Splunk

Cisco Duo Policy Skip 2FA for Other Countries

Last updated 2 days ago on 2026-07-17

About

The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations. This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.' This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search user_locations_default_action="Allow access without 2FA" | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_skip_2fa_for_other_countries_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).