To onboard Duo logs to Panther, follow the steps below. You can also view the data ingestion video overview for a quick walkthrough of Duo log onboarding.
Step 1: Create a Duo application
Follow the instructions here to create a new Duo application.
Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.
Grant the application the Grant read log permission.
Step 2: Create a new Duo source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Duo from the list of available log sources. Click Start Setup.
On the next screen, enter a descriptive name for the source (for example, My Duo logs) and select the type of logs you want to monitor.
Click Setup.
Fill in the fields below:
Integration Key: Enter the integration key of the Duo app.
Secret Key: Enter the secret key of the Duo app.
API Hostname: Enter the API hostname of the Duo app.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Required fields in the schema are listed as "required: true" just below the "name" field.
Duo.Administrator
Duo administrator log events.
```yaml
schema: Duo.Administrator
parser:
  native:
    name: Duo.Administrator
description: Duo administrator log events.
referenceURL: https://duo.com/docs/adminapi#administrator-logs
fields:
  - name: action
    required: true
    description: The type of change that was performed.
    type: string
  - name: description
    description: String detailing what changed, either as free-form text or serialized JSON.
    type: string
  - name: isotimestamp
    required: true
    description: ISO8601 timestamp of the event.
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: object
    description: 'The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).'
    type: string
  - name: timestamp
    description: Unix timestamp of the event.
    type: timestamp
    timeFormat: unix
  - name: username
    required: true
    description: 'The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".'
    type: string
    indicators:
      - username
```
Duo.Authentication
Duo authentication log events (v2).
```yaml
schema: Duo.Authentication
parser:
  native:
    name: Duo.Authentication
description: Duo authentication log events (v2).
referenceURL: https://duo.com/docs/adminapi#authentication-logs
fields:
  - name: access_device
    description: Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo's inline browser prompt.
    type: object
    fields:
      - name: browser
        description: The web browser used for access.
        type: string
      - name: browser_version
        description: The browser version.
        type: string
      - name: flash_version
        description: The Flash plugin version used, if present, otherwise "uninstalled".
        type: string
      - name: hostname
        description: The hostname, if present, otherwise "null".
        type: string
        indicators:
          - hostname
      - name: ip
        description: The access device's IP address, if present, otherwise "null".
        type: string
        indicators:
          - ip
      - name: is_encryption_enabled
        description: Reports the disk encryption state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
        type: string
      - name: is_firewall_enabled
        description: Reports the firewall state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
        type: string
      - name: is_password_set
        description: Reports the system password state as detected by the Duo Device Health app. One of "true", "false", or "unknown".
        type: string
      - name: java_version
        description: The Java plugin version used, if present, otherwise "uninstalled".
        type: string
      - name: location
        description: The GeoIP location of the access device, if available. The response may not include all location parameters.
        type: object
        fields:
          - name: city
            description: The city name.
            type: string
          - name: country
            description: The country code.
            type: string
          - name: state
            description: The state, county, province, or prefecture.
            type: string
      - name: os
        description: The device operating system name.
        type: string
      - name: os_version
        description: The device operating system version.
        type: string
      - name: security_agents
        description: Reports the security agents present on the endpoint as detected by the Duo Device Health app.
        type: array
        element:
          type: json
  - name: alias
    description: The username alias used to log in. No value if the user logged in with their username instead of a username alias.
    type: string
    indicators:
      - username
  - name: application
    description: Information about the application accessed.
    type: object
    fields:
      - name: key
        description: The application's integration_key.
        type: string
      - name: name
        description: The application's name.
        type: string
  - name: auth_device
    description: Information about the device used to approve or deny authentication.
    type: object
    fields:
      - name: ip
        description: The IP address of the authentication device.
        type: string
        indicators:
          - ip
      - name: location
        description: The GeoIP location of the authentication device, if available. May not include all location parameters.
        type: object
        fields:
          - name: city
            description: The city name.
            type: string
          - name: country
            description: The country code.
            type: string
          - name: state
            description: The state, county, province, or prefecture.
            type: string
      - name: name
        description: The name of the authentication device.
        type: string
  - name: email
    description: The email address of the user, if known to Duo, otherwise none.
    type: string
    indicators:
      - email
  - name: event_type
    description: 'The type of activity logged. One of: "authentication" or "enrollment".'
    type: string
  - name: factor
    description: 'The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".'
    type: string
  - name: isotimestamp
    required: true
    description: ISO8601 timestamp of the event.
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: ood_software
    description: If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software.
    type: string
  - name: reason
    description: 'Provides the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".'
    type: string
  - name: result
    description: 'The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".'
    type: string
  - name: timestamp
    description: Unix timestamp of the event.
    type: timestamp
    timeFormat: unix
  - name: txid
    required: true
    description: The transaction ID of the event.
    type: string
    indicators:
      - trace_id
  - name: user
    description: Information about the authenticating user.
    type: object
    fields:
      - name: groups
        description: Duo group membership information for the user.
        type: array
        element:
          type: string
      - name: key
        description: The user's user_id.
        type: string
      - name: name
        description: The user's username.
        type: string
        indicators:
          - username
```
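Once Duo.Authentication events are flowing, the result/reason pairs in the schema above are what a detection keys on. The following Panther-style rule is an added example (not Panther's or Duo's code) that alerts when a user reports a prompt as fraud or Duo blocks an anomalous push; it assumes Panther hands each parsed event to rule(), title() and severity() as a dict-like object, and the sample events are constructed.

```python
"""Panther-style rule for Duo.Authentication events (added example, not Panther's or Duo's code).
Assumption: Panther passes each parsed event as a dict-like object; plain dicts are used here."""
from typing import Any

# Outcomes from the Duo.Authentication schema that mean the user did not
# initiate the request: a "FRAUD" result with reason "user_marked_fraud" (the
# user reported the prompt) or a "FAILURE" Duo blocked as an anomalous push.
SUSPICIOUS_OUTCOMES = {
    ("FRAUD", "user_marked_fraud"): "HIGH",
    ("FAILURE", "anomalous_push"): "MEDIUM",
}

def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested keys such as user -> name; return default if any is absent."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event: dict) -> bool:
    """Fire on authentication events whose result/reason pair is suspicious."""
    if event.get("event_type") != "authentication":
        return False
    return (event.get("result"), event.get("reason")) in SUSPICIOUS_OUTCOMES

def severity(event: dict) -> str:
    return SUSPICIOUS_OUTCOMES.get((event.get("result"), event.get("reason")), "INFO")

def title(event: dict) -> str:
    """Alert title built from schema fields; access_device.ip falls back to "null" as Duo does."""
    user = deep_get(event, "user", "name", default="<unknown user>")
    app = deep_get(event, "application", "name", default="<unknown app>")
    src = deep_get(event, "access_device", "ip", default="null")
    return (f"Duo {event.get('factor')} for {user} to {app} from {src}: "
            f"{event.get('result')}/{event.get('reason')} (txid {event.get('txid')})")

# Constructed sample events in the shape of Duo.Authentication records.
SAMPLE_EVENTS = [
    {"event_type": "authentication", "factor": "duo_push", "result": "FRAUD",
     "reason": "user_marked_fraud", "txid": "txid-0001", "user": {"name": "jsmith"},
     "application": {"name": "VPN"}, "access_device": {"ip": "203.0.113.7"}},
    {"event_type": "authentication", "factor": "duo_push", "result": "SUCCESS",
     "reason": "user_approved", "txid": "txid-0002", "user": {"name": "jsmith"}},
]
```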
Duo.OfflineEnrollment
Duo Authentication for Windows Logon offline enrollment events.
```yaml
schema: Duo.OfflineEnrollment
parser:
  native:
    name: Duo.OfflineEnrollment
description: Duo Authentication for Windows Logon offline enrollment events.
referenceURL: https://duo.com/docs/adminapi#offline-enrollment-logs
fields:
  - name: action
    required: true
    description: The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled".
    type: string
  - name: description
    description: Information about the Duo Windows Logon client system as reported by the application.
    type: string
  - name: isotimestamp
    required: true
    description: ISO8601 timestamp of the event.
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: object
    required: true
    description: The Duo Windows Logon integration's name.
    type: string
  - name: timestamp
    description: Unix timestamp of the event.
    type: timestamp
    timeFormat: unix
  - name: username
    required: true
    description: The Duo username.
    type: string
    indicators:
      - username
```
Duo.Telephony
Duo telephony log events.
```yaml
schema: Duo.Telephony
parser:
  native:
    name: Duo.Telephony
description: Duo telephony log events.
referenceURL: https://duo.com/docs/adminapi#telephony-logs
fields:
  - name: context
    description: 'How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".'
    type: string
  - name: credits
    description: How many telephony credits this event cost.
    type: int
  - name: isotimestamp
    required: true
    description: ISO8601 timestamp of the event.
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: phone
    required: true
    description: The phone number that initiated this event.
    type: string
  - name: timestamp
    description: Unix timestamp of the event.
    type: timestamp
    timeFormat: unix
  - name: type
    required: true
    description: The event type. Either "sms" or "phone".
    type: string
```