
Summary
This detection rule monitors Cisco Duo administrator activity for policy changes that permit access from tampered or rooted devices. Such devices, including jailbroken smartphones, pose a significant security risk: they can bypass standard platform security controls, allow unauthorized software installation, and are more susceptible to compromise. By analyzing the Duo administrator logs, the detection identifies policy creation or update actions that specifically target the 'allow_rooted_devices' setting. The rule captures the administrator's email together with the timestamp of the policy change, so that responders can establish when and by whom the setting was modified. This gives Security Operations Centers (SOCs) a way to surface misconfigurations or malicious actions that weaken authentication controls and could let an attacker reach sensitive organizational systems. Unauthorized access resulting from such a policy change can lead to data breaches and significant lateral movement within the enterprise, which is why prompt detection and response is needed.
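The detection logic described above, written out as an added example that is not part of the original rule: it walks a set of Duo administrator-log records, keeps only policy create/update actions, parses the change details, and emits one alert per record that enables 'allow_rooted_devices'. The log entries are constructed for illustration, and the field names (action, username, isotimestamp, object, description) are assumptions about the record shape rather than values taken from the page.

```python
import json

# Constructed sample Duo administrator-log records (not real data).
# Field names are assumed here; only 'allow_rooted_devices' comes from the rule text.
SAMPLE_ADMIN_LOG = [
    {
        "action": "policy_update",
        "username": "admin@example.com",
        "isotimestamp": "2025-07-10T14:02:11+00:00",
        "object": "Global Policy",
        "description": json.dumps({"allow_rooted_devices": True}),
    },
    {
        "action": "policy_create",
        "username": "helpdesk@example.com",
        "isotimestamp": "2025-07-10T14:05:40+00:00",
        "object": "Contractor Policy",
        "description": json.dumps({"allow_rooted_devices": False, "require_screen_lock": True}),
    },
    {
        # Not a policy action: must be ignored even though the same admin performed it.
        "action": "admin_login",
        "username": "admin@example.com",
        "isotimestamp": "2025-07-10T13:59:00+00:00",
        "object": None,
        "description": json.dumps({"ip_address": "203.0.113.5"}),
    },
    {
        # Malformed detail payload: the detector must not crash on it.
        "action": "policy_update",
        "username": "admin@example.com",
        "isotimestamp": "2025-07-10T14:20:00+00:00",
        "object": "Global Policy",
        "description": "not-json",
    },
]

# Only these admin actions can change a policy setting.
POLICY_ACTIONS = {"policy_create", "policy_update"}

# The setting may be logged as a boolean, number, or string depending on the source.
TRUE_VALUES = {True, 1, "1", "true", "True"}


def parse_description(raw):
    """The change details are assumed to arrive as a JSON string; tolerate bad input."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def detect_rooted_device_policy_changes(entries):
    """Return one alert per policy create/update that enables allow_rooted_devices."""
    alerts = []
    for entry in entries:
        if entry.get("action") not in POLICY_ACTIONS:
            continue
        details = parse_description(entry.get("description"))
        value = details.get("allow_rooted_devices")
        if isinstance(value, str):
            value = value.strip()
        if value not in TRUE_VALUES:
            continue
        # Capture who changed what and when, as the rule summary describes.
        alerts.append({
            "admin": entry.get("username"),
            "timestamp": entry.get("isotimestamp"),
            "action": entry["action"],
            "policy": entry.get("object"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rooted_device_policy_changes(SAMPLE_ADMIN_LOG):
        print(alert)
```

Only the first record produces an alert: the second sets the flag to false, the third is not a policy action, and the fourth has an unparseable payload. Disabling the setting is deliberately not alerted on, since that is the hardening direction; a SOC that wants a full audit trail can drop the value check and record the before/after state instead.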
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Domain Name
ATT&CK Techniques
- T1556
Created: 2025-07-10