
Summary
This analytic rule is designed to detect unauthorized file copy operations to remote locations from Cisco ASA devices. Exfiltration can occur when attackers use the command line interface (CLI) or the Adaptive Security Device Manager (ASDM) to send device files such as configurations, logs, packet captures, or other system data to unauthorized remote servers. Common protocols for these operations include TFTP, FTP, HTTP, HTTPS, SMB, and SCP. The rule specifically monitors command execution events with message IDs 111008 and 111010 in which the copy command is directed at a remote protocol. It also recommends investigating any copy activity to unfamiliar destinations, activity initiated by non-administrative user accounts, or activity occurring outside established maintenance windows. The detection can be fine-tuned to exclude known legitimate backup processes, reducing false positives while maintaining security oversight.
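The message-ID and copy-to-remote-protocol logic described above, as an added Python example that is not part of the rule's own query: it parses 111008/111010 syslog lines, flags copy commands whose destination uses one of the listed remote schemes, and skips an allowlist of legitimate backup targets. The sample log lines, user names, IP addresses and the allowlist host are constructed (the message text follows Cisco's documented 111008/111010 shape), and the allowlist itself is a hypothetical tuning knob.

```python
import re
COPY_MSG_IDS = {"111008", "111010"}  # ASA command-execution audit message IDs named in the rule
REMOTE_SCHEMES = ("tftp:", "ftp:", "http:", "https:", "smb:", "scp:")
KNOWN_BACKUP_HOSTS = {"10.10.10.50"}  # hypothetical allowlist of legitimate backup targets
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)")
USER_RE = re.compile(r"User '(?P<user>[^']*)'")
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']*)'")  # 111008 says "executed the '...' command"
SRC_RE = re.compile(r"from IP (?P<src>\S+),")  # only 111010 carries the source IP

SAMPLE_LOGS = [  # constructed sample lines in the documented 111008/111010 message shape
    "%ASA-5-111008: User 'admin' executed the 'copy running-config tftp://10.10.10.50/fw1.cfg' command.",
    "%ASA-5-111010: User 'jdoe', running 'CLI' from IP 192.0.2.77, executed 'copy /noconfirm running-config scp://svc@203.0.113.9/fw1.txt'",
    "%ASA-5-111008: User 'admin' executed the 'copy running-config startup-config' command.",
    "%ASA-5-111010: User 'admin', running 'ASDM' from IP 192.0.2.10, executed 'show version'",
    "%ASA-5-111010: User 'jdoe', running 'CLI' from IP 192.0.2.77, executed 'copy capture:cap1 ftp://198.51.100.4/cap1.pcap'",
]

def parse_asa_command_event(line):
    """Return {'msg_id','user','command','src_ip'} for a 111008/111010 line, else None."""
    m = MSG_RE.search(line)
    if not m or m.group("id") not in COPY_MSG_IDS:
        return None
    user, cmd, src = (r.search(m.group("body")) for r in (USER_RE, CMD_RE, SRC_RE))
    if not (user and cmd):
        return None
    return {"msg_id": m.group("id"), "user": user.group("user"),
            "command": cmd.group("cmd"), "src_ip": src.group("src") if src else None}

def remote_copy_destination(command):
    """Return the destination host if 'command' copies to a remote URL, else None."""
    parts = command.split()
    # ASA copy syntax: copy [options] <source> <destination>; the destination is the last token.
    dest = parts[-1] if len(parts) >= 3 and parts[0] == "copy" else ""
    for scheme in REMOTE_SCHEMES:
        if dest.lower().startswith(scheme):
            # Drop "scheme://", any user:pass@ prefix, the path and a :port; keep the host.
            host = dest[len(scheme):].lstrip("/").split("/")[0].rsplit("@", 1)[-1]
            return host.split(":")[0]
    return None

def detect_remote_copies(lines, allowlist=KNOWN_BACKUP_HOSTS):
    """Apply the rule: remote copy commands whose destination host is not allowlisted."""
    alerts = []
    for line in lines:
        event = parse_asa_command_event(line)
        host = remote_copy_destination(event["command"]) if event else None
        if host and host not in allowlist:
            alerts.append((event["user"], event["src_ip"], host, event["command"]))
    return alerts
```

Each alert carries the user and source IP, which is what the rule's triage guidance (non-administrative accounts, unfamiliar destinations) needs; the first sample line is suppressed only because its TFTP host is on the allowlist.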
Categories
- Network
- Endpoint
- Infrastructure
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1005
- T1041
- T1048.003
Created: 2025-11-18