---
title: Cisco Duo bypass code created by administrator
description: Datadog, the leading service for cloud-scale monitoring.
---

# Cisco Duo bypass code created by administrator

Classification: attack

Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)

Technique: [T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556)

## Goal{% #goal %}

Detect when a Duo [bypass code](https://duo.com/docs/administration-users#generating-a-bypass-code) is created by an administrator.

## Strategy{% #strategy %}

This rule monitors Cisco Duo activity logs for the creation of bypass codes by administrators. A bypass code is a temporary passcode created by an administrator for a specific user. These are generally used as "backup codes" to grant enrolled users access to their Duo-protected systems when they have problems with their mobile device, or when they're temporarily unable to access their enrolled device.

## Triage and Response{% #triage-and-response %}

1. Investigate the nature of the bypass code creation:
   - Verify whether the bypass code created by user `{{@usr.email}}` from device IP `{{@access_device.ip.address}}` was authorized and legitimate.
   - Identify the administrator responsible for the action.
1. If unauthorized or suspicious activity is detected:
   - Disable or review the administrator's account.
   - Reset any affected user accounts associated with the bypass codes.
   - Initiate an investigation into potential security breaches.
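
The following Python sketch is an added example, not Datadog's rule logic or query. It supports the first triage step by grouping bypass-code creation events per administrator and noting why each one may need a closer look. Only `usr.email` and `access_device.ip.address` come from this page; the `action.name` value `bypass_create`, the `target.name` field, the admin network allowlist, and all sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events. Field names other than usr.email and
# access_device.ip.address are assumptions, not taken from this page.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:00Z", "action": {"name": "bypass_create"},
     "usr": {"email": "alice.admin@example.com"},
     "access_device": {"ip": {"address": "10.20.0.15"}},
     "target": {"name": "bob@example.com"}},
    {"ts": "2024-05-01T23:41:00Z", "action": {"name": "bypass_create"},
     "usr": {"email": "carol.admin@example.com"},
     "access_device": {"ip": {"address": "203.0.113.7"}},
     "target": {"name": "carol.admin@example.com"}},
    {"ts": "2024-05-02T08:00:00Z", "action": {"name": "user_update"},
     "usr": {"email": "alice.admin@example.com"},
     "access_device": {"ip": {"address": "10.20.0.15"}},
     "target": {"name": "bob@example.com"}},
    {"ts": "2024-05-02T10:30:00Z", "action": {"name": "bypass_create"},
     "usr": {"email": "dave.admin@example.com"},
     "target": {"name": "erin@example.com"}},  # no access_device recorded
]

# Assumed allowlist of networks administrators normally work from.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

def triage_bypass_events(events, admin_networks=ADMIN_NETWORKS):
    """Return {admin_email: [finding, ...]} for bypass-code creation events."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("action", {}).get("name") != "bypass_create":
            continue  # only bypass-code creation is in scope
        admin = ev.get("usr", {}).get("email", "<unknown>")
        raw_ip = ev.get("access_device", {}).get("ip", {}).get("address")
        target = ev.get("target", {}).get("name", "<unknown>")
        reasons = []
        try:
            ip = ipaddress.ip_address(raw_ip)
            if not any(ip in net for net in admin_networks):
                reasons.append("source IP outside admin networks")
        except ValueError:
            reasons.append("missing or malformed source IP")
        if admin.lower() == target.lower():
            reasons.append("administrator issued a code for own account")
        findings[admin].append(
            {"ts": ev.get("ts"), "target": target, "ip": raw_ip, "reasons": reasons})
    return dict(findings)
```

An empty `reasons` list means none of these checks fired; it does not confirm that the bypass code was authorized.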
