diff --git a/data_sources/cisco_duo_activity.yml b/data_sources/cisco_duo_activity.yml new file mode 100644 index 0000000000..8a264171c9 --- /dev/null +++ b/data_sources/cisco_duo_activity.yml @@ -0,0 +1,45 @@ +name: Cisco Duo Activity +id: 83f727f6-8754-41f8-b9f7-8226886a659e +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +description: Data source object for Cisco Duo Activity +source: cisco_duo +sourcetype: cisco:duo:activity +separator: null +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.2.3 +fields: +- access_device.browser +- access_device.browser_version +- access_device.ip.address +- access_device.location.city +- access_device.location.country +- access_device.location.state +- access_device.os +- access_device.os_version +- action.details +- action.name +- activity_id +- actor.details +- actor.key +- actor.name +- actor.type +- akey +- application +- ctime +- eventtype +- extracted_eventtype +- old_target +- outcome.result +- target.details +- target.key +- target.name +- target.type +- ts +output_fields: +- user +- src_ip +example_log: '{"ctime": "Thu Jul 10 07:37:49 2025", "access_device": {"browser": "Chrome", "browser_version": "137.0.0.0", "ip": {"address": "1.2.3.4"}, "location": {"city": "San Jose", "country": "United States", "state": "California"}, "os": "Windows", "os_version": "11"}, "action": {"details": "{\"auth_method\": \"Password\", \"auth_device\": \"WAPF4P9AJ344ZX3DGPNO\", \"factor\": \"webauthn\", \"role\": \"Owner\"}", "name": "admin_login"}, "activity_id": "e9b8d7eb-f274-4250-8f52-d0bee46b8abc", "actor": {"details": "{\"created\": \"2025-07-02T09:18:46.000000+00:00\", \"last_login\": \"2025-07-10T07:37:33.000000+00:00\", \"email\": \"test@test.com\", \"status\": null, \"groups\": null}", "key": "DEKXVXLFZBK5U0C9F1ST", "name": "Test Test", "type": "admin"}, "akey": "DAYQ46XVNT0NKTYQ5L5O", "application": null, "old_target": null, "outcome": {"result": "SUCCESS"}, "target": {"details": null, "key": null, "name": null, "type": "admin_login"}, "ts": "2025-07-10T07:37:49.616714+00:00", "timestamp": 1752133069, "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "activity"}' diff --git a/data_sources/cisco_duo_administrator.yml b/data_sources/cisco_duo_administrator.yml new file mode 100644 index 0000000000..48da62be32 --- /dev/null +++ b/data_sources/cisco_duo_administrator.yml @@ -0,0 +1,27 @@ +name: Cisco Duo Administrator +id: 38e22de6-8b6b-449c-ae26-a640c88ff7f9 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +description: Data source object for Cisco Duo Administrator +source: cisco_duo +sourcetype: cisco:duo:administrator +separator: null +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.2.3 +fields: +- action +- actionlabel +- ctime +- description +- eventtype +- extracted_eventtype +- isotimestamp +- object +- timestamp +- username +output_fields: +- user +example_log: '{"ctime": "Tue Jul 8 12:28:47 2025", "action": "policy_create", "description": "{\"enroll_policy\": \"Allow Access\", \"name\": \"test4\", \"pretty_trusted_devices\": \"\", \"admin_email\": \"test@test.com\"}", "isotimestamp": "2025-07-08T12:28:47+00:00", "object": "test4", "timestamp": 1751977727, "username": "Test Test", "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "administrator", "actionlabel": "Added policy"}' \ No newline at end of file diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml new file mode 100644 index 0000000000..d41093dce6 --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -0,0 +1,72 @@ +name: Cisco Duo Admin Login Unusual Browser +id: b38932ad-e663-4e90-bfdf-8446ee5b3f34 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual + based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco + Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, + browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is + significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized + devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege + escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized + changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture. +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_admin_login_unusual_browser_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual browser $access_device.browser$ from $src_ip$. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml new file mode 100644 index 0000000000..99f55f8689 --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -0,0 +1,72 @@ +name: Cisco Duo Admin Login Unusual Country +id: 1bf631d1-44a0-472b-98c4-2975b8b281df +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic detects instances where a Duo admin login originates from a country outside of the United States, + which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs + for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, + browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because + admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, + or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, + or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, + alter configurations, or exfiltrate sensitive information. +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_admin_login_unusual_country_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual country using browser $access_device.browser$ from $src_ip$. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml new file mode 100644 index 0000000000..fad8d6731c --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -0,0 +1,71 @@ +name: Cisco Duo Admin Login Unusual Os +id: c4824cc6-d644-458e-a39a-67cd67da75e3 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly + used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins + from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. + Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or + attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the + Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage + to organizational security controls. +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X") + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_admin_login_unusual_os_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual OS $access_device.os$ using browser $access_device.browser$ from $src_ip$. