Overview
After you have completed the Integrating with Duo Security procedure, you can use the tests below to trigger Blumira's detections for certain Google Workspace activity.
Duo: Bypass Code Created
When you see a Duo bypass code created, it may be because the user does not have the device they initially set up MFA with, either due to losing it or getting a new one. Alternatively, it could be a bad actor attempting to bypass MFA requirements or create an additional authentication option under their control.
To test "DUO: Bypass Code Created" detection, do the following:
- Log in to admin.duosecurity.com.
- Navigate to Users and select a user.
- Scroll to Bypass Codes and click Add Bypass Code.
- After the bypass code is created, you will see the user who created the bypass code, along with the creation and expiration details, which will also appear in the finding's details in Blumira.
Duo: User Set to Bypass Status
Users who have been assigned "bypass" status can log in to Duo protected applications without any MFA checks. These users will be able to log in with just a username and password.
Steps to test detection: DUO: Bypass Code Created
- Log in to admin.duosecurity.com.
- Navigate to Users and select a user, preferably a test user who is not in your primary IdP.
- Under the Status section, select Bypass.
Duo: User Reported Fraudulent Authentication Attempt
To test the "Duo: User Reported Fraudulent Authentication Attempt" detection, do the following:
- Have the Duo Admin Panel and Blumira app open.
- Go to an application protected by Duo Security.
- Once on the Duo prompt (MFA) screen, select Send Me a Push to send a prompt to your mobile device or tablet.
- Deny the push notification by tapping the red X.
- Tap Report as Fraud.