Skip to content

Duo Access Gateway

Duo Access Gateway

About

Duo Access Gateway is an on-premises solution that secures access to cloud applications with your users’ existing directory credentials (like Microsoft Active Directory or Google Workspace accounts) using the Security Assertion Markup Language (SAML) 2.0 authentication standard. SAML delegates authentication from a service provider to an identity provider, and is used for single sign-on (SSO) solutions.

Product Details

Vendor URL: Duo Access Gateway

Product Type: Authentication

Product Tier: Tier I

Integration Method: API

Integration URL: Duo Access Gateway - Cyderes Documentation

Log Guide: Logs - Duo Access Gateway

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: DUO_CASB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
hostname target.hostname
username principal.user.user_display_name
type principal.application
program principal.application
pid principal.process.pid
eventtype metadata.product_event_type
auth_stage metadata.product_event_type
duoDescription.ip_address principal.ip
src_ip principal.ip
ip principal.ip
src_port principal.port
duoDescription.device additional.fields
duoDescription.factor additional.fields
factor additional.fields
server_section additional.fields
Statically Defined extensions.auth.mechanism
duoDescription.primary_auth_method extensions.auth.auth_details
status security_result.action_details
result security_result.action_details
msg security_result.summary
reason security_result.summary
relayhost intermediary.hostname
Statically Defined metadata.description
Statically Defined metadata.event_type
Statically Defined metadata.product_name
Statically Defined metadata.vendor_name

Product Event Types

type,subtype severity UDM Event Classification alerting enabled
s,se,f USER_LOGIN
DEFAULT GENERIC_EVENT

Log Sample

<13>1 2022-08-08T05:08:30.312+00:00 hostname00aa duo - - - {"rec_timestamp":"2022-08-08T05:08:31+00:00","log_time":1.6599353103128808E9,"@version":"1","server_section":"radius_server_duo_only","log_format":null,"status":"Allow","factor":null,"client_ip":null,"program":"duo","server_section_ikey":"A00BCD00E000FG0HI","duoISOtimestamp":"2022-08-08T05:08:30.312845Z","message":"2022-08-08T05:08:31+00:00 hostname00aa duo: {\"timestamp\": \"2022-08-08T05:08:30.312845Z\", \"msg\": \"Success. Logging you in...\", \"username\": \"notREALUSERNAME\", \"auth_stage\": \"Secondary authentication\", \"status\": \"Allow\", \"client_ip\": null, \"server_section\": \"radius_server_duo_only\", \"server_section_ikey\": \"A00BCD00E000FG0HI\", \"factor\": null, \"hostname\": \"hostname00aa\", \"client_section\": \"no_client\", \"log_logger\": {\"unpersistable\": true}, \"log_level\": {\"name\": \"info\", \"__class_uuid__\": \"02e59486-f24d-46ad-8224-3acdf2a5732a\"}, \"log_namespace\": \"duoauthproxy.lib.log\", \"log_source\": null, \"log_format\": null, \"log_time\": 1659935310.3128808}","@timestamp":"2022-08-08T05:08:30.312Z","log_level":{"__class_uuid__":"02e59486-f24d-46ad-8224-3acdf2a5732a","name":"info"},"username":"notREALUSERNAME","log_source":null,"path":"/nsm/hosts/duo/hostname00aa.log","type":"duo","log_namespace":"duoauthproxy.lib.log","hostname":"hostname00aa","msg":"Success. Logging you in...","auth_stage":"Secondary authentication","relayhost":"aa0aaaa00a","log_logger":{"unpersistable":true},"client_section":"no_client"}

Sample Parsing

metadata.event_timestamp = "2022-08-08T05:08:30.312Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Duo"
metadata.product_name = "Access Gateway"
metadata.product_event_type = "Secondary authentication"
metadata.id = "AAAAAKkpC4TOVVy1rrXFUCKYWb0AAAAADgAAAAAAAAA="
additional.ServerSection = "radius_server_duo_only"
principal.user.user_display_name = "notREALUSERNAME"
principal.application = "duo"
target.hostname = "hostname00aa"
target.asset.hostname = "hostname00aa"
intermediary.hostname = "aa0aaaa00a"
security_result.summary = "Success. Logging you in..."
security_result.action = "ALLOW"
security_result.action_details = "Allow"
extensions.auth.mechanism = "USERNAME_PASSWORD"

Parser Alerting

This product currently does not have any Parser-based Alerting