Splunk

Cisco ASA - Logging Filters Configuration Tampering

Last updated 2 days ago on 2026-07-17

About

This analytic detects tampering with logging filter configurations on Cisco ASA devices via CLI or ASDM. Adversaries may reduce logging levels or disable specific log categories to evade detection, hide their activities, or prevent security monitoring systems from capturing evidence of their actions. By lowering logging verbosity, attackers can operate with reduced visibility to security teams. The detection monitors for logging configuration commands (message ID 111008 or 111010) that modify logging destinations (asdm, console, history, mail, monitor, trap) without setting them to higher severity levels (5-notifications, 6-informational, 7-debugging), which may indicate an attempt to reduce logging verbosity. Investigate unauthorized logging configuration changes that reduce verbosity, especially changes performed by non-administrative accounts, during unusual hours, or without corresponding change management approval.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_log-lz.html(external, opens in a new tab or window)
False Positives
Admins may modify logging levels during maintenance or troubleshooting to reduce log volume. Verify against change management tickets. Filter known admin accounts during maintenance windows.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command = "logging *" command IN ( "*asdm*", "*console*", "*history*", "*mail*", "*monitor*", "*trap*" ) NOT command IN ( "*notifications*", "*informational*", "*debugging*", "* 5*", "* 6*", "* 7*" ) | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(src_ip) as src_ip values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___logging_filters_configuration_tampering_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).