Splunk

Cisco ASA - User Privilege Level Change

Last updated 2 days ago on 2026-07-17

About

This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control. The detection monitors for ASA message ID 502103, which is generated whenever a user account's privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change. Investigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog/syslog-messages-500000-to-520025.html#con_4773975(external, opens in a new tab or window)https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf(external, opens in a new tab or window)
False Positives
Legitimate changes occur during role changes, temporary escalation for maintenance, or security policy adjustments. Verify against change management. Filter known admin accounts during maintenance windows.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (502103) | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(action) as action values(message_id) as message_id values(old_privilege_level) as old_privilege_level values(new_privilege_level) as new_privilege_level by host user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___user_privilege_level_change_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).