Detection: Cisco Duo Admin Login Unusual Browser

Updated Date: 2025-07-10 ID: b38932ad-e663-4e90-bfdf-8446ee5b3f34 Author: Patrick Bareiss, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture.

Search

1`cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) 
2| rename actor.name as user access_device.ip.address as src_ip 
3| stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `cisco_duo_admin_login_unusual_browser_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco Duo Activity	N/A	`'cisco:duo:activity'`	`'cisco_duo'`

Macros Used

Name	Value
cisco_duo_activity	`sourcetype=cisco:duo:activity`
cisco_duo_admin_login_unusual_browser_filter	`search *`

cisco_duo_admin_login_unusual_browser_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1556	Modify Authentication Process	Credential Access

Exploitation

Installation

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).

Known False Positives

unknown

Associated Analytic Story

Cisco Duo Suspicious Activity

Risk Based Analytics (RBA)

Risk Message:

A user $user$ has logged in using an unusual browser $access_device.browser$ from $src_ip$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	48	src_ip, access_device.browser

References

https://splunkbase.splunk.com/app/7404

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`duo`	`cisco:duo:activity`
Integration	✅ Passing	Dataset	`duo`	`cisco:duo:activity`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1