Cisco Duo user marked authentication request as fraudulent

This rule is part of a beta feature. To learn more, contact Support.
cisco-duo

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user has marked a Duo push as fraudulent.

Strategy

This rule monitors Cisco Duo logs for when a user marks a Duo push as fraudulent. If a user suspects that a Duo push is suspicious, such as an unusual location or application name, they will mark the push as fraudulent.

Triage and Response

  1. Contact the user {{@usr.email}} to confirm why they thought the push was suspicious.
  2. Investigate the push event, focusing on the IP address {{@access_device.ip}} and application {{@application.name}}.
  3. If the event is deemed malicious, begin your organization’s incident response process to contain the affected account or device.