Duo Security


TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Duo Authentication Logs | | | | | duo_authentication_logs | NDJSON | API |
| Duo Users Logs | | | | | duo_users | NDJSON | API |
| Duo Administrator Logs | | | | | duo_administrator_logs | NDJSON | API |
| Duo Trust Monitor Events | | | | | duo_trust_monitor_events | NDJSON | API |


Overview

Duo Security is a user-centric access security platform that provides two-factor authentication.

Two-factor authentication adds a second layer of security to online accounts. Verifying identity with a second factor (such as a push to the user's phone or another enrolled device) means that an attacker who knows the password still cannot log in without also controlling that second factor.

Supported data types

Duo Authentication Logs

Table name: duo_authentication_logs

Duo Security Authentication Logs record every authentication attempt handled by Duo. Each record carries the outcome (result and reason), the factor used, the protected application, the user and their groups, the access device (browser, OS, IP and geolocation) and the authentication device that approved or rejected the request. They are the primary source for investigating successful and failed logins and for spotting push fatigue, fraud reports and unusual device or location combinations.

Learn more here.

Duo Users Logs

Table name: duo_users

Duo Security's user records describe each user known to Duo: enrollment status, group memberships, enrolled phones, hardware tokens and WebAuthn credentials, last login and last directory sync. They are an inventory rather than an event stream, and are useful for confirming who can authenticate, finding unenrolled or stale accounts, checking device hygiene (screen lock, tampering, encryption) and joining authentication events to user attributes.

Learn more here.

Duo Administrator Logs

Table name: duo_administrator_logs

Duo Administrator Logs capture activities performed by administrators within the Duo Security system. These logs are critical for security and compliance, tracking changes made to configurations, user management actions, policy updates, and administrative access.

Learn more here.

Duo Trust Monitor Events

Table name: duo_trust_monitor_events

Duo Trust Monitor Events analyze and highlight authentication activities that deviate from established user patterns, helping to identify potentially risky behavior. This tool is designed to enhance security by detecting unusual access attempts or actions that could indicate a compromise, enabling prompt investigation and response to suspicious activities.

Learn more here.

🚧 Note

Duo Trust Monitor is available only on the Duo Beyond and Duo Access plans. Confirm that your Duo subscription includes Trust Monitor before enabling that log type in Hunters; the other three log types do not depend on it.

Send data to Hunters

Hunters collects Duo Security logs through the Duo Admin API.

To connect Duo Security logs:

  1. Log into the Duo Admin Panel using an account with administrative privileges.

  2. Create an Admin API integration:

    1. Navigate to "Applications" and select "Protect an Application."

    2. Search for "Admin API" and click "Protect."

    3. Duo generates the credentials Hunters needs:

      1. Integration key

      2. Secret key

      3. API hostname (for example, api-xxxxxxxx.duosecurity.com)

  3. Assign API permissions. In the Admin API application's settings, enable the following permissions, which Hunters needs to reach the log endpoints:

    1. Grant read resource

    2. Grant read log

    Leave every other permission (write, administrator and settings grants) disabled: the keys are read-only collector credentials, and a leaked key then exposes only read access. Treat the Secret key like a password; if it is ever exposed, reset it in the Duo Admin Panel and update the Hunters integration.

      📘Note

      The permissions needed for the Hunters integration are Grant read resource and Grant read log. More information on Duo API permissions can be found here.

  4. Confirm supported log types. Hunters collects the following Duo log types, all through the same Admin API credentials:

    1. Authentication Logs

    2. Users Logs

    3. Administrator Logs

    4. Trust Monitor Events

  5. Format. Duo returns each record as a JSON object, which Hunters stores as NDJSON (newline-delimited JSON). No additional formatting is required on your side.

  6. Configure the integration in Hunters. In the Hunters platform:

    1. Navigate to Data Sources > Add Source > Duo Security

    2. Enter the Integration key, Secret key, and API hostname

    3. Select the log types to ingest

    4. Set the desired collection frequency (recommended: hourly)

  7. Test the connection. Verify that the credentials and API hostname work.

  8. Validate data ingestion. Check the Data Ingestion Dashboard in Hunters to confirm that logs are being received and parsed as expected.

Expected format

The expected format of the logs is NDJSON (one JSON object per line) as exported by Duo.

Authentication logs

{"access_device": {"browser": "Chrome", "browser_version": "94.0.4606.61", "epkey": "AAAAA", "flash_version": "uninstalled", "hostname": null, "ip": "1.1.1.1", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": "uninstalled", "location": {"city": "New York", "country": "USA", "state": "New York"}, "os": "Windows", "os_version": "10", "security_agents": "unknown"}, "alias": "", "application": {"key": "BBBBB", "name": "Auth0 Device Health Apps"}, "auth_device": {"ip": null, "location": {"city": "New York", "country": "USA", "state": "New York"}, "name": null}, "email": "john.doe@google.com", "event_type": "authentication", "factor": "remembered_device", "isotimestamp": "2021-09-30T18:03:11.290140+00:00", "ood_software": null, "reason": "remembered_device", "result": "success", "timestamp": 1633024991, "trusted_endpoint_status": "unknown", "txid": "111-222-333-aaa", "user": {"groups": ["group A", "Group B"], "key": "AA444", "name": "John.Doe"}, "eventtype": "authentication", "host": "api-111.duosecurity.com"}

Users logs

{"alias1": null, "alias2": null, "alias3": null, "alias4": null, "aliases": {}, "created": 1581630080, "desktoptokens": [], "email": "asdda.dsd@hunter.com", "firstname": "Dan", "groups": [{"desc": "", "group_id": "DGNNZ5G123JM20WRNG6", "mobile_otp_enabled": false, "name": "ERT-DUO-RDP (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}, {"desc": "", "group_id": "DGAW12221ZARE8IKON9", "mobile_otp_enabled": false, "name": "ERT-DUO-UNIX-SSH (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}], "is_enrolled": true, "last_directory_sync": 1666270958, "last_login": 1666262891, "lastname": "Pacheco", "notes": "", "phones": [{"activated": true, "capabilities": ["auto", "push", "sms", "mobile_otp"], "encrypted": "Encrypted", "extension": "", "fingerprint": "Configured", "last_seen": "2022-12-07T14:34:34", "model": "Motorola Moto G(8) Power", "name": "", "number": "+5564541135635", "phone_id": "DPEI89RT4724CB61JIAU", "platform": "Google Android", "postdelay": "", "predelay": "", "screenlock": "Locked", "sms_passcodes_sent": false, "tampered": "Not tampered", "type": "Mobile"}], "realname": "Dan Pachecy", "status": "active", "tokens": [], "u2ftokens": [], "user_id": "DUQ8VFVBVONI675X5818", "username": "dan.pachecy", "webauthncredentials": []}

Administrator logs

{"action": "activation_set_password", "description": null, "isotimestamp": "2022-11-29T06:28:14+00:00", "object": "Sushma N", "timestamp": 1669703294, "username": "Sushma N"}

Trust Monitor events

{"explanations":[{"summary":"Summary1","type":"TYPE_1"},{"summary":"Summary2","type":"TYPE_2"}],"from_common_netblock":true,"from_new_user":false,"low_risk_ip":false,"priority_event":false,"priority_reasons":[],"sekey":"ABCDEFG4HIJKL8MN2OPQ","state":"new","state_updated_timestamp":null,"surfaced_auth":{"access_device":{"browser":"Chrome","browser_version":"109.0.5414.120","epkey":null,"flash_version":null,"hostname":null,"ip":"11.2.33.444","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Stamford","country":"United States","state":"Connecticut"},"os":"Windows","os_version":"11"},"adaptive_trust_assessments":{},"alias":"unknown","application":{"key":"ABCDEFG1HIJKL3MN4OPQ","name":"Name"},"auth_device":{"ip":"111.222.333.444","key":null,"location":{"city":"Mumbai","country":"India","state":"Maharashtra"},"name":"888-777-9999"},"email":"","event_type":null,"factor":"duo_push","isotimestamp":"2023-01-29T13:13:43.366+00:00","ood_software":"","reason":"reason1","result":"success","timestamp":1674998023,"txid":"11ab2c3d-e4fg-5hi6-jk78-9900i1jk2l34","user":{"groups":["Message1"],"key":"AABBCCD1EEF3HH4IIJ","name":"User1"}},"surfaced_timestamp":1675014560123,"triage_event_uri":"https://example.com/uri","triaged_as_interesting":false,"type":"type1"}
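The samples above show that a Trust Monitor event wraps an ordinary authentication record under surfaced_auth, so one set of detections can run over both duo_authentication_logs and duo_trust_monitor_events. The example below does that for three things an analyst looks for in these records: a push the user reported as fraud, an access device and approving device in different countries (as in the Trust Monitor sample, Stamford versus Mumbai), and push fatigue, several unapproved pushes to one user in a short window. This is added example code for this page, not a Hunters detector: the field names come from the samples on this page, while the sample records, thresholds and the reason strings no_response, user_cancelled and user_marked_fraud are constructed for illustration and are assumptions about Duo's vocabulary rather than values taken from the page.

```python
"""Detections over Duo NDJSON records. Added example, not Hunters' code: sample
records, thresholds and the reason strings are constructed for illustration."""
import json
from collections import defaultdict


def _auth(user, ts, factor, result, reason, access_country, auth_country):
    """Constructed authentication record carrying only the fields the rules read."""
    return {
        "event_type": "authentication", "timestamp": ts, "factor": factor,
        "result": result, "reason": reason,
        "user": {"name": user, "key": "AA444", "groups": []},
        "access_device": {"ip": "1.1.1.1", "location": {"country": access_country}},
        "auth_device": {"ip": None, "location": {"country": auth_country}},
    }


SAMPLE_RECORDS = [
    _auth("John.Doe", 1633024991, "remembered_device", "success", "remembered_device", "USA", "USA"),
    # Four unapproved pushes to one user within five minutes, the last one marked as fraud.
    _auth("jane.roe", 1633025000, "duo_push", "denied", "no_response", "USA", "USA"),
    _auth("jane.roe", 1633025090, "duo_push", "denied", "no_response", "USA", "USA"),
    _auth("jane.roe", 1633025180, "duo_push", "denied", "user_cancelled", "USA", "USA"),
    _auth("jane.roe", 1633025300, "duo_push", "fraud", "user_marked_fraud", "USA", "USA"),
    # Trust Monitor event: the authentication sits under surfaced_auth.
    {"sekey": "ABCDEFG4HIJKL8MN2OPQ", "state": "new", "type": "type1",
     "surfaced_auth": _auth("User1", 1674998023, "duo_push", "success", "reason1",
                            "United States", "India")},
]
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # one object per line


def iter_auths(ndjson):
    """Yield (table, auth_record) per line; Trust Monitor events are unwrapped so
    the same rules apply to both tables."""
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "surfaced_auth" in rec:
            yield "duo_trust_monitor_events", rec["surfaced_auth"]
        else:
            yield "duo_authentication_logs", rec


def _country(device):
    return ((device or {}).get("location") or {}).get("country")


def max_in_window(times, window_s):
    """Largest number of events that fall inside any span of window_s seconds."""
    times = sorted(times)
    return max((sum(1 for t in times[i:] if t - start <= window_s)
                for i, start in enumerate(times)), default=0)


def detect(ndjson, fatigue_threshold=3, window_s=600):
    """Return findings as dicts with rule, table, user and detail."""
    findings = []
    failed_pushes = defaultdict(list)  # user -> (timestamp, table) of pushes not approved
    for table, auth in iter_auths(ndjson):
        user = (auth.get("user") or {}).get("name")
        ts = auth.get("timestamp")
        # Rule 1: the user explicitly reported a push they did not initiate.
        if auth.get("reason") == "user_marked_fraud":
            findings.append({"rule": "fraud_report", "table": table, "user": user, "detail": ts})
        # Rule 2: browser and approving phone in different countries. Duo writes the
        # country as free text ("USA" in one sample, "United States" in another), so
        # compare only the two devices of the same record, never across records.
        src, dst = _country(auth.get("access_device")), _country(auth.get("auth_device"))
        if src and dst and src != dst:
            findings.append({"rule": "country_mismatch", "table": table, "user": user,
                             "detail": f"{src} != {dst}"})
        # Rule 3 (collection): pushes that were not approved, for the fatigue check.
        if auth.get("factor") == "duo_push" and auth.get("result") != "success":
            failed_pushes[user].append((ts, table))
    for user, events in failed_pushes.items():
        n = max_in_window([t for t, _ in events], window_s)
        if n >= fatigue_threshold:
            findings.append({"rule": "push_fatigue", "table": sorted({tb for _, tb in events}),
                             "user": user, "detail": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_NDJSON):
        print(finding)
```

On the constructed sample this yields one fraud_report and one push_fatigue finding for jane.roe and one country_mismatch for User1 from the Trust Monitor record; the John.Doe remembered_device login produces nothing. Tune fatigue_threshold and window_s to your environment, and expect the country comparison to need normalisation if you ever compare across records.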