move ASA to public - post release

data_sources/cisco_asa_logs.yml

@@ -0,0 +1,131 @@
+name: Cisco ASA Logs
+id: 3f2a9b6d-1c8e-4f7b-a2d3-8b7f1c2a9d4e
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Splunk
+description: >
+  Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall
+  operational and security telemetry (connection events, ACL denies, VPN events,
+  NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA
+  (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search
+  heads for best parsing, CIM mapping, and dashboards. This data is ingested via SYSLOG. You must be ingesting Cisco ASA syslog data into your Splunk environment. To ensure all detections work, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. A few analytics are designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. 
+source: cisco:asa
+sourcetype: cisco:asa 
+separator: null
+supported_TA:
+  - name: Cisco Security Cloud
+    url: https://splunkbase.splunk.com/app/7404
+    version: 3.4.1
+fields:
+- Cisco_ASA_action
+- Cisco_ASA_message_id
+- Cisco_ASA_user
+- Cisco_ASA_vendor_action
+- IP
+- Username
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- acl
+- action
+- app
+- assigned_ip
+- bytes
+- category
+- command
+- communication_protocol
+- connections_in_use
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_host
+- dest_interface
+- dest_ip
+- dest_nt_domain
+- dest_port
+- dest_public_port
+- dest_translated_host
+- dest_translated_ip
+- dest_translated_port
+- dest_user
+- dest_zone
+- direction
+- duration
+- duration_day
+- duration_hour
+- duration_minute
+- duration_second
+- dvc
+- eventtype
+- group
+- host
+- ids_type
+- index
+- laction
+- linecount
+- most_used_connections
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_version
+- punct
+- reason
+- result
+- rule
+- rule_name
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_host
+- src_interface
+- src_ip
+- src_nt_domain
+- src_port
+- src_public_port
+- src_translated_host
+- src_translated_ip
+- src_translated_port
+- src_user
+- src_zone
+- ssl_is_valid
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- teardown_initiator
+- timeendpos
+- timestartpos
+- transport
+- type
+- user
+- vendor
+- vendor_action
+- vendor_product
+- vendor_severity
+- zone
+example_log: >
+  Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
+  Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443

detections/application/cisco_asa___core_syslog_message_volume_drop.yml

@@ -0,0 +1,60 @@
+name: Cisco ASA - Core Syslog Message Volume Drop
+id: 4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4
+version: 2
+date: '2025-09-25'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: Hunting
+description: |
+  Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
+  | search message_id IN (302013,302014,609002,710005)
+  | eval msg_desc=case(
+    message_id="302013","Built inbound TCP connection",
+    message_id="302014","Teardown TCP connection",
+    message_id="609002","Teardown local-host management",
+    message_id="710005","TCP request discarded"
+  )
+  | bin _time span=15m
+  | stats count values(msg_desc) as message_description values(host) as host by _time message_id
+  | xyseries _time message_id count
+  | `cisco_asa___core_syslog_message_volume_drop_filter`
+how_to_implement: |
+  This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. The search produces a time-series suitable for dashboards to visualize drops across message IDs 302013, 302014, 609002, and 710005.
+known_false_positives: |
+  Planned maintenance, network outages, routing changes, or benign configuration
+  updates may reduce log volume temporarily. Validate against change management
+  records and corroborate with device health metrics.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
+- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
+tags:
+  analytic_story:
+    - ArcaneDoor
+  asset_type: Network
+  mitre_attack_id:
+    - T1562
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: network
+  cve:
+    - CVE-2025-20333
+    - CVE-2025-20362
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -0,0 +1,79 @@
+name: Cisco ASA - Logging Disabled via CLI
+id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
+version: 2
+date: '2025-09-25'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: TTP
+description: |
+  This analytic detects the disabling of logging functionality on a Cisco ASA device
+  through CLI commands. Adversaries or malicious insiders may attempt to disable logging
+  to evade detection and hide malicious activity. The detection looks for specific ASA
+  syslog message IDs (111009, 111010, 111008) associated with command execution,
+  combined with suspicious commands such as `no logging`, `logging disable`,
+  `clear logging`, or `no logging host`. Disabling logging on a firewall or security device
+  is a strong indicator of defense evasion.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):" 
+  | search message_id IN (111009,111010,111008) 
+  | rex field=_raw "executed (?:the command )?(?<asa_command>.+)$" 
+  | search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*") 
+  | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`  
+  | `cisco_asa___logging_disabled_via_cli_filter`
+how_to_implement: |
+    This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. 
+known_false_positives: |
+  Administrators may intentionally disable or modify logging during maintenance,
+  troubleshooting, or device reconfiguration. These events should be verified
+  against approved change management activities.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
+- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
+drilldown_searches:
+- name: View the detection results for $host$
+  search: '%original_detection_search% | search  host = $host$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $host$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: User $user$ from executed commands to disable logging on the Cisco ASA host $host$.
+  risk_objects:
+    - field: host
+      type: system
+      score: 80
+  threat_objects:
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story:
+    - ArcaneDoor
+  asset_type: Network
+  mitre_attack_id:
+    - T1562.002
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+  security_domain: network
+  cve:
+    - CVE-2025-20333
+    - CVE-2025-20362
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

macros/cisco_asa.yml

@@ -0,0 +1,4 @@
+definition: sourcetype=cisco:asa
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: cisco_asa

stories/arcanedoor.yml

@@ -1,6 +1,6 @@
 name: ArcaneDoor
 id: 7f2b9eac-0df5-4d0c-9e35-2b8fd552c9f1
-version: 1
+version: 2
 date: '2025-09-23'
 author: Bhavin Patel, Micheal Haag, Splunk
 status: production
@@ -14,8 +14,12 @@ narrative: |
 references:
 - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
 - https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
-- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=bd8313cb47a7ea10f61dfa74116d43d8 
-- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=cf28925747636e10f61dfa74116d43d9 
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
+- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
 tags:
   category:
   - Adversary Tactics