Splunk

Cisco Duo Set User Status to Bypass 2FA

Last updated 2 days ago on 2026-07-17

About

The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_activity` action.name=user_update | spath input=target.details path=status output=status | spath input=old_target.details path=status output=old_status | search status=Bypass old_status=Active | rename target.name as user access_device.ip.address as src_ip | stats count min(_time) as firstTime max(_time) as lastTime BY access_device.browser access_device.browser_version src_ip access_device.location.city access_device.location.country access_device.location.state access_device.os access_device.os_version action.name actor.details actor.name actor.type old_target.details target.details status old_status user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_set_user_status_to_bypass_2fa_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).