move to public

Author: patel-bhavin

data_sources/cisco_asa_logs.yml

@@ -0,0 +1,131 @@
+name: Cisco ASA Logs
+id: 3f2a9b6d-1c8e-4f7b-a2d3-8b7f1c2a9d4e
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Splunk
+description: >
+  Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall
+  operational and security telemetry (connection events, ACL denies, VPN events,
+  NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA
+  (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search
+  heads for best parsing, CIM mapping, and dashboards. This data is ingested via SYSLOG.
+source: cisco:asa
+sourcetype: cisco:asa
+separator: null
+supported_TA:
+  - name: Cisco Security Cloud
+    url: https://splunkbase.splunk.com/app/7404
+    version: 3.4.1
+fields:
+- Cisco_ASA_action
+- Cisco_ASA_message_id
+- Cisco_ASA_user
+- Cisco_ASA_vendor_action
+- IP
+- Username
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- acl
+- action
+- app
+- assigned_ip
+- bytes
+- category
+- command
+- communication_protocol
+- connections_in_use
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_host
+- dest_interface
+- dest_ip
+- dest_nt_domain
+- dest_port
+- dest_public_port
+- dest_translated_host
+- dest_translated_ip
+- dest_translated_port
+- dest_user
+- dest_zone
+- direction
+- duration
+- duration_day
+- duration_hour
+- duration_minute
+- duration_second
+- dvc
+- eventtype
+- group
+- host
+- ids_type
+- index
+- laction
+- linecount
+- most_used_connections
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_version
+- punct
+- reason
+- result
+- rule
+- rule_name
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_host
+- src_interface
+- src_ip
+- src_nt_domain
+- src_port
+- src_public_port
+- src_translated_host
+- src_translated_ip
+- src_translated_port
+- src_user
+- src_zone
+- ssl_is_valid
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- teardown_initiator
+- timeendpos
+- timestartpos
+- transport
+- type
+- user
+- vendor
+- vendor_action
+- vendor_product
+- vendor_severity
+- zone
+example_log: >
+  Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
+  Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443

detections/application/cisco_asa___core_syslog_message_volume_drop.yml

@@ -0,0 +1,62 @@
+name: Cisco ASA - Core Syslog Message Volume Drop
+id: 4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: Hunting
+description: |
+  Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
+  | search message_id IN (710005)
+  | eval msg_desc=case(
+    message_id="302013","Built inbound TCP connection",
+    message_id="302014","Teardown TCP connection",
+    message_id="609002","Teardown local-host management",
+    message_id="710005","TCP request discarded"
+  )
+  | bin _time span=15m
+  | stats count values(msg_desc) as message_description values(host) as host by _time message_id
+  | xyseries _time message_id count
+  | `cisco_asa___core_syslog_message_volume_drop_filter`
+how_to_implement: |
+  This search requires Cisco ASA syslog data to be ingested into Splunk.
+  Ensure comprehensive syslog collection (including key connection-related messages)
+  is configured for ASA/FTD devices. The search produces a time-series suitable for
+  dashboards to visualize drops across message IDs 302013, 302014, 609002, and 710005.
+  For alerting, consider pairing this with a baseline or anomaly detection approach
+  (e.g., comparing rolling averages or historical medians) to identify statistically
+  significant downward shifts.
+known_false_positives: |
+  Planned maintenance, network outages, routing changes, or benign configuration
+  updates may reduce log volume temporarily. Validate against change management
+  records and corroborate with device health metrics.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=bd8313cb47a7ea10f61dfa74116d43d8 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=cf28925747636e10f61dfa74116d43d9 
+tags:
+  analytic_story:
+    - ArcaneDoor
+  asset_type: Network
+  mitre_attack_id:
+    - T1562
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: network
+  cve:
+    - CVE-2025-20333
+    - CVE-2025-20362
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -0,0 +1,79 @@
+name: Cisco ASA - Logging Disabled via CLI
+id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: TTP
+description: |
+  This analytic detects the disabling of logging functionality on a Cisco ASA device
+  through CLI commands. Adversaries or malicious insiders may attempt to disable logging
+  to evade detection and hide malicious activity. The detection looks for specific ASA
+  syslog message IDs (111009, 111010, 111008) associated with command execution,
+  combined with suspicious commands such as `no logging`, `logging disable`,
+  `clear logging`, or `no logging host`. Disabling logging on a firewall or security device
+  is a strong indicator of defense evasion.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):" 
+  | search message_id IN (111009,111010,111008) 
+  | rex field=_raw "executed (?:the command )?(?<asa_command>.+)$" 
+  | search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*") 
+  | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`  
+  | `cisco_asa___logging_disabled_via_cli_filter`
+how_to_implement: |
+  This search requires Cisco ASA syslog data to be ingested into Splunk. 
+  Ensure that syslog collection is configured correctly for ASA devices including all the debug logs.
+  The search leverages syslog message IDs 111009, 111010, and 111008,
+  which record executed commands. You may need to tune the search
+  to your environment by updating the list of suspicious logging commands.
+known_false_positives: |
+  Administrators may intentionally disable or modify logging during maintenance,
+  troubleshooting, or device reconfiguration. These events should be verified
+  against approved change management activities.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=bd8313cb47a7ea10f61dfa74116d43d8 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=cf28925747636e10f61dfa74116d43d9 
+drilldown_searches:
+- name: View the detection results for $host$
+  search: '%original_detection_search% | search  host = $host$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $host$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: User $user$ from executed commands to disable logging on the Cisco ASA host $host$.
+  risk_objects:
+    - field: host
+      type: system
+      score: 80
+  threat_objects:
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story:
+    - ArcaneDoor
+  asset_type: Network
+  mitre_attack_id:
+    - T1562.002
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+  security_domain: network
+  cve:
+    - CVE-2025-20333
+    - CVE-2025-20362
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

macros/cisco_asa.yml

@@ -0,0 +1,4 @@
+definition: sourcetype=cisco:asa
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: cisco_asa