
DUO Authentication


About

For organizations of all sizes that need to protect sensitive data at scale, Duo is the user-friendly zero-trust security platform for all users, all devices and all applications.

Product Details

Vendor URL: DUO

Product Type: Authentication

Product Tier: Tier II

Integration Method: Custom

Integration URL: N/A

Log Guide: Audit and Operational Log Details

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: DUO_AUTH

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                          UDM Field
GENERIC_EVENT, authentication, admin_login, enrollment  metadata.event_type
access_device.hostname                                  principal.hostname
access_device.ip                                        principal.ip
access_device.location.city                             principal.location.city
access_device.location.country                          principal.location.country_or_region
access_device.location.state                            principal.location.state
access_device.os                                        principal.platform
access_device.os_version                                principal.platform_version
application.name                                        target.application
auth_device.ip                                          target.ip
auth_device.location.city                               target.location.city
auth_device.location.country                            target.location.country_or_region
auth_device.location.state                              target.location.state
auth_device.name                                        target.hostname
Cisco (hardcoded)                                       metadata.vendor_name
device                                                  principal.resource.id
Duo Auth (hardcoded)                                    metadata.product_name
email                                                   target.user.email_addresses
event_type                                              metadata.event_type
factor                                                  extensions.auth.mechanism (Enumerated)
factor                                                  extensions.auth.auth_details
host                                                    observer.hostname
reason                                                  security_result.summary
result                                                  security_result.action
SSO (hardcoded)                                         extensions.auth.type
txid                                                    metadata.product_log_id
user.groups                                             target.user.group_identifiers
user.key                                                target.user.product_object_id
user.name                                               principal.user.userid
user.name                                               target.user.userid
username                                                principal.user.userid

Product Event Types

Event                          UDM Event Classification
authentication, admin_login    USER_LOGIN
enrollment                     USER_CREATION
all others                     GENERIC_EVENT

Log Sample

{"auth_device":{"ip":"10.1.1.7","location":{"city":"McKinney","country":"United States","state":"Texas"},"name":"816-555-1212"},"event_type":"authentication","factor":"duo_push","isotimestamp":"2022-02-17T17:00:32.692541+00:00","application":{"key":"DIRWJLM2NREDACTEDINFO","name":"Azure AD"},"user":{"name":"redacted","groups":["redacted.redacted.DUO.ALL (from AD sync \"Company.domainzone.com\")","redacted.redacted.VPN.EMPLOYEES (from AD sync \"Company.domainzone.com\")"],"key":"DU6U6B2TJREDACTEDINFO"},"alias":"redacted_user@company.com","email":"redacted_Email@company.com","ood_software":null,"timestamp":1645117232,"access_device":{"location":{"city":"Washington","country":"United States","state":"District of Columbia"},"epkey":"EPWKIC9JMZREDACTEDINFO","hostname":null,"ip":"10.1.1.9"},"reason":"user_approved","result":"success","txid":"057d3dfd-229a-4aa1-b659-redacted"}

Sample Parsing

metadata.product_log_id: 057d3dfd-229a-4aa1-b659-redacted
metadata.event_type: USER_LOGIN
metadata.vendor_name: Cisco
metadata.product_name: Duo Auth
metadata.product_event_type: authentication
principal.user.userid: redacted
principal.ip: 10.1.1.9
principal.location.city: Washington
principal.location.state: District of Columbia
principal.location.country_or_region: United States
target.hostname: 816-555-1212
target.user.product_object_id: DU6U6B2TJREDACTEDINFO
target.user.userid: redacted
target.user.group_identifiers: redacted.redacted.DUO.ALL (from AD sync Company.domainzone.com)
target.user.group_identifiers: redacted.redacted.VPN.EMPLOYEES (from AD sync Company.domainzone.com)
target.user.email_addresses: redacted_Email@company.com
target.ip: 10.1.1.7
target.application: Azure AD
target.location.city: McKinney
target.location.state: Texas
target.location.country_or_region: United States
security_result.summary: user_approved
security_result.action: ALLOW
extensions.auth.type: SSO
extensions.auth.mechanism: REMOTE_INTERACTIVE
extensions.auth.auth_details: duo_push
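The field mapping and event classification above, applied in Python to a constructed log line shortened from the sample (added example, not the vendor's parser). Only success -> ALLOW and duo_push -> REMOTE_INTERACTIVE appear on this page, so the fallback values for other results and factors are assumptions of this example.

```python
import json

# Event classification from the "Product Event Types" table above.
EVENT_CLASS = {"authentication": "USER_LOGIN", "admin_login": "USER_LOGIN", "enrollment": "USER_CREATION"}
# The page shows only success -> ALLOW and duo_push -> REMOTE_INTERACTIVE; the fallback
# values used below are assumptions of this example, not the vendor parser's behaviour.
RESULT_ACTION = {"success": "ALLOW"}
FACTOR_MECHANISM = {"duo_push": "REMOTE_INTERACTIVE"}

# Constructed sample, shortened from the page's log sample (note the null hostname).
SAMPLE_LOG = ('{"auth_device":{"ip":"10.1.1.7","location":{"city":"McKinney","country":"United States",'
              '"state":"Texas"},"name":"816-555-1212"},"event_type":"authentication","factor":"duo_push",'
              '"application":{"name":"Azure AD"},"user":{"name":"redacted","groups":["grp1"],'
              '"key":"USERKEY"},"email":"redacted_Email@company.com","access_device":{"location":{"city":'
              '"Washington","country":"United States","state":"District of Columbia"},"hostname":null,'
              '"ip":"10.1.1.9"},"reason":"user_approved","result":"success","txid":"057d3dfd-redacted"}')

def _copy(udm, pairs, src):
    """Copy present, non-null source keys to their UDM paths (a null hostname must not become 'None')."""
    for key, dst in pairs:
        if src.get(key):
            udm[dst] = src[key]

def _location(udm, prefix, loc):
    _copy(udm, [("city", f"{prefix}.location.city"), ("state", f"{prefix}.location.state"),
                ("country", f"{prefix}.location.country_or_region")], loc or {})

def duo_to_udm(raw: str) -> dict:
    """Normalize one Duo authentication JSON log line into flat UDM field paths."""
    ev = json.loads(raw)
    udm = {"metadata.vendor_name": "Cisco", "metadata.product_name": "Duo Auth", "extensions.auth.type": "SSO",
           "metadata.product_event_type": ev.get("event_type"),
           "metadata.event_type": EVENT_CLASS.get(ev.get("event_type"), "GENERIC_EVENT")}
    _copy(udm, [("txid", "metadata.product_log_id"), ("email", "target.user.email_addresses"),
                ("reason", "security_result.summary")], ev)
    acc = ev.get("access_device") or {}
    _copy(udm, [("hostname", "principal.hostname"), ("ip", "principal.ip"), ("os", "principal.platform"),
                ("os_version", "principal.platform_version")], acc)
    _location(udm, "principal", acc.get("location"))
    auth = ev.get("auth_device") or {}
    _copy(udm, [("ip", "target.ip"), ("name", "target.hostname")], auth)
    _location(udm, "target", auth.get("location"))
    user = ev.get("user") or {}
    _copy(udm, [("name", "principal.user.userid"), ("name", "target.user.userid"),
                ("key", "target.user.product_object_id"), ("groups", "target.user.group_identifiers")], user)
    _copy(udm, [("name", "target.application")], ev.get("application") or {})
    udm["security_result.action"] = RESULT_ACTION.get(ev.get("result"), "UNKNOWN_ACTION")
    if ev.get("factor"):
        udm["extensions.auth.auth_details"] = ev["factor"]
        udm["extensions.auth.mechanism"] = FACTOR_MECHANISM.get(ev["factor"], "MECHANISM_UNSPECIFIED")
    return udm
```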

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon