Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorReasons.yaml

id: 5653900e-4b21-408d-84da-e4db3da891bb
name: Cisco Duo - Authentication error reasons
description: |
  'Query searches for authentication error reasons.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoDuoSecurity
    dataTypes:
      - CiscoDuo
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  CiscoDuo
  | where TimeGenerated > ago(24h)
  | where EventType =~ 'authentication'
  | where EventResult in~ ('denied', 'failure')
  | summarize count() by EventResultDetails, DstUserName
  | extend AccountCustomEntity = DstUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity