Fixed performance issues in the event-count logging introduced in 3.2 for the eStreamer integration.
v3.2.2 - Updates
Cisco Secure Email Threat Defense
Mapped all 4xx errors to 429 (daily quota exceeded).
Updated the ETD module.
Cisco Secure Firewall
Resolved escalation issues, Splunk CIM normalization gaps, and eStreamer Firewall gaps.
Updated malware tags, the "communicate" tag, and data model constraints.
Cisco XDR
Added username retrieval from user IDs.
Cisco Identity Intelligence (CII)
Fixed a Splunk Cloud compliance validation failure related to CII HTTP/HTTPS requests
CVM
Included MITRE field in CVI Dashboard.
Shell App
Improved error handling, pagination, and KV Store checks.
Test Automation
Fixed test issues in resource utilization analytics.
Several housekeeping updates are included in this version, including:
AI Defense UI aesthetic updates
API rate limiting for ETD and XDR
Duo input form enhancements
CII module updates
Note: v3.2 is currently not compatible with Splunk Cloud. Please use v3.1.1 until the cloud-validated version v3.2.1 is available.
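The "API rate limiting for ETD and XDR" item above names a failure mode every cloud-API input has to handle: the vendor answers 429 (quota or rate limit exceeded) and the input must back off without hammering the API or silently losing the poll. The block below is an added example of that client-side handling, not code from the Cisco Security Cloud app or from Cisco. It assumes a transport callable that returns (status, headers, body), a numeric Retry-After header, and an example URL; the scripted transport is constructed so it runs offline, and the only name taken from the page is the 429 status itself.

```python
"""Retry/backoff handling for a rate-limited security API (added example)."""
import random
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], object]   # (status, headers, body) - assumed shape
Transport = Callable[[str], Response]            # hypothetical HTTP transport


class QuotaExceeded(Exception):
    """Raised when the API keeps answering 429/5xx past the retry budget."""


def retry_delay(attempt: int, retry_after: Optional[str], base: float = 1.0,
                cap: float = 60.0, rand: Callable[[], float] = random.random) -> float:
    """Seconds to wait before retry number `attempt` (1-based).

    A numeric Retry-After header wins outright. Otherwise use capped
    exponential backoff with full jitter so many forwarders restarting
    together do not retry in lock-step.
    """
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # HTTP-date form of Retry-After is not parsed here; fall back to backoff
    return min(cap, base * (2 ** (attempt - 1))) * rand()


def fetch_with_backoff(url: str, transport: Transport, sleep: Callable[[float], None],
                       max_attempts: int = 5) -> Tuple[object, List[float]]:
    """Fetch `url`; retry on 429 and 5xx; return (body, delays_used).

    Any other 4xx (expired token, malformed request) is raised at once:
    retrying a misconfiguration would only burn the daily quota.
    """
    delays: List[float] = []
    for attempt in range(1, max_attempts + 1):
        status, headers, body = transport(url)
        if status == 200:
            return body, delays
        if status == 429 or 500 <= status < 600:
            if attempt == max_attempts:
                break
            delay = retry_delay(attempt, headers.get("Retry-After"))
            delays.append(delay)
            sleep(delay)
            continue
        raise RuntimeError(f"non-retryable HTTP {status} from {url}")
    raise QuotaExceeded(f"gave up on {url} after {max_attempts} attempts")


def make_fake_transport(script: List[Response]) -> Transport:
    """Constructed transport that replays a scripted list of responses."""
    it = iter(script)

    def transport(url: str) -> Response:
        return next(it)
    return transport


def demo() -> Tuple[object, List[float]]:
    """Two 429s (the first with Retry-After: 3) and then a 200; no real sleeping."""
    script = [
        (429, {"Retry-After": "3"}, None),
        (429, {}, None),
        (200, {}, {"incidents": [{"id": "inc-1"}]}),   # constructed body
    ]
    return fetch_with_backoff("https://api.example.invalid/v1/incidents",
                              make_fake_transport(script), lambda s: None)


if __name__ == "__main__":
    print(demo())
```

The sleep callable is injected rather than calling time.sleep directly so the retry policy can be unit-tested and so a modular input can use Splunk's own scheduling instead of blocking the process; in production the delay should also be logged so the health dashboard can show that an input is being throttled rather than simply stalled.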
v3.1.1 - Updates
Added Support for AI Defense integration
Added additional telemetry for Firewall eStreamer packet data events
Added failsafes for loss of access to the KV Store used for bookmarking event streams
Added ability to use proxy inputs for Email Threat Defense
Modified labels in Firewall data to reflect proper naming conventions
Modified CVI filters and dashboard to improve the user experience
Enhanced CIM mapping for numerous models and product definitions
Modified the XDR API integration to support multiple tenants/orgs
Added Cisco Identity Intelligence Integration
Added Alerts Dashboard based on product specific CIM Alerting models
Added ASA dashboard
Added dvc/sensor fields to the eStreamer feed
Fixed duplicate events and missing tokens in the Cisco Security Cloud Firewall eStreamer client
Added an eStreamer input rate limit
General CVI bug fixes and enhancements
Bug fixes to SNA and SMA implementations
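Two of the v3.1.1 items, failsafes for losing the KV Store that bookmarks event streams and the duplicate-event fix in the eStreamer client, are really one design problem: where does the stream position live, and how does a restart avoid re-ingesting events? The block below is an added example of that pattern, not code from the Cisco Security Cloud app. The KV Store client is a hypothetical in-memory stand-in that can be toggled offline (the real Splunk KV Store is reached over REST), the bookmark key and file name are invented, and the event records are constructed. It keeps a local file copy of the bookmark so a KV Store outage degrades rather than resets the input, and it tracks the event IDs seen at the boundary timestamp so events sharing a timestamp are neither dropped nor duplicated.

```python
"""Stream bookmark with KV Store primary, local-file fallback, dedup (added example)."""
import json
import os
import tempfile
from typing import Dict, Iterable, List, Optional


class KVStoreUnavailable(Exception):
    pass


class FakeKVStore:
    """Hypothetical KV Store client: one JSON document per key, can go offline."""
    def __init__(self) -> None:
        self.docs: Dict[str, dict] = {}
        self.available = True

    def get(self, key: str) -> Optional[dict]:
        if not self.available:
            raise KVStoreUnavailable(key)
        return self.docs.get(key)

    def put(self, key: str, doc: dict) -> None:
        if not self.available:
            raise KVStoreUnavailable(key)
        self.docs[key] = dict(doc)


class Bookmark:
    """Stream position = last timestamp ingested + event IDs seen at that timestamp."""
    def __init__(self, kv: FakeKVStore, key: str, fallback_path: str) -> None:
        self.kv, self.key, self.fallback_path = kv, key, fallback_path
        self.state = {"last_ts": 0, "seen_ids": []}
        self.degraded = False   # True while running on the local copy only

    def load(self) -> dict:
        try:
            doc = self.kv.get(self.key)
            self.degraded = False
        except KVStoreUnavailable:
            doc = self._read_fallback()
            self.degraded = True
        if doc:
            self.state = doc
        return self.state

    def save(self) -> None:
        # Local copy first: a KV Store outage in the middle of save() then loses nothing.
        self._write_fallback()
        try:
            self.kv.put(self.key, self.state)
            self.degraded = False
        except KVStoreUnavailable:
            self.degraded = True

    def _read_fallback(self) -> Optional[dict]:
        if not os.path.exists(self.fallback_path):
            return None
        with open(self.fallback_path) as f:
            return json.load(f)

    def _write_fallback(self) -> None:
        tmp = self.fallback_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.fallback_path)   # atomic rename: never a half-written bookmark


def ingest(events: Iterable[dict], bm: Bookmark) -> List[dict]:
    """Return only events not yet ingested and advance the bookmark."""
    out: List[dict] = []
    last_ts, seen = bm.state["last_ts"], set(bm.state["seen_ids"])
    for ev in sorted(events, key=lambda e: (e["ts"], e["id"])):
        if ev["ts"] < last_ts or (ev["ts"] == last_ts and ev["id"] in seen):
            continue                       # already ingested (re-delivery or replay)
        if ev["ts"] > last_ts:
            last_ts, seen = ev["ts"], set()
        seen.add(ev["id"])
        out.append(ev)
    bm.state = {"last_ts": last_ts, "seen_ids": sorted(seen)}
    bm.save()
    return out


def demo(workdir: Optional[str] = None) -> dict:
    """Ingest two batches, lose the KV Store between them, restart from the file copy."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "estreamer_bookmark.json")
    kv = FakeKVStore()
    bm = Bookmark(kv, "estreamer_bookmark", path)
    bm.load()
    # Constructed sample: e1 and e2 share ts=100; e2 is re-delivered in the next batch.
    first = ingest([{"ts": 100, "id": "e1"}, {"ts": 100, "id": "e2"}, {"ts": 99, "id": "e0"}], bm)
    kv.available = False                  # simulate loss of KV Store access
    second = ingest([{"ts": 100, "id": "e2"}, {"ts": 100, "id": "e3"}, {"ts": 101, "id": "e4"}], bm)
    restored = Bookmark(kv, "estreamer_bookmark", path).load()   # fresh process during outage
    return {"first": [e["id"] for e in first], "second": [e["id"] for e in second],
            "degraded": bm.degraded, "restored": restored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The degraded flag is what a data-integrity page should surface: the input is still ingesting correctly, but its bookmark is only on local disk, so a host replacement before the KV Store returns would lose position.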
v2.0.1 - Updates
Improvements to user action validation scripts
Corrected issues in ETD Status inputs
Corrected issues with ASA/FTD log normalization
Built-in support for RBA (risk-based alerting) in the SNA configuration page
Implemented additional support for field extraction in FTD syslog sources
Enhanced failure reporting when creating/editing SNA inputs
Fixed a failure to create an input when creating/editing an SNA input with an invalid Manager Address field
Corrected bugs with data integrity page and feed connectivity
Fixed incident URLs pointing to the XDR US tenant instead of the XDR APJC tenant
Additional Support for SNA Alarm Data
Changed the error text shown in Network when a process is killed by signal 9
Enhanced SNA Dashboard, eliminating duplicative metrics
Corrected Errors in the ASA input form
This update includes additional security product integrations along with several query optimizations and enhanced CIM modeling to leverage accelerated data models. This is a significant update; removing all older versions and performing a clean re-install is highly recommended.
Two additional products are included:
Email Threat Defense
Secure Network Analytics
Additional Updates include the following:
Corrected invalid data/query for the "WAF Attack Types" graph in Multicloud Defense.
Added Lookups to Secure Firewall queries, introduced new data modeling to enhance performance of the Firewall dashboard.
Corrected a process termination (killed by signal 9) error in Network when saving Duo inputs
Changed the promote-to-notable section on the XDR configuration page from Severity to Priority score.
Updated Multicloud Defense and XDR logos
Provided enhanced error reporting across all product lines
Added Event types to the Firewall Syslog config
v1.2.4
v1.2.3 - Bug Fixes
Updated notable events from XDR with correct title and owner
Fixed connection errors for eStreamer inputs
Extended backend error handling and logging for eStreamer inputs
Improved query performance on the Firewall dashboard
v1.2.2
Fixed an issue where XDR Incident Ingest used incorrect titles when promoting XDR events to Splunk Notables in ES
Version 1.2.1 - Updates
Modified Index filter search, fixing a bug that limited the result options in the dashboard(s) filters.
Renamed Incorrect label "Incident data" to "Firewall Event Data" on the eStreamer config page.
Modified Firewall Syslog Input to include Host IP (optional)
Fixed 'Not Connected' status in Application Setup table for SMA Input
Fixed issue where proxy settings were not applied for SMA/SNA inputs
Added additional error handling to show errors when trying to save two inputs with the same name.
Fixed display issues on Data Integrity Page
Optimized Query Performance
v1.2.0 Updates
Added support for Firewall CIM mappings, eStreamer and syslog data
Added initial support for XDR Incident Management
-- Users can now add and promote incidents to ES notables directly from XDR
-- Dashboards to depict XDR incident flow data into Splunk
Resource/Utilization pages updated with additional data sources
The Cisco Cloud Security application offers a seamless integration experience for connecting your Cisco devices with Splunk, providing a rich and uniform interface. The application is equipped with detailed instructions to facilitate every step of the setup process and assists with monitoring to ensure that your data pipelines maintain their operational integrity.
The Cisco Cloud Security app combines a Technology Add-on (TA) and a Splunk App into a single offering to help improve the efficiency and effectiveness of your data analysis within Splunk, providing a more powerful monitoring solution.
As of July 3rd, 2024, the application has been released as a BETA version and will receive ongoing updates, including new Cisco integrations and feature sets as the current Cisco Splunk integrations approach their end of life (EOL). The present version supports the following core Cisco Integrations:
Cisco Secure Firewall (eStreamer/FTD/ASA), Cisco Multicloud Defense, Secure Malware Analytics, Duo.
As of June 4th, 2024, the application has been released as a BETA version and will receive ongoing updates, including new Cisco integrations and feature sets as the current Cisco Splunk integrations approach their end of life (EOL). The present version supports the following core application features:
Baseline Core Application Features
- Performance Monitoring and Error Handling
- Data Integrity and Observability
- Rich Application UX Configuration
Product(s) Enabled:
Cisco Secure Malware Analytics (SMA)
- SMA Submissions API Integration and Health Monitoring
- Dashboard Overview for SMA Submissions
Cisco Duo
- Duo API Integration and Health Monitoring
- Duo Authentication Anomaly Dashboard and Login Statistics
Cisco Secure Firewall
- Firewall Summary Analytics (requires existing TA - https://splunkbase.splunk.com/app/3662 to be installed)
In the upcoming months, our support will expand to include the following products in this order: Secure Firewall, Multicloud Defense, XDR Incident Management, Secure Network Analytics, Cisco SSE, Secure Endpoint, and XDR Relay Modules. We will also introduce an array of new features, such as all-encompassing alerting capabilities across Cisco applications, consistent enhancements to performance analytics, refined application error management, and enhanced CIM normalization for incoming data streams.
We invite your feedback throughout this BETA phase. Stay tuned for regular updates about the official release status. For feedback and queries, please reach out to [contact information].