
Summary
This detection rule identifies attempts to disable logging on Cisco devices. Disabling logging is a common defense-evasion tactic: an attacker who stops the device from recording or forwarding security events deprives the security team of visibility into whatever follows, so configuration changes of this kind should be monitored. The rule inspects command accounting records from Cisco's AAA service and flags any record containing either of two keywords: 'no logging', which prefixes the commands that disable buffered, syslog-host or other logging destinations, and 'no aaa new-model', which disables the AAA framework itself and with it the command accounting that produces these records. The match is a substring match, so it also fires on lower-risk commands such as 'no logging console', which only stops log output to the console session; expect some tuning where operators routinely run those. Detecting changes to the logging configuration lets security teams respond promptly to a change that may reduce visibility into network activity. The rule applies to environments that use Cisco networking products and requires that AAA command accounting logs are collected and analysed; without that data source the rule has nothing to inspect. Because disabling logging is rated a high-risk action, a match warrants prompt investigation.
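As an added illustration, not part of the rule or of this page's original content, the following Python script runs the rule's keyword logic over a few constructed TACACS+ command-accounting lines and shows why a practitioner would want a triage step for display-only commands. The record layout (classic tac_plus accounting log), the device and client addresses, the user names, and the "review" priority assigned to console/monitor commands are all assumptions made for this example.

```python
import re
from typing import Optional

# Keywords from the rule. They are evaluated as case-insensitive substring
# matches, which is what match_keyword() implements.
KEYWORDS = ("no logging", "no aaa new-model")

# Commands that contain "no logging" but only change where log output is
# displayed, not whether events are recorded or forwarded. Treating them
# as lower priority is an added tuning suggestion, not part of the rule.
DISPLAY_ONLY = ("no logging console", "no logging monitor")

# Constructed sample records, not real captures. Layout assumed here is the
# classic TACACS+ accounting log written when the device runs
# "aaa accounting commands 15 default start-stop group tacacs+":
# timestamp, NAS address, user, line, remote address, start/stop, then
# key=value attributes ending with cmd=<command> <cr>.
SAMPLE_LOGS = [
    "Aug 11 10:02:13 10.1.1.1 admin tty2 10.1.1.50 stop task_id=41 service=shell priv-lvl=15 cmd=show running-config <cr>",
    "Aug 11 10:02:41 10.1.1.1 admin tty2 10.1.1.50 stop task_id=42 service=shell priv-lvl=15 cmd=no logging buffered <cr>",
    "Aug 11 10:02:44 10.1.1.1 admin tty2 10.1.1.50 stop task_id=43 service=shell priv-lvl=15 cmd=no logging host 10.0.0.5 <cr>",
    "Aug 11 10:03:01 10.1.1.1 admin tty2 10.1.1.50 stop task_id=44 service=shell priv-lvl=15 cmd=NO AAA NEW-MODEL <cr>",
    "Aug 11 10:03:09 10.1.1.1 admin tty2 10.1.1.50 stop task_id=45 service=shell priv-lvl=15 cmd=logging host 10.0.0.5 <cr>",
    "Aug 11 10:05:30 10.1.1.1 netops tty3 10.1.1.60 stop task_id=46 service=shell priv-lvl=15 cmd=no logging console <cr>",
    "Aug 11 10:05:31 10.1.1.1 netops tty3 10.1.1.60 start task_id=47 service=shell priv-lvl=15",
]

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<nas>\S+) (?P<user>\S+) (?P<line>\S+) "
    r"(?P<remote>\S+) (?P<status>start|stop)\b(?P<attrs>.*)$"
)


def parse_record(line: str) -> Optional[dict]:
    """Split one accounting line into fields; 'cmd' is None if absent."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    cmd_m = re.search(r"\bcmd=(.*?)(?: <cr>)?$", rec["attrs"])
    rec["cmd"] = cmd_m.group(1).strip() if cmd_m else None
    return rec


def match_keyword(cmd: str) -> Optional[str]:
    """Return the rule keyword found in cmd (case-insensitive), or None."""
    lowered = cmd.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            return kw
    return None


def triage(cmd: str) -> str:
    """Added tuning: 'high' unless the command only touches display output."""
    return "review" if cmd.lower().startswith(DISPLAY_ONLY) else "high"


def detect(lines) -> list:
    """Run the rule over accounting lines; return one alert dict per hit."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not rec or not rec["cmd"]:
            continue  # unparseable line or a record without a command
        kw = match_keyword(rec["cmd"])
        if kw:
            alerts.append({
                "nas": rec["nas"],
                "user": rec["user"],
                "cmd": rec["cmd"],
                "keyword": kw,
                "priority": triage(rec["cmd"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a['priority']:6}] {a['nas']} {a['user']}: "
              f"{a['cmd']!r} matched {a['keyword']!r}")
```

Run as a script it prints four alerts: the buffered, syslog-host and AAA commands at high priority, and `no logging console` marked for review. The `logging host` line (re-enabling a destination) and the `start` record with no `cmd=` attribute produce nothing, which is the behaviour you want from a rule that keys purely on the command text.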
Categories
- Network
- Infrastructure
- Cloud
Data Sources
- Application Log
- Process
- Command
Created: 2019-08-11