---
# Panther detection rule: a Duo administrator sets a user's status to
# "Bypass", which lets that user authenticate without completing MFA.
# The matching logic lives in the companion Python file named under
# Filename; this document carries the rule metadata and the unit-test
# fixtures that are run against that logic.
AnalysisType: rule
Filename: duo_admin_user_mfa_bypass_enabled.py
RuleID: "Duo.Admin.User.MFA.Bypass.Enabled"
DisplayName: "Duo Admin User MFA Bypass Enabled"
Enabled: true
LogTypes:
  - Duo.Administrator
Severity: Medium
Description: An Administrator enabled a user to authenticate without MFA.
Reference: https://duo.com/docs/policy#authentication-policy

# Alert grouping window (minutes) and the number of matching events
# needed before an alert is raised.
DedupPeriodMinutes: 60
Threshold: 1

# Each fixture is a Duo.Administrator event. The `description` field is a
# JSON-encoded string, not a nested mapping, so it is kept quoted here.
Tests:
  # A status change to "Active" is a routine update and must not alert.
  - Name: Account Active
    ExpectedResult: false
    Log:
      action: user_update
      description: '{"status": "Active"}'
      isotimestamp: "2021-10-05 22:45:33"
      object: bart.simpson@simpsons.com
      timestamp: "2021-10-05 22:45:33"
      username: Homer Simpson

  # Disabling an account is a lockout, not an MFA bypass; no alert expected.
  - Name: Account Disabled
    ExpectedResult: false
    Log:
      action: user_update
      description: '{"status": "Disabled"}'
      isotimestamp: "2021-10-05 22:45:33"
      object: bart.simpson@simpsons.com
      timestamp: "2021-10-05 22:45:33"
      username: Homer Simpson

  # The only positive case: status set to "Bypass" must fire the rule.
  - Name: Bypass Enabled
    ExpectedResult: true
    Log:
      action: user_update
      description: '{"status": "Bypass"}'
      isotimestamp: "2021-10-05 22:45:33"
      object: bart.simpson@simpsons.com
      timestamp: "2021-10-05 22:45:33"
      username: Homer Simpson

  # A user_update whose description carries no "status" key at all must
  # not alert, guarding against matching on the action name alone.
  - Name: Phones Update
    ExpectedResult: false
    Log:
      action: user_update
      description: '{"phones": ""}'
      isotimestamp: "2021-07-02 19:06:40"
      object: homer.simpson@simpsons.com
      timestamp: "2021-07-02 19:06:40"
      username: Homer Simpson