Cisco Duo dataset

Patrick Bareiss · Patrick Bareiss · commit fd9ba6697aa0 · 2025-07-10T13:30:34.000+02:00
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:efb0188ba7bca7fa541230f7d1c778ecfb25ebfca7e34767b46e528a9fdfc2de
+size 916
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 01167925-4c70-4c62-a850-54c3da8ed54e
+date: '2025-07-10'
+description: 'Deleted multiple policies in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8701e9be8bef7d2802e1d82899c51c9de4feda793bbbd8f54480ebbc92adf1d6
+size 2765
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 27cc5ad7-1afd-4409-863e-9fac6f4cf941
+date: '2025-07-08'
+description: 'Changed the setting for a user to allow them to bypass 2FA in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json
+sourcetypes:
+- cisco:duo:activity
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:858d3cfb2f5ad7dfb9f02b8fa37c60a8bb8b923a26a2d15082991d02ac0d2189
+size 1119
diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 876dbd42-57bb-40dc-a61f-269b6b6f6a4a
+date: '2025-07-08'
+description: 'Generate a bypass code for a user in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c5aebd7d22c939949ea0f673ffdf1aeccbd2902b550447291c68835435326ba
+size 425
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 61a63676-89fe-4c8a-aa62-f0cf0e917837
+date: '2025-07-10'
+description: 'Created a policy which allows devices without screen lock in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9665b55655c437d63bace9e1d299e6664100c87c6e7ef6d4423ca9ccf100062b
+size 955
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: db6c74e0-aaac-4bd2-b557-d2327746d105
+date: '2025-07-09'
+description: 'Created a policy which allow network bypass 2FA in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f889c0bf46213a2b4c8166d4f255743e54d15348e049a16209ad47dbc5a1dcef
+size 1396
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: ed19ab1d-7610-4e8c-89a9-8c82ff450bb0
+date: '2025-07-09'
+description: 'Created a policy which allow old Flash and Java versions in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d4bf93f8c0d7b075f3a9db935dca4ff934ecb9920dafbb1ae4965d1e30c125e
+size 432
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: b8be207e-3693-4653-aecf-a26dba43c5cc
+date: '2025-07-10'
+description: 'Created a policy which allows tampered devices in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:140dc72dbc8ac06fb6a473f8959a3466ea69f98e5b4f71ca27c09f579afa252c
+size 2435
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 6aa8cb0c-fde5-4c1f-abc6-45aba2142277
+date: '2025-07-08'
+description: 'Created a policy which allows bypass 2FA in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0ab0169e776928afa361de5d4132ef22d7f576d34282ba4e7b2f50d04e5e6ce
+size 994
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: bf1b3ff6-c06c-4782-8949-8f3dfc7557c2
+date: '2025-07-08'
+description: 'Created a policy which allows bypass 2FA in Duo for users in other countries.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd8e3b82a68fd3266e1456921e986db7564fbd952c573151c900dd72429b1516
+size 1211
diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 4cad132f-5b35-4397-8a0a-4566272264ed
+date: '2025-07-08'
+description: 'Created a policy which denies access in Duo.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json
+sourcetypes:
+- cisco:duo:administrator
+references:
+- https://attack.mitre.org/techniques/T1556/ 
diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f227990d742fbca024a6a2e6eefabef088c3558849985ae2ef14deb2c97bc9fb
+size 8694
diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 8bb65e4d-656a-40a8-a8be-0f3735f4a9e5
+date: '2025-07-10'
+description: 'Logged in as an admin from an unusual location.'
+environment: Cisco Duo Tenant
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json
+sourcetypes:
+- cisco:duo:activity
+references:
+- https://attack.mitre.org/techniques/T1556/ 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:efb0188ba7bca7fa541230f7d1c778ecfb25ebfca7e34767b46e528a9fdfc2de`
	`3`	`+size 916`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:8701e9be8bef7d2802e1d82899c51c9de4feda793bbbd8f54480ebbc92adf1d6`
	`3`	`+size 2765`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:858d3cfb2f5ad7dfb9f02b8fa37c60a8bb8b923a26a2d15082991d02ac0d2189`
	`3`	`+size 1119`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:5c5aebd7d22c939949ea0f673ffdf1aeccbd2902b550447291c68835435326ba`
	`3`	`+size 425`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:9665b55655c437d63bace9e1d299e6664100c87c6e7ef6d4423ca9ccf100062b`
	`3`	`+size 955`