Cisco ASA - User Account Deleted From Local Database

Splunk Security Content

Summary
This detection rule targets the deletion of user accounts from Cisco ASA devices through the CLI or ASDM interfaces. It flags an anomaly in which adversaries delete local accounts to obscure their activity, impede incident response, or cut off legitimate access during an attack. The detection relies on ASA message ID 502102, which is logged when a local user account is removed and records the username, its privilege level, and the administrator responsible for the deletion. This rule is critical for alerting on suspicious deletions, especially of privileged users (level 15) or deletions occurring outside standard operational hours. Analysts should carefully review any unexpected deletion, particularly one that coincides with other suspicious behaviour such as unauthorized access attempts or changes to sensitive configurations.
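The triage logic described above (privileged level 15 and off-hours deletions as the high-severity cases), as an added example that is not part of the Splunk Security Content rule. The syslog field layout after the 502102 message ID, the hostname `fw01`, the sample usernames and the 08:00-17:59 business-hours window are all assumptions; the sample lines are constructed, not real device output.

```python
import re
from datetime import datetime

# Assumed shape of an ASA 502102 syslog line: the page states it carries the
# username, privilege level and deleting admin; the exact layout is assumed.
DELETE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-502102: "
    r"User deleted: Uname: (?P<user>\S+) Priv: (?P<priv>\d+)"
    r"(?: Logged in from: (?P<admin>\S+))?"
)
BUSINESS_HOURS = range(8, 18)  # assumed change window, 08:00-17:59 device-local time

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = [
    "Nov 18 2025 14:12:03 fw01 : %ASA-5-502102: User deleted: Uname: svc_backup Priv: 5 Logged in from: jane",
    "Nov 18 2025 02:47:51 fw01 : %ASA-5-502102: User deleted: Uname: netops Priv: 15 Logged in from: enable_15",
    "Nov 18 2025 09:30:00 fw01 : %ASA-6-302013: Built inbound TCP connection 12 for outside:10.0.0.5/443",
]

def parse_deletion(line):
    """Return the fields of a 502102 event, or None for any other message."""
    m = DELETE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "user": m["user"],
        "priv": int(m["priv"]),
        "admin": m["admin"] or "unknown",
    }

def triage(lines):
    """Score each deletion: level 15 or off-hours -> 'high', otherwise 'review'."""
    findings = []
    for line in lines:
        ev = parse_deletion(line)
        if ev is None:
            continue  # not an account-deletion event
        reasons = []
        if ev["priv"] == 15:
            reasons.append("privileged account (level 15)")
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        ev["severity"] = "high" if reasons else "review"
        ev["reasons"] = reasons
        findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f["severity"], f["user"], "deleted by", f["admin"], f["reasons"])
```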
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1531
  • T1070.008
Created: 2025-11-18