
Cisco ASA - Device File Copy Activity

Splunk Security Content

Summary
This analytic detects file copy activity on Cisco ASA devices performed through the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM). It watches the ASA command-execution audit messages with syslog IDs 111008 (a user executed a command) and 111010 (a user executed a command, with the originating application and source IP address) for copy commands that target sensitive files such as the running-config, the startup-config, and packet capture files held on storage areas like disk0:, flash:, and system:. Legitimate copies happen during routine maintenance and backups, so a match is a lead rather than a verdict: a copy by a user who is not an expected administrator, at an unusual time, or alongside other anomalous activity on the device warrants investigation. The detection only works if the ASA is configured to emit these messages (they are severity 5, notifications) and forwards them to Splunk; without that logging configuration there is nothing to match. Its purpose is to surface configuration and capture exfiltration from network infrastructure early.
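To show what the detection actually keys on, here is the matching logic re-implemented in Python and run over a few constructed ASA syslog lines. This is an added illustration, not Splunk's SPL or any Cisco code; the 111008/111010 line layouts, the sample users, IP addresses and file names are assumptions made for the example, and the admin allowlist is a hypothetical tuning knob standing in for the "non-administrative user" condition described above.

```python
"""Toy re-implementation of the 'Cisco ASA - Device File Copy Activity' logic.

Added example: not Splunk's detection code and not Cisco's. The message
layouts and sample log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ASA command-execution audit messages (severity 5):
#   111008: User 'NAME' executed the 'CMD' command.
#   111010: User 'NAME', running 'APP' from IP ADDR, executed 'CMD'
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>[^']*)' command")
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
    r"from IP (?P<src>[\w.:]+), executed '(?P<cmd>[^']*)'")

# Files and storage areas the detection cares about.
SENSITIVE_FILE = re.compile(r"running-config|startup-config|\.pcap\b|\bcapture", re.I)
STORAGE_AREA = re.compile(r"\b(disk0|disk1|flash|system):", re.I)


@dataclass
class CopyEvent:
    user: str
    cmd: str
    app: str = "CLI"          # 111008 has no application field; assume CLI
    src: Optional[str] = None  # only 111010 carries the source IP
    reasons: List[str] = field(default_factory=list)


def parse_command_event(line: str) -> Optional[CopyEvent]:
    """Extract user/app/source/command from a 111008 or 111010 line, else None."""
    m = RE_111010.search(line)
    if m:
        return CopyEvent(m["user"], m["cmd"], m["app"], m["src"])
    m = RE_111008.search(line)
    if m:
        return CopyEvent(m["user"], m["cmd"])
    return None


def classify_copy(cmd: str) -> List[str]:
    """Return the reasons a command is a sensitive file copy (empty list if not).

    A copy is flagged when it names a sensitive file anywhere, or when its
    source (first non-flag argument) lives on device storage, i.e. data is
    leaving the box. Uploads *to* disk0: (image staging) are not flagged.
    """
    tokens = cmd.split()
    if not tokens or tokens[0].lower() != "copy":
        return []
    args = [t for t in tokens[1:] if not t.startswith("/")]  # drop /noconfirm etc.
    reasons = []
    hit = SENSITIVE_FILE.search(cmd)
    if hit:
        reasons.append("sensitive file: " + hit.group(0))
    if args and STORAGE_AREA.match(args[0]):
        reasons.append("source on device storage: " + args[0])
    return reasons


def detect(lines, admin_users=frozenset()) -> List[CopyEvent]:
    """Run the detection over raw syslog lines; admin_users is a hypothetical allowlist."""
    findings = []
    for line in lines:
        ev = parse_command_event(line)
        if ev is None:
            continue
        reasons = classify_copy(ev.cmd)
        if not reasons:
            continue
        if ev.user not in admin_users:
            reasons.append("user not in admin allowlist")
        ev.reasons = reasons
        findings.append(ev)
    return findings


# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    "Nov 18 2025 10:01:02 asa-edge-1 : %ASA-5-111008: User 'admin' executed the "
    "'copy /noconfirm running-config tftp://10.0.0.5/asa-edge-1.cfg' command.",
    "Nov 18 2025 02:17:40 asa-edge-1 : %ASA-5-111010: User 'jdoe', running 'ASDM' "
    "from IP 192.168.1.20, executed 'copy disk0:/capture-dmz.pcap ftp://192.168.1.20/c.pcap'",
    "Nov 18 2025 10:05:11 asa-edge-1 : %ASA-5-111008: User 'admin' executed the "
    "'show version' command.",
    "Nov 18 2025 23:58:03 asa-edge-1 : %ASA-5-111010: User 'enable_15', running 'CLI' "
    "from IP 10.1.1.9, executed 'copy system:running-config scp://backup@10.0.0.9/asa.cfg'",
    "Nov 18 2025 11:30:00 asa-edge-1 : %ASA-5-111008: User 'admin' executed the "
    "'copy tftp://10.0.0.5/asa-9.x.bin disk0:/asa-9.x.bin' command.",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS, admin_users={"admin"}):
        print(f"{f.user:>10} via {f.app:<4} from {f.src or '-':<14} :: {f.cmd}")
        for r in f.reasons:
            print("            -", r)
```

Of the five constructed lines, three produce findings: the admin's config backup (a match, but with no allowlist reason), the ASDM user pulling a packet capture off disk0: at 02:17, and the system:running-config export over SCP. The show command and the image upload to disk0: are ignored, which is why the source-on-storage test looks at the first argument rather than any mention of disk0:. The time-of-day condition from the summary is deliberately left to the analyst; it depends on the site's maintenance windows.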
Categories
  • Network
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1005
  • T1530
Created: 2025-11-18