Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=duo-cases

Cisco Duo integration case studies

API Identity

The Sophos MDR team escalated the following cases for Cisco Duo alerts.

Case 1

The case

On February 6, 2024, the MDR team was alerted to an XDR-duo-Account-Manipulation detection within your estate, which was triggered by user marked fraud on the DUO multi factor authenticator. This was associated with the user anadmin and occurred at 2024-02-05 21:17:33 UTC. The IP of the device attempting access was 193.219.44[.]198 which belongs to ISP Comcast Ltd, in London, England. This login request was generated for attempted access to the application Office 365 Apps-Redacted-Ltd. As a precaution we would like to confirm whether this was accidental or the user intentionally marked this as fraud as they did not perform a login to request MFA. Please see our recommendations below, let us know if you have any questions or concerns.

Recommendations

  • Confirm with MDR team that the above described activity was expected by user anadmin.
  • If not expected, reset the credentials for user anadmin.

Customer response

Following this escalation, the customer responded that the user received a Duo authentication request on his phone, which was not initiated by him. Thus, the user denied the request, and triggered the alert. Since this was not an expected authentication, the user's password was reset.

Case 2

The case

On January 11, 2024, the Sophos MDR team received a cluster of security alerts from XDR-duo-Account-Manipulation. The alert type with the highest alert score is user_marked_fraud mapped under the MITRE ATTACK Technique as Account Manipulation. We observed the activity was actioned (original alert action: information) by the alerting security control. MDR investigation observed user user[@]domain.com marked a Duo request as fraud. We have checked the source IP xx.xxx.xx.xx and have not observed any malicious artifacts. OSINT on the IP shows it as belonging to Verizon Business, located in New York. The time of the activity was noted as 2024-01-11 10:39:24.012 UTC.

Recommendations

  • Confirm whether this sign-in activity is expected.
  • If the activity is not expected, reset the user credentials for user[@]domain.com.

Please inform MDR of your actions and findings after reviewing our recommendations. Don't hesitate to contact us with any further questions or concerns.