Merge pull request #3602 from splunk/duo_detections_1

Cisco Duo Detections

Author: patel-bhavin

data_sources/cisco_duo_activity.yml

@@ -0,0 +1,45 @@
+name: Cisco Duo Activity
+id: 83f727f6-8754-41f8-b9f7-8226886a659e
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+description: Data source object for Cisco Duo Activity
+source: cisco_duo
+sourcetype: cisco:duo:activity
+separator: null
+supported_TA:
+- name: Cisco Security Cloud
+  url: https://splunkbase.splunk.com/app/7404
+  version: 3.2.3
+fields: 
+- access_device.browser
+- access_device.browser_version
+- access_device.ip.address
+- access_device.location.city
+- access_device.location.country
+- access_device.location.state
+- access_device.os
+- access_device.os_version
+- action.details
+- action.name
+- activity_id
+- actor.details
+- actor.key
+- actor.name
+- actor.type
+- akey
+- application
+- ctime
+- eventtype
+- extracted_eventtype
+- old_target
+- outcome.result
+- target.details
+- target.key
+- target.name
+- target.type
+- ts
+output_fields:
+- user
+- src_ip
+example_log: '{"ctime": "Thu Jul 10 07:37:49 2025", "access_device": {"browser": "Chrome", "browser_version": "137.0.0.0", "ip": {"address": "1.2.3.4"}, "location": {"city": "San Jose", "country": "United States", "state": "California"}, "os": "Windows", "os_version": "11"}, "action": {"details": "{\"auth_method\": \"Password\", \"auth_device\": \"WAPF4P9AJ344ZX3DGPNO\", \"factor\": \"webauthn\", \"role\": \"Owner\"}", "name": "admin_login"}, "activity_id": "e9b8d7eb-f274-4250-8f52-d0bee46b8abc", "actor": {"details": "{\"created\": \"2025-07-02T09:18:46.000000+00:00\", \"last_login\": \"2025-07-10T07:37:33.000000+00:00\", \"email\": \"[email protected]\", \"status\": null, \"groups\": null}", "key": "DEKXVXLFZBK5U0C9F1ST", "name": "Test Test", "type": "admin"}, "akey": "DAYQ46XVNT0NKTYQ5L5O", "application": null, "old_target": null, "outcome": {"result": "SUCCESS"}, "target": {"details": null, "key": null, "name": null, "type": "admin_login"}, "ts": "2025-07-10T07:37:49.616714+00:00", "timestamp": 1752133069, "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "activity"}'

data_sources/cisco_duo_administrator.yml

@@ -0,0 +1,27 @@
+name: Cisco Duo Administrator
+id: 38e22de6-8b6b-449c-ae26-a640c88ff7f9
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+description: Data source object for Cisco Duo Administrator
+source: cisco_duo
+sourcetype: cisco:duo:administrator
+separator: null
+supported_TA:
+- name: Cisco Security Cloud
+  url: https://splunkbase.splunk.com/app/7404
+  version: 3.2.3
+fields: 
+- action
+- actionlabel
+- ctime
+- description
+- eventtype
+- extracted_eventtype
+- isotimestamp
+- object
+- timestamp
+- username
+output_fields:
+- user
+example_log: '{"ctime": "Tue Jul  8 12:28:47 2025", "action": "policy_create", "description": "{\"enroll_policy\": \"Allow Access\", \"name\": \"test4\", \"pretty_trusted_devices\": \"\", \"admin_email\": \"[email protected]\"}", "isotimestamp": "2025-07-08T12:28:47+00:00", "object": "test4", "timestamp": 1751977727, "username": "Test Test", "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "administrator", "actionlabel": "Added policy"}'

detections/application/cisco_duo_admin_login_unusual_browser.yml

@@ -0,0 +1,72 @@
+name: Cisco Duo Admin Login Unusual Browser
+id: b38932ad-e663-4e90-bfdf-8446ee5b3f34
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+data_source:
+- Cisco Duo Activity
+type: TTP
+status: production
+description: The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual 
+  based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco 
+  Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, 
+  browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is 
+  significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized 
+  devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege 
+  escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized 
+  changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture.
+search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome)
+  | rename actor.name as user access_device.ip.address as src_ip
+  | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser 
+  access_device.browser_version src_ip access_device.location.city 
+  access_device.location.country access_device.location.state access_device.os access_device.os_version 
+  actor.details actor.type outcome.result user
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `cisco_duo_admin_login_unusual_browser_filter`'
+how_to_implement: The analytic leverages Duo activity logs to be ingested using the
+  Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
+known_false_positives: unknown
+references:
+- https://splunkbase.splunk.com/app/7404
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A user $user$ has logged in using an unusual browser $access_device.browser$ from $src_ip$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 48
+  threat_objects: 
+  - field: access_device.browser
+    type: http_user_agent
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - Cisco Duo Suspicious Activity
+  asset_type: Identity
+  mitre_attack_id:
+  - T1556
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json
+    source: duo
+    sourcetype: cisco:duo:activity

