From 8601a2174a488458eed239268d09fb6cf076c167 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 13:39:55 +0200 Subject: [PATCH 1/8] Cisco Duo Detections --- data_sources/cisco_duo_activity.yml | 14 ++++ data_sources/cisco_duo_administrator.yml | 14 ++++ .../cisco_duo_admin_login_unusual_browser.yml | 68 +++++++++++++++++ .../cisco_duo_admin_login_unusual_country.yml | 68 +++++++++++++++++ .../cisco_duo_admin_login_unusual_os.yml | 67 +++++++++++++++++ .../cisco_duo_bulk_policy_deletion.yml | 69 +++++++++++++++++ .../cisco_duo_bypass_code_generation.yml | 67 +++++++++++++++++ ...licy_allow_devices_without_screen_lock.yml | 66 ++++++++++++++++ ...co_duo_policy_allow_network_bypass_2fa.yml | 68 +++++++++++++++++ .../cisco_duo_policy_allow_old_flash.yml | 66 ++++++++++++++++ .../cisco_duo_policy_allow_old_java.yml | 67 +++++++++++++++++ ...isco_duo_policy_allow_tampered_devices.yml | 68 +++++++++++++++++ .../cisco_duo_policy_bypass_2fa.yml | 66 ++++++++++++++++ .../cisco_duo_policy_deny_access.yml | 66 ++++++++++++++++ ...uo_policy_skip_2fa_for_other_countries.yml | 69 +++++++++++++++++ ...isco_duo_set_user_status_to_bypass_2fa.yml | 75 +++++++++++++++++++ stories/duo_suspicious_activity.yml | 24 ++++++ 17 files changed, 1002 insertions(+) create mode 100644 data_sources/cisco_duo_activity.yml create mode 100644 data_sources/cisco_duo_administrator.yml create mode 100644 detections/application/cisco_duo_admin_login_unusual_browser.yml create mode 100644 detections/application/cisco_duo_admin_login_unusual_country.yml create mode 100644 detections/application/cisco_duo_admin_login_unusual_os.yml create mode 100644 detections/application/cisco_duo_bulk_policy_deletion.yml create mode 100644 detections/application/cisco_duo_bypass_code_generation.yml create mode 100644 detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml create mode 100644 detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml create mode 100644 detections/application/cisco_duo_policy_allow_old_flash.yml create mode 100644 detections/application/cisco_duo_policy_allow_old_java.yml create mode 100644 detections/application/cisco_duo_policy_allow_tampered_devices.yml create mode 100644 detections/application/cisco_duo_policy_bypass_2fa.yml create mode 100644 detections/application/cisco_duo_policy_deny_access.yml create mode 100644 detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml create mode 100644 detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml create mode 100644 stories/duo_suspicious_activity.yml diff --git a/data_sources/cisco_duo_activity.yml b/data_sources/cisco_duo_activity.yml new file mode 100644 index 0000000000..583d99587c --- /dev/null +++ b/data_sources/cisco_duo_activity.yml @@ -0,0 +1,14 @@ +name: Cisco Duo Activity +id: 83f727f6-8754-41f8-b9f7-8226886a659e +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +description: Data source object for Cisco Duo Activity +source: cisco_duo +sourcetype: cisco:duo:activity +separator: null +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.2.3 +fields: null diff --git a/data_sources/cisco_duo_administrator.yml b/data_sources/cisco_duo_administrator.yml new file mode 100644 index 0000000000..97af290e0c --- /dev/null +++ b/data_sources/cisco_duo_administrator.yml @@ -0,0 +1,14 @@ +name: Cisco Duo Administrator +id: 38e22de6-8b6b-449c-ae26-a640c88ff7f9 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +description: Data source object for Cisco Duo Administrator +source: cisco_duo +sourcetype: cisco:duo:administrator +separator: null +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.2.3 +fields: null diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml new file mode 100644 index 0000000000..9590cf97b1 --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Admin Login Unusual Browser +id: b38932ad-e663-4e90-bfdf-8446ee5b3f34 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual + based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco + Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, + browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is + significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized + devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege + escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized + changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture. +search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_admin_login_unusual_browser_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual browser" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml new file mode 100644 index 0000000000..e24f0bc15a --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Admin Login Unusual Country +id: 1bf631d1-44a0-472b-98c4-2975b8b281df +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic detects instances where a Duo admin login originates from a country outside of the United States, + which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs + for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, + browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because + admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, + or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, + or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, + alter configurations, or exfiltrate sensitive information. +search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< + | `duo_admin_login_unusual_country_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual country" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml new file mode 100644 index 0000000000..d77bd10199 --- /dev/null +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -0,0 +1,67 @@ +name: Cisco Duo Admin Login Unusual Os +id: c4824cc6-d644-458e-a39a-67cd67da75e3 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Activity +type: TTP +status: production +description: The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly + used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins + from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. + Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or + attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the + Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage + to organizational security controls. +search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X") + | rename actor.