Splunk

Cisco Duo Admin Login Unusual Country

Last updated 2 days ago on 2026-07-17

About

The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States") | rename actor.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime BY access_device.browser access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version actor.details actor.type outcome.result user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_admin_login_unusual_country_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).