Liongard Ideas Portal

Regarding the alerts I posted, of course this only runs after the Duo inspector updates, so typically we tell our team "Don't leave a user in bypass, but if you do(for example VPN troubleshooting), we'll receive a ticket no later than the next day for the issue. In other words, it's of course not a real-time alert, as Roar/Duo process doesn't have real-time inspections.

We have implemented this for our clients by the following methods against the Duo inspector:

• Created a metric for "Duo: Bypassed User Count":

  • Users[?status == `bypass`] | length(@)

Then for the specific user(s) "Metric":

• Users[?status == `bypass`].realname | join(`, `, @)

Finally, the alert rule:

CONDITIONS

• Duo: Bypassed User Count > 0

  High priority

BODY

There is a user within this Duo tenant that is currently in Bypass which may allow them to circumvent the multi-factor authentication process. This is a critical alert that needs to be reviewed as soon as possible. Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}}

ALERT COMMENTS

Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}} These users are currently bypassed and need to be resolved.

TEMPLATES (our template name)