Cisco ASA - Logging Disabled via CLI
Network | 2025-09-25 | version: 2
This analytic detects the disabling of logging functionality on a Cisco ASA device
through CLI commands. Adversaries or malicious insiders may attempt to disable logging
to evade detection and hide malicious activity. The detection looks for specific ASA
syslog message IDs (111009, 111010, 111008) associated with command execution,
combined with suspicious commands such as `no logging`, `logging disable`,
`clear logging`, or `no logging host`. Disabling logging on a firewall or security device
is a strong indicator of defense evasion.
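
The logic described above, sketched as an added Python example (not the analytic's own search). It matches the command patterns only against the extracted command text, not the whole line. The log lines, hostname, user names and IP addresses are constructed, and the message layouts assumed for each ID follow Cisco's documented formats for 111008, 111009 and 111010.

```python
import re

# Message IDs and command patterns taken from the analytic description.
MESSAGE_IDS = {"111008", "111009", "111010"}
# "no logging host" is already covered by the broader "no logging" pattern.
SUSPICIOUS = re.compile(r"\b(no logging|logging disable|clear logging)\b", re.I)

HEADER = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)")
USER = re.compile(r"User '?(?P<user>[^',\s]+)'?")
# 111008: executed the '<cmd>' command. | 111009: executed cmd: <cmd>
# 111010: executed '<cmd>'
COMMAND = re.compile(r"executed (?:the )?(?:cmd: (?P<a>.+)|'(?P<b>[^']*)')")

# Constructed sample data, not captured from a real device.
SAMPLE = [
    "Sep 25 2025 10:01:12 asa-fw1 : %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.",
    "Sep 25 2025 10:01:30 asa-fw1 : %ASA-7-111009: User 'enable_15' executed cmd: show logging",
    "Sep 25 2025 10:02:05 asa-fw1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'no logging host inside 192.0.2.50'",
    "Sep 25 2025 10:02:40 asa-fw1 : %ASA-5-111008: User 'admin' executed the 'clear logging buffer' command.",
    "Sep 25 2025 10:03:00 asa-fw1 : %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/4431 to inside:192.0.2.50/443",
]

def detect(lines):
    """Return one finding per command-execution event that disables or clears logging."""
    findings = []
    for line in lines:
        header = HEADER.search(line)
        if not header or header["id"] not in MESSAGE_IDS:
            continue  # not a command-execution message
        cmd = COMMAND.search(header["body"])
        if not cmd:
            continue  # unexpected layout: no command text to inspect
        command = (cmd["a"] or cmd["b"]).strip()
        if SUSPICIOUS.search(command):
            user = USER.search(header["body"])
            findings.append({
                "message_id": header["id"],
                "user": user["user"] if user else "unknown",
                "command": command,
            })
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The `show logging` event is not flagged even though it carries a matching message ID, because the command text matches none of the listed patterns.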