The Cisco Security Cloud application offers seamless integration for connecting your Cisco devices with Splunk. It features a modular UX input design, built-in health checks, and constant monitoring to ensure operational integrity.
Product(s) Enabled:
Cisco AI Defense
Cisco Duo
Cisco Email Threat Defense (ETD)
Cisco Endpoint Visibility Module (EVM) CIM Mappings (Beta)
Cisco Identity Intelligence (CII)
Cisco Multicloud Defense
Cisco NVM
Cisco Secure Endpoint
Cisco Secure Firewall (FTD/eStreamer/ASA)
Cisco Secure Workload
Cisco Isovalent
Cisco Isovalent Edge Processor (Alpha)
Cisco Secure Malware Analytics (SMA)
Cisco Secure Network Analytics (SNA)
Cisco Vulnerability Intelligence
Cisco XDR (Incident Import & Promote to ES Notable)
**MAJOR VERSION CHANGE: CiscoSecurityCloud 4.0.0 Release Notes**
CiscoSecurityCloud 4.0.0 introduces expanded Cisco Secure Firewall / FTD syslog and Advanced Logging support, with improved parsing, event routing, CIM/data model alignment, dashboard visibility, and ingestion reliability.
This release adds a new FTD sourcetype routing model that separates FTD events by event family instead of keeping all events under a single generic `cisco:ftd:syslog` sourcetype. This improves field extraction accuracy, dashboard filtering, data model mapping, and long-term supportability for FTD syslog and Advanced Logging data.
Because this changes how FTD events are categorized, **4.0.0 may be a breaking change for customers with custom Splunk content**.
Content that may require review includes:
- Saved searches, alerts, reports, and dashboards that filter only on `sourcetype="cisco:ftd:syslog"`
- Custom macros, eventtypes, tags, and CIM/data model constraints
- Custom props/transforms or routing assumptions for FTD syslog
- Data model acceleration searches scoped to the previous FTD sourcetype
- External integrations or correlation searches that expect all FTD events in one sourcetype
Customers should update broad FTD searches that filter on `cisco:ftd:syslog` to cover the new event-family sourcetypes:
```text
cisco:ftd:intrusion
cisco:ftd:connection
cisco:ftd:connection:security
cisco:ftd:file
cisco:ftd:malware
cisco:ftd:discovery
cisco:ftd:useractivity
cisco:ftd:correlation
cisco:ftd:intrusionpacket
cisco:ftd:adv:http
cisco:ftd:adv:ftp
cisco:ftd:adv:conn
cisco:ftd:adv:dns
cisco:ftd:adv:weird
cisco:ftd:adv:notice
```
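The review step above can be automated. The following added example (not part of the app or its release notes) scans a `savedsearches.conf`-style file for searches that still filter on the pre-4.0.0 sourcetype and rewrites the filter to an OR of the 4.0.0 FTD sourcetypes; the sample stanzas are constructed for illustration and the `.conf` parser is a deliberately minimal one.

```python
import re

# Sourcetypes named in the 4.0.0 release notes.
OLD_SOURCETYPE = "cisco:ftd:syslog"
NEW_SOURCETYPES = [
    "cisco:ftd:intrusion", "cisco:ftd:connection", "cisco:ftd:connection:security",
    "cisco:ftd:file", "cisco:ftd:malware", "cisco:ftd:discovery",
    "cisco:ftd:useractivity", "cisco:ftd:correlation", "cisco:ftd:intrusionpacket",
    "cisco:ftd:adv:http", "cisco:ftd:adv:ftp", "cisco:ftd:adv:conn",
    "cisco:ftd:adv:dns", "cisco:ftd:adv:weird", "cisco:ftd:adv:notice",
]

# Constructed savedsearches.conf excerpt; the searches are hypothetical, not shipped with the app.
SAMPLE_CONF = """
[FTD - Denied connections]
search = index=firewall sourcetype="cisco:ftd:syslog" action=blocked | stats count by src_ip
[FTD - Already migrated]
search = index=firewall sourcetype="cisco:ftd:connection" | timechart count
[Duo - Admin logins]
search = index=duo sourcetype=duo:administrator | stats count by username
"""

# Matches the double-quoted, single-quoted and unquoted forms of the old filter; the lookahead
# deliberately skips wildcard filters such as "cisco:ftd:syslog*", which need manual review.
_OLD_FILTER = re.compile(r'sourcetype\s*=\s*["\']?' + re.escape(OLD_SOURCETYPE) + r'["\']?(?![\w:*])')

def ftd_sourcetype_filter() -> str:
    """Parenthesised OR of the 4.0.0 FTD sourcetypes, ready to drop into SPL."""
    return "(" + " OR ".join(f'sourcetype="{st}"' for st in NEW_SOURCETYPES) + ")"

def parse_stanzas(conf_text: str) -> dict:
    """Minimal .conf reader: [stanza] headers followed by key = value lines."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def find_affected_stanzas(conf_text: str) -> list:
    """Names of saved searches whose SPL still filters on the pre-4.0.0 sourcetype."""
    return [name for name, kv in parse_stanzas(conf_text).items()
            if _OLD_FILTER.search(kv.get("search", ""))]

def rewrite_search(spl: str) -> str:
    """Replace each old-sourcetype filter with the OR of all 4.0.0 FTD sourcetypes."""
    return _OLD_FILTER.sub(ftd_sourcetype_filter(), spl)
```

Run `find_affected_stanzas` over the exported knowledge objects first to size the migration; `rewrite_search` is a starting point, since searches that relied on all FTD events sharing one sourcetype (for example `stats ... by sourcetype`) still need a manual look.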
CiscoSecurityCloud 4.0.0 is intended for customers who want the new FTD Advanced Logging model and are ready to validate custom content against the expanded sourcetypes.
To ease the transition, the CiscoSecurityCloud 3.x branch will be actively maintained and should remain the recommended stable branch for customers who require the existing FTD sourcetype behavior. Customers can continue using 3.x while they assess 4.0.0, update custom SPL, and validate dashboards, alerts, and data model acceleration.
Categories
Security, Fraud & Compliance, Firewall