Splunk

Cisco ASA - Core Syslog Message Volume Drop

Last updated 2 days ago on 2026-07-17

About

Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O(external, opens in a new tab or window)https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices(external, opens in a new tab or window)https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices(external, opens in a new tab or window)
False Positives
Planned maintenance, network outages, routing changes, or benign configuration updates may reduce log volume temporarily. Validate against change management records and corroborate with device health metrics.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (302013, 302014, 609002, 710005) | eval msg_desc=case( message_id="302013","Built inbound TCP connection", message_id="302014","Teardown TCP connection", message_id="609002","Teardown local-host management", message_id="710005","TCP request discarded" ) | bin _time span=15m | stats count values(msg_desc) as message_description values(dest) as dest by _time message_id | xyseries _time message_id count | `cisco_asa___core_syslog_message_volume_drop_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).