text code block:`cisco_duo_activity` action.name=user_update | spath input=target.details path=status output=status | spath input=old_target.details path=status output=old_status | search status=Bypass old_status=Active | rename target.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime BY access_device.browser access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version action.name actor.details actor.name actor.type old_target.details target.details status old_status user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_set_user_status_to_bypass_2fa_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).