Cisco ASA - User Account Deleted From Local Database
Last updated 2 days ago on 2026-07-17
About
This analytic detects deletion of user accounts from Cisco ASA devices via CLI or ASDM.
Adversaries may delete local accounts to cover their tracks, remove evidence of their activities, disrupt incident response efforts, or deny legitimate administrator access during an attack. Account deletion can also indicate an attempt to hide the creation of temporary accounts used during compromise.
The detection monitors for ASA message ID 502102, which is generated whenever a local user account is deleted from the device, capturing details including the deleted username, privilege level, and the administrator who performed the deletion.
Investigate unexpected account deletions, especially those involving privileged accounts (level 15), deletions performed outside business hours, deletions by non-administrative users, or deletions that coincide with other suspicious activities.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Legitimate deletions occur during employee offboarding, contractor removal, account cleanup, or service account decommissioning. Verify against HR records and change management tickets.
Filter known admin accounts during business hours.
✄𐘗`cisco_asa`
message_id IN (502102)
| fillnull
| stats count earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(result) as result
values(privilege_level) as privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_account_deleted_from_local_database_filter`