text code block:`cisco_asa` message_id IN (111008, 111010) command = "copy *" command IN ( "*running-config*", "*startup-config*", "*/pcap capture:*", "* disk0:*", "* flash:*", "* system:*" ) command IN ( "*ftp:*", "*http:*", "*https:*", "*smb:*", "*scp:*" ) | eval remote_protocol = mvappend( if(match(command, "tftp:"), "TFTP", null()), if(match(command, "ftp:"), "FTP", null()), if(match(command, "http:"), "HTTP", null()), if(match(command, "https:"), "HTTPS", null()), if(match(command, "smb:"), "SMB", null()), if(match(command, "scp:"), "SCP", null()) ) | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(remote_protocol) as remote_protocol values(src_ip) as src_ip values(dest) as dest values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___device_file_copy_to_remote_location_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).