Product
Cisco Duo Bulk Policy Deletion Detected
2 rules 1 TTPDetection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.
Unusual Country for Cisco Duo Admin Login
2 rules 1 TTP 1 IOCDetection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.
Cisco Duo User 2FA Bypass
2 rules 1 TTPDetection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.
Cisco Duo Policy Modification to Bypass 2FA for Specific Countries
2 rules 1 TTPA Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.
Cisco Duo Policy Bypass via 2FA Disablement
2 rules 1 TTPAn attacker modifies Cisco Duo policies to allow access without two-factor authentication (2FA), potentially gaining unauthorized access to systems and data.
Cisco Duo Policy Allowing Tampered Devices
2 rules 1 TTPA threat actor modifies or creates a Cisco Duo policy to allow tampered or rooted devices to access protected resources, potentially bypassing security controls and enabling unauthorized access.
Cisco Duo Policy Allowing Outdated Java Usage
2 rules 1 TTPA threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.
Cisco Duo Policy Change to Allow Devices Without Screen Lock
2 rules 1 TTPA Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.