
Summary
This analytic detection rule identifies when logging functionality on a Cisco ASA device is disabled through CLI commands. Disabling logging is a tactic often used by adversaries or malicious insiders for defense evasion, since it lets them hide unauthorized actions and activities. The rule monitors the ASA syslog message IDs 111009, 111010, and 111008, which record CLI command execution, and inspects the executed command for logging being turned off or purged. The detection focuses on commands such as 'no logging', 'logging disable', 'clear logging', or 'no logging host'. Such actions are strong indicators of an attempt to evade detection by suppressing or removing log entries relating to security events.
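The following is an added example (not part of the rule page or any vendor code) showing the detection logic described above run over a handful of constructed ASA syslog lines. The message wording for 111008/111009/111010 is assumed to approximate the real formats (user name, optionally the source IP, then the executed command); the host names, users and IPs are constructed. Note that 'show logging' and adding a 'logging host' are parsed but not flagged, which keeps the rule from alerting on routine administration.

```python
import re
from typing import Iterable, Optional

# ASA syslog message IDs that record CLI command execution (from the rule description).
CMD_EXEC_IDS = {"111008", "111009", "111010"}

# Assumed message layout: "%ASA-<sev>-<id>: User '<name>' ... executed ...".
# The exact wording below approximates the real 111008/111009/111010 formats.
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*User '(?P<user>[^']*)'(?P<rest>.*)$")
# Three observed command renderings: "executed the '<cmd>' command.",
# "executed '<cmd>'" and "executed cmd:<cmd>".
CMD_RE = re.compile(
    r"executed(?: the)?\s+(?:'(?P<quoted>[^']*)'|cmd:(?P<bare>.*?))(?:\s+command)?\.?\s*$"
)

# Command prefixes the rule treats as logging being disabled or purged.
# The more specific 'no logging host' is listed first so it is reported by name.
SUSPICIOUS = [
    ("no logging host", re.compile(r"^no\s+logging\s+host\b")),
    ("no logging", re.compile(r"^no\s+logging\b")),
    ("logging disable", re.compile(r"^logging\s+disable\b")),
    ("clear logging", re.compile(r"^clear\s+logging\b")),
]

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
<165>Sep 25 2025 10:01:02 asa-edge %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
<165>Sep 25 2025 10:01:09 asa-edge %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'clear logging buffer'
<167>Sep 25 2025 10:01:15 asa-edge %ASA-7-111009: User 'admin' executed cmd:show logging
<165>Sep 25 2025 10:02:30 asa-edge %ASA-5-111008: User 'ops' executed the 'logging host inside 10.1.1.20' command.
<165>Sep 25 2025 10:03:00 asa-edge %ASA-5-111010: User 'ops', running 'CLI' from IP 10.0.0.7, executed 'no logging host inside 10.1.1.20'
<166>Sep 25 2025 10:03:30 asa-edge %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.9/51000 (198.51.100.1/51000)
"""


def parse_command(line: str) -> Optional[dict]:
    """Return {'id', 'user', 'command'} for a command-execution message, else None."""
    m = MSG_RE.search(line)
    if not m or m.group("id") not in CMD_EXEC_IDS:
        return None
    c = CMD_RE.search(m.group("rest"))
    if not c:
        return None
    cmd = c.group("quoted") if c.group("quoted") is not None else c.group("bare")
    # Normalise whitespace and case so extra spaces or capitals do not evade the match.
    cmd = " ".join(cmd.split()).lower()
    return {"id": m.group("id"), "user": m.group("user"), "command": cmd}


def classify(command: str) -> Optional[str]:
    """Name the suspicious logging pattern a normalised command matches, or None."""
    for name, rx in SUSPICIOUS:
        if rx.search(command):
            return name
    return None


def detect(lines: Iterable[str]) -> list:
    """Run the rule over syslog lines and return one hit per flagged command."""
    hits = []
    for line in lines:
        rec = parse_command(line)
        if rec is None:
            continue
        name = classify(rec["command"])
        if name:
            rec["pattern"] = name
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT msg={hit['id']} user={hit['user']} pattern='{hit['pattern']}' cmd='{hit['command']}'")
```

Running the block prints three alerts (the 'no logging enable', 'clear logging buffer' and 'no logging host' commands) and stays silent on the 'show logging', 'logging host' and connection-build lines. In a SIEM the same logic maps to a filter on the three message IDs followed by a prefix match on the extracted command field.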
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Cloud Service
- Network Traffic
- Application Log
ATT&CK Techniques
- T1562
Created: 2025-09-25