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + actor.details actor.type outcome.result user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< + | `duo_admin_login_unusual_os_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has logged in using an unusual OS" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml new file mode 100644 index 0000000000..88a36ab8d2 --- /dev/null +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -0,0 +1,69 @@ +name: Cisco Duo Bulk Policy Deletion +id: 983be012-e408-4cb0-b87f-6756bb5f7047 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. + It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting + them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of + security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, + potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could + include reduced security posture, increased risk of unauthorized access, and potential data breaches. Monitoring for bulk policy deletions helps ensure + that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain + compliance. +search: '`cisco_duo_administrator` action=policy_bulk_delete + | rename object as user + | spath input=description + | rex field=policies max_match=0 "(?[^:,]+):\s+" + | eval policy_count=mvcount(policy_name) + | where policy_count > 3 + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email policy_count + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_bulk_policy_deletion_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has deleted more than 3 policies" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml new file mode 100644 index 0000000000..44e7d440c3 --- /dev/null +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -0,0 +1,67 @@ +name: Cisco Duo Bypass Code Generation +id: 446e81ff-ce06-4925-9c7d-4073f9b5abf5 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections. + It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify + instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable + attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor. + Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is + critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent + unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication + standards and reduces the risk of credential-based attacks. +search: '`cisco_duo_administrator` action=bypass_create + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_bypass_code_generation_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has generated a bypass code" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml new file mode 100644 index 0000000000..c3ca1d2dc0 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Allow Devices Without Screen Lock +id: 114c616b-c793-465d-a80d-758c9fe8a704 +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior + by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate + a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations + Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate + unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the + environment due to reduced device security requirements. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search require_lock=false + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_allow_devices_without_screen_lock_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml new file mode 100644 index 0000000000..7b02e1a789 --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Policy Allow Network Bypass 2FA +id: 2593f641-6192-4f3d-b96c-2bd1c706215f +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA). + It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present, + indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and + filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical + for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially + enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy + change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection + enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search networks_allow=* + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email networks_allow + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_allow_network_bypass_2fa_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml new file mode 100644 index 0000000000..ce0b2f3b8f --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Allow Old Flash +id: f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6 +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, + specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security + Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior + is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer + supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. Detecting + and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. + Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search flash_remediation="no remediation" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_allow_old_flash_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml new file mode 100644 index 0000000000..85efbb24be --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -0,0 +1,67 @@ +name: Cisco Duo Policy Allow Old Java +id: ff56d843-57de-4a87-b726-13b145f6bf96 +version: 1 +date: '2025-07-09' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant + security risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets + 'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details + such as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center + (SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. Attackers or malicious + insiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection + enables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search java_remediation="no remediation" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_allow_old_java_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml new file mode 100644 index 0000000000..884e8b627a --- /dev/null +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -0,0 +1,68 @@ +name: Cisco Duo Policy Allow Tampered Devices +id: 6b813efd-8859-406f-b677-719458387fac +version: 1 +date: '2025-07-10' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones, + to access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices + setting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration. + Allowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more + susceptible to compromise. For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a + misconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with + compromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment, + making prompt detection and response essential to maintaining organizational security. