Analytics Story: Suspicious Cisco Adaptive Security Appliance Activity
Description
This analytic story provides a suite of detections built to analyze telemetry and syslog generated by Cisco Adaptive Security Appliance (ASA) devices. It focuses on identifying suspicious and potentially malicious activity such as logging suppression, unauthorized configuration changes, anomalous connection patterns, unexpected drops in core syslog message volume, and potential command-and-control (C2) behaviors. These detections help defenders surface behavior on security edge devices that may indicate defense evasion, exploitation attempts, or device tampering.
Why it matters
Cisco ASA/FTD appliances are commonly deployed at network boundaries to enforce security policies, inspect traffic, and provide remote access. As critical control-plane devices, their logs and operational telemetry can reveal adversary behavior ranging from configuration tampering and logging suppression to exploitation and C2.
Monitoring activity from Cisco ASA and FTD devices is critical because these appliances serve as key security controls at the network perimeter. Analyzing their telemetry and syslog data helps organizations maintain visibility into device health, policy enforcement, and potential threats. Regular monitoring enables early detection of unusual or unauthorized activity, supports compliance requirements, and strengthens the overall security posture by ensuring that any deviations from expected behavior are promptly investigated.
Detections
| Name | Technique | Type |
|---|---|---|
| Cisco ASA - Logging Disabled via CLI | Impair Defenses | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco ASA Logs | N/A | cisco:asa |
cisco:asa |
References
- https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Source: GitHub | Version: 1