Cisco ASA
Description
Generated generic dataset covering multiple log types produced by a Cisco ASA (Adaptive Security Appliance), intended for testing detections over the cisco:asa sourcetype.
MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1562 | Impair Defenses | Defense Evasion |
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | cisco_asa |
| Test Date | 2025-10-30 |
Datasets
The following datasets were collected during this attack simulation:
Cisco_asa_generic_logs
- Path: /datasets/cisco_asa/generic/cisco_asa_generic_logs.log
- Sourcetype: cisco:asa
- Source: not_applicable
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Cisco ASA - Device File Copy to Remote Location | Anomaly | Application | T1005, T1041, T1048.003 | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor |
| Cisco ASA - Logging Disabled via CLI | TTP | Application | T1562 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - New Local User Account Created | Anomaly | Application | T1136.001, T1078.003 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - User Privilege Level Change | Anomaly | Application | T1078.003, T1098 | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor |
| Cisco ASA - User Account Deleted From Local Database | Anomaly | Application | T1531, T1070.008 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - AAA Policy Tampering | Anomaly | Application | T1556.004 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - Logging Message Suppression | Anomaly | Application | T1562.002, T1070 | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor |
| Cisco ASA - Reconnaissance Command Activity | Anomaly | Application | T1082, T1590.001, T1590.005 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - Packet Capture Activity | Anomaly | Application | T1040, T1557 | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor |
| Cisco ASA - Logging Filters Configuration Tampering | Anomaly | Application | T1562 | Suspicious Cisco Adaptive Security Appliance Activity |
| Cisco ASA - Device File Copy Activity | Anomaly | Application | T1005, T1530 | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor |
| Cisco ASA - User Account Lockout Threshold Exceeded | Anomaly | Application | T1110.001, T1110.003 | Suspicious Cisco Adaptive Security Appliance Activity |
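The detections in the table above are Splunk searches over the cisco:asa sourcetype; the following is an added, stand-alone Python illustration of the same logic, not the repository's detection code. It parses a handful of constructed sample events written in the `%ASA-<severity>-<message-id>: <body>` syslog shape (the message IDs 111008/111010 for executed commands and 502101/502103 for local-user changes, and the body wording, are modelled on my understanding of ASA syslog and are an assumption here, as are the command patterns used as rules) and flags the events that several of the listed detections look for: logging disabled via CLI, file copy to a remote location, reconnaissance commands, new local users and privilege-level changes.

```python
"""Toy cisco:asa detection pass (added example; not the repository's SPL searches)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events in ASA syslog style; NOT taken from the dataset on this page.
SAMPLE_EVENTS = [
    "%ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging enable'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging trap'",
    "%ASA-5-502101: New user added to local dbase: Uname: backup Priv: 15 Encpass: ****",
    "%ASA-5-502103: User priv level changed: Uname: ops From: 2 To: 15",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, "
    "executed 'copy /noconfirm running-config tftp://192.0.2.9/asa.cfg'",
    "%ASA-5-111008: User 'ops' executed the 'show version' command.",
    # Benign connection event; must produce no finding.
    "%ASA-6-302013: Built inbound TCP connection 5 for outside:203.0.113.7/4433 "
    "(203.0.113.7/4433) to inside:10.0.0.8/443 (10.0.0.8/443)",
]

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")
# Command-executed bodies (111008 uses "executed the '...' command", 111010 "executed '...'").
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']+)'")
USER_RE = re.compile(r"User '(?P<user>[^']+)'")
# Rule patterns (assumed; tune to your environment).
LOGGING_DISABLE_RE = re.compile(r"^no logging (enable|trap|host|buffered|console|monitor)\b")
REMOTE_COPY_RE = re.compile(r"^copy\b.*\b(tftp|ftp|scp|https?|smb)://", re.IGNORECASE)
RECON_PREFIXES = ("show running-config", "show version", "show interface", "show route", "show arp")


@dataclass
class Finding:
    detection: str
    user: str
    techniques: tuple
    evidence: str


def parse(line: str) -> Optional[dict]:
    """Split an ASA syslog line into severity, six-digit message ID and body."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m["sev"]), "id": m["id"], "body": m["body"]}


def analyze(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None for anything else."""
    ev = parse(line)
    if ev is None:
        return None
    body, mid = ev["body"], ev["id"]

    if mid in ("111008", "111010"):          # an operator ran a command
        cmd_m = CMD_RE.search(body)
        if not cmd_m:
            return None
        cmd = cmd_m["cmd"].strip()
        user_m = USER_RE.search(body)
        user = user_m["user"] if user_m else "unknown"
        if LOGGING_DISABLE_RE.match(cmd):
            return Finding("Logging Disabled via CLI", user, ("T1562",), cmd)
        if REMOTE_COPY_RE.match(cmd):
            return Finding("Device File Copy to Remote Location", user,
                           ("T1005", "T1041", "T1048.003"), cmd)
        if cmd.startswith(RECON_PREFIXES):
            return Finding("Reconnaissance Command Activity", user,
                           ("T1082", "T1590.001", "T1590.005"), cmd)
        return None

    if mid == "502101":                       # new user in the local database
        m = re.search(r"Uname:\s*(\S+)\s+Priv:\s*(\d+)", body)
        if m:
            return Finding("New Local User Account Created", m.group(1),
                           ("T1136.001", "T1078.003"), f"priv={m.group(2)}")
    if mid == "502103":                       # privilege level changed
        m = re.search(r"Uname:\s*(\S+)\s+From:\s*(\d+)\s+To:\s*(\d+)", body)
        if m:
            return Finding("User Privilege Level Change", m.group(1),
                           ("T1078.003", "T1098"), f"{m.group(2)}->{m.group(3)}")
    return None


def run(lines: Iterable[str]) -> List[Finding]:
    """Apply analyze() to every line and keep the hits, in input order."""
    return [f for f in map(analyze, lines) if f is not None]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.detection:40} user={f.user:8} {','.join(f.techniques):28} {f.evidence}")
```

The ordering of the rules matters: a logging command is checked before the generic reconnaissance prefix list so that a `no logging ...` command is reported as the TTP rather than as an anomaly, and unmatched command events fall through to `None` rather than being reported as noise. In Splunk the equivalent searches pivot on the same message IDs and command text, with the CIM fields populated by the cisco:asa add-on.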
Usage Instructions
Replay with Splunk Attack Data
Replay attack data with replay.py from Splunk Attack Data.
```bash
python replay.py --dataset /datasets/cisco_asa/generic/cisco_asa_generic_logs.log --index attack_data
```
Manual Import
- Download the dataset file from the path listed above
- Configure your Splunk instance with the cisco:asa sourcetype (for example via the Cisco ASA add-on) so the events are parsed correctly
- Import the log file using the Splunk Add Data wizard, selecting that sourcetype and the index your detections search
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0