To onboard Duo logs to Panther, follow the steps below. You can also view the data ingestion video overview for a quick walkthrough of Duo log onboarding.
Step 1: Create a Duo application
Follow the instructions here to create a new Duo application.
Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.
Grant the application Grant read log permissions.
Step 2: Create a new Duo source in Panther
In the lefthand navigation bar of your Panther Console, click Configure > LogSources.
Click Create New.
Select Duo from the list of available log sources. Click Start Setup.
On the next screen, enter a descriptive name for the source (for example, My Duo logs) and select the type of logs you want to monitor.
Click Setup.
Fill in the fields below:
Integration Key: Enter the integration key of the Duo app.
Secret Key: Enter the secret key of the Duo app.
API Hostname: Enter the API hostname of the Duo app.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Required fields in the schema are listed as "required: true" just below the "name" field.
schema: Duo.Administrator
parser:
native:
name: Duo.Administrator
description: Duo administrator log events.
referenceURL: https://duo.com/docs/adminapi#administrator-logs
fields:
- name: action
required: true
description: The type of change that was performed.
type: string
- name: description
description: String detailing what changed, either as free-form text or serialized JSON.
type: string
- name: isotimestamp
required: true
description: ISO8601 timestamp of the event.
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: object
description: 'The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).'
type: string
- name: timestamp
description: Unix timestamp of the event.
type: timestamp
timeFormat: unix
- name: username
required: true
description: 'The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".'
type: string
indicators:
- username
schema: Duo.Authentication
parser:
native:
name: Duo.Authentication
description: Duo authentication log events(v2).
referenceURL: https://duo.com/docs/adminapi#authentication-logs
fields:
- name: access_device
description: Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo’s inline browser prompt.
type: object
fields:
- name: browser
description: The web browser used for access.
type: string
- name: browser_version
description: The browser version.
type: string
- name: flash_version
description: The Flash plugin version used, if present, otherwise "uninstalled".
type: string
- name: hostname
description: The hostname, if present, otherwise "null".
type: string
indicators:
- hostname
- name: ip
description: The access device's IP address, if present, otherwise "null".
type: string
indicators:
- ip
- name: is_encryption_enabled
description: Reports the disk encryption state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
type: string
- name: is_firewall_enabled
description: Reports the firewall state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
type: string
- name: is_password_set
description: Reports the system password state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
type: string
- name: java_version
description: The Java plugin version used, if present, otherwise "uninstalled".
type: string
- name: location
description: The GeoIP location of the access device, if available. The response may not include all location parameters.
type: object
fields:
- name: city
description: The city name.
type: string
- name: country
description: The country code.
type: string
- name: state
description: The state, county, province, or prefecture.
type: string
- name: os
description: The device operating system name.
type: string
- name: os_version
description: The device operating system version.
type: string
- name: security_agents
description: Reports the security agents present on the endpoint as detected by the Duo Device Health app.
type: array
element:
type: json
- name: alias
description: The username alias used to log in. No value if the user logged in with their username instead of a username alias.
type: string
indicators:
- username
- name: application
description: Information about the application accessed.
type: object
fields:
- name: key
description: The application's integration_key.
type: string
- name: name
description: The application's name.
type: string
- name: auth_device
description: Information about the device used to approve or deny authentication.
type: object
fields:
- name: ip
description: The IP address of the authentication device.
type: string
indicators:
- ip
- name: location
description: The GeoIP location of the authentication device, if available. May not include all location parameters.
type: object
fields:
- name: city
description: The city name.
type: string
- name: country
description: The country code.
type: string
- name: state
description: The state, county, province, or prefecture.
type: string
- name: name
description: The name of the authentication device.
type: string
- name: email
description: The email address of the user, if known to Duo, otherwise none.
type: string
indicators:
- email
- name: event_type
description: 'The type of activity logged. one of: "authentication" or "enrollment".'
type: string
- name: factor
description: 'The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".'
type: string
- name: isotimestamp
required: true
description: ISO8601 timestamp of the event.
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: ood_software
description: If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software.
type: string
- name: reason
description: 'Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".'
type: string
- name: result
description: 'The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".'
type: string
- name: timestamp
description: Unix timestamp of the event.
type: timestamp
timeFormat: unix
- name: txid
required: true
description: The transaction ID of the event.
type: string
indicators:
- trace_id
- name: user
description: Information about the authenticating user.
type: object
fields:
- name: groups
description: Duo group membership information for the user.
type: array
element:
type: string
- name: key
description: The user's user_id.
type: string
- name: name
description: The user's username.
type: string
indicators:
- username
schema: Duo.OfflineEnrollment
parser:
native:
name: Duo.OfflineEnrollment
description: Duo Authentication for Windows Logon offline enrollment events.
referenceURL: https://duo.com/docs/adminapi#offline-enrollment-logs
fields:
- name: action
required: true
description: The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled".
type: string
- name: description
description: Information about the Duo Windows Logon client system as reported by the application.
type: string
- name: isotimestamp
required: true
description: ISO8601 timestamp of the event.
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: object
required: true
description: The Duo Windows Logon integration's name.
type: string
- name: timestamp
description: Unix timestamp of the event.
type: timestamp
timeFormat: unix
- name: username
required: true
description: The Duo username.
type: string
indicators:
- username
schema: Duo.Telephony
parser:
native:
name: Duo.Telephony
description: Duo telephony log events.
referenceURL: https://duo.com/docs/adminapi#telephony-logs
fields:
- name: context
description: 'How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".'
type: string
- name: credits
description: How many telephony credits this event cost.
type: int
- name: isotimestamp
required: true
description: ISO8601 timestamp of the event.
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: phone
required: true
description: The phone number that initiated this event.
type: string
- name: timestamp
description: Unix timestamp of the event.
type: timestamp
timeFormat: unix
- name: type
required: true
description: The event type. Either "sms" or "phone".
type: string
