Cisco Duo Policy Allow Devices Without Screen Lock: identity | Identity | 2025-07-10 | version: 1
The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior
by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate
a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations
Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate
unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the
environment due to reduced device security requirements.
Cisco Duo Admin Login Unusual Country: identity | Identity | 2025-07-10 | version: 1
The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and keeping only those events where the access device's country falls outside the expected region. By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.
Cisco Duo Policy Allow Network Bypass 2FA: identity | Identity | 2025-07-09 | version: 1
The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA).
It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present,
indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and
filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical
for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially
enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy
change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection
enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes.
Cisco Duo Bypass Code Generation: identity | Identity | 2025-07-08 | version: 1
The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections.
It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify
instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable
attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor.
Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is
critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent
unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication
standards and reduces the risk of credential-based attacks.
Cisco Duo Policy Bypass 2FA: identity | Identity | 2025-07-08 | version: 1
The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches.
Cisco Duo Policy Allow Tampered Devices: identity | Identity | 2025-07-10 | version: 1
The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones,
to access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices
setting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration.
Allowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more
susceptible to compromise. For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a
misconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with
compromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment,
making prompt detection and response essential to maintaining organizational security.
Cisco Duo Set User Status to Bypass 2FA: identity | Identity | 2025-07-08 | version: 1
The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the
previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting
the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical
event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may
indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to
disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection
of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of
credential-based attacks.
Cisco Duo Bulk Policy Deletion: identity | Identity | 2025-07-10 | version: 1
The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could include reduced security posture, increased risk of unauthorized access, and potential data breaches. Monitoring for bulk policy deletions helps ensure that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain compliance.
Cisco Duo Policy Skip 2FA for Other Countries: identity | Identity | 2025-07-08 | version: 1
The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA)
for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy
creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations.
This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.'
This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens
the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit
such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or
lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond
before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack.
Cisco Duo Policy Deny Access: identity | Identity | 2025-07-08 | version: 1
The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability.
Cisco Duo Admin Login Unusual Browser: identity | Identity | 2025-07-10 | version: 1
The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organization's security posture.
Cisco Duo Admin Login Unusual Os: identity | Identity | 2025-07-10 | version: 1
The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage to organizational security controls.
Cisco Duo Policy Allow Old Flash: identity | Identity | 2025-07-09 | version: 1
The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. Detecting and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity.
Cisco Duo Policy Allow Old Java: identity | Identity | 2025-07-09 | version: 1
The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant
security risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets
'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details
such as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center
(SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. Attackers or malicious
insiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection
enables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited.