Cisco Duo – Risky login from untrusted endpoint
Playbook Description
This playbook investigates risky logons from untrusted endpoints by analyzing user behavior, checking device reputation, and evaluating the risk of the login attempt.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Defense Evasion(TA0005) | System Binary Proxy Execution(T1218) | InstallUtil(T1218.004) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Model(D3-Model) | Application Hardening(D3-AH) | Process Segment Execution Prevention(D3-PSEP) |
Playbook input type
Alert
Prerequisites
- VirusTotal API - Need to connect to the VirusTotal API and fetch an access key to check IP reputation.
- Cisco Duo configuration - Need to connect to Cisco Duo using an HMAC-signed connection with the Integration Key and Secret Key.
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs
Dependencies
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Extensions - Cisco Duo
- ciscoduo_retrieveBypassCodesByUserId
- ciscoduo_createPolicy
- ciscoduo_retrievePolicies
- ciscoduo_retrieveEndpointById
- ciscoduo_modifyUser
- ciscoduo_deleteBypassCode
- ciscoduo_retrieveUserById
Utility functions
- utility_filterAndMatchEvents
- utility_getRequiredTime
- utility_analyseDeviceHealthResult
- utility_convertTimeToUTC
- utility_validateResponses
- utility_sendMail
Connections
VirusTotal connection - Need to connect to the VirusTotal API and fetch an access key to check malware IP/URL/file details.
Cisco Duo connection - Need to connect to Cisco Duo using the Integration Key, Secret Key and API Hostname.
Sub playbooks
- Cisco Duo - Block IP
- Cisco Duo - Add user to group
Execution workflow
Investigation:
- Checks the IP reputation.
- Calculates the IP risk score.
- Checks the bypass-code issued recently.
- Analyzes the user.
Decision logic:
- Proceeds to remediation when the following condition is met:
  - The associated IP address has a high-risk score.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Retrieves the bypass codes issued to the user.
- Checks whether a bypass code exists.
- Passes the bypass code results.
- Executes the "Cisco Duo - Add user to group" sub-playbook.
- Retrieves all policies.
- Checks whether a trusted endpoint policy already exists.
- Checks whether the policy is missing.
- Passes the policy result.
- Checks whether the endpoint ID exists.
- Passes the endpoint results.
- Executes the "Cisco Duo - Block IP" sub-playbook.
- Checks whether any remediation step failed.
- Builds the notification email with the remediation details and findings.
- Sends a notification email describing the actions taken and the required next steps.
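The investigation, decision and remediation flow above, written out as an added Python example that is not part of the playbook or its extensions. The risk-score formula, the 24-hour "recently issued" window for bypass codes, the 50-point high-risk threshold and all sample data are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a VirusTotal-style last_analysis_stats block for the
# alert's source IP (engine counts made up for this example).
VT_STATS = {"malicious": 40, "suspicious": 5, "harmless": 20, "undetected": 10}

# Constructed sample: bypass codes returned for the user, with creation
# times as UTC epoch seconds (the playbook converts times to UTC before comparing).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BYPASS_CODES = [
    {"bypass_code_id": "bc-recent", "created": int((NOW - timedelta(hours=2)).timestamp())},
    {"bypass_code_id": "bc-old", "created": int((NOW - timedelta(days=30)).timestamp())},
]


def risk_score(stats: dict) -> int:
    """Assumed scoring: percentage of engines flagging the IP as malicious or suspicious."""
    total = sum(stats.values())
    if total == 0:
        return 0
    return round(100 * (stats["malicious"] + stats["suspicious"]) / total)


def recent_bypass_codes(codes: list, now: datetime, window_hours: int = 24) -> list:
    """Return IDs of bypass codes created inside the assumed 'recent' window."""
    cutoff = now - timedelta(hours=window_hours)
    return [
        c["bypass_code_id"]
        for c in codes
        if datetime.fromtimestamp(c["created"], timezone.utc) >= cutoff
    ]


def plan_remediation(score: int, recent_codes: list, policy_exists: bool, high_risk: int = 50) -> list:
    """Decision logic: no confirmed indicators -> end; otherwise the ordered remediation steps."""
    if score < high_risk:
        return []
    actions = [f"delete_bypass_code:{code}" for code in recent_codes]
    actions.append("add_user_to_group")          # "Cisco Duo - Add user to group" sub-playbook
    if not policy_exists:
        actions.append("create_trusted_endpoint_policy")
    actions.append("block_ip")                   # "Cisco Duo - Block IP" sub-playbook
    actions.append("send_notification_email")
    return actions


if __name__ == "__main__":
    score = risk_score(VT_STATS)
    print(score, plan_remediation(score, recent_bypass_codes(BYPASS_CODES, NOW), policy_exists=False))
```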
Post execution procedure
- Review the blocked IP address to ensure no legitimate traffic was affected.
- Investigate whether the compromised account was used to access any sensitive applications.
- Review Cisco Duo authentication logs for any additional unauthorized access attempts.
- Consider enforcing additional MFA factors for the affected user before re-enabling access.
- Audit endpoint health policies across the organization to prevent future untrusted endpoint logons.