Cisco Duo bypass code is used to authenticate user request

This rule is part of a beta feature. To learn more, contact Support.





Detect when a Duo bypass code is used to authenticate a user request.


This rule monitors successful authentication events in Cisco Duo logs where the reason is set to bypass_user.

Triage and Response

  1. Contact the user {{}} to confirm they used the bypass code.
  2. If the user is unaware, investigate the authentication event, focusing on the IP address {{@access_device.ip}}, application {{}}, and user {{}} involved.
  3. If the event is deemed malicious, begin your organization’s incident response process to contain the affected account or device.
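
The detection condition above, together with the fields step 2 asks you to review, as an added example (not Datadog's rule definition or Duo's code). It assumes the logs are exported as one JSON object per line; `reason` and `access_device.ip` come from this page, while `result`, `user.name`, `application.name`, the helper names and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (not real logs). Only `reason` and
# `access_device.ip` are named on this page; other fields are assumed.
SAMPLE_LOGS = """\
{"result": "success", "reason": "user_approved", "user": {"name": "alice"}, "access_device": {"ip": "198.51.100.10"}, "application": {"name": "VPN"}}
{"result": "success", "reason": "bypass_user", "user": {"name": "bob"}, "access_device": {"ip": "203.0.113.5"}, "application": {"name": "VPN"}}
{"result": "denied", "reason": "invalid_passcode", "user": {"name": "bob"}, "access_device": {"ip": "203.0.113.5"}, "application": {"name": "VPN"}}
not-json
{"result": "success", "reason": "bypass_user", "user": {"name": "bob"}, "access_device": {"ip": "192.0.2.77"}, "application": {"name": "Admin Panel"}}
{"result": "success", "reason": "bypass_user", "user": {"name": "dave"}, "application": {"name": "VPN"}}
"""

def get(event, dotted, default="unknown"):
    """Read a dotted path such as access_device.ip; tolerate missing keys."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur if cur not in (None, "") else default

def find_bypass_auths(lines):
    """Return triage records for successful auths whose reason is bypass_user."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if get(event, "result") == "success" and get(event, "reason") == "bypass_user":
            hits.append({"user": get(event, "user.name"),
                         "ip": get(event, "access_device.ip"),
                         "application": get(event, "application.name")})
    return hits

def ips_by_user(hits):
    """Group source IPs per user so the analyst can ask about each one."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["user"]].add(hit["ip"])
    return {user: sorted(ips) for user, ips in grouped.items()}

if __name__ == "__main__":
    for user, ips in ips_by_user(find_bypass_auths(SAMPLE_LOGS.splitlines())).items():
        print(f"{user}: bypass auth from {', '.join(ips)}")
```

An event with no source IP is still reported, with the IP shown as `unknown`, so it is not silently dropped from triage.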