Cisco Duo bypass code is used to authenticate user request

Classification:

attack

Tactic:

Technique:

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a Duo bypass code is used to authenticate a user request.

This rule monitors successful authentication events in Cisco Duo logs where the reason is set to bypass_user.

Contact the user {{@usr.email}} to confirm they used the bypass code.
If the user is unaware, investigate the authentication event, focusing on the IP address {{@access_device.ip}}, application {{@application.name}}, and user {{@usr.email}} involved.
If the event is deemed malicious, begin your organization’s incident response process to contain the affected account or device.