Analytics Story: Suspicious Cisco Adaptive Security Appliance Activity

Description

This analytic story provides a suite of detections built to analyze telemetry generated by Cisco Adaptive Security Appliance (ASA) devices.

It focuses on identifying anomalous, suspicious or potentially malicious activity such as logging suppression, unauthorized configuration changes, anomalous connection patterns, unexpected drops in core syslog message volume, and potential command-and-control (C2) behaviors.

These detections help defenders surface behavior on security edge devices that may indicate defense evasion, exploitation attempts, or device tampering.

Why it matters

Cisco ASA/FTD appliances are commonly deployed at network boundaries to enforce security policies, inspect traffic, and provide remote access. As critical control-plane devices, their logs and operational telemetry can reveal adversary behavior ranging from configuration tampering and logging suppression to exploitation and C2.

Monitoring activity from Cisco ASA and FTD devices is critical because these appliances serve as key security controls at the network perimeter. Analyzing their telemetry and syslog data helps organizations maintain visibility into device health, policy enforcement, and potential threats.

Regular monitoring enables early detection of unusual or unauthorized activity, supports compliance requirements, and strengthens the overall security posture by ensuring that any deviations from expected behavior are promptly investigated.

Detections

Data Sources

References

• https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html
• https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Source: GitHub | Version: 2