Duo

Required fields are in bold.
Duo.Administrator
Duo administrator log events. Reference: https://duo.com/docs/adminapi#administrator-logs​
Column
Type
Description
action
string
The type of change that was performed.
description
string
String detailing what changed, either as free-form text or serialized JSON.
isotimestamp
timestamp
ISO8601 timestamp of the event.
object
string
The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).
timestamp
timestamp
Unix timestamp of the event.
username
string
The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".
p_event_time
timestamp
Panther added standardized event time (UTC)
p_parse_time
timestamp
Panther added standardized log parse time (UTC)
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label
p_any_usernames
[string]
Panther added field with collection of usernames associated with the row
Duo.Authentication
Duo authentication log events(v2). Reference: https://duo.com/docs/adminapi#authentication-logs​
Column
Type
Description
access_device
{
  "browser":string,
  "browser_version":string,
  "flash_version":string,
  "hostname":string,
  "ip":string,
  "is_encryption_enabled":string,
  "is_firewall_enabled":string,
  "is_password_set":string,
  "java_version":string,
  "location":{
    "city":string,
    "country":string,
    "state":string
},
  "os":string,
  "os_version":string,
  "security_agents":[string]
}
Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo’s inline browser prompt.
alias
string
The username alias used to log in. No value if the user logged in with their username instead of a username alias.
application
{
  "key":string,
  "name":string
}
Information about the application accessed.
auth_device
{
  "ip":string,
  "location":{
    "city":string,
    "country":string,
    "state":string
},
  "name":string
}
Information about the device used to approve or deny authentication.
email
string
The email address of the user, if known to Duo, otherwise none.
event_type
string
The type of activity logged. one of: "authentication" or "enrollment".
factor
string
The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".
isotimestamp
timestamp
ISO8601 timestamp of the event.
ood_software
string
If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software.
reason
string
Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".
result
string
The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".
timestamp
timestamp
Unix timestamp of the event.
txid
string
The transaction ID of the event.
user
{
  "groups":[string],
  "key":string,
  "name":string
}
Information about the authenticating user.
p_event_time
timestamp
Panther added standardized event time (UTC)
p_parse_time
timestamp
Panther added standardized log parse time (UTC)
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label
p_any_ip_addresses
[string]
Panther added field with collection of ip addresses associated with the row
p_any_domain_names
[string]
Panther added field with collection of domain names associated with the row
p_any_trace_ids
[string]
Panther added field with collection of context trace identifiers
p_any_emails
[string]
Panther added field with collection of email addresses associated with the row
p_any_usernames
[string]
Panther added field with collection of usernames associated with the row
Duo.OfflineEnrollment
Duo Authentication for Windows Logon offline enrollment events. Reference: https://duo.com/docs/adminapi#offline-enrollment-logs​
Column
Type
Description
action
string
The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled".
description
string
Information about the Duo Windows Logon client system as reported by the application.
isotimestamp
timestamp
ISO8601 timestamp of the event.
object
string
The Duo Windows Logon integration's name.
timestamp
timestamp
Unix timestamp of the event.
username
string
The Duo username.
p_event_time
timestamp
Panther added standardized event time (UTC)
p_parse_time
timestamp
Panther added standardized log parse time (UTC)
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label
p_any_usernames
[string]
Panther added field with collection of usernames associated with the row
Duo.Telephony
Duo telephony log events. Reference: https://duo.com/docs/adminapi#telephony-logs​
Column
Type
Description
context
string
How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".
credits
int
How many telephony credits this event cost.
isotimestamp
timestamp
ISO8601 timestamp of the event.
phone
string
The phone number that initiated this event.
timestamp
timestamp
Unix timestamp of the event.
type
string
The event type. Either "sms" or "phone".
p_event_time
timestamp
Panther added standardized event time (UTC)
p_parse_time
timestamp
Panther added standardized log parse time (UTC)
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label