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search allow_rooted_devices=true + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_allow_tampered_devices_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml new file mode 100644 index 0000000000..72814f062c --- /dev/null +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Bypass 2FA +id: 65862e8a-799a-4509-ae1c-4602aa139580 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). + It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." + By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of + malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture + of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy + changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search auth_status="Allow access without 2FA" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_bypass_2fa_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml new file mode 100644 index 0000000000..dd460a6ef8 --- /dev/null +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -0,0 +1,66 @@ +name: Cisco Duo Policy Deny Access +id: abf39464-ed43-4d69-a56c-02750032a3fb +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within + the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication + status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes + to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, + account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, + disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection + enables rapid investigation and remediation to maintain organizational security and availability. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search auth_status="Deny access" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_deny_access_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to deny access by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml new file mode 100644 index 0000000000..27d2061f6d --- /dev/null +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -0,0 +1,69 @@ +name: Cisco Duo Policy Skip 2FA for Other Countries +id: ab59d5ee-8694-4832-a332-cefcf66a9057 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA) + for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy + creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations. + This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.' + This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens + the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit + such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or + lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond + before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack. +search: '`cisco_duo_administrator` action=policy_update OR action=policy_create + | spath input=description + | search user_locations_default_action="Allow access without 2FA" + | rename object as user + | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_policy_skip_2fa_for_other_countries_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + source: duo + sourcetype: cisco:duo:administrator diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml new file mode 100644 index 0000000000..70d3f95313 --- /dev/null +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -0,0 +1,75 @@ +name: Cisco Duo Set User Status to Bypass 2FA +id: 8728d224-9cd5-4aa7-b75f-f8520a569979 +version: 1 +date: '2025-07-08' +author: Patrick Bareiss, Splunk +data_source: +- Cisco Duo Administrator +type: TTP +status: production +description: | + The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the + previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting + the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical + event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may + indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to + disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection + of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of + credential-based attacks. +search: '`cisco_duo_activity` action.name=user_update + | spath input=target.details path=status output=status + | spath input=old_target.details path=status output=old_status + | search status=Bypass old_status=Active + | rename target.name as user access_device.ip.address as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser + access_device.browser_version src_ip access_device.location.city + access_device.location.country access_device.location.state access_device.os access_device.os_version + action.name actor.details actor.name actor.type old_target.details target.details status old_status user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `duo_set_user_status_to_bypass_2FA_filter`' +how_to_implement: The analytic leverages Duo activity logs to be ingested using the + Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). +known_false_positives: unknown +references: +- https://splunkbase.splunk.com/app/7404 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address +tags: + analytic_story: + - Duo Suspicious Activity + asset_type: Duo + mitre_attack_id: + - T1556 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json + source: duo + sourcetype: cisco:duo:activity diff --git a/stories/duo_suspicious_activity.yml b/stories/duo_suspicious_activity.yml new file mode 100644 index 0000000000..d8d59801ef --- /dev/null +++ b/stories/duo_suspicious_activity.yml @@ -0,0 +1,24 @@ +name: Duo Suspicious Activity +id: f2f0713d-2aa3-47c7-b773-ec1e9935e35a +version: 1 +date: '2024-07-08' +author: Patrick Bareiss, Splunk +status: production +description: This analytics story focuses on identifying suspicious activities and potential account compromise events within environments protected by Duo multi-factor authentication (MFA). It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as bypassing MFA, unauthorized access attempts, and other behaviors indicative of account takeover or credential abuse. +narrative: | + Multi-factor authentication (MFA) solutions like Duo are critical for protecting user accounts and sensitive resources from unauthorized access. However, attackers continue to develop techniques to circumvent or exploit MFA controls, including social engineering, phishing, and exploiting misconfigurations. This story brings together detections that highlight suspicious activity patterns in Duo-protected environments, such as users being set to bypass MFA, anomalous login attempts, and other indicators of account compromise. By leveraging these detections, security teams can quickly identify and respond to threats targeting authentication mechanisms, reducing the risk of successful account takeover and subsequent malicious activity. +references: +- https://attack.mitre.org/techniques/T1586/ +- https://www.imperva.com/learn/application-security/account-takeover-ato/ +- https://www.barracuda.com/glossary/account-takeover +- https://www.okta.com/customer-identity/ +tags: + category: + - Adversary Tactics + - Account Compromise + - Cloud Security + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 036eb92f17cc42793d2ca0282c19849bcc0821d4 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 13:54:00 +0200 Subject: [PATCH 2/8] update filter macro name --- .../application/cisco_duo_admin_login_unusual_browser.yml | 2 +- .../application/cisco_duo_admin_login_unusual_country.yml | 2 +- detections/application/cisco_duo_admin_login_unusual_os.yml | 2 +- detections/application/cisco_duo_bulk_policy_deletion.yml | 2 +- detections/application/cisco_duo_bypass_code_generation.yml | 2 +- .../cisco_duo_policy_allow_devices_without_screen_lock.yml | 2 +- .../application/cisco_duo_policy_allow_network_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_allow_old_flash.yml | 2 +- detections/application/cisco_duo_policy_allow_old_java.yml | 2 +- .../application/cisco_duo_policy_allow_tampered_devices.yml | 2 +- detections/application/cisco_duo_policy_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_deny_access.yml | 2 +- .../cisco_duo_policy_skip_2fa_for_other_countries.yml | 2 +- .../application/cisco_duo_set_user_status_to_bypass_2fa.yml | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml index 9590cf97b1..574e614afc 100644 --- a/detections/application/cisco_duo_admin_login_unusual_browser.yml +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -22,7 +22,7 @@ search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.browse access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_admin_login_unusual_browser_filter`' + | `cisco_duo_admin_login_unusual_browser_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml index e24f0bc15a..8bc5381106 100644 --- a/detections/application/cisco_duo_admin_login_unusual_country.yml +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -22,7 +22,7 @@ search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.locati access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< - | `duo_admin_login_unusual_country_filter`' + | `cisco_duo_admin_login_unusual_country_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index d77bd10199..96dba2db14 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -21,7 +21,7 @@ search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.os IN access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< - | `duo_admin_login_unusual_os_filter`' + | `cisco_duo_admin_login_unusual_os_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml index 88a36ab8d2..72e50bd776 100644 --- a/detections/application/cisco_duo_bulk_policy_deletion.yml +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -23,7 +23,7 @@ search: '`cisco_duo_administrator` action=policy_bulk_delete | where policy_count > 3 | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email policy_count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_bulk_policy_deletion_filter`' + | `cisco_duo_bulk_policy_deletion_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml index 44e7d440c3..ddd8a6a5f7 100644 --- a/detections/application/cisco_duo_bypass_code_generation.yml +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -20,7 +20,7 @@ search: '`cisco_duo_administrator` action=bypass_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_bypass_code_generation_filter`' + | `cisco_duo_bypass_code_generation_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml index c3ca1d2dc0..2d551f3350 100644 --- a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -20,7 +20,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_allow_devices_without_screen_lock_filter`' + | `cisco_duo_policy_allow_devices_without_screen_lock_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml index 7b02e1a789..9edb34e695 100644 --- a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -22,7 +22,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email networks_allow | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_allow_network_bypass_2fa_filter`' + | `cisco_duo_policy_allow_network_bypass_2fa_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml index ce0b2f3b8f..c9b4eb02b3 100644 --- a/detections/application/cisco_duo_policy_allow_old_flash.yml +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -20,7 +20,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_allow_old_flash_filter`' + | `cisco_duo_policy_allow_old_flash_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml index 85efbb24be..f67b9030d9 100644 --- a/detections/application/cisco_duo_policy_allow_old_java.yml +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -21,7 +21,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_allow_old_java_filter`' + | `cisco_duo_policy_allow_old_java_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml index 884e8b627a..e2d98371a0 100644 --- a/detections/application/cisco_duo_policy_allow_tampered_devices.yml +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -22,7 +22,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_allow_tampered_devices_filter`' + | `cisco_duo_policy_allow_tampered_devices_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml index 72814f062c..201ca66d2e 100644 --- a/detections/application/cisco_duo_policy_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -19,7 +19,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_bypass_2fa_filter`' + | `cisco_duo_policy_bypass_2fa_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml index dd460a6ef8..9a3e516f91 100644 --- a/detections/application/cisco_duo_policy_deny_access.yml +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -20,7 +20,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_deny_access_filter`' + | `cisco_duo_policy_deny_access_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml index 27d2061f6d..2f74a1e795 100644 --- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -23,7 +23,7 @@ search: '`cisco_duo_administrator` action=policy_update OR action=policy_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_policy_skip_2fa_for_other_countries_filter`' + | `cisco_duo_policy_skip_2fa_for_other_countries_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml index 70d3f95313..89f785074a 100644 --- a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -26,7 +26,7 @@ search: '`cisco_duo_activity` action.name=user_update access_device.location.country access_device.location.state access_device.os access_device.os_version action.name actor.details actor.name actor.type old_target.details target.details status old_status user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `duo_set_user_status_to_bypass_2FA_filter`' + | `cisco_duo_set_user_status_to_bypass_2FA_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown From 2b388b09c4c379b693416291b382e5d8d1473695 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 14:03:01 +0200 Subject: [PATCH 3/8] bug fix --- .../application/cisco_duo_admin_login_unusual_browser.yml | 2 +- .../application/cisco_duo_admin_login_unusual_country.yml | 2 +- detections/application/cisco_duo_admin_login_unusual_os.yml | 2 +- detections/application/cisco_duo_bulk_policy_deletion.yml | 2 +- detections/application/cisco_duo_bypass_code_generation.yml | 2 +- .../cisco_duo_policy_allow_devices_without_screen_lock.yml | 2 +- .../application/cisco_duo_policy_allow_network_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_allow_old_flash.yml | 2 +- detections/application/cisco_duo_policy_allow_old_java.yml | 2 +- .../application/cisco_duo_policy_allow_tampered_devices.yml | 2 +- detections/application/cisco_duo_policy_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_deny_access.yml | 2 +- .../cisco_duo_policy_skip_2fa_for_other_countries.yml | 2 +- .../application/cisco_duo_set_user_status_to_bypass_2fa.yml | 4 ++-- 14 files changed, 15 insertions(+), 15 deletions(-) diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml index 574e614afc..7dafe6e061 100644 --- a/detections/application/cisco_duo_admin_login_unusual_browser.yml +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -52,7 +52,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml index 8bc5381106..e83135f085 100644 --- a/detections/application/cisco_duo_admin_login_unusual_country.yml +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -52,7 +52,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index 96dba2db14..bdbf1c64d7 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -51,7 +51,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml index 72e50bd776..80900b2ab8 100644 --- a/detections/application/cisco_duo_bulk_policy_deletion.yml +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -53,7 +53,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml index ddd8a6a5f7..64795fbf96 100644 --- a/detections/application/cisco_duo_bypass_code_generation.yml +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -50,7 +50,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml index 2d551f3350..b073f61e4c 100644 --- a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -50,7 +50,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml index 9edb34e695..9706dd5308 100644 --- a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -52,7 +52,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml index c9b4eb02b3..b531c6c801 100644 --- a/detections/application/cisco_duo_policy_allow_old_flash.yml +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -50,7 +50,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml index f67b9030d9..1c738f43f4 100644 --- a/detections/application/cisco_duo_policy_allow_old_java.yml +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -51,7 +51,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml index e2d98371a0..72ced181d6 100644 --- a/detections/application/cisco_duo_policy_allow_tampered_devices.yml +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -52,7 +52,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml index 201ca66d2e..ac5348ed95 100644 --- a/detections/application/cisco_duo_policy_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -49,7 +49,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml index 9a3e516f91..e35557e608 100644 --- a/detections/application/cisco_duo_policy_deny_access.yml +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -50,7 +50,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml index 2f74a1e795..294e2faab9 100644 --- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -53,7 +53,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml index 89f785074a..3440032b94 100644 --- a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -26,7 +26,7 @@ search: '`cisco_duo_activity` action.name=user_update access_device.location.country access_device.location.state access_device.os access_device.os_version action.name actor.details actor.name actor.type old_target.details target.details status old_status user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_duo_set_user_status_to_bypass_2FA_filter`' + | `cisco_duo_set_user_status_to_bypass_2fa_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). known_false_positives: unknown @@ -58,7 +58,7 @@ rba: tags: analytic_story: - Duo Suspicious Activity - asset_type: Duo + asset_type: Identity mitre_attack_id: - T1556 product: From 7da4b85353e6705629b9400296161964b4b2b77d Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 15:45:40 +0200 Subject: [PATCH 4/8] add macros --- macros/cisco_duo_activity.yml | 4 ++++ macros/cisco_duo_administrator.yml | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 macros/cisco_duo_activity.yml create mode 100644 macros/cisco_duo_administrator.yml diff --git a/macros/cisco_duo_activity.yml b/macros/cisco_duo_activity.yml new file mode 100644 index 0000000000..72ee282256 --- /dev/null +++ b/macros/cisco_duo_activity.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:duo:activity +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_duo_activity diff --git a/macros/cisco_duo_administrator.yml b/macros/cisco_duo_administrator.yml new file mode 100644 index 0000000000..3064fb0280 --- /dev/null +++ b/macros/cisco_duo_administrator.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:duo:administrator +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_duo_administrator From f63c5d26ea1a43cc385665b5f726d947b850174e Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 15:50:47 +0200 Subject: [PATCH 5/8] bug fix --- .../application/cisco_duo_admin_login_unusual_browser.yml | 2 +- .../application/cisco_duo_admin_login_unusual_country.yml | 2 +- detections/application/cisco_duo_admin_login_unusual_os.yml | 2 +- .../cisco_duo_policy_skip_2fa_for_other_countries.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml index 7dafe6e061..ac60189889 100644 --- a/detections/application/cisco_duo_admin_login_unusual_browser.yml +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -15,7 +15,7 @@ description: The following analytic identifies instances where a Duo admin logs devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture. -search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) | rename actor.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser access_device.browser_version src_ip access_device.location.city diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml index e83135f085..286a4d98ea 100644 --- a/detections/application/cisco_duo_admin_login_unusual_country.yml +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -15,7 +15,7 @@ description: The following analytic detects instances where a Duo admin login or or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information. -search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") | rename actor.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser access_device.browser_version src_ip access_device.location.city diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index bdbf1c64d7..2ae90cd48a 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -14,7 +14,7 @@ description: The following analytic identifies Duo admin login attempts from ope attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage to organizational security controls. -search: '`cisco:duo:activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X") +search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X") | rename actor.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime by access_device.browser access_device.browser_version src_ip access_device.location.city diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml index 294e2faab9..43e0f21fb2 100644 --- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -64,6 +64,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json source: duo sourcetype: cisco:duo:administrator From fb59e54ffeb6f4e7812f78f821b4b2857f569ac3 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 10 Jul 2025 16:45:20 +0200 Subject: [PATCH 6/8] bug fix --- .../application/cisco_duo_admin_login_unusual_country.yml | 2 +- detections/application/cisco_duo_admin_login_unusual_os.yml | 2 +- detections/application/cisco_duo_bulk_policy_deletion.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml index 286a4d98ea..d3d7596d7e 100644 --- a/detections/application/cisco_duo_admin_login_unusual_country.yml +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -21,7 +21,7 @@ search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.locati access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_admin_login_unusual_country_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index 2ae90cd48a..92fa64fcdc 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -20,7 +20,7 @@ search: '`cisco_duo_activity` "action.name"=admin_login NOT access_device.os IN access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`< + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_admin_login_unusual_os_filter`' how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml index 80900b2ab8..ad9526a5fb 100644 --- a/detections/application/cisco_duo_bulk_policy_deletion.yml +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -16,7 +16,7 @@ description: The following analytic detects instances where a Duo administrator that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain compliance. search: '`cisco_duo_administrator` action=policy_bulk_delete - | rename object as user + | rename username as user | spath input=description | rex field=policies max_match=0 "(?[^:,]+):\s+" | eval policy_count=mvcount(policy_name) From 034c2a7bf69123d708d2fbff31502b7185baa32f Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 21 Jul 2025 09:47:20 +0200 Subject: [PATCH 7/8] feedback review --- data_sources/cisco_duo_activity.yml | 33 ++++++++++++++++++- data_sources/cisco_duo_administrator.yml | 15 ++++++++- .../cisco_duo_admin_login_unusual_browser.yml | 10 ++++-- .../cisco_duo_admin_login_unusual_country.yml | 10 ++++-- .../cisco_duo_admin_login_unusual_os.yml | 10 ++++-- .../cisco_duo_bulk_policy_deletion.yml | 2 +- .../cisco_duo_bypass_code_generation.yml | 2 +- ...licy_allow_devices_without_screen_lock.yml | 2 +- ...co_duo_policy_allow_network_bypass_2fa.yml | 2 +- .../cisco_duo_policy_allow_old_flash.yml | 2 +- .../cisco_duo_policy_allow_old_java.yml | 2 +- ...isco_duo_policy_allow_tampered_devices.yml | 2 +- .../cisco_duo_policy_bypass_2fa.yml | 2 +- .../cisco_duo_policy_deny_access.yml | 2 +- ...uo_policy_skip_2fa_for_other_countries.yml | 2 +- ...isco_duo_set_user_status_to_bypass_2fa.yml | 2 +- ....yml => cisco_duo_suspicious_activity.yml} | 2 +- 17 files changed, 79 insertions(+), 23 deletions(-) rename stories/{duo_suspicious_activity.yml => cisco_duo_suspicious_activity.yml} (97%) diff --git a/data_sources/cisco_duo_activity.yml b/data_sources/cisco_duo_activity.yml index 583d99587c..8a264171c9 100644 --- a/data_sources/cisco_duo_activity.yml +++ b/data_sources/cisco_duo_activity.yml @@ -11,4 +11,35 @@ supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 version: 3.2.3 -fields: null +fields: +- access_device.browser +- access_device.browser_version +- access_device.ip.address +- access_device.location.city +- access_device.location.country +- access_device.location.state +- access_device.os +- access_device.os_version +- action.details +- action.name +- activity_id +- actor.details +- actor.key +- actor.name +- actor.type +- akey +- application +- ctime +- eventtype +- extracted_eventtype +- old_target +- outcome.result +- target.details +- target.key +- target.name +- target.type +- ts +output_fields: +- user +- src_ip +example_log: '{"ctime": "Thu Jul 10 07:37:49 2025", "access_device": {"browser": "Chrome", "browser_version": "137.0.0.0", "ip": {"address": "1.2.3.4"}, "location": {"city": "San Jose", "country": "United States", "state": "California"}, "os": "Windows", "os_version": "11"}, "action": {"details": "{\"auth_method\": \"Password\", \"auth_device\": \"WAPF4P9AJ344ZX3DGPNO\", \"factor\": \"webauthn\", \"role\": \"Owner\"}", "name": "admin_login"}, "activity_id": "e9b8d7eb-f274-4250-8f52-d0bee46b8abc", "actor": {"details": "{\"created\": \"2025-07-02T09:18:46.000000+00:00\", \"last_login\": \"2025-07-10T07:37:33.000000+00:00\", \"email\": \"test@test.com\", \"status\": null, \"groups\": null}", "key": "DEKXVXLFZBK5U0C9F1ST", "name": "Test Test", "type": "admin"}, "akey": "DAYQ46XVNT0NKTYQ5L5O", "application": null, "old_target": null, "outcome": {"result": "SUCCESS"}, "target": {"details": null, "key": null, "name": null, "type": "admin_login"}, "ts": "2025-07-10T07:37:49.616714+00:00", "timestamp": 1752133069, "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "activity"}' diff --git a/data_sources/cisco_duo_administrator.yml b/data_sources/cisco_duo_administrator.yml index 97af290e0c..48da62be32 100644 --- a/data_sources/cisco_duo_administrator.yml +++ b/data_sources/cisco_duo_administrator.yml @@ -11,4 +11,17 @@ supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 version: 3.2.3 -fields: null +fields: +- action +- actionlabel +- ctime +- description +- eventtype +- extracted_eventtype +- isotimestamp +- object +- timestamp +- username +output_fields: +- user +example_log: '{"ctime": "Tue Jul 8 12:28:47 2025", "action": "policy_create", "description": "{\"enroll_policy\": \"Allow Access\", \"name\": \"test4\", \"pretty_trusted_devices\": \"\", \"admin_email\": \"test@test.com\"}", "isotimestamp": "2025-07-08T12:28:47+00:00", "object": "test4", "timestamp": 1751977727, "username": "Test Test", "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "administrator", "actionlabel": "Added policy"}' \ No newline at end of file diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml index ac60189889..d41093dce6 100644 --- a/detections/application/cisco_duo_admin_login_unusual_browser.yml +++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml @@ -43,15 +43,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has logged in using an unusual browser" + message: A user $user$ has logged in using an unusual browser $access_device.browser$ from $src_ip$. risk_objects: - field: user type: user score: 48 - threat_objects: [] + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml index d3d7596d7e..99f55f8689 100644 --- a/detections/application/cisco_duo_admin_login_unusual_country.yml +++ b/detections/application/cisco_duo_admin_login_unusual_country.yml @@ -43,15 +43,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has logged in using an unusual country" + message: A user $user$ has logged in using an unusual country using browser $access_device.browser$ from $src_ip$. risk_objects: - field: user type: user score: 48 - threat_objects: [] + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index 92fa64fcdc..f40c850fa3 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -42,15 +42,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has logged in using an unusual OS" + message: A user $user$ has logged in using an unusual OS using browser $access_device.browser$ from $src_ip$. risk_objects: - field: user type: user score: 48 - threat_objects: [] + threat_objects: + - field: access_device.browser + type: http_user_agent + - field: src_ip + type: ip_address tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml index ad9526a5fb..c0f40d7af3 100644 --- a/detections/application/cisco_duo_bulk_policy_deletion.yml +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -52,7 +52,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml index 64795fbf96..65a601d9dc 100644 --- a/detections/application/cisco_duo_bypass_code_generation.yml +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -49,7 +49,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml index b073f61e4c..e505f17751 100644 --- a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -49,7 +49,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml index 9706dd5308..bbb4c133f1 100644 --- a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -51,7 +51,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml index b531c6c801..2d0828cd02 100644 --- a/detections/application/cisco_duo_policy_allow_old_flash.yml +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -49,7 +49,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml index 1c738f43f4..3fa78366ba 100644 --- a/detections/application/cisco_duo_policy_allow_old_java.yml +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -50,7 +50,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml index 72ced181d6..f95676a32c 100644 --- a/detections/application/cisco_duo_policy_allow_tampered_devices.yml +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -51,7 +51,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml index ac5348ed95..720fa673fe 100644 --- a/detections/application/cisco_duo_policy_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -48,7 +48,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml index e35557e608..0da0f7ec75 100644 --- a/detections/application/cisco_duo_policy_deny_access.yml +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -49,7 +49,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml index 43e0f21fb2..39d7a44aba 100644 --- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -52,7 +52,7 @@ rba: threat_objects: [] tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml index 3440032b94..3e7780e130 100644 --- a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -57,7 +57,7 @@ rba: type: ip_address tags: analytic_story: - - Duo Suspicious Activity + - Cisco Duo Suspicious Activity asset_type: Identity mitre_attack_id: - T1556 diff --git a/stories/duo_suspicious_activity.yml b/stories/cisco_duo_suspicious_activity.yml similarity index 97% rename from stories/duo_suspicious_activity.yml rename to stories/cisco_duo_suspicious_activity.yml index d8d59801ef..541674b247 100644 --- a/stories/duo_suspicious_activity.yml +++ b/stories/cisco_duo_suspicious_activity.yml @@ -1,4 +1,4 @@ -name: Duo Suspicious Activity +name: Cisco Duo Suspicious Activity id: f2f0713d-2aa3-47c7-b773-ec1e9935e35a version: 1 date: '2024-07-08' From e434b1ac3ffc73e4cb6671eb84568aff900bc4fc Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Jul 2025 09:44:10 -0700 Subject: [PATCH 8/8] remove extraquote --- detections/application/cisco_duo_admin_login_unusual_os.yml | 2 +- detections/application/cisco_duo_bulk_policy_deletion.yml | 2 +- detections/application/cisco_duo_bypass_code_generation.yml | 2 +- .../cisco_duo_policy_allow_devices_without_screen_lock.yml | 2 +- .../application/cisco_duo_policy_allow_network_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_allow_old_flash.yml | 2 +- detections/application/cisco_duo_policy_allow_old_java.yml | 2 +- .../application/cisco_duo_policy_allow_tampered_devices.yml | 2 +- detections/application/cisco_duo_policy_bypass_2fa.yml | 2 +- detections/application/cisco_duo_policy_deny_access.yml | 2 +- .../cisco_duo_policy_skip_2fa_for_other_countries.yml | 2 +- .../application/cisco_duo_set_user_status_to_bypass_2fa.yml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml index f40c850fa3..fad8d6731c 100644 --- a/detections/application/cisco_duo_admin_login_unusual_os.yml +++ b/detections/application/cisco_duo_admin_login_unusual_os.yml @@ -42,7 +42,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has logged in using an unusual OS using browser $access_device.browser$ from $src_ip$. + message: A user $user$ has logged in using an unusual OS $access_device.os$ using browser $access_device.browser$ from $src_ip$. risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml index c0f40d7af3..cdbbc9d303 100644 --- a/detections/application/cisco_duo_bulk_policy_deletion.yml +++ b/detections/application/cisco_duo_bulk_policy_deletion.yml @@ -44,7 +44,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has deleted more than 3 policies" + message: A user $user$ has deleted more than 3 policies risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml index 65a601d9dc..ead9e145ce 100644 --- a/detections/application/cisco_duo_bypass_code_generation.yml +++ b/detections/application/cisco_duo_bypass_code_generation.yml @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has generated a bypass code" + message: A user $user$ has generated a bypass code risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml index e505f17751..d5ee03a992 100644 --- a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml index bbb4c133f1..30246b3266 100644 --- a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -43,7 +43,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml index 2d0828cd02..0938ce88c2 100644 --- a/detections/application/cisco_duo_policy_allow_old_flash.yml +++ b/detections/application/cisco_duo_policy_allow_old_flash.yml @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml index 3fa78366ba..cbca837f13 100644 --- a/detections/application/cisco_duo_policy_allow_old_java.yml +++ b/detections/application/cisco_duo_policy_allow_old_java.yml @@ -42,7 +42,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml index f95676a32c..6ada6bb629 100644 --- a/detections/application/cisco_duo_policy_allow_tampered_devices.yml +++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml @@ -43,7 +43,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml index 720fa673fe..e9e77f91cf 100644 --- a/detections/application/cisco_duo_policy_bypass_2fa.yml +++ b/detections/application/cisco_duo_policy_bypass_2fa.yml @@ -40,7 +40,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml index 0da0f7ec75..be1439906d 100644 --- a/detections/application/cisco_duo_policy_deny_access.yml +++ b/detections/application/cisco_duo_policy_deny_access.yml @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to deny access by user $user$ with email $admin_email$" + message: A policy has been created or updated to deny access by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml index 39d7a44aba..932611685b 100644 --- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml +++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml @@ -44,7 +44,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$" + message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$ risk_objects: - field: user type: user diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml index 3e7780e130..344add90de 100644 --- a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml +++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml @@ -47,7 +47,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$" + message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$ risk_objects: - field: user type: user