Duo Admin Bypass Code Viewed

Panther Rules

Summary
This detection rule identifies when a Duo administrator views a Multi-Factor Authentication (MFA) bypass code for a user. It matches Duo administrator log events whose action is `bypass_view` and records the relevant details of the view: the administrator's username, the timestamp, and the event description. For example, it would capture an event in which the administrator Homer Simpson viewed the bypass code for user D1234, and the resulting alert carries the specifics of that interaction from the action log.

Bypass codes are sensitive: a bypass code lets its holder complete Duo authentication without the user's enrolled device, so exposure to an unauthorized individual is a direct MFA compromise. Every `bypass_view` event should therefore be reviewed to confirm that the view was authorized, that the code was handed over through an approved channel, and that it was not shared or mishandled; an unexpected view is a signal that the integrity of that user's MFA settings may be at risk.

Every action categorized as `bypass_view` matches the rule. Matches generate a notification once they reach the configured threshold within the 60-minute deduplication period, and further matches inside that window are attached to the existing alert rather than raising a new one.
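As an added illustration, not the rule's own source code, the following Python mirrors the logic the summary describes in the shape Panther rules use (`rule`, `title`, `dedup` functions): match events whose action is `bypass_view`, name the administrator and the target user in the alert title, and fold repeated views by the same administrator of the same user into one alert for a 60-minute deduplication window. The sample events are constructed for this example; the `user_id` key inside the JSON-encoded description is an assumption about the log layout, and the parser tolerates a description that is missing or not valid JSON.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Duo administrator log events (not real data).
# Field names follow the page's description: action, username, timestamp,
# and a JSON-encoded description. The "user_id" key is an assumption.
SAMPLE_EVENTS = [
    {"action": "bypass_view", "username": "Homer Simpson",
     "timestamp": "2022-12-21T10:00:00Z",
     "description": json.dumps({"user_id": "D1234"})},
    {"action": "bypass_view", "username": "Homer Simpson",
     "timestamp": "2022-12-21T10:30:00Z",
     "description": json.dumps({"user_id": "D1234"})},
    {"action": "user_update", "username": "Homer Simpson",
     "timestamp": "2022-12-21T10:35:00Z",
     "description": json.dumps({"user_id": "D1234"})},
    # Same admin and user again, but 90 minutes after the first view:
    # outside the dedup window, so it must open a new alert.
    {"action": "bypass_view", "username": "Homer Simpson",
     "timestamp": "2022-12-21T11:30:00Z",
     "description": json.dumps({"user_id": "D1234"})},
    # Malformed description: the rule must still fire, with a placeholder user.
    {"action": "bypass_view", "username": "Marge Simpson",
     "timestamp": "2022-12-21T10:40:00Z",
     "description": "not json"},
]

DEDUP_PERIOD = timedelta(minutes=60)


def parse_description(event):
    """Return the description as a dict; Duo stores it as a JSON string."""
    raw = event.get("description")
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw or "{}")
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def rule(event):
    """The detection itself: any administrator bypass-code view matches."""
    return event.get("action") == "bypass_view"


def title(event):
    admin = event.get("username", "<username_not_found>")
    user = parse_description(event).get("user_id", "<user_not_found>")
    return f"Duo: [{admin}] viewed an MFA bypass code for [{user}]."


def dedup(event):
    """Dedup key: one alert per (administrator, target user) per window."""
    admin = event.get("username", "<username_not_found>")
    user = parse_description(event).get("user_id", "<user_not_found>")
    return f"{admin}:{user}"


def evaluate(events, dedup_period=DEDUP_PERIOD):
    """Apply rule() to each event in time order and group matches into alerts.

    A match whose dedup key already has an alert opened inside the current
    window is attached to that alert; once the window has elapsed, the next
    match for the same key opens a new alert.
    """
    alerts = []
    open_alerts = {}  # dedup key -> (window start, alert dict)
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(event):
            continue
        ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        key = dedup(event)
        current = open_alerts.get(key)
        if current and ts - current[0] < dedup_period:
            current[1]["events"].append(event)
            continue
        alert = {"title": title(event), "dedup": key, "events": [event]}
        alerts.append(alert)
        open_alerts[key] = (ts, alert)
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['title']}  ({len(alert['events'])} event(s))")
```

Run against the constructed events this yields three alerts: Homer Simpson's 10:00 and 10:30 views of D1234 collapse into one, his 11:30 view falls outside the 60-minute window and opens a second, and Marge Simpson's view with the unparseable description becomes a third with `<user_not_found>` as the target. The `user_update` event never matches, since `rule()` is the only filter.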
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
Created: 2022-12-21