---
title: Cisco Duo RBA multi-vector attack with a successful authentication
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Cisco Duo RBA multi-vector attack with
  a successful authentication
---

# Cisco Duo RBA multi-vector attack with a successful authentication
Classification: attack | Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001) | Technique: [T1110-brute-force](https://attack.mitre.org/techniques/T1110)
## Goal{% #goal %}

Detects when Cisco Duo's Risk-Based Authentication (RBA) engine flags attack patterns for a user and that same user then completes a successful authentication within the following hour, which may indicate an account takeover.

## Strategy{% #strategy %}

This rule monitors Cisco Duo authentication logs for events on which Duo's built-in RBA engine recorded one or more of the following attack detectors: `CREDENTIAL_STUFFING`, `UNREALISTIC_TRAVEL`, `DEVICE_DISTANCE`, `NOVEL_ASN`, or `PREVIOUSLY_MARKED_FRAUD`. The rule matches any authentication event on which one of these detectors fired, followed within one hour by a successful authentication for the same user. A success inside that window is a strong indicator that an attacker has gone beyond probing and completed authentication against an account Duo's risk engine has already identified as under attack; the triage steps below separate that case from a legitimate user logging in while the attack is under way.

## Triage and Response{% #triage-and-response %}

- Verify whether `{{@usr.name}}` had a legitimate reason to authenticate at the time of the event, particularly from the devices and locations recorded in the authentication log.
- Review the specific RBA detector that triggered to understand the nature of the detected attack (for example, `UNREALISTIC_TRAVEL` suggests geographically impossible access, `CREDENTIAL_STUFFING` suggests bulk credential replay).
- Examine all denied authentication attempts preceding the successful login to identify the source IPs, ASNs, and device fingerprints associated with the attack.
- Determine if the successful authentication used a weaker factor (for example, `sms_passcode` or `phone_call`) compared to the user's typical factor, which could indicate an MFA downgrade.
- Check for any downstream activity following the successful authentication in applications protected by Duo to assess what resources the attacker may have accessed.
- Review the trusted endpoint status of the device used for the successful login to determine if it is a known-good device or a new, unrecognized endpoint.
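
The correlation described under Strategy and the triage checks listed above, carried out in code as an added example (this is not Datadog's rule implementation and not Duo's code). It runs over a handful of constructed Duo-style authentication records. The record layout is assumed rather than taken from this page: in particular the `adaptive_trust_assessments.more_secure_auth.detected_attack_detectors` path for the RBA detector names, the top-level `trusted_endpoint_status` value, and an `asn` enrichment field on the access device.

```python
"""Added example (not Datadog's rule implementation or Duo's code).

Replays the Strategy logic over constructed Duo-style records, then gathers
the Triage and Response context. The record layout is assumed, not from the page.
"""
from collections import Counter
from datetime import datetime, timedelta

RBA_DETECTORS = {"CREDENTIAL_STUFFING", "UNREALISTIC_TRAVEL", "DEVICE_DISTANCE",
                 "NOVEL_ASN", "PREVIOUSLY_MARKED_FRAUD"}
WINDOW = timedelta(hours=1)
WEAK_FACTORS = {"sms_passcode", "phone_call"}  # weaker factors named in Triage


def evt(ts_str, user, result, factor, ip, asn, detectors=(), trusted="unknown"):
    """Build one constructed record. The detector path and the asn field are
    assumptions of this example, not fields confirmed by the page."""
    return {
        "timestamp": ts_str, "result": result, "factor": factor,
        "user": {"name": user},
        "access_device": {"ip": ip, "asn": asn},
        "trusted_endpoint_status": trusted,
        "adaptive_trust_assessments": {
            "more_secure_auth": {"detected_attack_detectors": list(detectors)}},
    }


# Constructed sample log: alice is credential-stuffed from a new ASN and then
# "succeeds" over SMS from the attacker's IP; bob's flagged event is followed by
# a success only after the window has closed; carol is never flagged.
SAMPLE_EVENTS = [
    evt("2024-05-01T08:00:00", "alice", "success", "duo_push", "198.51.100.5", "AS64500", trusted="trusted"),
    evt("2024-05-01T09:00:00", "alice", "denied", "n/a", "203.0.113.7", "AS64496", ["CREDENTIAL_STUFFING"]),
    evt("2024-05-01T09:05:00", "alice", "denied", "n/a", "203.0.113.9", "AS64496", ["CREDENTIAL_STUFFING", "NOVEL_ASN"]),
    evt("2024-05-01T09:40:00", "alice", "success", "sms_passcode", "203.0.113.9", "AS64496", trusted="not trusted"),
    evt("2024-05-01T10:00:00", "bob", "denied", "n/a", "192.0.2.44", "AS64511", ["UNREALISTIC_TRAVEL"]),
    evt("2024-05-01T12:30:00", "bob", "success", "duo_push", "198.51.100.20", "AS64500", trusted="trusted"),
    evt("2024-05-01T11:00:00", "carol", "success", "duo_push", "198.51.100.8", "AS64500", trusted="trusted"),
]


def ts(e):
    return datetime.fromisoformat(e["timestamp"])


def detectors_of(e):
    """RBA detectors recorded on the event, restricted to the five the rule uses."""
    msa = e.get("adaptive_trust_assessments", {}).get("more_secure_auth", {})
    return set(msa.get("detected_attack_detectors", [])) & RBA_DETECTORS


def rba_followed_by_success(events, window=WINDOW):
    """One alert per success preceded, strictly, by a flagged event for the
    same user inside the window: the Strategy section's correlation."""
    events = sorted(events, key=ts)
    alerts = []
    for s in events:
        if s["result"] != "success":
            continue
        flagged = [f for f in events
                   if f["user"]["name"] == s["user"]["name"] and detectors_of(f)
                   and ts(s) - window <= ts(f) < ts(s)]
        if flagged:
            alerts.append({"user": s["user"]["name"], "success": s, "flagged": flagged})
    return alerts


def triage(alert, events):
    """Context for the Triage and Response steps: detectors, attacker IPs/ASNs,
    factor downgrade versus the user's typical factor, trusted endpoint status."""
    user, s = alert["user"], alert["success"]
    mine = [e for e in events if e["user"]["name"] == user]
    first_flag = ts(alert["flagged"][0])
    denied = [e for e in mine if e["result"] == "denied" and first_flag <= ts(e) < ts(s)]
    # Typical factor = most common factor on successes before the attack began.
    baseline = Counter(e["factor"] for e in mine
                       if e["result"] == "success" and ts(e) < first_flag)
    typical = baseline.most_common(1)[0][0] if baseline else None
    return {
        "user": user,
        "detectors": sorted(set().union(*(detectors_of(f) for f in alert["flagged"]))),
        "attack_ips": sorted({e["access_device"]["ip"] for e in denied}),
        "attack_asns": sorted({e["access_device"]["asn"] for e in denied}),
        "success_factor": s["factor"],
        "typical_factor": typical,
        "possible_mfa_downgrade": s["factor"] in WEAK_FACTORS and s["factor"] != typical,
        "trusted_endpoint_status": s["trusted_endpoint_status"],
    }


if __name__ == "__main__":
    for alert in rba_followed_by_success(SAMPLE_EVENTS):
        print(triage(alert, SAMPLE_EVENTS))
```

Run as a script, it reports a single alert, for `alice`: both detectors, the two attacker IPs in one ASN, a downgrade from her usual `duo_push` to `sms_passcode`, and a device Duo does not know as a trusted endpoint. `bob` produces nothing because his success lands outside the one-hour window. The correlation requires the flagged event to be strictly earlier than the success, so a flagged event that is itself a success only matches when another success follows it inside the window; Datadog's own windowing may treat that case differently.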
