Splunk

Cisco ASA - Reconnaissance Command Activity

Last updated 2 days ago on 2026-07-17

About

This analytic detects potential reconnaissance activities on Cisco ASA devices by identifying execution of multiple information-gathering "show" commands within a short timeframe. Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions. The detection monitors for command execution events (message ID 111009) containing reconnaissance-oriented "show" commands (such as show running-config, show version, show interface, show crypto, show conn, etc.) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user. Investigate reconnaissance bursts from non-administrative accounts, unusual source IP addresses, activity during off-hours, methodical command sequences suggesting automated enumeration, or reconnaissance activity correlated with other suspicious behaviors. We recommend adapting the detection filters to exclude known legitimate administrative activities.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/sa-shov-commands.html(external, opens in a new tab or window)
False Positives
Legitimate sequences occur during troubleshooting, health checks, upgrades, audits, or automation scripts. Verify against change management. Filter known admin accounts, trusted management stations, or adjust threshold based on baseline.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111009) command IN ( "show access-list*", "show capture*", "show conn*", "show cpu*", "show crypto*", "show eigrp*", "show failover*", "show flow*", "show interface*", "show inventory*", "show ip*", "show license*", "show memory*", "show nat*", "show ospf*", "show process*", "show running-config*", "show startup-config*", "show version*", "show vpn-sessiondb*", "show xlate*" ) | fillnull ``` Normalize command variations to base command types to count distinct reconnaissance categories. For example, "show running-config", "show running-config | include username", and "show running-config interface" all count as one command type. This prevents adversaries from evading detection by adding arguments or using multiple variations of the same command. ``` | eval command_type=case( match(command, "^show access-list"), "show access-list", match(command, "^show conn"), "show conn", match(command, "^show cpu"), "show cpu", match(command, "^show crypto"), "show crypto", match(command, "^show eigrp"), "show eigrp", match(command, "^show failover"), "show failover", match(command, "^show flow"), "show flow", match(command, "^show interface"), "show interface", match(command, "^show inventory"), "show inventory", match(command, "^show ip"), "show ip", match(command, "^show license"), "show license", match(command, "^show memory"), "show memory", match(command, "^show nat"), "show nat", match(command, "^show ospf"), "show ospf", match(command, "^show process"), "show process", match(command, "^show running-config"), "show running-config", match(command, "^show startup-config"), "show startup-config", match(command, "^show version"), "show version", match(command, "^show vpn-sessiondb"), "show vpn-sessiondb", match(command, "^show xlate"), "show xlate", true(), command) | bin _time span=5m | stats count earliest(_time) as firstTime latest(_time) as lastTime dc(command_type) as unique_recon_commands values(command_type) as command_types values(command) as commands values(src_ip) as src_ip values(message_id) as message_id values(action) as action by _time host user | where unique_recon_commands >= 7 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___reconnaissance_command_activity_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).