Metrics Library

This metric checks a Cisco ASA configuration for SSH traffic that is allowed globally on an outside interface. Management.SSH.Channels[?Source=='0.0.0.0' && (Service=='Outside' || Service=='OUTSIDE' || Service=='outside')] | length(@)

This metric checks a Cisco ASA configuration for HTTP traffic that is allowed globally on an outside interface. Management.HTTP.Channels[?Source=='0.0.0.0' && (Service=='Outside' || Service=='OUTSIDE' || Service=='outside')] | length(@)

Determines if the device is logging to an external syslog server. contains(RunningConfig,'logging host') || contains(RunningConfig,'logging 1')

Determines the ASDM image that is installed on the device. SystemInfo.DeviceManagerVersion

Determines the version of Windows Anyconnect that's installed on the ASA. SystemInfo.AnyConnectClientWindowsVersion

Checks to see if RDP/Port 3389 is listed in an access list. AccessList[?DestinationPort=='3389'] | length(@)

Detect if management has SSH open to the outside. The outside can also be changed to 'inside' as well Management.SSH.Channels[?(Mask == 0.0.0.0 && Source == 0.0.0.0 && Service == outside )]

To check if the above CVE's are present on your Cisco ASA you will need to preform the below steps.First you will need to use the above metric to return a list of your ASA's software versionsIf your ASA version returns a value with parentheses () remove the () and replace with a period . Example: 9.14(4)23 will be 9.14.4.23After you have your ASA Software Version you will use the Cisco Software checker for each CVE and add the software version to check if the device is effected CVE-2024-20353https: //sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2CVE-2024-20359https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4hYou will need to use the Cisco Checker to confirm if the specific versions of your ASA are effected SystemInfo.CiscoAdaptiveSecurityApplianceSoftwareVersion