What Changed
Updated the IPEntity_DuoSecurity analytic rule (v1.0.9 → v1.0.10) to query the ASIM-normalized CiscoDuo table instead of the legacy DuoSecurityAuthentication_CL custom-log table.
Detection Logic
The rule joins threat intelligence IP indicators against Duo authentication events, using the CiscoDuo table and its normalized field names:
- Primary data source: ThreatIntelligenceIndicator joined with CiscoDuo
- Core logic: correlates TI_ipEntity against AccessDvcIpAddr for active indicators within confidence thresholds
- Entity types mapped: Account (DstUserName), IP (AccessDvcIpAddr)
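The correlation pattern described above, written out as an added illustrative KQL query. This is not the rule's own query (the diff does not include the YAML, so the actual KQL is unknown); it is a reconstruction of the standard Sentinel TI-to-log join using the CiscoDuo column names listed in the field-migration section and the standard ThreatIntelligenceIndicator columns. The lookback windows and the confidence floor are placeholder assumptions, as is the exact set of IP columns coalesced into TI_ipEntity.

```kql
// Added illustration, not the project's rule. Assumptions are marked inline.
let dt_lookBack  = 1h;   // window of Duo events to scan (assumed value)
let ioc_lookBack = 14d;  // how far back to pull indicators (assumed value)
let minConfidence = 50;  // floor for ConfidenceScore (assumed value)
// Active, unexpired IP indicators above the confidence floor, one row per indicator.
let TI_IPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where ConfidenceScore >= minConfidence
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    // Which TI IP columns to fold into TI_ipEntity is an assumption.
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP, EmailSourceIpAddress)
    | where isnotempty(TI_ipEntity);
// Correlate the indicator IP against the Duo access-device IP (AccessDvcIpAddr).
TI_IPs
| join kind=innerunique (
    CiscoDuo
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(AccessDvcIpAddr)
    | extend Duo_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.AccessDvcIpAddr
// Keep only authentications observed after the indicator was last updated.
| where Duo_TimeGenerated > LatestIndicatorTime
| project Duo_TimeGenerated, TI_ipEntity, IndicatorId, Description, ConfidenceScore, ThreatType,
          DstUserName, AccessDvcIpAddr, AuthFactor, EventResult, SrcAppName, EventType, TransactionId
// Entity mappings named in the rule summary: Account -> DstUserName, IP -> AccessDvcIpAddr.
| extend AccountName = DstUserName, IPCustomEntity = AccessDvcIpAddr
```

Before enabling a rule of this shape in a workspace that has not yet migrated, confirm that `CiscoDuo` resolves (for example `CiscoDuo | take 1` returning rows) and that AccessDvcIpAddr is populated; if the ASIM parser is absent the join silently matches nothing and the rule produces no alerts rather than an error.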
MITRE Mapping
Not determined: the rule's KQL logic is unavailable because the YAML is not included in the diff context.
Field Migration Impact
Legacy field names replaced with ASIM-normalized equivalents:
- access_device_ip_s → AccessDvcIpAddr
- user_name_s → DstUserName
- factor_s → AuthFactor
- result_s → EventResult
- application_name_s → SrcAppName
- event_type_s → EventType
- txid_g → TransactionId
- isotimestamp_t → IsoTimestamp
Existing deployments that relied on the legacy DuoSecurityAuthentication_CL table must have the CiscoDuo ASIM parser deployed for threat intelligence correlation to continue.
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml
(packaging artefacts updated alongside it: 3.0.15.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)