Cisco ASA - New Local User Account Created

Splunk Security Content

Summary
The rule "Cisco ASA - New Local User Account Created" detects the creation of a new local user account on a Cisco ASA device, whether the account is added from the command line interface (CLI) or through the Adaptive Security Device Manager (ASDM). An unauthorized local account on a firewall gives an attacker durable access to network infrastructure that survives credential rotation elsewhere, so it is a common way to maintain persistence, escalate privileges, or bypass controls enforced by the device. The detection keys on ASA syslog message ID 502101 ("New user added to local dbase") and extracts the username, the assigned privilege level, and the administrator who created the account. Because 502101 is an informational-severity message, the ASA must be logging at the informational level (or higher verbosity) to the syslog destination that Splunk ingests; otherwise the event never reaches the search. Security teams should investigate any account that appears unexpectedly, and in particular accounts created with the maximum privilege level (15), accounts created outside normal operational hours, and accounts with generic or non-descriptive usernames. The search runs over ASA syslog data ingested into Splunk and surfaces these events as they arrive, giving near-real-time visibility into local account changes on Cisco ASA devices.
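The parsing and triage logic the summary describes, as an added example that is not part of the Splunk Security Content rule or its SPL: it extracts the username and privilege level from ASA 502101 messages and applies the three review criteria above (privilege 15, off-hours creation, generic username). The message body field names (Uname, Priv, Encpass) follow Cisco's published syslog format; the leading timestamp/hostname prefix, the business-hours window, the generic-name list, and the sample log lines are all constructed assumptions for this example. The administrator who issued the command is not modeled here, since the prefix and fields that carry it vary by ASA version and logging configuration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample syslog lines. The message body follows the documented
# ASA-6-502101 format; the "Mon DD YYYY HH:MM:SS host : " prefix is an assumed
# syslog layout and may differ in a real deployment.
SAMPLE_LOGS = [
    "Nov 18 2025 02:14:07 asa-edge-01 : %ASA-6-502101: New user added to local dbase: "
    "Uname: svc_backup Priv: 15 Encpass: ****",
    "Nov 18 2025 10:22:31 asa-edge-01 : %ASA-6-502101: New user added to local dbase: "
    "Uname: jsmith Priv: 2 Encpass: ****",
    "Nov 18 2025 11:00:00 asa-edge-01 : %ASA-6-113004: AAA user authentication Successful "
    ": server = 10.0.0.5 : user = jsmith",  # unrelated message, must be ignored
    "Nov 18 2025 03:05:44 asa-edge-01 : %ASA-6-502101: New user added to local dbase: "
    "Uname: admin Priv: 15 Encpass: ****",
]

# Only the 502101 message is of interest; other ASA message IDs fail to match.
ASA_502101 = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-502101: New user added to local dbase: "
    r"Uname: (?P<user>\S+) Priv: (?P<priv>\d+)"
)

# Assumed operational window in device-local time; tune per environment.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Assumed list of usernames that carry no ownership information.
GENERIC_NAME = re.compile(r"(admin|administrator|test|user|temp|guest|support)\d*")


@dataclass
class NewLocalUser:
    ts: datetime
    host: str
    user: str
    priv: int
    flags: list = field(default_factory=list)


def parse_502101(line: str):
    """Return a NewLocalUser for a 502101 line, or None for any other message."""
    m = ASA_502101.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return NewLocalUser(ts=ts, host=m["host"], user=m["user"], priv=int(m["priv"]))


def triage(event: NewLocalUser) -> NewLocalUser:
    """Attach the review flags the rule summary calls out."""
    flags = []
    if event.priv == 15:
        flags.append("priv15")
    start, end = BUSINESS_HOURS
    if not (start <= event.ts.time() < end):
        flags.append("off_hours")
    if GENERIC_NAME.fullmatch(event.user.lower()):
        flags.append("generic_name")
    event.flags = flags
    return event


def detect(lines):
    """Run the detection over raw syslog lines; returns triaged 502101 events."""
    events = []
    for line in lines:
        ev = parse_502101(line)
        if ev is not None:
            events.append(triage(ev))
    return events


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOGS):
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.host} user={ev.user} "
              f"priv={ev.priv} flags={','.join(ev.flags) or '-'}")
```

In a Splunk deployment the same three conditions map naturally onto fields extracted from the 502101 event; the Python version is here so the thresholds can be exercised against sample lines before the search is tuned.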
Categories
  • Network
  • Infrastructure
Data Sources
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1136.001
  • T1078.003
Created: 2025-11-18