text code block:`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search auth_status="Deny access" | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_deny_access_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).