Security Operations: How to Get the Most from Duo and Your SIEM
The Security Operations Center (SOC): A wonderful place where all of an organization’s telemetry is fed into robust tools that display, record, and alert to anomalous behavior detected within the network. You might imagine a room full of Security Analysts sitting in desks that are all facing the same direction - towards multiple monitors hanging on the wall that display maps, graphs, threat feeds, and incident queues. However, does your Security Incident and Event Management (SIEM) platform know about Duo?
In order to paint a complete picture of an incident or potential Indicator of Compromise (IoC), every organization should be equipped with a SIEM that ingests logs from every application - especially those that are vital to business operations. If you are not consuming Duo logs via your SIEM platform, then you are missing out on a critical part of your users’ authentication telemetry that can help ensure their access to sensitive information is protected from threat actors. But what should you be ingesting from Duo - and how?
Thankfully, you don’t have to figure this out alone. In this article, we unpack what logs you should include in your SIEM. And Duo Care subscribers can reach out to their Customer Success Manager (CSM) or Customer Solutions Engineer (CSE) for help with this process.
Types of Duo logs for SIEM integration
Authentication Logs
The core logs of any Duo tenant, the Authentication Logs report on user access and enrollment events - whether the user was successful or denied authentication to a particular application. This telemetry can include the Duo username, application name, date/time, IP address, the access device (which can include OS and browser type/version), and the 2FA device/method. Depending on your edition of Duo and what features you have deployed, you can even see if the access device is a Trusted Endpoint (corporate-owned or BYOD) or meets certain security hygiene policies.
If a user marks an authentication attempt as Fraud or the IP address is from a geolocation that your organization does not do business in, this information is great to have in your SIEM for correlation.
Administrator Logs
Also known as Administrator Actions, these logs record the actions of Duo Admins as well as administrative functions such as Directory Sync and API access. Auditing what administrators do can help detect potential misconfigurations or insider threats. Was a Duo user disabled and by which Admin? Who created an integration and how did they log into the Admin Panel to begin with? These are questions that Administrator Logs can help answer.
Telephony Logs
These logs track usage of Telephony credits, which are used for Phone Call or SMS authentication as well as Duo Mobile activations. If your organization makes use of these, then reporting on credit utilization is important. Knowing the context of credit consumption and how much a particular authentication cost (depending on the geolocation) is what the Telephony Log can provide when paired with the Telephony Rate Card.
Trust Monitor Logs
If you are a Duo Advantage or Premier customer, Trust Monitor can send Security Events directly to your SIEM. While you may choose to create your own Duo alerts within the SIEM based upon other log sources or events, Trust Monitor is a threat detection feature that provides Duo-specific alerting such as authentications or registrations that surfaced due to their anomaly score, known attack patterns, or other heuristics. Just remember to first create a Risk Profile and then let Trust Monitor take it from there.
Authentication Proxy Logs
If you have deployed the Duo Authentication Proxy and are using it for LDAP/RADIUS authentication, it is a good idea to obtain specific logs from each Auth Proxy server. The ‘authevents.log’ contains both primary (LDAP/RADIUS) and secondary (Duo) authentication events.
If a user is failing authentication but the event is not showing in the Authentication Log, then these logs can help determine what the issue is. This is also useful if you are unable to obtain authentication logs directly from your primary authentication source.
You can also output SIEM-consumable Duo Single Sign-On (SSO) Active Directory authentication events to an ‘ssoevents.log’ file. This log contains entries for SSO events such as connecting to or disconnecting from Duo's SSO service, and success/failure results for LDAP SSO authentications.
Methods of Log Collection
API Endpoint
Using Duo’s Admin API, a SIEM can pull logs directly from the following endpoints:
There are multiple ways of exporting logs from these API endpoints, such as via:
Examples of collectors provided by your SIEM vendor:
Duo Splunk Connector (Splunkbase app)
Can also ingest Endpoint Logs (for Duo Advantage and Premier editions)
This is an open-source utility supported by Duo that can send logs to a TCP or UDP port via JSON or CEF (syslog)
Logs from the Authentication Proxy
The ‘authevents.log’ and ‘ssoevents.log’ files are created and stored locally on their respective Auth Proxy server, but that doesn't mean you can’t have them in your SIEM for indexing and searching! Using a tool, such as Splunk’s Universal Forwarder, these logs (which are formatted in JSON) can be forwarded to your SIEM. Please reference Understanding Duo Authentication Proxy SIEM Logging.
Duo recommends securing communications between the Authentication Proxy and your SIEM application with TLS. Additionally, you may want to enable heartbeat alerts or other notifications on your SIEM for awareness of interruptions to Authentication Proxy log collection. Consult your SIEM vendor for more information.
Improving your SIEM with Duo data
Logs from every source are important to an organization because they help create a clearer picture of what is taking place on the network. Ingesting logs from Duo remains a critical component of your organization’s security telemetry and will ultimately aid your SecOps team in identifying authentication anomalies when they arise.
Need help? Customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE) who can help design the best method of collecting Duo logs for ingestion into your SIEM. In this way, Duo Care helps ensure that your organization remains aware of security events related to Duo usage.
Happy logging!