Cisco Duo Bypass Code Generation

name: Cisco Duo Bypass Code Generation
id: 446e81ff-ce06-4925-9c7d-4073f9b5abf5
version: 4
date: '2026-03-10'
author: Patrick Bareiss, Splunk
data_source:
    - Cisco Duo Administrator
type: TTP
status: production
description: |
    The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections.
    It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify
    instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable
    attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor.
    Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is
    critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent
    unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication
    standards and reduces the risk of credential-based attacks.
search: |-
    `cisco_duo_administrator` action=bypass_create
      | rename object as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action actionlabel description
           user
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `cisco_duo_bypass_code_generation_filter`
how_to_implement: The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
known_false_positives: No false positives have been identified at this time.
references:
    - https://splunkbase.splunk.com/app/7404
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A user $user$ has generated a bypass code
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Cisco Duo Suspicious Activity
    asset_type: Identity
    mitre_attack_id:
        - T1556
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json
          source: duo
          sourcetype: cisco:duo:administrator