Merge pull request #3696 from splunk/asa_story

Suspicious Cisco Adaptive Security Appliance Activity - story file

Author: patel-bhavin

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -32,14 +32,8 @@ known_false_positives: |
   troubleshooting, or device reconfiguration. These events should be verified
   against approved change management activities.
 references:
-- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
-- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
-- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
-- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
-- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
-- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
-- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
-- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
+- https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
 drilldown_searches:
 - name: View the detection results for $host$
   search: '%original_detection_search% | search  host = $host$'
@@ -60,17 +54,14 @@ rba:
       type: ip_address
 tags:
   analytic_story:
-    - ArcaneDoor
+    - Suspicious Cisco Adaptive Security Appliance Activity
   asset_type: Network
   mitre_attack_id:
-    - T1562.002
+    - T1562
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
   security_domain: network
-  cve:
-    - CVE-2025-20333
-    - CVE-2025-20362
 tests:
   - name: True Positive Test
     attack_data:

stories/suspicious_cisco_adaptive_security_appliance_activity.yml

@@ -0,0 +1,34 @@
+name: Suspicious Cisco Adaptive Security Appliance Activity
+id: 5d9e31a4-64df-4f13-b9da-6b2dc40e0c1e
+version: 1
+date: '2025-09-26'
+author: Bhavin Patel, Splunk
+status: production
+description: |
+  This analytic story provides a suite of detections built to analyze telemetry and syslog
+  generated by Cisco Adaptive Security Appliance (ASA) devices.
+  It focuses on identifying suspicious and potentially malicious activity such as logging
+  suppression, unauthorized configuration changes, anomalous connection patterns, unexpected
+  drops in core syslog message volume, and potential command-and-control (C2) behaviors.
+  These detections help defenders surface behavior on security edge devices that may indicate
+  defense evasion, exploitation attempts, or device tampering.
+narrative: |
+  Cisco ASA/FTD appliances are commonly deployed at network boundaries to enforce security
+  policies, inspect traffic, and provide remote access. As critical control-plane devices,
+  their logs and operational telemetry can reveal adversary behavior ranging from configuration
+  tampering and logging suppression to exploitation and C2.
+
+  Monitoring activity from Cisco ASA and FTD devices is critical because these appliances serve as key security controls at the network perimeter. Analyzing their telemetry and syslog data helps organizations maintain visibility into device health, policy enforcement, and potential threats. Regular monitoring enables early detection of unusual or unauthorized activity, supports compliance requirements, and strengthens the overall security posture by ensuring that any deviations from expected behavior are promptly investigated.
+references:
+- https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+
+