Cisco Duo Policy Allow Devices Without Screen Lock

The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the environment due to reduced device security requirements.