diff --git a/queries/cisco_duo_failed_mfa_login_within_5_mins.yml b/queries/cisco_duo_failed_mfa_login_within_5_mins.yml
new file mode 100644
index 0000000..ab3ba8f
--- /dev/null
+++ b/queries/cisco_duo_failed_mfa_login_within_5_mins.yml
@@ -0,0 +1,44 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Cisco Duo - Failed MFA Login within 5 mins
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+ - T1621
+
+# Description of what the query does and its purpose.
+description: |
+ Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+ - Other
+
+# Tags for filtering and categorization.
+tags:
+ - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+ #Vendor = cisco
+ | #event.module = "duo"
+ | event.action = "authentication"
+ | Vendor.reason =~ in(values=["no_keys_pressed","invalid_passcode","verification_code_incorrect","user_cancelled","no_response"])
+ |groupBy([user.name],function=[count(field=Vendor.reason, distinct=true, as=reason),collect(fields=[source.geo.country_name, source.ip,Vendor.reason]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
+ |reason >1
+ | time_diff_min := (end_time - start_time) / 60000
+ | time_diff_min <= 5
+ | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone=UTC)
+ | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone=UTC)
+ | drop([start_time, end_time])
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+ Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.
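Review bot: The `groupBy` aggregation counts distinct values of `Vendor.reason` (`count(field=Vendor.reason, distinct=true, as=reason)`), and the filter `reason >1` therefore requires at least two *different* failure reasons per user rather than repeated failures; a burst of push prompts that all end in `no_response` yields a single distinct reason and never fires, which is the MFA-fatigue case the description claims to cover. Counting events instead, and keeping the distinct-reason count as context, matches the stated intent: `count(as=failure_count), count(field=Vendor.reason, distinct=true, as=distinct_reasons)` in the function list, with the filter changed to `| failure_count > 1`. The `description` and `explanation` blocks are identical; the explanation would be more useful if it stated the thresholds the query applies (more than one failure, first-to-last failure within 5 minutes, grouped by `user.name`) and noted that the window is measured across the whole search time range, so tuning the search span changes what is caught.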