Cisco ASA - Logging Disabled via CLI
- source: splunk
- techniques:
  - T1562
Description
This analytic detects the disabling of logging functionality on a Cisco ASA device
through CLI commands. Adversaries or malicious insiders may attempt to disable logging
to evade detection and hide malicious activity. The detection looks for specific ASA
syslog message IDs (111010, 111008) associated with command execution,
combined with suspicious commands such as no logging, logging disable,
clear logging, or no logging host. Disabling logging on a firewall or security device
is a strong indicator of defense evasion.
Detection logic
`cisco_asa`
message_id IN (111008, 111010)
command IN (
"*no logging*",
"*logging disable*",
"*clear logging*",
"*no logging host*",
"*no logging trap*"
)
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___logging_disabled_via_cli_filter`
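The same detection logic carried through in Python, as an added example that is not part of the Splunk rule or this page: it extracts the fields the search relies on from constructed ASA syslog lines (formats for 111008/111010 follow the documented command-execution messages; the host names, users and IPs are made up), applies the message-ID and command filters, and aggregates per host the way the stats clause does.

```python
import re
from datetime import datetime

# Constructed sample ASA syslog lines (not from a real device). The 111008/111010
# bodies follow the documented ASA command-execution message formats.
SAMPLE_LOGS = [
    "Jun 01 2024 10:00:01 fw-edge-01 : %ASA-5-111008: User 'admin' executed the 'show version' command.",
    "Jun 01 2024 10:02:13 fw-edge-01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.50, executed 'no logging enable'",
    "Jun 01 2024 10:02:20 fw-edge-01 : %ASA-5-111008: User 'admin' executed the 'clear logging buffer' command.",
    "Jun 01 2024 10:05:00 fw-dmz-02 : %ASA-5-111010: User 'ops', running 'CLI' from IP 10.1.1.77, executed 'logging host inside 10.9.9.9'",
    "Jun 01 2024 10:06:00 fw-dmz-02 : %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443",
]
# Field extraction standing in for what the `cisco_asa` macro / add-on provides in Splunk.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : %ASA-\d-(?P<message_id>\d{6}): "
    r"User '(?P<user>[^']+)'(?:, running '(?P<process_name>[^']+)' from IP (?P<src_ip>[^,\s]+),)? "
    r"executed (?:the )?'(?P<command>[^']+)'"
)
COMMAND_MSG_IDS = {"111008", "111010"}
# Substring forms of the rule's wildcard patterns ("*no logging*" etc.).
SUSPICIOUS = ["no logging", "logging disable", "clear logging", "no logging host", "no logging trap"]

def parse_line(line):
    """Return the extracted fields, or None for lines that are not command-execution messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%b %d %Y %H:%M:%S")
    return ev

def detect_logging_disabled(lines):
    """Mirror the SPL: filter on message_id and command, then aggregate per host."""
    results = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["message_id"] not in COMMAND_MSG_IDS:
            continue
        if not any(s in ev["command"].lower() for s in SUSPICIOUS):
            continue
        agg = results.setdefault(ev["host"], {
            "firstTime": ev["_time"], "lastTime": ev["_time"],
            "user": set(), "command": set(), "src_ip": set(),
            "process_name": set(), "message_id": set()})
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
        for field in ("user", "command", "src_ip", "process_name", "message_id"):
            if ev[field] is not None:  # 111008 lines carry no process_name / src_ip
                agg[field].add(ev[field])
    return results
```

On the sample input only fw-edge-01 is reported: the plain `logging host` change on fw-dmz-02 adds a destination rather than removing one and matches none of the patterns, which is the behaviour of the SPL as written.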