SPL | Apache-2.0 | from splunk/security_content

Cisco ASA - Logging Disabled via CLI

This analytic detects the disabling of logging functionality on a Cisco ASA device through CLI commands. Adversaries or malicious insiders may attempt to disable logging to evade detection and hide malicious activity. The detection looks for specific ASA syslog message IDs (111010, 111008) associated with command execution, combined with suspicious commands such as `no logging`, `logging disable`, `clear logging`, or `no logging host`. Disabling logging on a firewall or security device is a strong indicator of defense evasion.
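
A minimal sketch of the matching logic this description outlines, run over constructed syslog lines. It is an added example, not the rule source or code from splunk/security_content; the message layouts, hostnames, users, and the `detect` / `run_samples` names are assumptions.

```python
import re

# Message IDs and command fragments named in the description above.
# "no logging host" is already covered by the "no logging" prefix.
MESSAGE_IDS = {"111008", "111010"}
SUSPICIOUS = ("no logging", "logging disable", "clear logging")

# Assumed message layouts:
#   %ASA-5-111008: User 'u' executed the 'cmd' command.
#   %ASA-5-111010: User 'u', running 'CLI' from IP a.b.c.d, executed 'cmd'
HEADER = re.compile(r"%ASA-\d-(?P<msg_id>\d{6}): User '(?P<user>[^']*)'")
COMMAND = re.compile(r"executed (?:the )?'(?P<cmd>.*)'")


def detect(line):
    """Return a finding dict if the line records a logging-tamper command, else None."""
    head = HEADER.search(line)
    if not head or head["msg_id"] not in MESSAGE_IDS:
        return None
    body = COMMAND.search(line)
    if not body:
        return None
    # Normalise case and whitespace so "NO  LOGGING enable" still matches.
    cmd = " ".join(body["cmd"].lower().split())
    # Anchor at the start of the command so "logging enable" is not flagged.
    matched = next((p for p in SUSPICIOUS if cmd.startswith(p)), None)
    if matched is None:
        return None
    return {"msg_id": head["msg_id"], "user": head["user"],
            "command": cmd, "matched": matched}


# Constructed sample lines (not captured from a real device).
SAMPLES = [
    "Jan 10 03:12:44 fw01 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.",
    "Jan 10 03:12:51 fw01 %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, "
    "executed 'no logging host inside 192.0.2.50'",
    "Jan 10 03:13:02 fw01 %ASA-5-111008: User 'ops' executed the 'clear logging buffer' command.",
    "Jan 10 03:14:10 fw01 %ASA-5-111008: User 'ops' executed the 'logging enable' command.",
    "Jan 10 03:14:30 fw01 %ASA-5-111009: User 'ops' executed cmd: show logging",
    "Jan 10 03:15:00 fw01 %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443",
]


def run_samples():
    return [hit for hit in map(detect, SAMPLES) if hit]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

Because the device being tampered with is also the log source, pairing a rule like this with an alert on the ASA going silent at the collector covers the case where the command succeeds before the event is forwarded.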
