Splunk

Cisco ASA - AAA Policy Tampering

Last updated 2 days ago on 2026-07-17

About

This analytic detects modifications to authentication and authorization (AAA) security policies on Cisco ASA devices via CLI or ASDM. AAA policies control critical security mechanisms including authentication attempts, lockout thresholds, password policies, and access control settings that protect administrative access to network infrastructure. Adversaries or malicious insiders may weaken authentication policies to facilitate brute force attacks, disable account lockouts to enable unlimited password attempts, reduce password complexity requirements, or modify authorization settings to elevate privileges and maintain persistent access. The detection monitors for command execution events containing AAA-related commands such as `aaa authentication`, `aaa authorization`, or `aaa local authentication`, focusing on changes to authentication attempts, lockout policies, and access control configurations. Investigate any unauthorized modifications to AAA policies, especially changes that weaken security posture (increasing max-fail attempts, disabling lockouts, reducing password requirements), and verify these changes against approved change management processes and security policies.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html(external, opens in a new tab or window)
False Positives
Legitimate AAA configuration modifications may occur during normal administrative activities such as implementing new security policies, adjusting lockout thresholds or troubleshooting authentication issues. These events should be verified and investigated. Consider filtering modifications performed by known administrative accounts where necessary.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command IN ( "aaa authentication*", "aaa authorization*", "aaa local authentication*", "aaa-server*", "no aaa*" ) | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(src_ip) as src_ip values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___aaa_policy_tampering_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).