Name:Cisco Duo Policy Deny Access id:abf39464-ed43-4d69-a56c-02750032a3fb version:1 date:2025-07-08 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability. Data_source:
-Cisco Duo Administrator
search:`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search auth_status="Deny access" | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_deny_access_filter`
how_to_implement:The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives:unknown References: -https://splunkbase.splunk.com/app/7404 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Duo Suspicious Activity' asset_type:Identity mitre_attack_id: - 'T1556' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
