| ID | Technique | Tactic |
|---|---|---|
| T1562 | Impair Defenses | Defense Evasion |
Detection: Cisco ASA - Logging Disabled via CLI
Description
This analytic detects the disabling of logging functionality on a Cisco ASA device
through CLI commands. Adversaries or malicious insiders may attempt to disable logging
to evade detection and hide malicious activity. The detection looks for specific ASA
syslog message IDs (111009, 111010, 111008) associated with command execution,
combined with suspicious commands such as no logging, logging disable,
clear logging, or no logging host. Disabling logging on a firewall or security device
is a strong indicator of defense evasion.
Search
1`cisco_asa`
2
3| rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
4
5| search message_id IN (111009,111010,111008)
6
7| rex field=_raw "executed (?:the command )?(?<asa_command>.+)$"
8
9| search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*")
10
11| stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host
12
13| `security_content_ctime(firstTime)`
14
15| `security_content_ctime(lastTime)`
16
17| `cisco_asa___logging_disabled_via_cli_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco ASA Logs | N/A | 'cisco:asa' |
'cisco:asa' |
Macros Used
| Name | Value |
|---|---|
| cisco_asa | sourcetype=cisco:asa |
| cisco_asa___logging_disabled_via_cli_filter | search * |
cisco_asa___logging_disabled_via_cli_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 13
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880.
Known False Positives
Administrators may intentionally disable or modify logging during maintenance, troubleshooting, or device reconfiguration. These events should be verified against approved change management activities.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
User $user$ from executed commands to disable logging on the Cisco ASA host $host$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| host | system | 80 | src_ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | syslog |
cisco:asa |
| Integration | ✅ Passing | Dataset | syslog |
cisco:asa |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2