
Quick Start Security for Duo Security

Duo Security

Coralogix Extension For Duo Security Includes:

Alerts - 13

Stay on top of Duo Security key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

User Authentication Reported as Fraudulent

This alert detects when an authentication attempt is reported as fraud. When a Duo user denies a Duo Push authentication and marks it as suspicious, a fraudulent authentication report is sent to the Duo administrators configured in the Lockout and Fraud section of the Duo Admin Panel.

Impact: An authentication with the status 'fraud' is typically triggered by an unsolicited MFA request, which could indicate malicious activity.

Mitigation: Check with the user whether they are aware of this activity and the reason behind it. If they are not aware of it, investigate further.

MITRE Tactic: TA0004
MITRE Technique: T1078

Bypass Code Used

This alert detects if a Duo user's bypass code was used to authenticate. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. Bypass codes are generally used as "backup codes", so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen) or who temporarily cannot use their enrolled devices (e.g., on a plane without mobile data service) can still access their Duo-protected systems.

Impact: A threat actor who obtains a bypass code can authenticate to the account with it and thereby sidestep the other MFA restrictions enabled by the admins.

Mitigation: Follow up with the user to confirm they used the bypass code themselves. If not, investigate further.

MITRE Tactic: TA0006
MITRE Technique: T1556

A Policy Was Updated

This alert detects if a Duo admin updated a configured policy.

Impact: An adversary may change a policy in order to weaken an organization's security controls.

Mitigation: Investigate the change and validate that the user was authorized to make it.

MITRE Tactic: TA0004
MITRE Technique: T1484

MFA Bypass Enabled

This alert detects when a Duo admin enables a user to authenticate without MFA.

Impact: An adversary may modify the organization's MFA policy so that existing credentials alone are enough to get in, circumventing the need to authenticate with MFA.

Mitigation: Immediately re-enable the MFA policy and inspect the user who performed the action and their past activity. If the action was not approved, also inspect all users' logins and activity during the period when MFA was disabled.

MITRE Tactic: TA0004
MITRE Technique: T1078

Admin Locked out of the Account

This alert detects when a Duo admin is locked out of their account.

Impact: An account lockout could indicate that the account is being brute-forced.

Mitigation: Check whether the user is aware of this event. If not, investigate further for any malicious activity. Also follow up on the reason for the account lockout.

MITRE Tactic: TA0006
MITRE Technique: T1110

A New Admin Was Created

This alert detects when a new Duo administrator is created.

Impact: After gaining initial access, a threat actor can create a new admin account in the environment to remain persistent in the network.

Mitigation: Check whether the new admin creation is legitimate. If not, investigate further for any malicious activity in the network.

MITRE Tactic: TA0005
MITRE Technique: T1578

Admin MFA Restrictions Updated

This alert detects attempts to update MFA restrictions.

Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.

Mitigation: Re-enable MFA, investigate the user who disabled it, and review all actions performed by users during the period when MFA was disabled.

MITRE Tactic: TA0004
MITRE Technique: T1078

Admin SSO SAML Requirement Disabled

This alert detects when SAML authentication for administrators is set to Disabled or Optional.

Impact: An adversary may disable the SSO SAML requirement in order to weaken an organization's security controls.

Mitigation: Re-enforce SSO SAML, investigate the user who disabled it, and review all actions performed by users during the period when SSO SAML was not required.

MITRE Tactic: TA0004
MITRE Technique: T1078

Multiple Failed Login Attempts

This alert is triggered when more than 3 failed login attempts are observed in a 5-minute interval from a specific source. This might be an indication of a brute-force attempt.

Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.

Mitigation: Investigate the failed login attempts and verify the root cause of the above-normal number of login failures. It might be an indicator of compromise.

MITRE Tactic: TA0006
MITRE Technique: T1110
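As an added illustration (not part of the Coralogix extension or Duo's own code), the following Python evaluates three of the rules above, the fraud report, the bypass-code use, and the more-than-3-failures-in-5-minutes threshold, over constructed authentication records. The record fields (result, reason, factor, user, ip) are assumed to follow the shape of Duo's v2 authentication log; the values themselves are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records, loosely modelled on Duo v2 authentication log
# fields (result, reason, factor, user, access_device.ip). Not captured data.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "result": "denied", "reason": "invalid_passcode",
     "factor": "sms_passcode", "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-01-10T09:01:10Z", "result": "denied", "reason": "invalid_passcode",
     "factor": "sms_passcode", "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-01-10T09:02:05Z", "result": "denied", "reason": "invalid_passcode",
     "factor": "sms_passcode", "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-01-10T09:03:30Z", "result": "denied", "reason": "invalid_passcode",
     "factor": "sms_passcode", "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-01-10T09:04:00Z", "result": "fraud", "reason": "user_marked_fraud",
     "factor": "duo_push", "user": "bob", "ip": "198.51.100.4"},
    {"ts": "2024-01-10T09:30:00Z", "result": "success", "reason": "bypass_user",
     "factor": "bypass_code", "user": "carol", "ip": "192.0.2.9"},
    {"ts": "2024-01-10T10:00:00Z", "result": "denied", "reason": "invalid_passcode",
     "factor": "sms_passcode", "user": "alice", "ip": "203.0.113.7"},
]

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # fire when failures from one source in the window exceed this

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(events):
    """Return (alert name, key, timestamp) tuples for the three rules."""
    alerts = []
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    for e in sorted(events, key=lambda e: _parse(e["ts"])):
        t = _parse(e["ts"])
        if e["result"] == "fraud":
            alerts.append(("User Authentication Reported as Fraudulent", e["user"], e["ts"]))
        if e["factor"] == "bypass_code":
            alerts.append(("Bypass Code Used", e["user"], e["ts"]))
        if e["result"] in ("denied", "error"):  # treated as failed attempts here
            q = recent[e["ip"]]
            q.append(t)
            while q and t - q[0] > WINDOW:      # slide the 5-minute window
                q.popleft()
            if len(q) == THRESHOLD + 1:         # fire once, when the count first exceeds 3
                alerts.append(("Multiple Failed Login Attempts", e["ip"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for name, key, ts in evaluate(SAMPLE_EVENTS):
        print(ts, name, key)
```

The failure at 10:00 falls outside the window of the earlier four, so it does not re-trigger the threshold rule; a production version would also dedupe across later events in the same burst.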

Authentication Failed Due to Endpoint Error

This alert detects failed authentication attempts caused by suspicious errors observed on the endpoint. Such errors can indicate that a device is invalid, cannot be trusted, is not enrolled in a management system, and so on.

Impact: Failed login attempts due to endpoint errors could indicate that the endpoint was removed from, or falls outside of, the organizational policy, and a threat actor could carry out brute-force attacks against the relevant account.

Mitigation: Verify the device status with the endpoint owner. Follow up with the user to verify the login attempts.

MITRE Tactic: TA0006
MITRE Technique: T1110

User Authentication Denied For Anomalous Push

This alert detects when a Duo authentication is denied because of an anomalous two-factor authentication push. See the following link for more details: https://help.duo.com/s/article/2217?language=en_US

Impact: Several pushes in quick succession could be an indication of a brute-force attack.

Mitigation: Check with the user whether they intended several pushes in quick succession. If not, investigate further.

MITRE Tactic: TA0004
MITRE Technique: T1078

Login from an unfamiliar country

This alert monitors for a login from a new country, based on the geolocation of previous logins. This might be an indication of an external actor attempting to gain access.

Impact: Login attempts from an unfamiliar country might be an indicator of compromise.

Mitigation: Check the origin country and consider blocking it if you do not expect authorization requests from that country.

MITRE Tactic: TA0001
MITRE Technique: T1078

No logs from Duo Security

This rule detects if there are no logs from Duo Security in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.

MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with Duo Security in our documentation.
