Duo Security

  • Updated on Mar 4, 2025
  • Published on May 15, 2023

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Duo Authentication Logs

✅

✅

✅

duo_authentication_logs

NDJSON

API

Duo Users Logs

✅

duo_users

NDJSON

API

Duo Administrator Logs

✅

✅

duo_administrator_logs

NDJSON

API

Duo Trust Monitor Events

✅

✅

duo_trust_monitor_events

NDJSON

API

Overview

imageDuo Security is a user-centric access security platform that provides two-factor authentication.

Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.

Supported data types

Duo Authentication Logs

Table name: duo_authentication_logs

Duo Security Authentication Logs are records that track and detail every authentication attempt and action within Duo's system. These logs are essential for security, providing insights into login attempts, successful and failed authentications, device details used for access, and specific user actions regarding authentication and policy changes.

Learn more here.

Duo Users Logs

Table name: duo_users

Duo Security's user logs provide detailed information about authentication events and actions taken by users within the system. These logs are essential for monitoring access, troubleshooting authentication issues, and ensuring compliance with security policies.

Learn more here.

Duo Administrator Logs

Table name: duo_administrator_logs

Duo Administrator Logs capture activities performed by administrators within the Duo Security system. These logs are critical for security and compliance, tracking changes made to configurations, user management actions, policy updates, and administrative access.

Learn more here.

Duo Trust Monitor Events

Table name: duo_trust_monitor_events

Duo Trust Monitor Events analyze and highlight authentication activities that deviate from established user patterns, helping to identify potentially risky behavior. This tool is designed to enhance security by detecting unusual access attempts or actions that could indicate a compromise, enabling prompt investigation and response to suspicious activities.

Learn more here.

🚧 Note

This data source is available for Duo Beyond and Duo Access plans. Make sure these are available before setting it up in Hunters.

Send data to Hunters

Hunters supports the collection of logs from Duo Security using API.

To connect Duo Security logs:

  1. Gather the following information from your Duo Security account:

    • Integration key

    • Secret key

    • API hostname (Example - api-xxxxxxxx.duosecurity.com)

      📘Note

      The permissions needed for the Hunters integration are Grant read resource and Grant read log. More information on Duo API permissions can be found here.

  2. Complete the process on the Hunters platform, following this process.

Expected format

The expected format of the logs is the NDJson format as exported by Duo.

Authentication logs

{"access_device": {"browser": "Chrome", "browser_version": "94.0.4606.61", "epkey": "AAAAA", "flash_version": "uninstalled", "hostname": null, "ip": "1.1.1.1", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": "uninstalled", "location": {"city": "New York", "country": "USA", "state": "New York"}, "os": "Windows", "os_version": "10", "security_agents": "unknown"}, "alias": "", "application": {"key": "BBBBB", "name": "Auth0 Device Health Apps"}, "auth_device": {"ip": null, "location": {"city": "New York", "country": "USA", "state": "Ney York"}, "name": null}, "email": "john.doe@google.com", "event_type": "authentication", "factor": "remembered_device", "isotimestamp": "2021-09-30T18:03:11.290140+00:00", "ood_software": null, "reason": "remembered_device", "result": "success", "timestamp": 1633024991, "trusted_endpoint_status": "unknown", "txid": "111-222-333-aaa", "user": {"groups": ["group A", "Group B"], "key": "AA444", "name": "John.Doe"}, "eventtype": "authentication", "host": "api-111.duosecurity.com"}

Users logs

{"alias1": null, "alias2": null, "alias3": null, "alias4": null, "aliases": {}, "created": 1581630080, "desktoptokens": [], "email": "asdda.dsd@hunter.com", "firstname": "Dan", "groups": [{"desc": "", "group_id": "DGNNZ5G123JM20WRNG6", "mobile_otp_enabled": false, "name": "ERT-DUO-RDP (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}, {"desc": "", "group_id": "DGAW12221ZARE8IKON9", "mobile_otp_enabled": false, "name": "ERT-DUO-UNIX-SSH (from AD sync \"AD Sync - WER\")", "push_enabled": false, "sms_enabled": false, "status": "Active", "voice_enabled": false}], "is_enrolled": true, "last_directory_sync": 1666270958, "last_login": 1666262891, "lastname": "Pacheco", "notes": "", "phones": [{"activated": true, "capabilities": ["auto", "push", "sms", "mobile_otp"], "encrypted": "Encrypted", "extension": "", "fingerprint": "Configured", "last_seen": "2022-12-07T14:34:34", "model": "Motorola Moto G(8) Power", "name": "", "number": "+5564541135635", "phone_id": "DPEI89RT4724CB61JIAU", "platform": "Google Android", "postdelay": "", "predelay": "", "screenlock": "Locked", "sms_passcodes_sent": false, "tampered": "Not tampered", "type": "Mobile"}], "realname": "Dan Pachecy", "status": "active", "tokens": [], "u2ftokens": [], "user_id": "DUQ8VFVBVONI675X5818", "username": "dan.pachecy", "webauthncredentials": []}

Administrator logs

{"action": "activation_set_password", "description": null, "isotimestamp": "2022-11-29T06:28:14+00:00", "object": "Sushma N", "timestamp": 1669703294, "username": "Sushma N"}

Trust Monitor events

{"explanations":[{"summary":"Summary1","type":"TYPE_1"},{"summary":"Summary2","type":"TYPE_2"}],"from_common_netblock":true,"from_new_user":false,"low_risk_ip":false,"priority_event":false,"priority_reasons":[],"sekey":"ABCDEFG4HIJKL8MN2OPQ","state":"new","state_updated_timestamp":null,"surfaced_auth":{"access_device":{"browser":"Chrome","browser_version":"109.0.5414.120","epkey":null,"flash_version":null,"hostname":null,"ip":"11.2.33.444","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Stamford","country":"United States","state":"Connecticut"},"os":"Windows","os_version":"11"},"adaptive_trust_assessments":{},"alias":"unknown","application":{"key":"ABCDEFG1HIJKL3MN4OPQ","name":"Name"},"auth_device":{"ip":"111.222.333.444","key":null,"location":{"city":"Mumbai","country":"India","state":"Maharashtra"},"name":"888-777-9999"},"email":"","event_type":null,"factor":"duo_push","isotimestamp":"2023-02-30T13:14:53.366+00:00","ood_software":"","reason":"reason1","result":"success","timestamp":1674998023,"txid":"11ab2c3d-e4fg-5hi6-jk78-9900i1jk2l34","user":{"groups":["Message1"],"key":"AABBCCD1EEF3HH4IIJ","name":"User1"}},"surfaced_timestamp":1675014560123,"triage_event_uri":"https://example.com/uri","triaged_as_interesting":false,"type":"type1"}