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml new file mode 100644 index 0000000000..cdbbc9d303 --- /dev/null +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -0,0 +1,69 @@ +name: Cisco Duo Bulk Policy Deletion +id: 983be012-e408-4cb0-b87f-6756bb5f7047 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. + It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting + them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of + security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, + potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could + include reduced security posture, increased risk of unauthorized access, and potential data breaches. Monitoring for bulk policy deletions helps ensure + that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain + compliance. +search: '`cisco_duo_administrator` action=policy_bulk_delete + | rename username as user + | spath input=description + | rex field=policies max_match=0 "(?[^:,]+):\s+" + | eval policy_count=mvcount(policy_name) + | where policy_count > 3 + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email policy_count + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_bulk_policy_deletion_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has deleted more than 3 policies + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml new file mode 100644 index 0000000000..ead9e145ce --- /dev/null +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -0,0 +1,67 @@ +name: Cisco Duo Bypass Code Generation +id: 446e81ff-ce06-4925-9c7d-4073f9b5abf5 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections. + It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify + instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable + attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor. + Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is + critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent + unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication + standards and reduces the risk of credential-based attacks. +search: '`cisco_duo_administrator` action=bypass_create + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_bypass_code_generation_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has generated a bypass code + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml new file mode 100644 index 0000000000..d5ee03a992 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Allow Devices Without Screen Lock +id: 114c616b-c793-465d-a80d-758c9fe8a704 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior + by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate + a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations + Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate + unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the + environment due to reduced device security requirements. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search require_lock=false + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_allow_devices_without_screen_lock_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml new file mode 100644 index 0000000000..30246b3266 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Policy Allow Network Bypass 2FA +id: 2593f641-6192-4f3d-b96c-2bd1c706215f +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA). + It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present, + indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and + filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical + for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially + enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy + change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection + enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search networks_allow=* + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email networks_allow + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_allow_network_bypass_2fa_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml new file mode 100644 index 0000000000..0938ce88c2 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Allow Old Flash +id: f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6 +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, + specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security + Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior + is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer + supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. Detecting + and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. + Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search flash_remediation="no remediation" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_allow_old_flash_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml new file mode 100644 index 0000000000..cbca837f13 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -0,0 +1,67 @@ +name: Cisco Duo Policy Allow Old Java +id: ff56d843-57de-4a87-b726-13b145f6bf96 +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant + security risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets + 'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details + such as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center + (SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. Attackers or malicious + insiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection + enables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search java_remediation="no remediation" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_allow_old_java_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml new file mode 100644 index 0000000000..6ada6bb629 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Policy Allow Tampered Devices +id: 6b813efd-8859-406f-b677-719458387fac +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones, + to access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices + setting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration. + Allowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more + susceptible to compromise. For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a + misconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with + compromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment, + making prompt detection and response essential to maintaining organizational security. