Splunk

Cisco ASA - Logging Disabled via CLI

Last updated 2 days ago on 2026-07-17

About

This analytic detects the disabling of logging functionality on a Cisco ASA device through CLI commands. Adversaries or malicious insiders may attempt to disable logging to evade detection and hide malicious activity. The detection looks for specific ASA syslog message IDs (111010, 111008) associated with command execution, combined with suspicious commands such as `no logging`, `logging disable`, `clear logging`, or `no logging host`. Disabling logging on a firewall or security device is a strong indicator of defense evasion.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html(external, opens in a new tab or window)https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks(external, opens in a new tab or window)
False Positives
Administrators may intentionally disable or modify logging during maintenance, troubleshooting, or device reconfiguration. These events should be verified against approved change management activities.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command IN ( "*no logging*", "*logging disable*", "*clear logging*", "*no logging host*", "*no logging trap*" ) | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(src_ip) as src_ip values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___logging_disabled_via_cli_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).