Merge branch 'develop' into promptlock

Author: patel-bhavin

contentctl.yml

@@ -10,5 +10,5 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields: null

data_sources/cisco_ai_defense_alerts.yml

@@ -0,0 +1,131 @@
+name: Cisco ASA Logs
+id: 3f2a9b6d-1c8e-4f7b-a2d3-8b7f1c2a9d4e
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Splunk
+description: >
+  Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall
+  operational and security telemetry (connection events, ACL denies, VPN events,
+  NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA
+  (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search
+  heads for best parsing, CIM mapping, and dashboards. This data is ingested via SYSLOG. You must be ingesting Cisco ASA syslog data into your Splunk environment. To ensure all detections work, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. A few analytics are designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. 
+source: cisco:asa
+sourcetype: cisco:asa 
+separator: null
+supported_TA:
+  - name: Cisco Security Cloud
+    url: https://splunkbase.splunk.com/app/7404
+    version: 3.4.1
+fields:
+- Cisco_ASA_action
+- Cisco_ASA_message_id
+- Cisco_ASA_user
+- Cisco_ASA_vendor_action
+- IP
+- Username
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- acl
+- action
+- app
+- assigned_ip
+- bytes
+- category
+- command
+- communication_protocol
+- connections_in_use
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_host
+- dest_interface
+- dest_ip
+- dest_nt_domain
+- dest_port
+- dest_public_port
+- dest_translated_host
+- dest_translated_ip
+- dest_translated_port
+- dest_user
+- dest_zone
+- direction
+- duration
+- duration_day
+- duration_hour
+- duration_minute
+- duration_second
+- dvc
+- eventtype
+- group
+- host
+- ids_type
+- index
+- laction
+- linecount
+- most_used_connections
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_version
+- punct
+- reason
+- result
+- rule
+- rule_name
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_host
+- src_interface
+- src_ip
+- src_nt_domain
+- src_port
+- src_public_port
+- src_translated_host
+- src_translated_ip
+- src_translated_port
+- src_user
+- src_zone
+- ssl_is_valid
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- teardown_initiator
+- timeendpos
+- timestartpos
+- transport
+- type
+- user
+- vendor
+- vendor_action
+- vendor_product
+- vendor_severity
+- zone
+example_log: >
+  Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
+  Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443

data_sources/cisco_asa_logs.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields:
 - access_device.browser
 - access_device.browser_version

data_sources/cisco_duo_activity.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields:
 - action
 - actionlabel

data_sources/cisco_duo_administrator.yml

@@ -3,14 +3,22 @@ id: 9e4c8d7b-6f5e-4a3d-b2c1-0a9b8c7d6e5f
 version: 1
 date: '2025-08-21'
 author: Michael Haag, Splunk
-description: Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/HFs and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via SYSLOG.
+description: Data source object for Cisco IOS system logs. Cisco IOS logs provide
+  operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS
+  XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes
+  these events by setting proper sourcetypes and extracting fields for switches, routers,
+  controllers, and access points; deploy the TA on indexers/HFs and search heads,
+  and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include
+  Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent
+  investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This
+  data is ingested via SYSLOG.
 source: cisco:ios
 sourcetype: cisco:ios
 separator: null
 supported_TA:
 - name: Cisco Networks Add-on
   url: https://splunkbase.splunk.com/app/1467
-  version: 2.7.8
+  version: 2.7.9
 fields:
 - _time
 - aci_message_text
@@ -81,7 +89,8 @@ fields:
 output_fields:
 - user
 - dest
-example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
-  Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'
+example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username:
+  attacker configured Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username:
+  attacker privilege updated with priv-15 Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD:
+  User:ec2-user logged command:username attacker privilege 15 secret * Aug 20 17:10:21.665:
+  %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'

data_sources/cisco_ios_logs.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields:
 - AC_RuleAction
 - action

data_sources/cisco_secure_firewall_threat_defense_connection_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields:
 - app
 - Application

data_sources/cisco_secure_firewall_threat_defense_file_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.0
+  version: 3.4.1
 fields:
 - Application
 - Classification

data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml

@@ -9,4 +9,4 @@ sourcetype: not_applicable
 supported_TA:
 - name: Splunk Common Information Model (CIM)
   url: https://splunkbase.splunk.com/app/1621
-  version: 6.1.0
+  version: 6.2.0