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search allow_rooted_devices=true + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_allow_tampered_devices_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml new file mode 100644 index 0000000000..e9e77f91cf --- /dev/null +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Bypass 2FA +id: 65862e8a-799a-4509-ae1c-4602aa139580 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). + It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." + By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of + malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture + of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy + changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search auth_status="Allow access without 2FA" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_bypass_2fa_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml new file mode 100644 index 0000000000..be1439906d --- /dev/null +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Deny Access +id: abf39464-ed43-4d69-a56c-02750032a3fb +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within + the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication + status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes + to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, + account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, + disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection + enables rapid investigation and remediation to maintain organizational security and availability. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search auth_status="Deny access" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_deny_access_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to deny access by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml new file mode 100644 index 0000000000..932611685b --- /dev/null +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -0,0 +1,69 @@ +name: Cisco Duo Policy Skip 2FA for Other Countries +id: ab59d5ee-8694-4832-a332-cefcf66a9057 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA) + for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy + creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations. + This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.' + This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens + the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit + such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or + lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond + before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search user_locations_default_action="Allow access without 2FA" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_policy_skip_2fa_for_other_countries_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml new file mode 100644 index 0000000000..344add90de --- /dev/null +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -0,0 +1,75 @@ +name: Cisco Duo Set User Status to Bypass 2FA +id: 8728d224-9cd5-4aa7-b75f-f8520a569979 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the + previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting + the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical + event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may + indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to + disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection + of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of + credential-based attacks. +search: '`cisco_duo_activity` action.name=user_update + | spath input=target.details path=status output=status + | spath input=old_target.details path=status output=old_status + | search status=Bypass old_status=Active + | rename target.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + action.name actor.details actor.name actor.type old_target.details target.details status old_status user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `cisco_duo_set_user_status_to_bypass_2fa_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address +tags: + analytic_story: + - Cisco Duo Suspicious Activity + asset_type: Identity + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/macros/cisco_duo_activity.yml b/macros/cisco_duo_activity.yml new file mode 100644 index 0000000000..72ee282256 --- /dev/null +++ b/macros/cisco_duo_activity.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:duo:activity +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_duo_activity diff --git a/macros/cisco_duo_administrator.yml b/macros/cisco_duo_administrator.yml new file mode 100644 index 0000000000..3064fb0280 --- /dev/null +++ b/macros/cisco_duo_administrator.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:duo:administrator +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_duo_administrator diff --git a/stories/cisco_duo_suspicious_activity.yml b/stories/cisco_duo_suspicious_activity.yml new file mode 100644 index 0000000000..541674b247 --- /dev/null +++ b/stories/cisco_duo_suspicious_activity.yml @@ -0,0 +1,24 @@ +name: Cisco Duo Suspicious Activity +id: f2f0713d-2aa3-47c7-b773-ec1e9935e35a +version: 1 +date: '2024-07-08' +author: Patrick Bareiss, Splunk +status: production +description: This analytics story focuses on identifying suspicious activities and potential account compromise events within environments protected by Duo multi-factor authentication (MFA). It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as bypassing MFA, unauthorized access attempts, and other behaviors indicative of account takeover or credential abuse. +narrative: | + Multi-factor authentication (MFA) solutions like Duo are critical for protecting user accounts and sensitive resources from unauthorized access. However, attackers continue to develop techniques to circumvent or exploit MFA controls, including social engineering, phishing, and exploiting misconfigurations. This story brings together detections that highlight suspicious activity patterns in Duo-protected environments, such as users being set to bypass MFA, anomalous login attempts, and other indicators of account compromise. By leveraging these detections, security teams can quickly identify and respond to threats targeting authentication mechanisms, reducing the risk of successful account takeover and subsequent malicious activity. +references: +- https://attack.mitre.org/techniques/T1586/ +- https://www.imperva.com/learn/application-security/account-takeover-ato/ +- https://www.barracuda.com/glossary/account-takeover +- https://www.okta.com/customer-identity/ +tags: + category: + - Adversary Tactics + - Account Compromise + - Cloud Security + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file