Crowdstrike

Fastly

Last updated 1 month ago

Column	Type	Description
`action`	`string`	The type of change that was performed.
`description`	`string`	String detailing what changed, either as free-form text or serialized JSON.
`isotimestamp`	`timestamp`	ISO8601 timestamp of the event.
`object`	`string`	The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).
`timestamp`	`timestamp`	Unix timestamp of the event.
`username`	`string`	The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".
`p_event_time`	`timestamp`	Panther added standardized event time (UTC)
`p_parse_time`	`timestamp`	Panther added standardized log parse time (UTC)
`p_log_type`	`string`	Panther added field with type of log
`p_row_id`	`string`	Panther added field with unique id (within table)
`p_source_id`	`string`	Panther added field with the source id
`p_source_label`	`string`	Panther added field with the source label
`p_any_usernames`	`[string]`	Panther added field with collection of usernames associated with the row

Column	Type	Description
`access_device`	`{ "browser":string, "browser_version":string, "flash_version":string, "hostname":string, "ip":string, "is_encryption_enabled":string, "is_firewall_enabled":string, "is_password_set":string, "java_version":string, "location":{ "city":string, "country":string, "state":string }, "os":string, "os_version":string, "security_agents":[string] }`	Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo’s inline browser prompt.
`alias`	`string`	The username alias used to log in. No value if the user logged in with their username instead of a username alias.
`application`	`{ "key":string, "name":string }`	Information about the application accessed.
`auth_device`	`{ "ip":string, "location":{ "city":string, "country":string, "state":string }, "name":string }`	Information about the device used to approve or deny authentication.
`email`	`string`	The email address of the user, if known to Duo, otherwise none.
`event_type`	`string`	The type of activity logged. one of: "authentication" or "enrollment".
`factor`	`string`	The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".
`isotimestamp`	`timestamp`	ISO8601 timestamp of the event.
`ood_software`	`string`	If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software.
`reason`	`string`	Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".
`result`	`string`	The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".
`timestamp`	`timestamp`	Unix timestamp of the event.
`txid`	`string`	The transaction ID of the event.
`user`	`{ "groups":[string], "key":string, "name":string }`	Information about the authenticating user.
`p_event_time`	`timestamp`	Panther added standardized event time (UTC)
`p_parse_time`	`timestamp`	Panther added standardized log parse time (UTC)
`p_log_type`	`string`	Panther added field with type of log
`p_row_id`	`string`	Panther added field with unique id (within table)
`p_source_id`	`string`	Panther added field with the source id
`p_source_label`	`string`	Panther added field with the source label
`p_any_ip_addresses`	`[string]`	Panther added field with collection of ip addresses associated with the row
`p_any_domain_names`	`[string]`	Panther added field with collection of domain names associated with the row
`p_any_trace_ids`	`[string]`	Panther added field with collection of context trace identifiers
`p_any_emails`	`[string]`	Panther added field with collection of email addresses associated with the row
`p_any_usernames`	`[string]`	Panther added field with collection of usernames associated with the row

Column	Type	Description
`action`	`string`	The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled".
`description`	`string`	Information about the Duo Windows Logon client system as reported by the application.
`isotimestamp`	`timestamp`	ISO8601 timestamp of the event.
`object`	`string`	The Duo Windows Logon integration's name.
`timestamp`	`timestamp`	Unix timestamp of the event.
`username`	`string`	The Duo username.
`p_event_time`	`timestamp`	Panther added standardized event time (UTC)
`p_parse_time`	`timestamp`	Panther added standardized log parse time (UTC)
`p_log_type`	`string`	Panther added field with type of log
`p_row_id`	`string`	Panther added field with unique id (within table)
`p_source_id`	`string`	Panther added field with the source id
`p_source_label`	`string`	Panther added field with the source label
`p_any_usernames`	`[string]`	Panther added field with collection of usernames associated with the row

Column	Type	Description
`context`	`string`	How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".
`credits`	`int`	How many telephony credits this event cost.
`isotimestamp`	`timestamp`	ISO8601 timestamp of the event.
`phone`	`string`	The phone number that initiated this event.
`timestamp`	`timestamp`	Unix timestamp of the event.
`type`	`string`	The event type. Either "sms" or "phone".
`p_event_time`	`timestamp`	Panther added standardized event time (UTC)
`p_parse_time`	`timestamp`	Panther added standardized log parse time (UTC)
`p_log_type`	`string`	Panther added field with type of log
`p_row_id`	`string`	Panther added field with unique id (within table)
`p_source_id`	`string`	Panther added field with the source id
`p_source_label`	`string`	Panther added field with the source label