Techniques
Sample rules
Cisco ASA - Core Syslog Message Volume Drop
- source: splunk
- technicques:
- T1562
Description
Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
Detection logic
`cisco_asa`
| rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
| search message_id IN (302013,302014,609002,710005)
| eval msg_desc=case(
message_id="302013","Built inbound TCP connection",
message_id="302014","Teardown TCP connection",
message_id="609002","Teardown local-host management",
message_id="710005","TCP request discarded"
)
| bin _time span=15m
| stats count values(msg_desc) as message_description values(host) as host by _time message_id
| xyseries _time message_id count
| `cisco_asa___core_syslog_message_volume_drop_filter`