Splunk

Cisco Duo Policy Allow Tampered Devices

Last updated 2 days ago on 2026-07-17

About

The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones, to access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices setting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration. Allowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more susceptible to compromise. For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a misconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with compromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment, making prompt detection and response essential to maintaining organizational security.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search allow_rooted_devices=true | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_allow_tampered_devices_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).