Splunk

Cisco Duo Policy Allow Old Java

Last updated 2 days ago on 2026-07-17

About

The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant security risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets 'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details such as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center (SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. Attackers or malicious insiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection enables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/7404(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_duo_administrator` action=policy_update OR action=policy_create | spath input=description | search java_remediation="no remediation" | rename object as user | stats count min(_time) as firstTime max(_time) as lastTime BY action actionlabel description user admin_email | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_duo_policy_allow_old_java_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).