Name:Cisco Duo Policy Allow Devices Without Screen Lock id:114c616b-c793-465d-a80d-758c9fe8a704 version:1 date:2025-07-10 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior
by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate
a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations
Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate
unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the
environment due to reduced device security requirements.
Data_source:
-Cisco Duo Administrator
search:`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search require_lock=false | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_allow_devices_without_screen_lock_filter`
how_to_implement:The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives:unknown References: -https://splunkbase.splunk.com/app/7404 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Duo Suspicious Activity' asset_type:Identity mitre_attack_id: - 'T1556' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
