Liongard Ideas Portal

Submit and upvote ideas to make Liongard better. You get 20 votes so vote wisely. 🙂


The Product Team is constantly reading your ideas and while we can’t promise that all ideas will become a reality, we value your feedback and promise to always have our Partners in mind when building and improving Liongard.

Check out our FAQs to learn more.

See what we've shipped by clicking here!

Duo Security - Alert on account placed in BYPASS

We have a major need to be alerted if a Duo Security user account is placed into BYPASS mode.

  • Adam Wall
  • Oct 8 2021
  • Reviewed - Under Consideration
Last Reviewed Date 2022-01-09
  • Attach files
  • Chris Holliman commented
    2 Dec, 2021 04:26pm

    Regarding the alerts I posted, of course this only runs after the Duo inspector updates, so typically we tell our team "Don't leave a user in bypass, but if you do(for example VPN troubleshooting), we'll receive a ticket no later than the next day for the issue. In other words, it's of course not a real-time alert, as Roar/Duo process doesn't have real-time inspections.

  • Chris Holliman commented
    2 Dec, 2021 04:24pm

    We have implemented this for our clients by the following methods against the Duo inspector:

    • Created a metric for "Duo: Bypassed User Count":

      • Users[?status == `bypass`] | length(@)

    Then for the specific user(s) "Metric":

    • Users[?status == `bypass`].realname | join(`, `, @)

    Finally, the alert rule:


    CONDITIONS

    BODY

    There is a user within this Duo tenant that is currently in Bypass which may allow them to circumvent the multi-factor authentication process. This is a critical alert that needs to be reviewed as soon as possible. Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}}

    ALERT COMMENTS

    Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}} These users are currently bypassed and need to be resolved.

    TEMPLATES (our template name)