CiscoDuo_CL


Attribute                  Value
Custom Log V1              Yes. Column names carry a type suffix: _s string, _d real, _b bool, _g GUID, _t ISO 8601 timestamp (listed below as string, tagged [UTC]). Nested JSON fields are flattened with underscores, so the Duo access_device.browser value appears as access_device_browser_s, and arrays such as user groups arrive as strings (user_groups_s). The same logical field can receive different suffixes on different paths: compare access_device_is_encryption_enabled_b with surfaced_auth_access_device_is_encryption_enabled_s, and cast (tobool(), tostring()) before comparing them in a query.
Ingestion API Supported    Yes

Schema (82 columns)

Source: KQL validation test schema

Column Name Type
access_device_browser_s string
access_device_browser_version_s string
access_device_flash_version_s string
access_device_ip_s string
access_device_is_encryption_enabled_b bool
access_device_is_firewall_enabled_b bool
access_device_is_password_set_b bool
access_device_java_version_s string
access_device_location_city_s string
access_device_location_country_s string
access_device_location_state_s string
access_device_os_s string
access_device_os_version_s string
access_device_security_agents_s string
action_s string
alias_s string
application_key_s string
application_name_s string
auth_device_ip_s string
auth_device_location_city_s string
auth_device_location_country_s string
auth_device_location_state_s string
auth_device_name_s string
context_s string
credits_d real
description_s string
email_s string
event_type_s string
eventtype_s string
explanations_s string
factor_s string
from_common_netblock_b bool
from_new_user_b bool
host_s string
isotimestamp_t [UTC] string
low_risk_ip_b bool
object_s string
phone_s string
priority_event_b bool
priority_reasons_s string
reason_s string
result_s string
sekey_s string
state_s string
surfaced_auth_access_device_browser_s string
surfaced_auth_access_device_browser_version_s string
surfaced_auth_access_device_ip_s string
surfaced_auth_access_device_is_encryption_enabled_s string
surfaced_auth_access_device_is_firewall_enabled_s string
surfaced_auth_access_device_is_password_set_s string
surfaced_auth_access_device_location_city_s string
surfaced_auth_access_device_location_country_s string
surfaced_auth_access_device_location_state_s string
surfaced_auth_access_device_os_s string
surfaced_auth_access_device_os_version_s string
surfaced_auth_access_device_security_agents_s string
surfaced_auth_alias_s string
surfaced_auth_application_key_s string
surfaced_auth_application_name_s string
surfaced_auth_email_s string
surfaced_auth_factor_s string
surfaced_auth_isotimestamp_t [UTC] string
surfaced_auth_ood_software_s string
surfaced_auth_reason_s string
surfaced_auth_result_s string
surfaced_auth_timestamp_d real
surfaced_auth_txid_s string
surfaced_auth_user_groups_s string
surfaced_auth_user_key_s string
surfaced_auth_user_name_s string
surfaced_timestamp_d real
TimeGenerated datetime
timestamp_d real
triage_event_uri_s string
triaged_as_interesting_b bool
trusted_endpoint_status_s string
txid_g string
type_s string
user_groups_s string
user_key_s string
user_name_s string
username_s string
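How the column names in the table above arise from Duo's nested JSON, as an added Python example that is not part of this page or of the Cisco Duo connector. It applies the Custom Log V1 suffix convention (_s, _d, _b, _g, _t) and flattens nested objects with underscores. Dropping nulls (no column) and serialising arrays to a JSON string (which is why user_groups_s and access_device_security_agents_s are strings) are this example's assumptions about the ingestion behaviour, and the two sample records are constructed, not real Duo output. TimeGenerated is stamped by the ingestion pipeline rather than carried in the event body, so it is not produced here.

```python
"""Map Duo JSON events onto Log Analytics Custom Log V1 column names.

Added example, not the page's or the connector's code. Suffix rules follow
the convention visible in the CiscoDuo_CL schema; flattening with "_",
dropping nulls and stringifying arrays are this example's assumptions.
"""
import json
import re
import uuid
from datetime import datetime
from typing import Any, Dict, Optional

# Guard so that ordinary strings are never handed to datetime.fromisoformat.
_ISO_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}")


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def _is_iso_timestamp(value: str) -> bool:
    if not _ISO_PREFIX.match(value):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def suffix_for(value: Any) -> Optional[str]:
    """Type suffix a scalar receives; None means no column is created."""
    if value is None:
        return None                     # assumption: nulls create no column
    if isinstance(value, bool):         # bool first: bool is a subclass of int
        return "_b"
    if isinstance(value, (int, float)):
        return "_d"                     # timestamp_d, credits_d
    if isinstance(value, str):
        if _is_guid(value):
            return "_g"                 # txid_g
        if _is_iso_timestamp(value):
            return "_t"                 # isotimestamp_t
        return "_s"
    return "_s"                         # lists etc. are serialised to a string


def to_custom_log_columns(record: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten one event into {column_name_with_suffix: value}."""
    columns: Dict[str, Any] = {}
    for key, value in record.items():
        if isinstance(value, dict):     # nested object: join the path with "_"
            columns.update(to_custom_log_columns(value, f"{prefix}{key}_"))
            continue
        suffix = suffix_for(value)
        if suffix is None:
            continue
        if isinstance(value, (list, tuple)):
            value = json.dumps(value)
        columns[f"{prefix}{key}{suffix}"] = value
    return columns


# Constructed sample records (not real Duo output), shaped like a Duo
# authentication-log entry and a Trust Monitor event respectively.
AUTH_EVENT = {
    "isotimestamp": "2024-03-12T09:15:42.000000+00:00",
    "timestamp": 1710234942,
    "txid": "8a1c2e4f-3b6d-4e7a-9f01-2c3d4e5f6a7b",
    "result": "denied",
    "factor": "duo_push",
    "access_device": {
        "browser": "Chrome",
        "ip": "203.0.113.10",
        "is_encryption_enabled": True,
        "flash_version": None,
        "location": {"city": "Austin", "country": "United States"},
        "security_agents": ["Example EDR"],
    },
    "user": {"name": "alice", "groups": ["Engineering"]},
}

TRUST_MONITOR_EVENT = {
    "priority_event": True,
    "surfaced_timestamp": 1710235000,
    "surfaced_auth": {
        # a string value here is what yields the *_s column seen in the schema
        "access_device": {"ip": "203.0.113.10", "is_encryption_enabled": "unknown"},
    },
}


if __name__ == "__main__":
    for name, event in (("auth", AUTH_EVENT), ("trust_monitor", TRUST_MONITOR_EVENT)):
        print(name)
        for column, value in sorted(to_custom_log_columns(event).items()):
            print(f"  {column} = {value!r}")
```

Run as a script, the block prints the generated column names for both samples. The Trust Monitor sample deliberately carries the string "unknown" for surfaced_auth.access_device.is_encryption_enabled so that it lands as surfaced_auth_access_device_is_encryption_enabled_s, while the boolean in the authentication sample lands as access_device_is_encryption_enabled_b, the two suffixes the schema shows for that field.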

Solutions (2)

This table is used by the following solutions:

CiscoDuoSecurity
Threat Intelligence (NEW)

Connectors (1)

This table is ingested by the following connectors:

Connector Selection Criteria
Cisco Duo Security

Content Items Using This Table (22)

Analytic Rules (11)

In solution CiscoDuoSecurity:

Analytic Rule Selection Criteria
Cisco Duo - AD sync failed
Cisco Duo - Admin password reset
Cisco Duo - Admin user created
Cisco Duo - Admin user deleted
Cisco Duo - Authentication device new location
Cisco Duo - Multiple admin 2FA failures
Cisco Duo - Multiple user login failures
Cisco Duo - Multiple users deleted
Cisco Duo - New access device
Cisco Duo - Unexpected authentication factor

In solution Threat Intelligence (NEW):

Analytic Rule Selection Criteria
TI Map IP Entity to Duo Security

Hunting Queries (10)

In solution CiscoDuoSecurity:

Hunting Query Selection Criteria
Cisco Duo - Admin failure authentications
Cisco Duo - Admin failure authentications
Cisco Duo - Authentication error reasons
Cisco Duo - Authentication errors
Cisco Duo - Delete actions
Cisco Duo - Deleted users
Cisco Duo - Devices with unsecure settings
Cisco Duo - Devices with vulnerable OS
Cisco Duo - Fraud authentications
Cisco Duo - New users

Workbooks (1)

In solution CiscoDuoSecurity:

Workbook Selection Criteria
CiscoDuo

Parsers Using This Table (1)

Other Parsers (1)

Parser Solution Selection Criteria
CiscoDuo CiscoDuoSecurity
