| ID | Technique | Tactic |
|---|---|---|
| T1556 | Modify Authentication Process | Credential Access |
Detection: Cisco Duo Policy Allow Devices Without Screen Lock
Description
The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the environment due to reduced device security requirements.
Search
1`cisco_duo_administrator` action=policy_update OR action=policy_create
2| spath input=description
3| search require_lock=false
4| rename object as user
5| stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `cisco_duo_policy_allow_devices_without_screen_lock_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Duo Administrator | N/A | 'cisco:duo:administrator' |
'cisco_duo' |
Macros Used
| Name | Value |
|---|---|
| cisco_duo_administrator | sourcetype=cisco:duo:administrator |
| cisco_duo_policy_allow_devices_without_screen_lock_filter | search * |
cisco_duo_policy_allow_devices_without_screen_lock_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
Known False Positives
unknown
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 48 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
| Integration | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1