Conversation

@nasbench
Contributor

@nasbench nasbench commented Nov 18, 2025

This PR introduces new analytics covering the ASA data source. Below is a breakdown of what's being introduced.

New Analytics [11]

  • Cisco ASA - AAA Policy Tampering
  • Cisco ASA - Device File Copy Activity
  • Cisco ASA - Device File Copy to Remote Location
  • Cisco ASA - Logging Filters Configuration Tampering
  • Cisco ASA - Logging Message Suppression
  • Cisco ASA - New Local User Account Created
  • Cisco ASA - Packet Capture Activity
  • Cisco ASA - Reconnaissance Command Activity
  • Cisco ASA - User Account Deleted From Local Database
  • Cisco ASA - User Account Lockout Threshold Exceeded
  • Cisco ASA - User Privilege Level Change

Updated Analytics [6]

  • Cisco ASA - Core Syslog Message Volume Drop - Update the search to use the already extracted field by the CSC TA command as well as other metadata fields.
  • Cisco ASA - Logging Disabled via CLI - Removed message id 111009 as it's only related to show commands, as well as updated the search to use extracted fields by the CSC TA, along with other metadata updates.
  • Cobalt Strike Named Pipes - Fixed typo in search by removing unnecessary comma.
  • Upgraded the following analytics to production as they were put to experimental by mistake
    • Windows NirSoft Tool Bundle File Created
    • Windows PowerShell Process Implementing Manual Base64 Decoder
    • Windows PsTools Recon Usage

Data Source Update [1]

  • Cisco ASA Logs - Update source to not_applicable to reflect how logs are ingested, since most of the time it will be a UDP port.

Analytic Story Update [1]

  • Suspicious Cisco Adaptive Security Appliance Activity - Updated description and narrative
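As an added illustration, not code from this PR or from the security_content project: Python that parses the two ASA command-audit message types the description relies on (111009, which only carries show commands, and 111010, which records every executed command) and applies the Reconnaissance Command Activity and Logging Disabled via CLI logic over constructed log lines. The threshold, window, usernames and log lines are assumptions, not the PR's tuned values.

```python
import re
from collections import deque
from datetime import datetime, timedelta
# 111009 only ever carries show-type commands; 111010 records every command run from
# CLI/ASDM (why the PR dropped 111009 from Logging Disabled). Sample lines are constructed.
RE_111009 = re.compile(r"%ASA-\d-111009: User '(?P<user>[^']+)' executed cmd:(?P<cmd>.+)$")
RE_111010 = re.compile(r"%ASA-\d-111010: User '(?P<user>[^']+)', running '[^']+' "
                       r"from IP (?P<src>\S+), executed '(?P<cmd>[^']+)'")

SAMPLE_LINES = [
    "2025-11-18T10:00:01 %ASA-7-111009: User 'admin' executed cmd:show version",
    "2025-11-18T10:00:09 %ASA-7-111009: User 'admin' executed cmd:show running-config",
    "2025-11-18T10:00:20 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.5, executed 'show access-list'",
    "2025-11-18T10:00:31 %ASA-7-111009: User 'admin' executed cmd:show vpn-sessiondb",
    "2025-11-18T10:01:02 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.5, executed 'no logging enable'",
    "2025-11-18T10:30:00 %ASA-7-111009: User 'ops' executed cmd:show interface",
]

def parse_command_event(line):
    """Return (ts, user, cmd, msg_id) for a 111009/111010 line, else None."""
    ts_str, _, rest = line.partition(" ")          # constructed lines lead with an ISO timestamp
    for msg_id, rx in (("111009", RE_111009), ("111010", RE_111010)):
        m = rx.search(rest)
        if m:
            return datetime.fromisoformat(ts_str), m.group("user"), m.group("cmd").strip(), msg_id
    return None

def recon_bursts(lines, threshold=4, window=timedelta(minutes=5)):
    """Users issuing >= threshold distinct 'show' commands inside a sliding window.
    threshold and window are assumed here, not the values tuned in the PR."""
    recent, alerts = {}, {}
    for line in sorted(lines):                       # ISO prefix sorts chronologically
        ev = parse_command_event(line)
        if not ev or not ev[2].startswith("show "):
            continue
        ts, user, cmd, _ = ev
        q = recent.setdefault(user, deque())
        q.append((ts, cmd))
        while ts - q[0][0] > window:                 # evict events older than the window
            q.popleft()
        distinct = sorted({c for _, c in q})
        if len(distinct) >= threshold:
            alerts[user] = distinct                  # latest qualifying burst wins per user
    return alerts

def logging_disabled_events(lines):
    """Logging Disabled via CLI: config commands only appear in 111010, so 111009 is skipped."""
    return [(ev[1], ev[2]) for ev in map(parse_command_event, lines)
            if ev and ev[3] == "111010" and ev[2].startswith("no logging")]
```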

@nasbench nasbench changed the title Add New Asa Analytics Add New ASA Analytics Nov 18, 2025
@nasbench nasbench added this to the v5.19.0 milestone Nov 18, 2025
@nasbench nasbench marked this pull request as ready for review November 19, 2025 21:56
@nasbench nasbench requested a review from Copilot November 19, 2025 22:04
Copilot finished reviewing on behalf of nasbench November 19, 2025 22:06

Copilot AI left a comment

Pull Request Overview

This pull request significantly expands Cisco ASA security analytics by introducing 11 new detections focused on reconnaissance, privilege escalation, logging evasion, and data exfiltration activities. The PR also updates two existing ASA analytics to use extracted fields from the Cisco Security Cloud TA, upgrades three Windows endpoint analytics from experimental to production status, fixes a syntax error in Cobalt Strike detection, and updates the ASA data source configuration.

Key Changes

  • Added 11 new Cisco ASA analytics covering user account management, privilege changes, reconnaissance, packet capture, logging manipulation, file copy activities, and AAA policy tampering
  • Refactored two existing ASA analytics to leverage pre-extracted fields and improved search efficiency
  • Upgraded three Windows analytics (NirSoft, PowerShell Base64 Decoder, PsTools) from experimental to production status

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.

Summary per file

  • stories/suspicious_cisco_adaptive_security_appliance_activity.yml: Updated story version, date, author list, reformatted description and narrative for better readability
  • detections/endpoint/windows_pstools_recon_usage.yml: Upgraded status from experimental to production
  • detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml: Upgraded status from experimental to production
  • detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml: Upgraded status from experimental to production
  • detections/endpoint/cobalt_strike_named_pipes.yml: Fixed trailing comma syntax error in named pipes list
  • detections/application/cisco_asa___user_privilege_level_change.yml: New analytic detecting privilege level modifications on ASA devices
  • detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml: New analytic detecting account lockouts from failed authentication attempts
  • detections/application/cisco_asa___user_account_deleted_from_local_database.yml: New analytic detecting local account deletions
  • detections/application/cisco_asa___reconnaissance_command_activity.yml: New analytic detecting multiple reconnaissance "show" commands within short timeframes
  • detections/application/cisco_asa___packet_capture_activity.yml: New analytic detecting packet capture command execution
  • detections/application/cisco_asa___new_local_user_account_created.yml: New analytic detecting creation of new local user accounts
  • detections/application/cisco_asa___logging_message_suppression.yml: New analytic detecting suppression of specific log message IDs
  • detections/application/cisco_asa___logging_filters_configuration_tampering.yml: New analytic detecting modifications to logging filter configurations
  • detections/application/cisco_asa___logging_disabled_via_cli.yml: Updated search to use extracted command field, removed message ID 111009, improved formatting
  • detections/application/cisco_asa___device_file_copy_to_remote_location.yml: New analytic detecting file copies to remote locations via various protocols
  • detections/application/cisco_asa___device_file_copy_activity.yml: New analytic detecting general file copy operations on ASA devices
  • detections/application/cisco_asa___core_syslog_message_volume_drop.yml: Updated to use extracted message_id field and improved formatting
  • detections/application/cisco_asa___aaa_policy_tampering.yml: New analytic detecting modifications to AAA security policies
  • data_sources/cisco_asa_logs.yml: Changed source field from cisco:asa to not_applicable to reflect UDP ingestion method