Detection: Cisco ASA - Core Syslog Message Volume Drop

Description

Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.

`cisco_asa`
| rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
| search message_id IN (302013,302014,609002,710005)
| eval msg_desc=case(
    message_id="302013","Built inbound TCP connection",
    message_id="302014","Teardown TCP connection",
    message_id="609002","Teardown local-host management",
    message_id="710005","TCP request discarded"
  )
| bin _time span=15m
| stats count values(msg_desc) as message_description values(host) as host by _time message_id
| xyseries _time message_id count
| `cisco_asa___core_syslog_message_volume_drop_filter`

Data Source

Name | Platform | Sourcetype | Source
Cisco ASA Logs | N/A | cisco:asa | cisco:asa

Macros Used

Name | Value
cisco_asa | sourcetype=cisco:asa
cisco_asa___core_syslog_message_volume_drop_filter | search *

cisco_asa___core_syslog_message_volume_drop_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK: T1562 Impair Defenses (Tactic: Defense Evasion)
Kill Chain Phases: Exploitation
NIST: DE.AE
CIS: CIS 13
Threat Actors: (none listed)

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting | Value
Disabled | true
Cron Schedule | 0 * * * *
Earliest Time | -70m@m
Latest Time | -10m@m
Schedule Window | auto
Creates Risk Event | False

This configuration file applies to all detections of type hunting.

Implementation

This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug- and informational-level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs; if those levels are not logged, the tracked IDs will be absent for benign reasons and the search cannot distinguish suppression from normal silence. Setup instructions are available here: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. The search produces a time series suitable for dashboards to visualize drops across message IDs 302013, 302014, 609002, and 710005.
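As an added worked example (not part of the original detection or the Splunk Security Content project), the following Python script reproduces the search's logic offline: it extracts the ASA message ID with a regex, keeps the four tracked IDs, counts them per 15-minute bin, and then applies the drop check a dashboard reader would otherwise do by eye, comparing each bin against the mean of the preceding bins and also reporting IDs that vanish entirely. The sample syslog lines are constructed, and the timestamp layout, host name, two-bin baseline and 50% drop ratio are assumptions. The regex is generalised beyond the page's rex so that it accepts both the `%ASA-<severity>-<id>:` form and the class-tagged `%ASA-<class>-<severity>-<id>:` form.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message IDs tracked by the hunt, with the descriptions used in the search's eval/case().
MESSAGE_IDS = {
    "302013": "Built inbound TCP connection",
    "302014": "Teardown TCP connection",
    "609002": "Teardown local-host management",
    "710005": "TCP request discarded",
}

# Generalised form of the page's rex: the optional class field makes "%ASA-6-302013:"
# and "%ASA-session-6-302013:" both match (assumption: a deliberate widening).
ID_PATTERN = re.compile(r"%(?:ASA|FTD)-(?:[^-\s]+-)?\d+-(?P<message_id>\d+):")
BIN = timedelta(minutes=15)


def make_line(ts, message_id, host="fw01"):
    """Build a constructed syslog line: '<ISO timestamp> <host> : %ASA-6-<id>: <text>'."""
    return f"{ts.isoformat()} {host} : %ASA-6-{message_id}: {MESSAGE_IDS[message_id]} (constructed)"


def constructed_logs():
    """Constructed dataset: steady volume for four bins, then in the fifth bin
    302013 nearly disappears and 609002 is absent altogether."""
    start = datetime(2024, 5, 1, 10, 0)
    per_bin = {"302013": 6, "302014": 6, "609002": 2, "710005": 3}
    lines = []
    for b in range(5):
        bin_start = start + b * BIN
        for msg_id, n in per_bin.items():
            if b == 4 and msg_id == "302013":
                n = 1   # suppressed, but not gone
            if b == 4 and msg_id == "609002":
                n = 0   # fully absent
            for i in range(n):
                lines.append(make_line(bin_start + timedelta(minutes=i), msg_id))
    return lines


def parse_line(line):
    """Return (timestamp, message_id) for a tracked ID, else None (mirrors rex + search)."""
    m = ID_PATTERN.search(line)
    if not m or m.group("message_id") not in MESSAGE_IDS:
        return None
    ts = datetime.fromisoformat(line.split(" ", 1)[0])
    return ts, m.group("message_id")


def bin_counts(lines):
    """Count tracked messages per (15-minute bin start, message_id),
    the equivalent of `bin _time span=15m | stats count by _time message_id`."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg_id = parsed
        bin_start = ts - timedelta(minutes=ts.minute % 15, seconds=ts.second,
                                   microseconds=ts.microsecond)
        counts[(bin_start, msg_id)] += 1
    return counts


def find_drops(counts, baseline_bins=2, drop_ratio=0.5):
    """Flag (bin, message_id, count, baseline) where count < drop_ratio * mean of the
    preceding baseline_bins bins. Bins with no events are filled with 0 so that a
    total absence is reported rather than silently skipped."""
    if not counts:
        return []
    bins = sorted({b for b, _ in counts})
    timeline = []
    t = bins[0]
    while t <= bins[-1]:
        timeline.append(t)
        t += BIN
    drops = []
    for msg_id in MESSAGE_IDS:
        series = [counts.get((t, msg_id), 0) for t in timeline]
        for i in range(baseline_bins, len(series)):
            baseline = sum(series[i - baseline_bins:i]) / baseline_bins
            if baseline > 0 and series[i] < drop_ratio * baseline:
                drops.append((timeline[i], msg_id, series[i], baseline))
    return drops


if __name__ == "__main__":
    for bin_start, msg_id, count, baseline in find_drops(bin_counts(constructed_logs())):
        print(f"{bin_start:%Y-%m-%d %H:%M} {msg_id} ({MESSAGE_IDS[msg_id]}): "
              f"{count} events vs baseline {baseline:.1f}")
```

On the constructed data the script reports the 11:00 bin twice: 302013 at 1 event against a baseline of 6, and 609002 at 0 against a baseline of 2. The zero-fill in `find_drops` is the part worth keeping when porting this back to SPL (for example with `timechart` or `fillnull`), because a message ID that stops arriving produces no rows at all and would otherwise never appear in the comparison.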

Known False Positives

Planned maintenance, network outages, routing changes, or benign configuration updates may reduce log volume temporarily. Validate against change management records and corroborate with device health metrics.

Associated Analytic Story

References

Detection Testing

Test Type | Status | Dataset | Source | Sourcetype
Validation | Passing | N/A | N/A | N/A
Unit | Passing | Dataset | syslog | cisco:asa
Integration | Passing | Dataset | syslog | cisco:asa

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 2