
Summary
The Duo User Auth Denied For Anomalous Push rule monitors Duo two-factor authentication (2FA) push notifications and fires when Duo denies an authentication attempt because it classified the push as anomalous. Duo flags a push as anomalous when the request pattern is unusual, for example several push notifications sent to the same user or device in quick succession, which may indicate tampering or an unauthorized access attempt. The triggering event records the relevant details of the incident, including the user, the application being accessed, and the reason for the denial. When the rule fires, security personnel should follow up with the affected user to confirm whether they initiated the rapid push requests, and take any further action needed to mitigate the risk.
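Added example, not part of the rule or of Duo's own tooling: Python detection logic that applies the rule's condition to constructed Duo-style authentication log lines. The field names and the `anomalous_push` reason value are modelled on the Duo Admin API authentication log format and are assumptions to check against your own export; the sliding-window threshold goes beyond the rule itself to isolate the rapid-succession pattern the description calls out.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines modelled on Duo Admin API v2 authentication
# events (field names and values are an assumption; adjust to your export).
SAMPLE_LOG = """
{"timestamp": 1670975000, "result": "denied", "reason": "anomalous_push", "factor": "duo_push", "user": {"name": "alice"}, "application": {"name": "VPN"}}
{"timestamp": 1670975020, "result": "denied", "reason": "anomalous_push", "factor": "duo_push", "user": {"name": "alice"}, "application": {"name": "VPN"}}
{"timestamp": 1670975045, "result": "denied", "reason": "anomalous_push", "factor": "duo_push", "user": {"name": "alice"}, "application": {"name": "VPN"}}
{"timestamp": 1670975100, "result": "success", "reason": "user_approved", "factor": "duo_push", "user": {"name": "bob"}, "application": {"name": "VPN"}}
{"timestamp": 1670978000, "result": "denied", "reason": "anomalous_push", "factor": "duo_push", "user": {"name": "carol"}, "application": {"name": "Webmail"}}
"""

def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_anomalous_push_denial(event):
    """The rule condition: Duo denied the attempt because the push was anomalous."""
    return event.get("result") == "denied" and event.get("reason") == "anomalous_push"

def detect(events, window_seconds=300, threshold=1):
    """One alert per user whose densest `window_seconds` window holds at least
    `threshold` anomalous-push denials. threshold=1 mirrors the rule (every
    denial alerts); a higher threshold isolates rapid-succession bursts."""
    by_user = defaultdict(list)
    for ev in events:
        if is_anomalous_push_denial(ev):
            by_user[ev["user"]["name"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        start, densest = 0, 0
        for end, ev in enumerate(evs):  # sliding window over sorted timestamps
            while ev["timestamp"] - evs[start]["timestamp"] > window_seconds:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            ts = lambda e: datetime.fromtimestamp(e["timestamp"], tz=timezone.utc).isoformat()
            alerts.append({
                "user": user,
                "applications": sorted({e["application"]["name"] for e in evs}),
                "max_denials_in_window": densest,
                "first_seen": ts(evs[0]),
                "last_seen": ts(evs[-1]),
            })
    return alerts
```

Each alert carries the user, the applications involved and the time span, which is what the analyst needs when contacting the user to confirm whether the pushes were expected.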
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
Created: 2022-12-14