Splunk

Cisco ASA - User Account Deleted From Local Database

Last updated 2 days ago on 2026-07-17

About

This analytic detects deletion of user accounts from Cisco ASA devices via CLI or ASDM. Adversaries may delete local accounts to cover their tracks, remove evidence of their activities, disrupt incident response efforts, or deny legitimate administrator access during an attack. Account deletion can also indicate an attempt to hide the creation of temporary accounts used during compromise. The detection monitors for ASA message ID 502102, which is generated whenever a local user account is deleted from the device, capturing details including the deleted username, privilege level, and the administrator who performed the deletion. Investigate unexpected account deletions, especially those involving privileged accounts (level 15), deletions performed outside business hours, deletions by non-administrative users, or deletions that coincide with other suspicious activities.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog/syslog-messages-500000-to-520025.html#con_4773969(external, opens in a new tab or window)
False Positives
Legitimate deletions occur during employee offboarding, contractor removal, account cleanup, or service account decommissioning. Verify against HR records and change management tickets. Filter known admin accounts during business hours.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (502102) | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime values(action) as action values(message_id) as message_id values(result) as result values(privilege_level) as privilege_level by host user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___user_account_deleted_from_local_database_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).