Detection: Cisco Duo Admin Login Unusual Country

Updated Date: 2025-07-10 ID: 1bf631d1-44a0-472b-98c4-2975b8b281df Author: Patrick Bareiss, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.

Search

1`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") 
2| rename actor.name as user access_device.ip.address as src_ip 
3| stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `cisco_duo_admin_login_unusual_country_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco Duo Activity	N/A	`'cisco:duo:activity'`	`'cisco_duo'`

Macros Used

Name	Value
cisco_duo_activity	`sourcetype=cisco:duo:activity`
cisco_duo_admin_login_unusual_country_filter	`search *`

cisco_duo_admin_login_unusual_country_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1556	Modify Authentication Process	Credential Access

Exploitation

Installation

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).

Known False Positives

unknown

Associated Analytic Story

Cisco Duo Suspicious Activity

Risk Based Analytics (RBA)

Risk Message:

A user $user$ has logged in using an unusual country using browser $access_device.browser$ from $src_ip$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	48	src_ip, access_device.browser

References

https://splunkbase.splunk.com/app/7404

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`duo`	`cisco:duo:activity`
Integration	✅ Passing	Dataset	`duo`	`cisco:duo:activity`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1