TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Duo Authentication Logs | | ✅ | ✅ | ✅ | duo_authentication_logs | NDJSON | API |
Duo Users Logs | | | | ✅ | duo_users | NDJSON | API |
Duo Administrator Logs | | ✅ | | ✅ | duo_administrator_logs | NDJSON | API |
Duo Trust Monitor Events | ✅ | | | ✅ | duo_trust_monitor_events | NDJSON | API |
Overview
Duo Security is a user-centric access security platform that provides two-factor authentication.
Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity with a second factor (such as your phone or another enrolled device) means that knowing the password alone is not enough to log in.
Supported data types
Duo Authentication Logs
Table name: duo_authentication_logs
Duo Security authentication logs record every authentication attempt made against Duo. Each record carries the result and the reason behind it, the factor used (push, passcode, remembered device, and so on), the application being accessed, and details of both the access device (the endpoint that is logging in, including IP and geolocation) and the authentication device (the phone or token that answered the request). They are the primary source for investigating failed, denied or suspicious logins.
Duo Users Logs
Table name: duo_users
Duo Security's user logs are a snapshot of the user inventory rather than an event stream: each record describes one Duo user, including enrollment status, group memberships, enrolled phones and tokens, last login and last directory sync. They are useful for joining authentication events to user and device context, auditing enrollment, and spotting stale or unenrolled accounts.
Duo Administrator Logs
Table name: duo_administrator_logs
Duo Administrator Logs capture activities performed by administrators within the Duo Security system. These logs are critical for security and compliance, tracking changes made to configurations, user management actions, policy updates, and administrative access.
Duo Trust Monitor Events
Table name: duo_trust_monitor_events
Duo Trust Monitor Events analyze and highlight authentication activities that deviate from established user patterns, helping to identify potentially risky behavior. This tool is designed to enhance security by detecting unusual access attempts or actions that could indicate a compromise, enabling prompt investigation and response to suspicious activities.
🚧 Note
Duo Trust Monitor events are only available on the Duo Beyond and Duo Access plans. Confirm that your subscription includes Trust Monitor before setting this data type up in Hunters.
Send data to Hunters
Hunters collects Duo Security logs through the Duo Admin API.
To connect Duo Security logs:
1. Gather the following information from your Duo Security account:
   - Integration key
   - Secret key
   - API hostname (for example, api-xxxxxxxx.duosecurity.com)
📘 Note
The permissions needed for the Hunters integration are Grant read resource and Grant read log. Grant the Admin API application only these permissions; see Duo's Admin API documentation for the full permission list.
2. Complete the setup on the Hunters platform.
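The three values gathered above are Duo Admin API credentials, so it helps to see how a request to that API is authenticated and why the secret key must be protected. The script below is an added example, not Hunters' collector or Duo's own client: it builds Duo's canonical request, signs it with HMAC-SHA1 under the secret key, sends the integration key and signature as HTTP Basic credentials, and pages through the v2 authentication log endpoint. The integration key, secret key and hostname values are placeholders, and the function names are this example's own; the canonical-request layout, the Basic-auth encoding and the endpoint parameters (millisecond `mintime`/`maxtime`, `limit`, `next_offset`) follow Duo's published Admin API documentation.

```python
"""Sign a Duo Admin API request and page through /admin/v2/logs/authentication."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from email.utils import formatdate
from typing import Dict, Iterator, Optional, Tuple


def canonicalize(date: str, method: str, host: str, path: str, params: Dict[str, str]) -> str:
    """Duo's canonical request: RFC 2822 date, upper-case method, lower-case host, path,
    then the parameters sorted by key and percent-encoded with only A-Za-z0-9._~- left bare."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def signature(skey: str, canon: str) -> str:
    """HMAC-SHA1 of the canonical request keyed with the secret key, as lower-case hex."""
    return hmac.new(skey.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()


def build_request(ikey: str, skey: str, host: str, path: str, params: Dict[str, str],
                  date: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a GET. The integration key is the Basic username and the
    signature the Basic password, so the secret key itself never leaves this process."""
    date = date or formatdate()
    canon = canonicalize(date, "GET", host, path, params)
    creds = base64.b64encode(f"{ikey}:{signature(skey, canon)}".encode("ascii")).decode("ascii")
    query = canon.rsplit("\n", 1)[1]
    url = f"https://{host}{path}" + (f"?{query}" if query else "")
    return url, {"Date": date, "Authorization": f"Basic {creds}"}


def auth_log_params(mintime_ms: int, maxtime_ms: int, next_offset=None,
                    limit: int = 1000) -> Dict[str, str]:
    """The v2 authentication log endpoint takes millisecond timestamps (v1 used seconds)
    and pages with the next_offset value echoed back from the previous response."""
    params = {"mintime": str(mintime_ms), "maxtime": str(maxtime_ms), "limit": str(limit)}
    if next_offset:
        # Duo returns next_offset as a [timestamp, txid] pair; it is sent back comma-joined.
        params["next_offset"] = ",".join(next_offset) if isinstance(next_offset, list) else str(next_offset)
    return params


def fetch_authentication_logs(ikey: str, skey: str, host: str,
                              mintime_ms: int, maxtime_ms: int) -> Iterator[dict]:
    """Yield every authentication record in the window (performs network calls)."""
    next_offset = None
    while True:
        url, headers = build_request(ikey, skey, host, "/admin/v2/logs/authentication",
                                     auth_log_params(mintime_ms, maxtime_ms, next_offset))
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            body = json.load(resp)
        if body.get("stat") != "OK":
            raise RuntimeError(f"Duo API error: {body}")
        yield from body["response"]["authlogs"]
        next_offset = body["response"]["metadata"].get("next_offset")
        if not next_offset:
            return


if __name__ == "__main__":
    # Placeholder credentials: replace with the values from your own Duo Admin API application.
    for record in fetch_authentication_logs("DIXXXXXXXXXXXXXXXXXX", "secret-key",
                                            "api-xxxxxxxx.duosecurity.com",
                                            1700000000000, 1700003600000):
        print(json.dumps(record))  # one JSON object per line, i.e. the NDJSON shape Hunters ingests
```

Two practical points follow from the code: the Date header is part of the signed string, so a collector whose clock drifts will get its requests rejected, and the secret key is only ever used as an HMAC key, which is why it should be stored in a secrets manager rather than alongside the hostname and integration key.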
Expected format
The expected format of the logs is NDJSON (one JSON object per line) as exported from the Duo Admin API. One example record for each data type follows.
Authentication logs
{"access_device": {"browser": "Chrome", "browser_version": "94.0.4606.61", "epkey": "AAAAA", "flash_version": "uninstalled", "hostname": null, "ip": "1.1.1.1", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": "uninstalled", "location": {"city": "New York", "country": "USA", "state": "New York"}, "os": "Windows", "os_version": "10", "security_agents": "unknown"}, "alias": "", "application": {"key": "BBBBB", "name": "Auth0 Device Health Apps"}, "auth_device": {"ip": null, "location": {"city": "New York", "country": "USA", "state": "Ney York"}, "name": null}, "email": "john.doe@google.com", "event_type": "authentication", "factor": "remembered_device", "isotimestamp": "2021-09-30T18:03:11.290140+00:00", "ood_software": null, "reason": "remembered_device", "result": "success", "timestamp": 1633024991, "trusted_endpoint_status": "unknown", "txid": "111-222-333-aaa", "user": {"groups": ["group A", "Group B"], "key": "AA444", "name": "John.Doe"}, "eventtype": "authentication", "host": "api-111.duosecurity.com"}
Users logs
{"alias1": null, "alias2": null, "alias3": null, "alias4": null, "aliases": {}, "created": 1581630080, "desktoptokens": [], "email": "asdda.dsd@hunter.com", "firstname": "Dan", "groups": [{"desc": "", "group_id": "DGNNZ5G123JM20WRNG6", "mobile_otp_enabled": false, "name": "ERT-DUO-RDP (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}, {"desc": "", "group_id": "DGAW12221ZARE8IKON9", "mobile_otp_enabled": false, "name": "ERT-DUO-UNIX-SSH (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}], "is_enrolled": true, "last_directory_sync": 1666270958, "last_login": 1666262891, "lastname": "Pacheco", "notes": "", "phones": [{"activated": true, "capabilities": ["auto", "push", "sms", "mobile_otp"], "encrypted": "Encrypted", "extension": "", "fingerprint": "Configured", "last_seen": "2022-12-07T14:34:34", "model": "Motorola Moto G(8) Power", "name": "", "number": "+5564541135635", "phone_id": "DPEI89RT4724CB61JIAU", "platform": "Google Android", "postdelay": "", "predelay": "", "screenlock": "Locked", "sms_passcodes_sent": false, "tampered": "Not tampered", "type": "Mobile"}], "realname": "Dan Pachecy", "status": "active", "tokens": [], "u2ftokens": [], "user_id": "DUQ8VFVBVONI675X5818", "username": "dan.pachecy", "webauthncredentials": []}
Administrator logs
{"action": "activation_set_password", "description": null, "isotimestamp": "2022-11-29T06:28:14+00:00", "object": "Sushma N", "timestamp": 1669703294, "username": "Sushma N"}
Trust Monitor events
{"explanations":[{"summary":"Summary1","type":"TYPE_1"},{"summary":"Summary2","type":"TYPE_2"}],"from_common_netblock":true,"from_new_user":false,"low_risk_ip":false,"priority_event":false,"priority_reasons":[],"sekey":"ABCDEFG4HIJKL8MN2OPQ","state":"new","state_updated_timestamp":null,"surfaced_auth":{"access_device":{"browser":"Chrome","browser_version":"109.0.5414.120","epkey":null,"flash_version":null,"hostname":null,"ip":"11.2.33.444","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Stamford","country":"United States","state":"Connecticut"},"os":"Windows","os_version":"11"},"adaptive_trust_assessments":{},"alias":"unknown","application":{"key":"ABCDEFG1HIJKL3MN4OPQ","name":"Name"},"auth_device":{"ip":"111.222.333.444","key":null,"location":{"city":"Mumbai","country":"India","state":"Maharashtra"},"name":"888-777-9999"},"email":"","event_type":null,"factor":"duo_push","isotimestamp":"2023-02-30T13:14:53.366+00:00","ood_software":"","reason":"reason1","result":"success","timestamp":1674998023,"txid":"11ab2c3d-e4fg-5hi6-jk78-9900i1jk2l34","user":{"groups":["Message1"],"key":"AABBCCD1EEF3HH4IIJ","name":"User1"}},"surfaced_timestamp":1675014560123,"triage_event_uri":"https://example.com/uri","triaged_as_interesting":false,"type":"type1"}
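The authentication log fields shown above (`result`, `reason`, `factor`, `access_device.location`, `auth_device.location`) are enough to express several detections that matter for an MFA provider. The Python below is an added example written for this page, not a Hunters detection rule or Duo code; it parses NDJSON records in that shape and runs three rules over them: a successful login whose authenticating device reports a different country from the access device (the pattern the Trust Monitor sample above surfaces, Stamford versus Mumbai), a push-fatigue sequence of repeated denied or unanswered pushes followed by an approval, and a user pressing the fraud button. The sample records are constructed, not real Duo data; the `result` and `reason` values they use (`success`, `denied`, `fraud`, `user_approved`, `no_response`, `user_denied`, `user_marked_fraud`) are taken from Duo's documented authentication log values.

```python
"""Run three detections over Duo authentication logs in NDJSON form."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not real Duo data). Only the fields the rules read are populated;
# real records carry the full structure shown in the page's authentication log example.
SAMPLE_NDJSON = """\
{"event_type":"authentication","txid":"t1","isotimestamp":"2024-05-01T10:00:00+00:00","result":"success","reason":"user_approved","factor":"duo_push","user":{"name":"alice"},"access_device":{"ip":"203.0.113.10","location":{"country":"United States"}},"auth_device":{"location":{"country":"United States"}}}
{"event_type":"authentication","txid":"t2","isotimestamp":"2024-05-01T10:05:00+00:00","result":"success","reason":"user_approved","factor":"duo_push","user":{"name":"bob"},"access_device":{"ip":"198.51.100.7","location":{"country":"United States"}},"auth_device":{"location":{"country":"India"}}}
{"event_type":"authentication","txid":"t3","isotimestamp":"2024-05-01T10:55:00+00:00","result":"denied","reason":"no_response","factor":"duo_push","user":{"name":"carol"},"access_device":{"ip":"198.51.100.9","location":{"country":"Germany"}},"auth_device":{"location":{"country":"Germany"}}}
{"event_type":"authentication","txid":"t4","isotimestamp":"2024-05-01T10:57:00+00:00","result":"denied","reason":"no_response","factor":"duo_push","user":{"name":"carol"},"access_device":{"ip":"198.51.100.9","location":{"country":"Germany"}},"auth_device":{"location":{"country":"Germany"}}}
{"event_type":"authentication","txid":"t5","isotimestamp":"2024-05-01T10:59:00+00:00","result":"denied","reason":"user_denied","factor":"duo_push","user":{"name":"carol"},"access_device":{"ip":"198.51.100.9","location":{"country":"Germany"}},"auth_device":{"location":{"country":"Germany"}}}
{"event_type":"authentication","txid":"t6","isotimestamp":"2024-05-01T11:03:00+00:00","result":"success","reason":"user_approved","factor":"duo_push","user":{"name":"carol"},"access_device":{"ip":"198.51.100.9","location":{"country":"Germany"}},"auth_device":{"location":{"country":"Germany"}}}
{"event_type":"authentication","txid":"t7","isotimestamp":"2024-05-01T12:00:00+00:00","result":"fraud","reason":"user_marked_fraud","factor":"duo_push","user":{"name":"dave"},"access_device":{"ip":"192.0.2.44","location":{"country":"United States"}},"auth_device":{"location":{"country":"United States"}}}
"""


def load_ndjson(text: str) -> List[Dict]:
    """NDJSON: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _country(rec: Dict, device: str) -> str:
    """Country of access_device or auth_device; empty when Duo left location null."""
    return (((rec.get(device) or {}).get("location") or {}).get("country")) or ""


def _ts(rec: Dict) -> datetime:
    # Duo isotimestamps carry an explicit +00:00 offset, which fromisoformat accepts.
    return datetime.fromisoformat(rec["isotimestamp"])


def geo_mismatch(recs: List[Dict]) -> List[Dict]:
    """Successful logins where the device that approved the push sits in a different
    country from the device logging in."""
    return [
        {"rule": "geo_mismatch", "user": r["user"]["name"], "txid": r["txid"],
         "access": _country(r, "access_device"), "auth": _country(r, "auth_device")}
        for r in recs
        if r.get("result") == "success"
        and _country(r, "access_device") and _country(r, "auth_device")
        and _country(r, "access_device") != _country(r, "auth_device")
    ]


def push_fatigue(recs: List[Dict], min_denials: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """An approved push preceded by at least min_denials denied or unanswered pushes
    for the same user inside the window: the user eventually gave in."""
    by_user = defaultdict(list)
    for r in recs:
        if r.get("factor") == "duo_push":
            by_user[r["user"]["name"]].append(r)
    findings = []
    for user, events in by_user.items():
        events.sort(key=_ts)
        for i, r in enumerate(events):
            if r.get("result") != "success":
                continue
            t = _ts(r)
            denials = [e for e in events[:i] if e.get("result") == "denied" and t - _ts(e) <= window]
            if len(denials) >= min_denials:
                findings.append({"rule": "push_fatigue", "user": user, "txid": r["txid"],
                                 "denials": len(denials)})
    return findings


def marked_fraud(recs: List[Dict]) -> List[Dict]:
    """The user reported the push as fraudulent; this is a credential-compromise signal."""
    return [{"rule": "user_marked_fraud", "user": r["user"]["name"], "txid": r["txid"]}
            for r in recs if r.get("result") == "fraud" or r.get("reason") == "user_marked_fraud"]


def run_detections(recs: List[Dict]) -> List[Dict]:
    return geo_mismatch(recs) + push_fatigue(recs) + marked_fraud(recs)


if __name__ == "__main__":
    for finding in run_detections(load_ndjson(SAMPLE_NDJSON)):
        print(json.dumps(finding))
```

The push-fatigue rule deliberately keys on the user rather than the access device IP, because the attacker driving the pushes and the victim approving them are on different machines; the geo rule only fires on `success`, since a denied push from the wrong country is already handled by the fatigue rule and the fraud button.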