Cisco Duo integration case studies
The Sophos MDR team escalated the following cases for Cisco Duo alerts.
Case 1
The case
On February 6, 2024, the MDR team was alerted to an XDR-duo-Account-Manipulation detection within your estate, which was triggered by a user marking a request as fraud in the Duo multi-factor authenticator. This was associated with the user anadmin and occurred at 2024-02-05 21:17:33 UTC. The IP of the device attempting access was 193.219.44[.]198, which belongs to the ISP Comcast Ltd in London, England. This login request was generated for attempted access to the application Office 365 Apps-Redacted-Ltd. As a precaution we would like to confirm whether this was accidental or whether the user intentionally marked it as fraud because they did not perform a login that would request MFA. Please see our recommendations below and let us know if you have any questions or concerns.
Recommendations
- Confirm with the MDR team that the activity described above was expected by user anadmin.
- If it was not expected, reset the credentials for user anadmin.
Customer response
Following this escalation, the customer responded that the user received a Duo authentication request on his phone, which was not initiated by him. Thus, the user denied the request, and triggered the alert. Since this was not an expected authentication, the user's password was reset.
Case 2
The case
On January 11, 2024, the Sophos MDR team received a cluster of security alerts from XDR-duo-Account-Manipulation. The alert type with the highest alert score is user_marked_fraud, mapped to the MITRE ATT&CK technique Account Manipulation. We observed that the activity was actioned (original alert action: information) by the alerting security control. MDR investigation observed that user user[@]domain.com marked a Duo request as fraud. We have checked the source IP xx.xxx.xx.xx and have not observed any malicious artifacts. OSINT on the IP shows it as belonging to Verizon Business, located in New York. The time of the activity was noted as 2024-01-11 10:39:24.012 UTC.
Recommendations
- Confirm whether this sign-in activity is expected.
- If the activity is not expected, reset the user credentials for user[@]domain.com.
Please inform MDR of your actions and findings after reviewing our recommendations. Don't hesitate to contact us with any further questions or concerns.
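Both cases above are the same triage pattern: a Duo authentication whose result is "fraud" with reason user_marked_fraud is surfaced with the user, UTC time, source IP, location and application, and followed by the confirm-or-reset recommendation. The following is an added example, not Sophos or Cisco code; it assumes Duo Admin API authentication log records are line-delimited JSON with the field names shown, and the sample records are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample records shaped like Duo Admin API v2 authentication log
# entries. Field names are an assumption; values are made up, with the first
# record mirroring Case 1 (anadmin, 2024-02-05 21:17:33 UTC, Office 365 Apps).
SAMPLE_DUO_AUTHLOG = """
{"timestamp": 1707167853, "result": "fraud", "reason": "user_marked_fraud", "user": {"name": "anadmin"}, "access_device": {"ip": "203.0.113.10", "location": {"city": "London", "country": "United Kingdom"}}, "application": {"name": "Office 365 Apps"}}
{"timestamp": 1707167900, "result": "success", "reason": "user_approved", "user": {"name": "jdoe"}, "access_device": {"ip": "198.51.100.7", "location": {"city": "Austin", "country": "United States"}}, "application": {"name": "VPN"}}
{"timestamp": 1707168000, "result": "denied", "reason": "user_mistake", "user": {"name": "anadmin"}, "access_device": {"ip": "203.0.113.10", "location": {"city": "London", "country": "United Kingdom"}}, "application": {"name": "Office 365 Apps"}}
"""


def defang_ip(ip: str) -> str:
    """Bracket the last dot, as the case notes do, so the IP is not clickable."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}" if head else ip


def fraud_events(raw_lines: str) -> list[dict]:
    """Return one escalation record per authentication the user marked as fraud.

    Denied or approved pushes are skipped; only result == "fraud" with the
    user_marked_fraud reason maps to the Account Manipulation alert in the cases.
    """
    events = []
    for line in raw_lines.strip().splitlines():
        rec = json.loads(line)
        if rec.get("result") != "fraud" or rec.get("reason") != "user_marked_fraud":
            continue
        when = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
        dev = rec.get("access_device", {})
        loc = dev.get("location", {})
        user = rec["user"]["name"]
        events.append({
            "user": user,
            "time_utc": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "source_ip": defang_ip(dev.get("ip", "")),
            "location": f"{loc.get('city', '?')}, {loc.get('country', '?')}",
            "application": rec.get("application", {}).get("name", "?"),
            "recommendation": f"Confirm with user {user} whether this request was expected; "
                              f"if not, reset the credentials for {user}.",
        })
    return events


if __name__ == "__main__":
    for event in fraud_events(SAMPLE_DUO_AUTHLOG):
        print(json.dumps(event, indent=2))
```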