Duo Fraud Investigation

Duo Fraud Investigation investigates a suspicious Duo login attempt and, if the attempt cannot be explained by the checks below, creates a ticket in the Freshdesk ticketing system for the suspicious login. Otherwise it closes the case.

1. Trigger: It receives the information from the Duo Fraud Main parent playbook and continues the investigation from there.

2. If Then: It checks whether the IP address of the authentication device and the IP address of the access device are the same. If they are, it sets the global parameter Verdict (step 3). If not, it continues the investigation.

3. Parameters: It sets the global parameter Verdict to "Auth IP & Access IPs are the same".

4. Script: It runs a Python script to check whether the access IP address falls within a known IP address range.

5. If Then: It checks whether the access IP address is from a known address range. If it is, it sets the global parameter Verdict (step 6). If not, it continues the investigation.

6. Parameters: It sets the global parameter Verdict to "Access IP is from within known network".

7. Query: It runs a query in Logpoint SIEM to retrieve the successful logins of the last 14 days.

8. If Then: It checks whether the number of successful logins is greater than 0. If it is, it continues the investigation. If not, it sets the global parameter Verdict (step 9).

9. Parameters: It sets the global parameter Verdict to "No successful logins in last 14 days" and opens a ticket for further investigation.

10. For Each: It loops through the results returned by the Query block.

11. Playbook: For each result, it runs the sub-playbook Duo Fraud Compare, which compares the geolocation of the access device, the authentication device, and the previously logged-in device.

12. Script: It runs a Python script to check whether the geolocation of any successful login matches the geolocation of the access device.

13. If Then: It checks whether a geolocation matched. If one did, it closes the case. If none did, it opens a ticket for further investigation.

14. Format: It formats the parameters into the syntax expected by the ticketing system and forwards them to open a new ticket.

15. Format: It formats the parameters into the format needed to close the case and forwards them.

16. Case Item: It writes the formatted output to the case created in Logpoint SIEM.

17. API: It uses the Freshdesk API to create a ticket about the suspicious login attempt.

18. Status: It sets the case status to Closed.

19. End: It returns the final Verdict, User, Region, and Incident_ID to the parent playbook.
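The decision path of steps 2 to 13, together with the ticket formatting of step 14, as one added Python example. This is not code from the Logpoint playbook or from Duo; it is written here to show the branches and their verdicts in one place. It assumes the shape of the input (an access_device and an auth_device, each with an IP and a country/state/city location, modelled on Duo's authentication log but not taken from it), a constructed list of known networks, constructed sample logins in place of the Logpoint query results, and hypothetical verdict strings for the geolocation branch, which the page does not spell out. It also assumes that the same-IP and known-network verdicts end in the close path rather than a ticket; the page only states that Verdict is set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

# Constructed for this example: the known-network list is an assumption,
# not the playbook's configuration.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]


@dataclass(frozen=True)
class Location:
    country: str
    state: str
    city: str


@dataclass(frozen=True)
class Device:
    ip: str
    location: Location


@dataclass(frozen=True)
class FraudEvent:
    """Assumed input shape (modelled on Duo's access_device / auth_device fields)."""
    user: str
    access_device: Device
    auth_device: Device


@dataclass(frozen=True)
class Outcome:
    verdict: str
    open_ticket: bool  # True -> Freshdesk ticket (step 17), False -> close the case (step 18)


# The first three verdicts are the playbook's own strings; the last two are
# hypothetical wording for the geolocation branch of step 13.
VERDICT_SAME_IP = "Auth IP & Access IPs are the same"
VERDICT_KNOWN_NET = "Access IP is from within known network"
VERDICT_NO_LOGINS = "No successful logins in last 14 days"
VERDICT_GEO_MATCH = "Access device geolocation matches a previous successful login"
VERDICT_GEO_MISMATCH = "Access device geolocation matches no successful login in last 14 days"

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip(value: str) -> Optional[IPAddress]:
    """Return None for an unparsable address so it can never satisfy a check."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def same_ip(a: str, b: str) -> bool:
    """Step 2: compare as addresses, not strings, so '::1' equals '0:0:0:0:0:0:0:1'."""
    pa, pb = parse_ip(a), parse_ip(b)
    return pa is not None and pa == pb


def ip_in_known_range(ip: str, networks=KNOWN_NETWORKS) -> bool:
    """Step 4: an address that does not parse is treated as unknown, never as trusted."""
    addr = parse_ip(ip)
    return addr is not None and any(addr in net for net in networks)


def geo_matches(a: Location, b: Location) -> bool:
    """Step 12: match on country/state/city, ignoring case differences between sources."""
    key = lambda loc: (loc.country.lower(), loc.state.lower(), loc.city.lower())
    return key(a) == key(b)


def investigate(event: FraudEvent, successful_logins: Iterable[Location]) -> Outcome:
    """Steps 2 to 13 as a single decision function; the order of checks is the playbook's."""
    if same_ip(event.access_device.ip, event.auth_device.ip):
        return Outcome(VERDICT_SAME_IP, open_ticket=False)
    if ip_in_known_range(event.access_device.ip):
        return Outcome(VERDICT_KNOWN_NET, open_ticket=False)
    logins = list(successful_logins)  # stands in for the Logpoint query result (step 7)
    if not logins:
        return Outcome(VERDICT_NO_LOGINS, open_ticket=True)
    if any(geo_matches(event.access_device.location, seen) for seen in logins):
        return Outcome(VERDICT_GEO_MATCH, open_ticket=False)
    return Outcome(VERDICT_GEO_MISMATCH, open_ticket=True)


def format_ticket(event: FraudEvent, outcome: Outcome, incident_id: str) -> dict:
    """Step 14: build the ticket body. The field names are assumed; the text is this example's."""
    loc = event.access_device.location
    region = f"{loc.city}, {loc.state}, {loc.country}"
    return {
        "subject": f"Duo fraud report: suspicious login for {event.user} ({incident_id})",
        "description": (
            f"Verdict: {outcome.verdict}\n"
            f"User: {event.user}\n"
            f"Access IP: {event.access_device.ip} ({region})\n"
            f"Auth IP: {event.auth_device.ip}\n"
            f"Incident_ID: {incident_id}"
        ),
    }


if __name__ == "__main__":
    # Constructed sample event and logins, not real data.
    oslo = Location("NO", "Oslo", "Oslo")
    event = FraudEvent("alice", Device("198.51.100.20", oslo), Device("198.51.100.7", Location("NO", "Vestland", "Bergen")))
    outcome = investigate(event, [Location("NO", "Vestland", "Bergen")])
    print(outcome)
    if outcome.open_ticket:
        print(format_ticket(event, outcome, "INC-0001")["description"])
```

Two points worth keeping from this: the IP comparison and range check go through the ipaddress module rather than string comparison, so a malformed or oddly formatted address can never be mistaken for a known or matching one, and the known-network check comes after the same-IP check, so a push approved from inside the corporate range is still only marked as known when the access IP itself is in that range.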
