| ID | Technique | Tactic |
|---|---|---|
| T1556 | Modify Authentication Process | Credential Access |
Detection: Cisco Duo Policy Deny Access
Description
The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability.
Search
1`cisco_duo_administrator` action=policy_update OR action=policy_create
2| spath input=description
3| search auth_status="Deny access"
4| rename object as user
5| stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `cisco_duo_policy_deny_access_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Duo Administrator | N/A | 'cisco:duo:administrator' |
'cisco_duo' |
Macros Used
| Name | Value |
|---|---|
| cisco_duo_administrator | sourcetype=cisco:duo:administrator |
| cisco_duo_policy_deny_access_filter | search * |
cisco_duo_policy_deny_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
Known False Positives
unknown
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A policy has been created or updated to deny access by user $user$ with email $admin_email$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 48 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
| Integration | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1