Splunk

Cisco Duo Bypass Code Generation

Last updated 2 days ago on 2026-07-17

About

The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections. It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor. Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication standards and reduces the risk of credential-based attacks.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_administrator` action=bypass_create | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_bypass_code_generation_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).