Cisco Duo bypass code is used to authenticate user request

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a Duo bypass code is used to authenticate a user request.

Strategy

This rule monitors successful authentication events in Cisco Duo logs where the reason is set to bypass_user.
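The same filter applied offline to exported events, as an added example that is not the rule's own query or vendor code. It assumes JSON-lines input whose attributes match the names used on this page (`reason`, `usr.email`, `access_device.ip`, `application.name`); the `result` field name for the authentication outcome and the helper names are assumptions.

```python
import json

# Constructed sample events, one JSON object per line (not real logs).
# "result" is an assumed name for the authentication outcome field.
SAMPLE_LOGS = """\
{"result": "success", "reason": "user_approved", "usr": {"email": "alice@example.com"}, "access_device": {"ip": "198.51.100.7"}, "application": {"name": "VPN"}}
{"result": "success", "reason": "bypass_user", "usr": {"email": "bob@example.com"}, "access_device": {"ip": "203.0.113.45"}, "application": {"name": "Admin Console"}}
{"result": "denied", "reason": "invalid_passcode", "usr": {"email": "bob@example.com"}, "access_device": {"ip": "203.0.113.45"}, "application": {"name": "VPN"}}
{"result": "success", "reason": "bypass_user", "usr": {"email": "carol@example.com"}, "application": {"name": "VPN"}}
{"result": "success", "reason": "bypass_
"""

# Attributes the triage steps ask the analyst to focus on.
TRIAGE_FIELDS = ("usr.email", "access_device.ip", "application.name")


def dig(event, dotted):
    """Resolve a dotted path such as 'usr.email'; None if any part is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def find_bypass_auths(raw):
    """Return triage records for successful auths whose reason is bypass_user."""
    findings = []
    for line in raw.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip rather than abort the scan
        if not isinstance(event, dict):
            continue
        if event.get("result") == "success" and event.get("reason") == "bypass_user":
            # Missing attributes stay None so incomplete events are still surfaced.
            findings.append({f: dig(event, f) for f in TRIAGE_FIELDS})
    return findings


if __name__ == "__main__":
    for hit in find_bypass_auths(SAMPLE_LOGS):
        print(hit)
```

Events that match but lack an attribute (the second hit has no device IP) are kept with `None` so the analyst sees the gap instead of losing the event.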

Triage and Response

  1. Contact the user {{@usr.email}} to confirm they used the bypass code.
  2. If the user is unaware, investigate the authentication event, focusing on the IP address {{@access_device.ip}}, application {{@application.name}}, and user {{@usr.email}} involved.
  3. If the event is deemed malicious, begin your organization’s incident response process to contain the affected account or device.