
Summary
The rule "Duo Admin User MFA Bypass Enabled" detects when an administrator enables a user account to authenticate without multi-factor authentication (MFA). This poses a security risk because it removes the protection that MFA provides against unauthorized access. The rule monitors log events for user updates within the Duo administration framework and looks for any instance where an account's status is changed to 'Bypass', which indicates that MFA requirements have been disabled for that account. The rule fires when such a change is logged, since it signifies a breach of security policy regarding user authentication. The severity is classified as medium, reflecting the potential misuse of administrative privileges. When an account bypass flag is detected, it warrants immediate attention to assess the implications and remediate any potential exposure.
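As an added example that is not part of the rule page or of Duo's own code, the match condition described above expressed in Python and run over constructed log records; the field names (action, username, object, description, isotimestamp) are assumptions modelled on Duo's administrator-action log format, and the description field is assumed to carry the change details as a JSON string.

```python
import json

# Constructed sample Duo administrator-action log records (field names are
# assumptions modelled on Duo's admin log format, not taken from the rule page).
SAMPLE_EVENTS = [
    {"action": "user_update", "username": "admin@example.com", "object": "jdoe",
     "description": json.dumps({"status": "bypass"}), "isotimestamp": "2023-01-20T10:00:00Z"},
    {"action": "user_update", "username": "admin@example.com", "object": "asmith",
     "description": json.dumps({"status": "active"}), "isotimestamp": "2023-01-20T10:01:00Z"},
    {"action": "admin_login", "username": "admin@example.com", "object": None,
     "description": json.dumps({"ip_address": "203.0.113.5"}), "isotimestamp": "2023-01-20T10:02:00Z"},
    # Malformed description: must not crash the detector, must not match.
    {"action": "user_update", "username": "helpdesk@example.com", "object": "bob",
     "description": "not json", "isotimestamp": "2023-01-20T10:03:00Z"},
    # Case variant of the status value: should still match.
    {"action": "user_update", "username": "helpdesk@example.com", "object": "carol",
     "description": json.dumps({"status": "Bypass"}), "isotimestamp": "2023-01-20T10:04:00Z"},
]


def parse_description(raw):
    """Return the change details as a dict, tolerating missing or malformed data."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def is_mfa_bypass_enabled(event):
    """The rule's condition: a user update that sets the account status to bypass."""
    if event.get("action") != "user_update":
        return False
    details = parse_description(event.get("description"))
    return str(details.get("status", "")).lower() == "bypass"


def detect_bypass_events(events):
    """Produce one medium-severity alert per matching event, in log order."""
    return [
        {"rule": "Duo Admin User MFA Bypass Enabled", "severity": "medium",
         "admin": e.get("username"), "user": e.get("object"), "time": e.get("isotimestamp")}
        for e in events if is_mfa_bypass_enabled(e)
    ]


if __name__ == "__main__":
    for alert in detect_bypass_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```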
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
Created: 2023-01-20