What Changed
ASIM parser for Cisco Umbrella Web Session logs moved variable declarations for src_or_any and dest_or_any from global scope into the parser function. Version incremented from 0.1.0 to 0.1.1.
Parser Impact
The variables src_or_any and dest_or_any combine IP prefix filters (srcipaddr_has_any_prefix and ipaddr_has_any_prefix) for matching source and destination IPs. Previously declared outside the parser function, these variables were computed once with potentially stale parameter values rather than being evaluated with each parser invocation.
This is a data fidelity fix — queries using this parser with different IP filter parameters may have experienced incorrect filtering behavior where the wrong set of IPs was matched. The parser now correctly evaluates these variables within the function scope, ensuring IP filtering works as intended for each query execution.
No change to normalised field names or filter logic beyond the scope correction — safe for existing detections using this parser.
Affected Files
Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/vimWebSessionCiscoUmbrella.json
Parsers/ASimWebSession/CHANGELOG/vimWebSessionCiscoUmbrella.md
Parsers/ASimWebSession/Parsers/vimWebSessionCiscoUmbrella.yaml