Duo Access Gateway
About
Duo Access Gateway is an on-premises solution that secures access to cloud applications with your users’ existing directory credentials (like Microsoft Active Directory or Google Workspace accounts) using the Security Assertion Markup Language (SAML) 2.0 authentication standard. SAML delegates authentication from a service provider to an identity provider, and is used for single sign-on (SSO) solutions.
Product Details
Vendor URL: Duo Access Gateway
Product Type: Authentication
Product Tier: Tier I
Integration Method: API
Integration URL: Duo Access Gateway - Cyderes Documentation
Log Guide: Logs - Duo Access Gateway
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: DUO_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| hostname | target.hostname |
| username | principal.user.user_display_name |
| type | principal.application |
| program | principal.application |
| pid | principal.process.pid |
| eventtype | metadata.product_event_type |
| auth_stage | metadata.product_event_type |
| duoDescription.ip_address | principal.ip |
| src_ip | principal.ip |
| ip | principal.ip |
| src_port | principal.port |
| duoDescription.device | additional.fields |
| duoDescription.factor | additional.fields |
| factor | additional.fields |
| server_section | additional.fields |
| Statically Defined | extensions.auth.mechanism |
| duoDescription.primary_auth_method | extensions.auth.auth_details |
| status | security_result.action_details |
| result | security_result.action_details |
| msg | security_result.summary |
| reason | security_result.summary |
| relayhost | intermediary.hostname |
| Statically Defined | metadata.description |
| Statically Defined | metadata.event_type |
| Statically Defined | metadata.product_name |
| Statically Defined | metadata.vendor_name |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| s,se,f | | USER_LOGIN | |
| DEFAULT | | GENERIC_EVENT | |
Log Sample
<13>1 2022-08-08T05:08:30.312+00:00 hostname00aa duo - - - {"rec_timestamp":"2022-08-08T05:08:31+00:00","log_time":1.6599353103128808E9,"@version":"1","server_section":"radius_server_duo_only","log_format":null,"status":"Allow","factor":null,"client_ip":null,"program":"duo","server_section_ikey":"A00BCD00E000FG0HI","duoISOtimestamp":"2022-08-08T05:08:30.312845Z","message":"2022-08-08T05:08:31+00:00 hostname00aa duo: {\"timestamp\": \"2022-08-08T05:08:30.312845Z\", \"msg\": \"Success. Logging you in...\", \"username\": \"notREALUSERNAME\", \"auth_stage\": \"Secondary authentication\", \"status\": \"Allow\", \"client_ip\": null, \"server_section\": \"radius_server_duo_only\", \"server_section_ikey\": \"A00BCD00E000FG0HI\", \"factor\": null, \"hostname\": \"hostname00aa\", \"client_section\": \"no_client\", \"log_logger\": {\"unpersistable\": true}, \"log_level\": {\"name\": \"info\", \"__class_uuid__\": \"02e59486-f24d-46ad-8224-3acdf2a5732a\"}, \"log_namespace\": \"duoauthproxy.lib.log\", \"log_source\": null, \"log_format\": null, \"log_time\": 1659935310.3128808}","@timestamp":"2022-08-08T05:08:30.312Z","log_level":{"__class_uuid__":"02e59486-f24d-46ad-8224-3acdf2a5732a","name":"info"},"username":"notREALUSERNAME","log_source":null,"path":"/nsm/hosts/duo/hostname00aa.log","type":"duo","log_namespace":"duoauthproxy.lib.log","hostname":"hostname00aa","msg":"Success. Logging you in...","auth_stage":"Secondary authentication","relayhost":"aa0aaaa00a","log_logger":{"unpersistable":true},"client_section":"no_client"}
Sample Parsing
metadata.event_timestamp = "2022-08-08T05:08:30.312Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Duo"
metadata.product_name = "Access Gateway"
metadata.product_event_type = "Secondary authentication"
metadata.id = "AAAAAKkpC4TOVVy1rrXFUCKYWb0AAAAADgAAAAAAAAA="
additional.ServerSection = "radius_server_duo_only"
principal.user.user_display_name = "notREALUSERNAME"
principal.application = "duo"
target.hostname = "hostname00aa"
target.asset.hostname = "hostname00aa"
intermediary.hostname = "aa0aaaa00a"
security_result.summary = "Success. Logging you in..."
security_result.action = "ALLOW"
security_result.action_details = "Allow"
extensions.auth.mechanism = "USERNAME_PASSWORD"
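The following is an added example, not part of this page or of the Cyderes/Chronicle parser itself. It applies the field-mapping table above to a record shaped like the Log Sample: it strips the RFC 5424 syslog header, decodes the outer JSON, recovers the nested JSON that the Auth Proxy embeds in the `message` field, and produces a flat UDM-style dictionary matching the Sample Parsing output. The sample line is a constructed, abridged copy of the page's own sample (same placeholder hostname, user and relay host). The `ALLOW`/`BLOCK` mapping for statuses other than `Allow`, and the `USER_LOGIN` classification test, are assumptions made for the example, since the page only documents the `Allow` case.

```python
"""Map Duo Access Gateway / Auth Proxy syslog-wrapped JSON records to UDM-style fields."""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Six space-separated header tokens follow "<PRI>1 "; the message is the JSON object.
_SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>1 (?:\S+ ){6}(?P<msg>\{.*\})$")

# Constructed sample: an abridged copy of the page's log sample, keeping the
# nested JSON carried inside "message" (escaped quotes as in the real record).
SAMPLE_LINE = (
    '<13>1 2022-08-08T05:08:30.312+00:00 hostname00aa duo - - - '
    '{"rec_timestamp":"2022-08-08T05:08:31+00:00","server_section":"radius_server_duo_only",'
    '"status":"Allow","factor":null,"client_ip":null,"program":"duo",'
    '"message":"2022-08-08T05:08:31+00:00 hostname00aa duo: {\\"timestamp\\": '
    '\\"2022-08-08T05:08:30.312845Z\\", \\"msg\\": \\"Success. Logging you in...\\", '
    '\\"username\\": \\"notREALUSERNAME\\", \\"auth_stage\\": \\"Secondary authentication\\", '
    '\\"status\\": \\"Allow\\", \\"factor\\": null, \\"hostname\\": \\"hostname00aa\\"}",'
    '"@timestamp":"2022-08-08T05:08:30.312Z","username":"notREALUSERNAME","type":"duo",'
    '"hostname":"hostname00aa","msg":"Success. Logging you in...",'
    '"auth_stage":"Secondary authentication","relayhost":"aa0aaaa00a"}'
)

# Mapping table from the page: UDM field -> ordered candidate source fields.
# Dotted names (duoDescription.ip_address) are looked up as nested keys.
FIELD_MAP: Dict[str, List[str]] = {
    "target.hostname": ["hostname"],
    "principal.user.user_display_name": ["username"],
    "principal.application": ["type", "program"],
    "principal.process.pid": ["pid"],
    "metadata.product_event_type": ["eventtype", "auth_stage"],
    "principal.ip": ["duoDescription.ip_address", "src_ip", "ip"],
    "principal.port": ["src_port"],
    "extensions.auth.auth_details": ["duoDescription.primary_auth_method"],
    "security_result.action_details": ["status", "result"],
    "security_result.summary": ["msg", "reason"],
    "intermediary.hostname": ["relayhost"],
}
# Sources that land in additional.fields, keyed by the label used in Sample Parsing.
ADDITIONAL_FIELDS: Dict[str, List[str]] = {
    "Device": ["duoDescription.device"],
    "Factor": ["duoDescription.factor", "factor"],
    "ServerSection": ["server_section"],
}


def _lookup(record: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted key path against nested dicts; None if any step is missing."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _first(record: Dict[str, Any], candidates: List[str]) -> Any:
    """Return the first non-null candidate value, in table order."""
    for name in candidates:
        value = _lookup(record, name)
        if value is not None:
            return value
    return None


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Strip the syslog header and decode the JSON payload; None if the line is malformed."""
    match = _SYSLOG_RE.match(line.strip())
    if not match:
        return None
    try:
        record = json.loads(match.group("msg"))
    except json.JSONDecodeError:
        return None
    # The Auth Proxy embeds its original JSON line in "message"; merge it so fields
    # missing from the outer envelope can still be recovered (outer values win).
    inner = record.get("message")
    if isinstance(inner, str) and "{" in inner:
        try:
            inner_obj = json.loads(inner[inner.index("{"):])
            if isinstance(inner_obj, dict):
                for key, value in inner_obj.items():
                    record.setdefault(key, value)
        except json.JSONDecodeError:
            pass  # keep the outer record; the inner copy is only a fallback
    return record


def to_udm(record: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the page's mapping table plus the statically defined fields."""
    udm: Dict[str, Any] = {
        "metadata.vendor_name": "Duo",
        "metadata.product_name": "Access Gateway",
        "metadata.event_timestamp": record.get("@timestamp"),
        "extensions.auth.mechanism": "USERNAME_PASSWORD",  # statically defined per the page
    }
    for udm_field, sources in FIELD_MAP.items():
        value = _first(record, sources)
        if value is not None:
            udm[udm_field] = value
    additional = {label: _first(record, srcs) for label, srcs in ADDITIONAL_FIELDS.items()}
    udm["additional.fields"] = {k: v for k, v in additional.items() if v is not None}
    # Assumption: a record carrying both a user and a status is an authentication
    # event (USER_LOGIN); everything else falls through to GENERIC_EVENT.
    is_auth = ("principal.user.user_display_name" in udm
               and "security_result.action_details" in udm)
    udm["metadata.event_type"] = "USER_LOGIN" if is_auth else "GENERIC_EVENT"
    status = udm.get("security_result.action_details")
    if status is not None:
        # Assumption: only "Allow" maps to ALLOW; any other status is treated as BLOCK.
        udm["security_result.action"] = "ALLOW" if str(status).lower() == "allow" else "BLOCK"
    return udm


def normalize(lines: List[str]) -> Tuple[List[Dict[str, Any]], float]:
    """Normalize a batch and report the fraction of lines that parsed (the page expects 100%)."""
    events = [to_udm(rec) for rec in (parse_line(ln) for ln in lines) if rec is not None]
    rate = len(events) / len(lines) if lines else 0.0
    return events, rate


if __name__ == "__main__":
    events, rate = normalize([SAMPLE_LINE])
    print(json.dumps(events[0], indent=2), f"normalization rate: {rate:.0%}")
```

Running the block prints the mapped event for the sample line, which should line up with the Sample Parsing values above (`USER_LOGIN`, `ALLOW`, `Secondary authentication`, `aa0aaaa00a`). The normalization rate returned by `normalize` is the figure to watch in a detection pipeline: any drop below the expected 100% means records are arriving in a shape the mapping does not cover, and those records never reach alerting rules.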
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon