Data Source: Cisco ASA Logs

Description

Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall operational and security telemetry (connection events, ACL denies, VPN events, NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search heads for best parsing, CIM mapping, and dashboards. This data is ingested via syslog, so you must already be forwarding Cisco ASA syslog into your Splunk environment. To ensure all detections work, configure your ASA and FTD devices to generate and forward syslog at both the informational and debug levels before the messages reach Splunk. A few analytics are designed to run with comprehensive logging enabled, because they rely on the presence of specific message IDs (lowering the trap level silently removes those IDs and the detections that depend on them). Cisco's configuration instructions are here: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880.

Details

Property Value
Source not_applicable
Sourcetype cisco:asa
Name | Technique | Type
Cisco ASA - AAA Policy Tampering | Network Device Authentication | Anomaly
Cisco ASA - Core Syslog Message Volume Drop | Impair Defenses | Hunting
Cisco ASA - Device File Copy Activity | Data from Local System, Data from Cloud Storage | Anomaly
Cisco ASA - Device File Copy to Remote Location | Data from Local System, Exfiltration Over C2 Channel, Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly
Cisco ASA - Logging Disabled via CLI | Impair Defenses | TTP
Cisco ASA - Logging Filters Configuration Tampering | Impair Defenses | Anomaly
Cisco ASA - Logging Message Suppression | Disable Windows Event Logging, Indicator Removal | Anomaly
Cisco ASA - New Local User Account Created | Local Account, Local Accounts | Anomaly
Cisco ASA - Packet Capture Activity | Network Sniffing, Adversary-in-the-Middle | Anomaly
Cisco ASA - Reconnaissance Command Activity | System Information Discovery, Domain Properties, IP Addresses | Anomaly
Cisco ASA - User Account Deleted From Local Database | Account Access Removal, Clear Mailbox Data | Anomaly
Cisco ASA - User Account Lockout Threshold Exceeded | Password Guessing, Password Spraying | Anomaly
Cisco ASA - User Privilege Level Change | Local Accounts, Account Manipulation | Anomaly

Supported Apps

Event Fields

Cisco_ASA_action, Cisco_ASA_message_id, Cisco_ASA_user, Cisco_ASA_vendor_action, IP, Username, _bkt, _cd, _eventtype_color, _indextime, _raw, _serial, _si, _sourcetype, _time, acl, action, app, assigned_ip, bytes, category, command, communication_protocol, connections_in_use, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, dest, dest_host, dest_interface, dest_ip, dest_nt_domain, dest_port, dest_public_port, dest_translated_host, dest_translated_ip, dest_translated_port, dest_user, dest_zone, direction, duration, duration_day, duration_hour, duration_minute, duration_second, dvc, eventtype, group, host, ids_type, index, laction, linecount, most_used_connections, object, object_attrs, object_category, object_id, product, protocol, protocol_version, punct, reason, result, rule, rule_name, session_id, severity, signature, signature_id, source, sourcetype, splunk_server, splunk_server_group, src, src_host, src_interface, src_ip, src_nt_domain, src_port, src_public_port, src_translated_host, src_translated_ip, src_translated_port, src_user, src_zone, ssl_is_valid, status, tag, tag::action, tag::app, tag::eventtype, tag::object_category, teardown_initiator, timeendpos, timestartpos, transport, type, user, vendor, vendor_action, vendor_product, vendor_severity, zone

Example Log

Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443
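The example below is added here and is not code from Splunk Security Content or Cisco. It parses syslog lines in the shape of the example log above (syslog timestamp, device IP, ISO timestamp, then the `%ASA-[class-]severity-msgid:` header) and runs the logic behind three of the detections in the list: Logging Disabled via CLI (command-audit messages 111008/111010), New Local User Account Created (502101), and the Core Syslog Message Volume Drop hunt that the description's "comprehensive logging" requirement exists to support. The sample lines are constructed; the 111010/502101 message wording and the class tokens follow Cisco's documented formats but are assumptions to verify against your own ASA/FTD version, and the `CORE_IDS` set and 25% ratio are illustrative choices, not values from the page.

```python
"""Parse Cisco ASA syslog lines and run a few of the listed detections over them.
Added example (not Splunk or Cisco code); message formats are assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# <syslog ts> <dvc> :<ISO ts>: %ASA-[class-]<severity>-<msg_id>: <message>   (shape of the example log)
LINE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<dvc>\S+) :(?P<ts>\S+?): "
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<message>.*)$"
)
# Assumed message bodies (Cisco's documented formats for these IDs):
CMD_111010 = re.compile(r"User '(?P<user>[^']+)', running '(?P<app>[^']+)' from IP '(?P<ip>[^']+)', executed '(?P<command>[^']+)'")
CMD_111008 = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<command>[^']+)' command")
USER_502101 = re.compile(r"New user added to local dbase: Uname: (?P<user>\S+) Priv: (?P<priv>\d+)")
# CLI commands that stop or erase syslog export (illustrative list).
LOGGING_TAMPER = re.compile(r"^(?:no logging\b|clear logging\b)", re.I)
# High-volume connection/ACL messages; their disappearance means lost telemetry (illustrative set).
CORE_IDS = {"302013", "302014", "302015", "302016", "106023", "609001", "609002", "710005"}


def parse(line: str) -> Optional[Dict]:
    """Return a dict of header fields plus the message text, or None if the line is not ASA syslog."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_all(text: str) -> List[Dict]:
    return [ev for ev in (parse(l) for l in text.splitlines()) if ev]


def command_events(events):
    """Yield (event, user, command) for the two command-audit message IDs."""
    for ev in events:
        rx = {"111008": CMD_111008, "111010": CMD_111010}.get(ev["msg_id"])
        m = rx.search(ev["message"]) if rx else None
        if m:
            yield ev, m.group("user"), m.group("command")


def logging_disabled_via_cli(events) -> List[Tuple[str, str, str]]:
    """Cisco ASA - Logging Disabled via CLI: (dvc, user, command) for tampering commands."""
    return [(ev["dvc"], u, c) for ev, u, c in command_events(events) if LOGGING_TAMPER.match(c)]


def new_local_users(events) -> List[Tuple[str, int]]:
    """Cisco ASA - New Local User Account Created: (username, privilege level) from 502101."""
    out = []
    for ev in events:
        m = USER_502101.search(ev["message"]) if ev["msg_id"] == "502101" else None
        if m:
            out.append((m.group("user"), int(m.group("priv"))))
    return out


def core_volume_drop(events, ratio: float = 0.25) -> List[datetime]:
    """Cisco ASA - Core Syslog Message Volume Drop: hours whose core-message count falls below
    `ratio` of the mean of all earlier hours. Hours are filled up to the newest event of any
    kind, so an hour with zero core messages is still scored instead of silently skipped."""
    hour = lambda ts: ts.replace(minute=0, second=0, microsecond=0)
    counts = Counter(hour(ev["ts"]) for ev in events if ev["msg_id"] in CORE_IDS)
    if not counts:
        return []
    h, end, series = min(counts), hour(max(ev["ts"] for ev in events)), []
    while h <= end:
        series.append((h, counts.get(h, 0)))
        h += timedelta(hours=1)
    flagged = []
    for i in range(1, len(series)):
        baseline = sum(n for _, n in series[:i]) / i
        if series[i][1] < ratio * baseline:
            flagged.append(series[i][0])
    return flagged


# Constructed sample: normal traffic in hours 18-19, a new priv-15 local user, then logging turned off.
SAMPLE = """\
Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443
Sep 23 18:12:10 18.144.133.67 :2025-09-23T18:12:10Z: %ASA-session-6-302013: Built outbound TCP connection 4101 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.1.20/51000 (198.51.100.2/51000)
Sep 23 18:14:31 18.144.133.67 :2025-09-23T18:14:31Z: %ASA-session-6-302014: Teardown TCP connection 4101 for outside:203.0.113.9/443 to inside:10.0.1.20/51000 duration 0:02:21 bytes 8832 TCP FINs
Sep 23 18:40:02 18.144.133.67 :2025-09-23T18:40:02Z: %ASA-session-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:10.0.1.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Sep 23 18:55:45 18.144.133.67 :2025-09-23T18:55:45Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
Sep 23 19:03:09 18.144.133.67 :2025-09-23T19:03:09Z: %ASA-session-6-302013: Built outbound TCP connection 4102 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.1.21/51001 (198.51.100.2/51001)
Sep 23 19:05:40 18.144.133.67 :2025-09-23T19:05:40Z: %ASA-session-6-302014: Teardown TCP connection 4102 for outside:203.0.113.9/443 to inside:10.0.1.21/51001 duration 0:02:31 bytes 10240 TCP FINs
Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
Sep 23 19:41:12 18.144.133.67 :2025-09-23T19:41:12Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55509 to management:172.31.12.229/443
Sep 23 19:50:03 18.144.133.67 :2025-09-23T19:50:03Z: %ASA-session-5-502101: New user added to local dbase: Uname: svc-backup Priv: 15 Encpass: *****
Sep 23 20:00:05 18.144.133.67 :2025-09-23T20:00:05Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55510 to management:172.31.12.229/443
Sep 23 20:00:12 18.144.133.67 :2025-09-23T20:00:12Z: %ASA-config-5-111010: User 'svc-backup', running 'CLI' from IP '198.27.166.158', executed 'no logging enable'
"""

if __name__ == "__main__":
    events = parse_all(SAMPLE)
    print("logging tampering:", logging_disabled_via_cli(events))
    print("new local users:", new_local_users(events))
    print("core volume drop hours:", core_volume_drop(events))
```

Two practitioner notes. The 111010 that records `no logging enable` may be the last message you ever receive from that device, because nothing emitted after the command is exported, so the CLI detection and the volume-drop hunt are meant to be run together rather than as alternatives. And the severity digit in the header is what the trap level filters on: the 302013/302014 and 609002/710005 messages counted here are severity 6 and 7, which is exactly why the description insists on informational and debug level forwarding.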

Source: GitHub | Version: 2