Weekly Release Notes: Week 43, 2022
New features
New check detecting if a bypass code has been used.
Duo has a functionality for admins to create Bypass codes that can be send to the user, to re-establish access in case of major issues.
Of course this powerful function is not to be used lightly, and need to be monitored closely, as it could be abused.
This is why we have added a check that will detect and notify you when a successful sign in is done using a Duo Bypass Code.
Duo bypass code usage statistics
In order to complement the new check, and get more information about Bypass code usage, it is now displayed as an MFA factor, with usage count in each user360 page.
New Check: User Has Directly Assigned Application
Users should be assigned access to applications through groups and roles, and direct user assignment should be monitored as it could be used by an attacker to access additional assets while evading usual scrutiny.
This check will trigger alerts whenever an individual account is directly given access to an application.
Applications listed in the ignore list will not trigger an alert.
The list of directly assigned applications is displayed for each user that failed the check.
Improvements
New “Application” topic for checks
Each check is assigned some “topics” that you can filter on, in order to address specific use cases with more focus.
We have added an “application” topic for all application-related checks.
Check customization: Define the attempts threshold for the Inactive Account Probing check
While all our checks are calibrated out of the box to perform well in a variety of situation, it can be useful to tweak some parameters to better fit your specific policies. That’s why we are always adding ways for you to customize how our checks perform.
This week, the Account probing threshold can be configured to define the number of failed attempts that should trigger the alert.
领英推荐
Inactive Account Probing check explainability
It is important that you always get as much relevant information as possible about the reasons behind a check failing, so you can perform an efficient investigation.
This week we are adding the last successful sign in time and list of failed sign in events that occurred after the last successful sign. You can see this information in the explainability drawer for the “Inactive Account Probing” check.
Weak auth method used tag to user activity
It is important that you can easily identify when a weak auth method is used by an user, for example when this method is a single phone number used by multiple accounts.
This week we are adding a new tag (Weak MFA Configured) which is going to highlight an event in the user activity table, so you can easily spot such behaviors.
External session id added to user activity table
We want to display the user's external session id without needing to look inside the raw data.
This week, we are adding this data to the user activity queues, allowing admins to filter user activity with just a few clicks that will automatically create the corresponding filter chip that admins can use to search for the session user activity or even reverse lookup search.
Added activity target information into check explainability
We now show which were the actual targets on the check explainability
Added more activity target info on Activity Table
We now show more targets on the Activity Table, such Policy Entity, Policy Rule, group and others
Bug fixes