LoFP LoFP / planned maintenance, network outages, routing changes, or benign configuration updates may reduce log volume temporarily. validate against change management records and corroborate with device health metrics.

Techniques

Sample rules

Cisco ASA - Core Syslog Message Volume Drop

Description

Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.

Detection logic

`cisco_asa`

| rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"

| search message_id IN (302013,302014,609002,710005)

| eval msg_desc=case(
  message_id="302013","Built inbound TCP connection",
  message_id="302014","Teardown TCP connection",
  message_id="609002","Teardown local-host management",
  message_id="710005","TCP request discarded"
)

| bin _time span=15m

| stats count values(msg_desc) as message_description values(host) as host by _time message_id

| xyseries _time message_id count

| `cisco_asa___core_syslog_message_volume_drop_filter`