Name:Cisco Duo Policy Allow Old Flash id:f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6 version:1 date:2025-07-09 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. Detecting and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity. Data_source:
-Cisco Duo Administrator
search:`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search flash_remediation="no remediation" | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_allow_old_flash_filter`
how_to_implement:The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives:unknown References: -https://splunkbase.splunk.com/app/7404 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Duo Suspicious Activity' asset_type:Identity mitre_attack_id: - 'T1556' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
