Cisco Duo bypass code created by administrator
Goal
Detect when a Duo bypass code is created by an administrator.
Strategy
This rule monitors Cisco Duo activity logs for the creation of bypass codes by administrators. A bypass code is a temporary passcode created by an administrator for a specific user. These are generally used as “backup codes” to grant enrolled users access to their Duo-protected systems when they have problems with their mobile device, or when they’re temporarily unable to access their enrolled device.
Triage and Response
- Investigate the nature of the bypass code creation:
  - Verify that the bypass code created by user {{@usr.email}} from device IP {{@access_device.ip.address}} was authorized and legitimate (for example, a matching help-desk ticket or a known lost-device report for the target user).
  - Identify the administrator responsible for the action and confirm that the source IP is one they normally use.
- If unauthorized or suspicious activity is detected:
  - Review the administrator’s account and disable it if necessary.
  - Reset any affected user accounts associated with the bypass codes, and revoke any bypass codes that are still valid.
  - Initiate an investigation into potential security breaches.
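The detection described under Strategy, and the facts the Triage steps ask for (which administrator, which target user, from which IP), as an added example that is not part of the original page or of the Datadog or Cisco Duo integrations. It runs the match over constructed administrator-action records; the record shape (`action`, `username`, `object`, `description`, `access_device`), the `bypass_create` action value and the description keys are assumptions for the example, and the "never expires" / "unlimited uses" interpretation of zero values mirrors the Duo Admin API bypass-code parameters rather than anything the rule page states.

```python
"""Flag Duo bypass-code creation in administrator action logs (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample records, not captured from a real deployment. The shape is
# an assumption: Duo administrator-action style fields plus an access_device
# block like the one the rule's template variables reference.
SAMPLE_ADMIN_LOGS = [
    {"timestamp": 1700000000, "action": "user_update", "username": "admin.alice",
     "object": "bob", "description": '{"status": "Active"}',
     "access_device": {"ip": {"address": "198.51.100.10"}}},
    {"timestamp": 1700000100, "action": "bypass_create", "username": "admin.alice",
     "object": "bob", "description": '{"count": 1, "valid_secs": 3600, "reuse_count": 1}',
     "access_device": {"ip": {"address": "198.51.100.10"}}},
    {"timestamp": 1700003700, "action": "bypass_create", "username": "helpdesk.eve",
     "object": "ceo", "description": '{"count": 10, "valid_secs": 0, "reuse_count": 0}',
     "access_device": {"ip": {"address": "203.0.113.77"}}},
    {"timestamp": 1700003800, "action": "bypass_delete", "username": "admin.alice",
     "object": "bob", "description": "{}",
     "access_device": {"ip": {"address": "198.51.100.10"}}},
]

BYPASS_CREATE_ACTION = "bypass_create"  # assumed action value for this example


def parse_description(raw):
    """Description is carried as a JSON string; tolerate missing or malformed data."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw or "{}")
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def triage_notes(finding):
    """Properties an analyst would want highlighted before deciding on the response."""
    notes = []
    if finding["valid_secs"] == 0:
        notes.append("code never expires")          # assumed: 0 means no expiry
    if finding["reuse_count"] == 0:
        notes.append("unlimited uses")              # assumed: 0 means unlimited reuse
    if (finding["count"] or 0) > 1:
        notes.append(f"{finding['count']} codes issued at once")
    return notes


def detect_bypass_code_creations(entries):
    """Return one finding per bypass-code creation, with the fields triage needs."""
    findings = []
    for entry in entries:
        if entry.get("action") != BYPASS_CREATE_ACTION:
            continue
        desc = parse_description(entry.get("description"))
        ip = ((entry.get("access_device") or {}).get("ip") or {}).get("address")
        finding = {
            "time": datetime.fromtimestamp(int(entry["timestamp"]), tz=timezone.utc).isoformat(),
            "admin": entry.get("username"),       # actor, i.e. the administrator
            "target_user": entry.get("object"),   # user the code was issued for
            "admin_ip": ip,
            "count": desc.get("count"),
            "valid_secs": desc.get("valid_secs"),
            "reuse_count": desc.get("reuse_count"),
        }
        finding["notes"] = triage_notes(finding)
        findings.append(finding)
    return findings


def codes_issued_by_admin(findings):
    """Total bypass codes issued per administrator, to spot an unusually active account."""
    totals = {}
    for f in findings:
        totals[f["admin"]] = totals.get(f["admin"], 0) + (f["count"] or 1)
    return totals


if __name__ == "__main__":
    for f in detect_bypass_code_creations(SAMPLE_ADMIN_LOGS):
        print(f["time"], f["admin"], "->", f["target_user"], "from", f["admin_ip"], f["notes"])
    print(codes_issued_by_admin(detect_bypass_code_creations(SAMPLE_ADMIN_LOGS)))
```

Against the constructed records, the first creation (one code, one hour, single use, from the administrator's usual IP) produces no notes, while the second (ten non-expiring, unlimited-use codes for a privileged user from a different IP) is the one the Triage steps above would escalate.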