Duo

Required fields are in bold.

Duo.Administrator

Duo administrator log events. Reference: https://duo.com/docs/adminapi#administrator-logs

| Column | Type | Description |
| --- | --- | --- |
| action | string | The type of change that was performed. |
| description | string | String detailing what changed, either as free-form text or serialized JSON. |
| isotimestamp | timestamp | ISO8601 timestamp of the event. |
| object | string | The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens). |
| timestamp | timestamp | Unix timestamp of the event. |
| username | string | The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory". |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_usernames | [string] | Panther added field with collection of usernames associated with the row |

Duo.Authentication

Duo authentication log events (v2). Reference: https://duo.com/docs/adminapi#authentication-logs

| Column | Type | Description |
| --- | --- | --- |
| access_device | { "browser":string, "browser_version":string, "flash_version":string, "hostname":string, "ip":string, "is_encryption_enabled":string, "is_firewall_enabled":string, "is_password_set":string, "java_version":string, "location":{ "city":string, "country":string, "state":string }, "os":string, "os_version":string, "security_agents":[string] } | Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values are present only when the accessed application uses Duo's inline browser prompt. |
| alias | string | The username alias used to log in. No value if the user logged in with their username instead of a username alias. |
| application | { "key":string, "name":string } | Information about the application accessed. |
| auth_device | { "ip":string, "location":{ "city":string, "country":string, "state":string }, "name":string } | Information about the device used to approve or deny authentication. |
| email | string | The email address of the user, if known to Duo; otherwise none. |
| event_type | string | The type of activity logged. One of: "authentication" or "enrollment". |
| factor | string | The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network". |
| isotimestamp | timestamp | ISO8601 timestamp of the event. |
| ood_software | string | If authentication was denied due to out-of-date software, shows the name of the software, e.g. "Chrome" or "Flash". No value if authentication was successful or the denial was not due to out-of-date software. |
| reason | string | Provides the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud". |
| result | string | The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD". |
| timestamp | timestamp | Unix timestamp of the event. |
| txid | string | The transaction ID of the event. |
| user | { "groups":[string], "key":string, "name":string } | Information about the authenticating user. |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of IP addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_trace_ids | [string] | Panther added field with collection of context trace identifiers |
| p_any_emails | [string] | Panther added field with collection of email addresses associated with the row |
| p_any_usernames | [string] | Panther added field with collection of usernames associated with the row |
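The result, reason and factor fields above are what a detection over Duo.Authentication events keys on. The following is an added example, not Panther's or Duo's code, of two such detections written in plain Python in the shape of a Panther rule (`rule(event)` / `title(event)`): a single-event rule that fires on "FRAUD" results and on a chosen subset of the documented "FAILURE" reasons, and a stateful scan that flags a user whose repeated "duo_push" denials ("no_response" / "user_cancelled") are followed by a "user_approved" push within a time window. The sample events, the user and application keys, the threshold and the window are constructed for this example; the set of reasons treated as high-signal is this example's choice, not a Duo or Panther recommendation.

```python
"""Detection logic over Duo.Authentication events (constructed example).

Event shapes follow the field table: result, reason, factor, timestamp,
user.name, application.name, access_device.ip. Sample events, keys and
thresholds are constructed for illustration, not taken from a real tenant.
"""
from collections import defaultdict

# Documented FAILURE reasons this example chooses to alert on individually.
HIGH_SIGNAL_FAILURE_REASONS = {
    "anomalous_push",
    "anonymous_ip",
    "rooted_device",
    "user_provided_invalid_certificate",
}

# Documented FAILURE reasons meaning a push was sent but not approved.
PUSH_DENIAL_REASONS = {"no_response", "user_cancelled"}


def rule(event):
    """Single-event rule: True when the event should raise an alert."""
    result = event.get("result")
    if result == "FRAUD":  # reason is always "user_marked_fraud"
        return True
    return result == "FAILURE" and event.get("reason") in HIGH_SIGNAL_FAILURE_REASONS


def title(event):
    """Alert title built from the documented nested fields."""
    user = event.get("user", {}).get("name", "<unknown user>")
    app = event.get("application", {}).get("name", "<unknown app>")
    ip = event.get("access_device", {}).get("ip", "<unknown ip>")
    return f"Duo {event.get('result')} ({event.get('reason')}) for {user} on {app} from {ip}"


def push_denials_then_approval(events, min_denials=3, window_seconds=600):
    """Return user names with >= min_denials duo_push denials followed by a
    duo_push approval inside window_seconds. Uses the Unix `timestamp`
    field; input order does not matter."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("factor") == "duo_push":
            by_user[ev.get("user", {}).get("name")].append(ev)

    flagged = []
    for name, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        denial_times = []
        for ev in evs:
            t = ev["timestamp"]
            # Keep only denials still inside the sliding window.
            denial_times = [d for d in denial_times if t - d <= window_seconds]
            result, reason = ev.get("result"), ev.get("reason")
            if result == "FAILURE" and reason in PUSH_DENIAL_REASONS:
                denial_times.append(t)
            elif result == "SUCCESS" and reason == "user_approved":
                if len(denial_times) >= min_denials:
                    flagged.append(name)
                denial_times = []  # an approval closes the sequence
    return flagged


def _auth(ts, result, reason, factor, name, ip, app="VPN"):
    """Build a constructed Duo.Authentication-shaped event."""
    return {
        "timestamp": ts,
        "result": result,
        "reason": reason,
        "factor": factor,
        "user": {"name": name, "key": "DU-EXAMPLE", "groups": []},
        "application": {"name": app, "key": "DI-EXAMPLE"},
        "access_device": {"ip": ip},
    }


# Constructed sample: three push denials then an approval for jsmith,
# a clean approval for alee, a fraud report for mchen, a bad passcode.
SAMPLE_EVENTS = [
    _auth(1700000000, "FAILURE", "no_response", "duo_push", "jsmith", "198.51.100.7"),
    _auth(1700000060, "FAILURE", "user_cancelled", "duo_push", "jsmith", "198.51.100.7"),
    _auth(1700000120, "FAILURE", "no_response", "duo_push", "jsmith", "198.51.100.7"),
    _auth(1700000200, "SUCCESS", "user_approved", "duo_push", "jsmith", "198.51.100.7"),
    _auth(1700000300, "SUCCESS", "user_approved", "duo_push", "alee", "203.0.113.9"),
    _auth(1700000400, "FRAUD", "user_marked_fraud", "duo_push", "mchen", "198.51.100.7"),
    _auth(1700000500, "FAILURE", "invalid_passcode", "passcode", "alee", "203.0.113.9"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev))
    print("denials-then-approval:", push_denials_then_approval(SAMPLE_EVENTS))
```

The single-event rule needs no state and maps directly onto the per-row model of a streaming detection; the denial-then-approval scan needs per-user history, so in a real deployment it would be backed by a cache or run as a scheduled query over the table rather than inline per event.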

Duo.OfflineEnrollment

Duo Authentication for Windows Logon offline enrollment events. Reference: https://duo.com/docs/adminapi#offline-enrollment-logs

| Column | Type | Description |
| --- | --- | --- |
| action | string | The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled". |
| description | string | Information about the Duo Windows Logon client system as reported by the application. |
| isotimestamp | timestamp | ISO8601 timestamp of the event. |
| object | string | The Duo Windows Logon integration's name. |
| timestamp | timestamp | Unix timestamp of the event. |
| username | string | The Duo username. |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_usernames | [string] | Panther added field with collection of usernames associated with the row |

Duo.Telephony

Duo telephony log events. Reference: https://duo.com/docs/adminapi#telephony-logs

| Column | Type | Description |
| --- | --- | --- |
| context | string | How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify". |
| credits | int | How many telephony credits this event cost. |
| isotimestamp | timestamp | ISO8601 timestamp of the event. |
| phone | string | The phone number that initiated this event. |
| timestamp | timestamp | Unix timestamp of the event. |
| type | string | The event type. Either "sms" or "phone". |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |