---
# Panther rule spec: alerts when Duo denies an authentication because it
# judged the 2FA push anomalous. Presumably the match logic itself lives in
# the Python file named under Filename; this spec carries the metadata and
# the unit-test fixtures the Panther test runner feeds to that rule.
AnalysisType: rule
Filename: duo_user_anomalous_push.py
RuleID: "DUO.User.Denied.AnomalousPush"
DisplayName: "Duo User Auth Denied For Anomalous Push"
Enabled: true
# Alert dedup window, in minutes.
DedupPeriodMinutes: 15
LogTypes:
  - Duo.Authentication
Tags:
  - Duo
Severity: Medium
Description: >
  A Duo authentication was denied due to an anomalous 2FA push.
Reference: https://duo.com/docs/adminapi#authentication-logs
# NOTE(review): a denied second factor suggests the first factor was likely
# accepted — confirm whether the runbook should also cover a credential reset.
Runbook: Follow up with the user to confirm they intended several pushes in quick succession.

# Fixtures: each Log is one Duo.Authentication event and ExpectedResult is
# the verdict expected for it. The three cases differ only in the
# reason/result pair. NOTE(review): no fixture pairs reason anomalous_push
# with a result other than denied, so whether the rule keys on reason alone
# or on both fields is not pinned by these tests — check the Python rule.
Tests:
  # Duo denied the push and gave anomalous_push as the reason -> alert.
  - Name: anomalous_push_occurred
    ExpectedResult: true
    Log:
      access_device:
        ip: "12.12.112.25"
        os: "Mac OS X"
      auth_device:
        ip: "12.12.12.12"
      application:
        key: "D12345"
        name: "Slack"
      event_type: "authentication"
      factor: "duo_push"
      reason: "anomalous_push"
      result: "denied"
      user:
        name: "example@example.io"

  # Ordinary approved push -> no alert.
  - Name: good_auth
    ExpectedResult: false
    Log:
      access_device:
        ip: "12.12.112.25"
        os: "Mac OS X"
      auth_device:
        ip: "12.12.12.12"
      application:
        key: "D12345"
        name: "Slack"
      event_type: "authentication"
      factor: "duo_push"
      reason: "user_approved"
      result: "success"
      user:
        name: "example@example.io"

  # Denied for an unrelated reason (out_of_date) -> no alert; guards against
  # matching on result == denied alone.
  - Name: denied_old_creds
    ExpectedResult: false
    Log:
      access_device:
        ip: "12.12.112.25"
        os: "Mac OS X"
      auth_device:
        ip: "12.12.12.12"
      application:
        key: "D12345"
        name: "Slack"
      event_type: "authentication"
      factor: "duo_push"
      reason: "out_of_date"
      result: "denied"
      user:
        name: "example@example.io"