Tag
Cisco Duo Bulk Policy Deletion Detected
2 rules 1 TTPDetection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.
Unusual Country for Cisco Duo Admin Login
2 rules 1 TTP 1 IOCDetection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.
Cisco Duo User 2FA Bypass
2 rules 1 TTPDetection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.
Cisco Duo Policy Modification to Bypass 2FA for Specific Countries
2 rules 1 TTPA Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.
Cisco Duo Policy Bypass via 2FA Disablement
2 rules 1 TTPAn attacker modifies Cisco Duo policies to allow access without two-factor authentication (2FA), potentially gaining unauthorized access to systems and data.
Cisco Duo Policy Allowing Outdated Java Usage
2 rules 1 TTPA threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.
Cisco Duo Admin Login from Unusual Operating System
2 rules 1 TTP 2 IOCsDetection of Cisco Duo admin login attempts originating from operating systems not typically used in the environment, potentially indicating account compromise or unauthorized access.
Cisco Duo Admin Login from Unusual Browser
2 rules 1 TTPDetects Cisco Duo admin logins from browsers other than Chrome, potentially indicating compromised credentials, session hijacking, or unauthorized device usage.
Cisco Duo Policy Change to Allow Devices Without Screen Lock
2 rules 1 TTPA Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.