Managed Sentinel – Alert 151

Alert ID: MS-A151
Alert Name: Admin authentication failure detected on firewall - Cisco ASA
Description: This alert triggers when an administrator fails to log in to the firewall admin console, either via the GUI or the command shell.
Severity Level: Low
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Credential Access, Lateral Movement
Log sources: Firewall Status/Health Logs
False Positives: Penetration Tests
Recommendations:
1. Change the admin/root/administrator account password
2. Log in to the firewall console and review the change history
3. Block the IP address that requested console access
4. Consider disabling management access from the untrust zones (best practice)