
Summary
This analytic detection rule monitors Cisco Duo administrator logs to identify policies that are created or modified to permit devices without a screen lock. Specifically, it tracks policy events in which the 'require_lock' setting is set to false, which weakens the security posture of devices that authenticate to the network. Such policy changes can increase the risk of credential theft, unauthorized access, or data breaches, especially if a device is lost or stolen. Because attackers often look for ways to lower security standards, detecting these changes promptly lets a Security Operations Center (SOC) respond and mitigate the threat. Through this rule, organizations gain oversight of device access policies and can keep stringent security controls in place during user authentication.
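The detection logic described above, run over constructed log lines, as an added example that is not part of the original rule or of Cisco's code. The record field names (action, object, description, username, timestamp) and the action values policy_create/policy_update are assumptions modelled on Duo administrator log exports; only the require_lock setting comes from the rule summary.

```python
import json

# Constructed sample records in the shape of Duo administrator log lines (one
# JSON object per line). Field names and action values are assumed for this
# example; verify them against your own Duo admin log export.
SAMPLE_LOG_LINES = [
    '{"timestamp": 1752148800, "username": "admin@example.com", "action": "policy_update", '
    '"object": "Remote Workers", "description": "{\\"require_lock\\": false}"}',
    '{"timestamp": 1752148900, "username": "admin@example.com", "action": "policy_update", '
    '"object": "Finance", "description": "{\\"require_lock\\": true}"}',
    '{"timestamp": 1752149000, "username": "helpdesk@example.com", "action": "policy_create", '
    '"object": "Contractors", "description": "{\\"require_lock\\": false, \\"require_encryption\\": true}"}',
    '{"timestamp": 1752149100, "username": "admin@example.com", "action": "admin_login", '
    '"object": "", "description": "{}"}',
]

# Only policy creation and modification events are in scope for this rule.
POLICY_ACTIONS = {"policy_create", "policy_update"}


def screen_lock_disabled(description):
    """Return True when the changed-settings payload sets require_lock to false.

    The description is assumed to be a JSON-encoded string of changed settings;
    a dict is accepted too, and the string form "false" is tolerated in case an
    export stringifies boolean values. Unparseable input is never flagged.
    """
    if isinstance(description, str):
        try:
            description = json.loads(description)
        except ValueError:
            return False
    if not isinstance(description, dict):
        return False
    value = description.get("require_lock")
    return value is False or (isinstance(value, str) and value.lower() == "false")


def find_screen_lock_policy_changes(lines):
    """Return a list of alert dicts for policy events that disable the screen lock."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than crash the detection
        if record.get("action") not in POLICY_ACTIONS:
            continue
        if screen_lock_disabled(record.get("description", "")):
            alerts.append({
                "timestamp": record.get("timestamp"),
                "username": record.get("username"),
                "action": record.get("action"),
                "policy": record.get("object"),
            })
    return alerts
```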
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Driver
- Application Log
- User Account
ATT&CK Techniques
- T1556
Created: 2025-07-10