Quick Start Security for Duo Security
Coralogix Extension For Duo Security Includes:
Alerts - 12
Stay on top of Duo Security key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
User Authentication Reported as Fraudulent
This alert detects when an authentication attempt is reported as fraud. When a Duo user denies and marks a Duo Push authentication as suspicious, a fraudulent authentication report is sent to the Duo administrators configured in the Lockout and Fraud section of the Duo Admin Panel.
Impact: An authentication with the status 'fraud' could be triggered by an unsolicited MFA request, which could indicate malicious activity.
Mitigation: Check with the user whether they are aware of this activity and the reason behind it. If they are not aware of the activity, investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078
Bypass Code Used
This alert detects if a Duo user's bypass code was used to authenticate. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (e.g., on a plane without mobile data service) can still access their Duo-protected systems.
Impact: A threat actor can use bypass codes to authenticate into an account and thus bypass other MFA restrictions enabled by the admins.
Mitigation: Follow up with the user to confirm they used the bypass code themselves. If not, investigate further.
MITRE Tactic: TA0006
MITRE Technique: T1556
A Policy Was Updated
This alert detects if a Duo admin updated a configured policy.
Impact: An adversary may attempt to change a policy in order to weaken an organization's security controls.
Mitigation: Investigate the change and validate whether the user was authorized to perform the action.
MITRE Tactic: TA0004
MITRE Technique: T1484
MFA Bypass Enabled
This alert detects when a Duo admin enables a user to authenticate without MFA.
Impact: An adversary may attempt to modify the organization's MFA policy to infiltrate the organization with existing credentials while circumventing the need to authenticate with MFA.
Mitigation: Immediately re-enable the MFA policy and inspect the user who performed the action and their past activities. If the action wasn't approved, also inspect all users' logins and activities while MFA was disabled.
MITRE Tactic: TA0004
MITRE Technique: T1078
Admin Locked out of the Account
This alert detects when a Duo admin is locked out of their account.
Impact: An account lockout could indicate that the account is being brute-forced.
Mitigation: Check if the user is aware of this event. If not, investigate it further for any malicious activity. Also, follow up on the reason for the account lockout.
MITRE Tactic: TA0006
MITRE Technique: T1110
A New Admin Was Created
This alert detects when a new Duo administrator is created.
Impact: A threat actor can create a new admin account after gaining initial access in order to remain persistent in the network.
Mitigation: Check if the new admin creation is legitimate. If not, investigate further for any malicious activity in the network.
MITRE Tactic: TA0005
MITRE Technique: T1578
Admin MFA Restrictions Updated
This alert detects attempts to update MFA restrictions.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.
Mitigation: Re-enable MFA and investigate the user who disabled it, along with all actions performed by users during the time when MFA was disabled.
MITRE Tactic: TA0004
MITRE Technique: T1078
Admin SSO SAML Requirement Disabled
This alert detects when SAML authentication for administrators is marked as Disabled or Optional.
Impact: An adversary may disable the SSO SAML requirement in order to weaken an organization's security controls.
Mitigation: Re-enable the SSO SAML requirement and investigate the user who disabled it, along with all actions performed by users during the time when SSO SAML was disabled.
MITRE Tactic: TA0004
MITRE Technique: T1078
Multiple Failed Login Attempts
This alert is triggered when more than 3 failed login attempts are observed in a 5-minute interval from a specific source. This might be an indication of a brute-force attempt.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify the root cause of the higher-than-usual login failures. It might be an indicator of compromise.
MITRE Tactic: TA0006
MITRE Technique: T1110
Authentication Failed Due to Endpoint Error
This alert detects failed authentication attempts due to suspicious errors observed on the endpoint. The errors can indicate that a device is invalid, cannot be trusted, is not part of a management system, etc.
Impact: Failed login attempts due to endpoint errors could indicate that the endpoint was removed or is outside of organizational policy, and a threat actor could carry out brute-force attacks against the relevant account.
Mitigation: Verify the device status with the endpoint owner. Follow up with the user to verify the login attempts.
MITRE Tactic: TA0006
MITRE Technique: T1110
User Authentication Denied For Anomalous Push
This alert detects when a Duo authentication is denied due to an anomalous 2-factor authentication push. See the following link for more details: https://help.duo.com/s/article/2217?language=en_US
Impact: Several pushes in quick succession could be an indication of a brute-force attack.
Mitigation: Check with the user whether they intended several pushes in quick succession. If not, investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078
Login from an Unfamiliar Country
This alert monitors a login from a new country based on the geolocation of previous logins. This might be an indication of an external actor attempting to gain access.
Impact: Login attempts from an unfamiliar country might be an indicator of compromise.
Mitigation: Check the origin country and consider blocking it if you do not expect to receive authorization requests from that country.
MITRE Tactic: TA0001
MITRE Technique: T1078
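The two threshold-style rules above, "Multiple Failed Login Attempts" (more than 3 failures from one source within 5 minutes) and "Login from an Unfamiliar Country" (a country absent from the user's previous logins), implemented over constructed authentication events. This is an added illustration, not Coralogix's or Duo's own alert code; the record field names (`timestamp`, `user`, `result`, `ip`, `country`) are an assumption modelled on Duo's authentication log and would need mapping to the real parsed fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, user, result, ip, country):
    # Field names are an assumption modelled on Duo's Admin API v2 authentication log.
    return {"timestamp": ts, "user": user, "result": result, "ip": ip, "country": country}

# Constructed sample events (not real Duo data).
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:00Z", "alice", "success", "203.0.113.5", "US"),
    _ev("2024-03-01T10:00:00Z", "bob", "denied", "198.51.100.9", "NL"),
    _ev("2024-03-01T10:01:00Z", "bob", "denied", "198.51.100.9", "NL"),
    _ev("2024-03-01T10:02:00Z", "bob", "denied", "198.51.100.9", "NL"),
    _ev("2024-03-01T10:03:30Z", "bob", "denied", "198.51.100.9", "NL"),  # 4th in 5 min: alert
    _ev("2024-03-01T10:30:00Z", "carol", "denied", "192.0.2.7", "US"),  # isolated failure
    _ev("2024-03-01T11:00:00Z", "alice", "success", "198.51.100.77", "BR"),  # new country
]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (ip, timestamp) for every failure that brings one source above
    `threshold` failures inside a sliding `window` (more than 3 in 5 minutes)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    hits = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["result"] not in ("denied", "failure"):
            continue
        ts = _parse_ts(ev["timestamp"])
        q = recent[ev["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            hits.append((ev["ip"], ev["timestamp"]))
    return hits

def unfamiliar_country_logins(events):
    """Flag a successful login from a country absent from that user's earlier
    successful logins (the geolocation baseline built from previous logins)."""
    baseline = defaultdict(set)  # user -> countries seen in earlier successes
    hits = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["result"] != "success":
            continue
        if baseline[ev["user"]] and ev["country"] not in baseline[ev["user"]]:
            hits.append((ev["user"], ev["country"], ev["timestamp"]))
        baseline[ev["user"]].add(ev["country"])
    return hits
```

The burst rule fires once, on the fourth failure from 198.51.100.9, and the single failure from 192.0.2.7 stays quiet; alice's first login seeds her baseline, so only the later login from BR is flagged.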
Integration
Learn more about Coralogix's out-of-the-box integration with Duo Security in our documentation.