Duo Security Logs

Panther supports pulling logs directly from Duo

Overview

Panther can collect the following Duo logs via the Duo API:

How to onboard Duo logs to Panther

To onboard Duo logs to Panther, follow the steps below. You can also view the data ingestion video overview for a quick walkthrough of Duo log onboarding.

Step 1: Create a Duo application

  1. Follow the instructions here to create a new Duo application.

    Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.

  2. Grant the application Grant read log permissions.

Step 2: Create a new Duo source in Panther

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Duo from the list of available log sources. Click Start Setup.

  4. On the next screen, enter a descriptive name for the source (for example, My Duo logs) and select the type of logs you want to monitor.

  5. Click Setup.

  6. Fill in the fields below:

    • Integration Key: Enter the integration key of the Duo app.

    • Secret Key: Enter the secret key of the Duo app.

    • API Hostname: Enter the API hostname of the Duo app.

  7. Click Setup. You will be directed to a success screen:

  • You can optionally enable one or more Detection Packs.

  • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Duo.Administrator

Duo administrator log events.

For more information, see Duo Documentation on Administrator Logs.

schema: Duo.Administrator
parser:
    native:
        name: Duo.Administrator
description: Duo administrator log events.
referenceURL: https://duo.com/docs/adminapi#administrator-logs
fields:
    - name: action
      required: true
      description: The type of change that was performed.
      type: string
    - name: description
      description: String detailing what changed, either as free-form text or serialized JSON.
      type: string
    - name: isotimestamp
      required: true
      description: ISO8601 timestamp of the event.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: object
      description: 'The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).'
      type: string
    - name: timestamp
      description: Unix timestamp of the event.
      type: timestamp
      timeFormat: unix
    - name: username
      required: true
      description: 'The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".'
      type: string
      indicators:
        - username

Duo.Authentication

Duo authentication log events(v2).

For more information, see Duo Documentation on Authentication Logs.

schema: Duo.Authentication
parser:
    native:
        name: Duo.Authentication
description: Duo authentication log events(v2).
referenceURL: https://duo.com/docs/adminapi#authentication-logs
fields:
    - name: access_device
      description: Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo’s inline browser prompt.
      type: object
      fields:
        - name: browser
          description: The web browser used for access.
          type: string
        - name: browser_version
          description: The browser version.
          type: string
        - name: flash_version
          description: The Flash plugin version used, if present, otherwise "uninstalled".
          type: string
        - name: hostname
          description: The hostname, if present, otherwise "null".
          type: string
          indicators:
            - hostname
        - name: ip
          description: The access device's IP address, if present, otherwise "null".
          type: string
          indicators:
            - ip
        - name: is_encryption_enabled
          description: Reports the disk encryption state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
          type: string
        - name: is_firewall_enabled
          description: Reports the firewall state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
          type: string
        - name: is_password_set
          description: Reports the system password state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
          type: string
        - name: java_version
          description: The Java plugin version used, if present, otherwise "uninstalled".
          type: string
        - name: location
          description: The GeoIP location of the access device, if available. The response may not include all location parameters.
          type: object
          fields:
            - name: city
              description: The city name.
              type: string
            - name: country
              description: The country code.
              type: string
            - name: state
              description: The state, county, province, or prefecture.
              type: string
        - name: os
          description: The device operating system name.
          type: string
        - name: os_version
          description: The device operating system version.
          type: string
        - name: security_agents
          description: Reports the security agents present on the endpoint as detected by the Duo Device Health app.
          type: array
          element:
            type: json
    - name: alias
      description: The username alias used to log in. No value if the user logged in with their username instead of a username alias.
      type: string
      indicators:
        - username
    - name: application
      description: Information about the application accessed.
      type: object
      fields:
        - name: key
          description: The application's integration_key.
          type: string
        - name: name
          description: The application's name.
          type: string
    - name: auth_device
      description: Information about the device used to approve or deny authentication.
      type: object
      fields:
        - name: ip
          description: The IP address of the authentication device.
          type: string
          indicators:
            - ip
        - name: location
          description: The GeoIP location of the authentication device, if available. May not include all location parameters.
          type: object
          fields:
            - name: city
              description: The city name.
              type: string
            - name: country
              description: The country code.
              type: string
            - name: state
              description: The state, county, province, or prefecture.
              type: string
        - name: name
          description: The name of the authentication device.
          type: string
    - name: email
      description: The email address of the user, if known to Duo, otherwise none.
      type: string
      indicators:
        - email
    - name: event_type
      description: 'The type of activity logged. one of: "authentication" or "enrollment".'
      type: string
    - name: factor
      description: 'The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".'
      type: string
    - name: isotimestamp
      required: true
      description: ISO8601 timestamp of the event.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: ood_software
      description: If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software.
      type: string
    - name: reason
      description: 'Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".'
      type: string
    - name: result
      description: 'The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".'
      type: string
    - name: timestamp
      description: Unix timestamp of the event.
      type: timestamp
      timeFormat: unix
    - name: txid
      required: true
      description: The transaction ID of the event.
      type: string
      indicators:
        - trace_id
    - name: user
      description: Information about the authenticating user.
      type: object
      fields:
        - name: groups
          description: Duo group membership information for the user.
          type: array
          element:
            type: string
        - name: key
          description: The user's user_id.
          type: string
        - name: name
          description: The user's username.
          type: string
          indicators:
            - username

Duo.OfflineEnrollment

Duo Authentication for Windows Logon offline enrollment events.

For more information, see Duo Documentation on Offline Enrollment Logs.

schema: Duo.OfflineEnrollment
parser:
    native:
        name: Duo.OfflineEnrollment
description: Duo Authentication for Windows Logon offline enrollment events.
referenceURL: https://duo.com/docs/adminapi#offline-enrollment-logs
fields:
    - name: action
      required: true
      description: The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled".
      type: string
    - name: description
      description: Information about the Duo Windows Logon client system as reported by the application.
      type: string
    - name: isotimestamp
      required: true
      description: ISO8601 timestamp of the event.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: object
      required: true
      description: The Duo Windows Logon integration's name.
      type: string
    - name: timestamp
      description: Unix timestamp of the event.
      type: timestamp
      timeFormat: unix
    - name: username
      required: true
      description: The Duo username.
      type: string
      indicators:
        - username

Duo.Telephony

Duo telephony log events.

For more information, see Duo Documentation on Telephony Logs.

schema: Duo.Telephony
parser:
    native:
        name: Duo.Telephony
description: Duo telephony log events.
referenceURL: https://duo.com/docs/adminapi#telephony-logs
fields:
    - name: context
      description: 'How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".'
      type: string
    - name: credits
      description: How many telephony credits this event cost.
      type: int
    - name: isotimestamp
      required: true
      description: ISO8601 timestamp of the event.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: phone
      required: true
      description: The phone number that initiated this event.
      type: string
    - name: timestamp
      description: Unix timestamp of the event.
      type: timestamp
      timeFormat: unix
    - name: type
      required: true
      description: The event type. Either "sms" or "phone".
      type: string

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated