Cisco Duo Policy Allow Network Bypass 2FA

name: Cisco Duo Policy Allow Network Bypass 2FA
id: 2593f641-6192-4f3d-b96c-2bd1c706215f
version: 6
creation_date: '2025-07-10'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: |
    The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA).
    It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present,
    indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and
    filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical
    for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially
    enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy
    change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection
    enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes.
data_source:
    - Cisco Duo Administrator
search: |-
    `cisco_duo_administrator` action=policy_update OR action=policy_create
      | spath input=description
      | search networks_allow=*
      | rename object as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action actionlabel description
           user admin_email networks_allow
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `cisco_duo_policy_allow_network_bypass_2fa_filter`
how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
known_false_positives: No false positives have been identified at this time.
references:
    - https://splunkbase.splunk.com/app/7404
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Cisco Duo Suspicious Activity
asset_type: Identity
mitre_attack_id:
    - T1556
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json
          source: duo
          sourcetype: cisco:duo:administrator
      test_type: unit