detections/application/cisco_duo_admin_login_unusual_country.yml

@@ -0,0 +1,72 @@
+name: Cisco Duo Admin Login Unusual Country
+id: 1bf631d1-44a0-472b-98c4-2975b8b281df
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+data_source:
+- Cisco Duo Activity
+type: TTP
+status: production
+description: The following analytic detects instances where a Duo admin login originates from a country outside of the United States, 
+  which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs 
+  for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, 
+  browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because 
+  admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, 
+  or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, 
+  or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, 
+  alter configurations, or exfiltrate sensitive information.
+search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States")
+  | rename actor.name as user access_device.ip.address as src_ip
+  | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser 
+  access_device.browser_version src_ip access_device.location.city 
+  access_device.location.country access_device.location.state access_device.os access_device.os_version 
+  actor.details actor.type outcome.result user
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `cisco_duo_admin_login_unusual_country_filter`'
+how_to_implement: The analytic leverages Duo activity logs to be ingested using the
+  Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
+known_false_positives: unknown
+references:
+- https://splunkbase.splunk.com/app/7404
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A user $user$ has logged in using an unusual country using browser $access_device.browser$ from $src_ip$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 48
+  threat_objects: 
+  - field: access_device.browser
+    type: http_user_agent
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - Cisco Duo Suspicious Activity
+  asset_type: Identity
+  mitre_attack_id:
+  - T1556
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json
+    source: duo
+    sourcetype: cisco:duo:activity

detections/application/cisco_duo_admin_login_unusual_os.yml

@@ -0,0 +1,71 @@
+name: Cisco Duo Admin Login Unusual Os
+id: c4824cc6-d644-458e-a39a-67cd67da75e3
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+data_source:
+- Cisco Duo Activity
+type: TTP
+status: production
+description: The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly 
+  used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins 
+  from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. 
+  Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or 
+  attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the 
+  Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage 
+  to organizational security controls.
+search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X")
+  | rename actor.name as user access_device.ip.address as src_ip
+  | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser 
+  access_device.browser_version src_ip access_device.location.city 
+  access_device.location.country access_device.location.state access_device.os access_device.os_version 
+  actor.details actor.type outcome.result user
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `cisco_duo_admin_login_unusual_os_filter`'
+how_to_implement: The analytic leverages Duo activity logs to be ingested using the
+  Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
+known_false_positives: unknown
+references:
+- https://splunkbase.splunk.com/app/7404
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A user $user$ has logged in using an unusual OS $access_device.os$ using browser $access_device.browser$ from $src_ip$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 48
+  threat_objects: 
+  - field: access_device.browser
+    type: http_user_agent
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - Cisco Duo Suspicious Activity
+  asset_type: Identity
+  mitre_attack_id:
+  - T1556
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json
+    source: duo
+    sourcetype: cisco:duo:activity

detections/application/cisco_duo_bulk_policy_deletion.yml

@@ -0,0 +1,69 @@
+name: Cisco Duo Bulk Policy Deletion
+id: 983be012-e408-4cb0-b87f-6756bb5f7047
+version: 1
+date: '2025-07-10'
+author: Patrick Bareiss, Splunk
+data_source:
+- Cisco Duo Administrator
+type: TTP
+status: production
+description: The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. 
+  It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting 
+  them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of 
+  security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, 
+  potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could 
+  include reduced security posture, increased risk of unauthorized access, and potential data breaches. Monitoring for bulk policy deletions helps ensure 
+  that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain 
+  compliance.
+search: '`cisco_duo_administrator` action=policy_bulk_delete
+  | rename username as user
+  | spath input=description
+  | rex field=policies max_match=0 "(?<policy_name>[^:,]+):\s+"
+  | eval policy_count=mvcount(policy_name)
+  | where policy_count > 3
+  | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email policy_count
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `cisco_duo_bulk_policy_deletion_filter`'
+how_to_implement: The analytic leverages Duo activity logs to be ingested using the
+  Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
+known_false_positives: unknown
+references:
+- https://splunkbase.splunk.com/app/7404
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A user $user$ has deleted more than 3 policies
+  risk_objects:
+  - field: user
+    type: user
+    score: 48
+  threat_objects: []
+tags:
+  analytic_story:
+  - Cisco Duo Suspicious Activity
+  asset_type: Identity
+  mitre_attack_id:
+  - T1556
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json
+    source: duo
+    sourcetype: cisco:duo:administrator