Analytics Story: Cisco Duo Suspicious Activity

Description

This analytics story focuses on identifying suspicious activities and potential account compromise events within environments protected by Duo multi-factor authentication (MFA). It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as bypassing MFA, unauthorized access attempts, and other behaviors indicative of account takeover or credential abuse.

Why it matters

Multi-factor authentication (MFA) solutions like Duo are critical for protecting user accounts and sensitive resources from unauthorized access. However, attackers continue to develop techniques to circumvent or exploit MFA controls, including social engineering, phishing, and exploiting misconfigurations. This story brings together detections that highlight suspicious activity patterns in Duo-protected environments, such as users being set to bypass MFA, anomalous login attempts, and other indicators of account compromise. By leveraging these detections, security teams can quickly identify and respond to threats targeting authentication mechanisms, reducing the risk of successful account takeover and subsequent malicious activity.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Cisco Duo Admin Login Unusual Browser | Modify Authentication Process | TTP |
| Cisco Duo Admin Login Unusual Country | Modify Authentication Process | TTP |
| Cisco Duo Admin Login Unusual Os | Modify Authentication Process | TTP |
| Cisco Duo Bulk Policy Deletion | Modify Authentication Process | TTP |
| Cisco Duo Bypass Code Generation | Modify Authentication Process | TTP |
| Cisco Duo Policy Allow Devices Without Screen Lock | Modify Authentication Process | TTP |
| Cisco Duo Policy Allow Network Bypass 2FA | Modify Authentication Process | TTP |
| Cisco Duo Policy Allow Old Flash | Modify Authentication Process | TTP |
| Cisco Duo Policy Allow Old Java | Modify Authentication Process | TTP |
| Cisco Duo Policy Allow Tampered Devices | Modify Authentication Process | TTP |
| Cisco Duo Policy Bypass 2FA | Modify Authentication Process | TTP |
| Cisco Duo Policy Deny Access | Modify Authentication Process | TTP |
| Cisco Duo Policy Skip 2FA for Other Countries | Modify Authentication Process | TTP |
| Cisco Duo Set User Status to Bypass 2FA | Modify Authentication Process | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Cisco Duo Activity | N/A | cisco:duo:activity | cisco_duo |
| Cisco Duo Administrator | N/A | cisco:duo:administrator | cisco_duo |

Source: GitHub | Version: 1