Splunk

Cisco Duo Policy Allow Network Bypass 2FA

Last updated 2 days ago on 2026-07-17

About

The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA). It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present, indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search networks_allow=* | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user admin_email networks_allow | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_allow_network_bypass_2fa_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).