Cisco Duo for Microsoft Sentinel

Solution: CiscoDuoSecurity

| Attribute | Value |
|---|---|
| Publisher | Cisco Systems |
| Support Tier | Partner |
| Support Link | https://duo.com/support |
| Categories | domains |
| Version | 3.1.1 |
| Author | CiscoDuoSecurity - support@duosecurity.com |
| First Published | 2022-01-07 |
| Last Updated | 2026-03-02 |
| Solution Folder | CiscoDuoSecurity |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |

The Cisco Duo Security solution ingests authentication logs, activity logs, administrator logs, telephony logs, offline enrolment logs and Trust Monitor events into Microsoft Sentinel by polling the Cisco Duo Admin API. Refer to the Duo Admin API documentation for the endpoints and the permissions the integration key needs; the Admin API key should be granted read-only log access and nothing more.

Underlying Microsoft technologies used:

This solution depends on the following technologies; some of them may be in preview, and some may incur additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API (Microsoft has deprecated this API in favour of the Logs Ingestion API; check the connector's current status before a new deployment)

b. Azure Functions
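The connector's Azure Function pulls logs from the Duo Admin API. As an added example that is not the connector's own code, the Python below shows the two parts of that pull a practitioner most often gets wrong: the HMAC request signature the Admin API requires (canonical string of Date, method, host, path and sorted parameters, HMAC-SHA1 by default, sent as HTTP Basic with the integration key as user), and the `next_offset` paging of the v2 log endpoints. The integration key, secret key, hostname, the fake server and its responses are constructed; nothing touches the network.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Constructed integration key, secret key and API hostname (assumptions, not real).
IKEY = "DIWJ8X6AEYOR5OMC6TQ1"
SKEY = "Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep"
HOST = "api-xxxxxxxx.duosecurity.com"

def canonicalize(date, method, host, path, params):
    """Canonical string the Admin API signs: date, upper-cased method, lower-cased
    host, path, and the parameters sorted by key and percent-encoded (RFC 3986,
    only '~' left bare), joined by newlines."""
    encoded = "&".join(f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
                       for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, encoded])

def sign(ikey, skey, date, method, host, path, params, digestmod=hashlib.sha1):
    """Authorization header: HTTP Basic with the integration key as the user and
    the hex HMAC (SHA-1 by default) of the canonical string as the password."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), digestmod).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()

def fetch_all(transport, ikey, skey, host, path, mintime_ms, maxtime_ms, limit=1000):
    """Page through a v2 log endpoint until the metadata carries no next_offset.
    `transport(method, host, path, params, headers)` returns the decoded JSON body
    (a constructed stand-in here, an HTTPS client in production). The Date header
    is part of what is signed, so it is generated fresh for every request."""
    records = []
    params = {"mintime": str(mintime_ms), "maxtime": str(maxtime_ms), "limit": str(limit)}
    while True:
        date = email.utils.formatdate()  # RFC 2822, e.g. "Tue, 21 Aug 2012 17:29:13 -0000"
        headers = {"Date": date,
                   "Authorization": sign(ikey, skey, date, "GET", host, path, params)}
        body = transport("GET", host, path, params, headers)
        if body.get("stat") != "OK":
            raise RuntimeError(f"Duo API error {body.get('code')}: {body.get('message')}")
        response = body["response"]
        records.extend(response.get("authlogs", []))
        nxt = response.get("metadata", {}).get("next_offset")
        if not nxt:
            return records
        # The authentication endpoint returns a two-element list; send it back comma-joined.
        params["next_offset"] = ",".join(nxt) if isinstance(nxt, list) else nxt

def make_fake_duo(skey, pages):
    """Constructed stand-in for the API: checks the signature the way the service
    does, insists on the offset it last handed out, and serves `pages`
    (a list of (authlogs, next_offset) tuples) in order. Error codes are illustrative."""
    state = {"i": 0, "expect_offset": None}

    def transport(method, host, path, params, headers):
        expected = sign(IKEY, skey, headers["Date"], method, host, path, params)
        if not hmac.compare_digest(expected, headers["Authorization"]):
            return {"stat": "FAIL", "code": 40101, "message": "Missing or invalid authorization"}
        if params.get("next_offset") != state["expect_offset"]:
            return {"stat": "FAIL", "code": 40002, "message": "Invalid next_offset"}
        logs, nxt = pages[state["i"]]
        state["i"] += 1
        state["expect_offset"] = ",".join(nxt) if nxt else None
        metadata = {"next_offset": nxt} if nxt else {}
        return {"stat": "OK", "response": {"authlogs": logs, "metadata": metadata}}

    return transport

# Two constructed pages of trimmed v2 authentication-log records.
SAMPLE_PAGES = [
    ([{"txid": "a1", "result": "denied", "reason": "invalid_passcode", "user": {"name": "alice"}},
      {"txid": "a2", "result": "success", "reason": "user_approved", "user": {"name": "bob"}}],
     ["1700000000000", "a2"]),
    ([{"txid": "a3", "result": "fraud", "reason": "user_marked_fraud", "user": {"name": "alice"}}],
     None),
]

def demo():
    """Pull every page from the stand-in; returns the merged record list."""
    fake = make_fake_duo(SKEY, SAMPLE_PAGES)
    return fetch_all(fake, IKEY, SKEY, HOST, "/admin/v2/logs/authentication",
                     1699999000000, 1700000100000)

def rejects_wrong_key():
    """True when a request signed with the wrong secret key is refused."""
    try:
        fetch_all(make_fake_duo(SKEY, SAMPLE_PAGES), IKEY, "wrong-skey", HOST,
                  "/admin/v2/logs/authentication", 0, 1)
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    for rec in demo():
        print(rec["txid"], rec["user"]["name"], rec["result"], rec["reason"])
    print("wrong key rejected:", rejects_wrong_key())
```

Two things carry over to a real deployment: persist the `maxtime` of the last successful pull (or the last `next_offset`) so a function restart neither re-ingests nor skips records, and keep the secret key in Key Vault rather than in application settings in clear text.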

Contents

Data Connectors

This solution provides 1 data connector, Cisco Duo Security (🔶 CLv1).

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s string, _d double, _b bool, _t datetime, _g guid). Note: the classification is based on column-name suffixes, which are also permitted in CLv2, so it may not always be accurate.

Tables Used

This solution uses 1 table:

| Table | Used By Connectors | Used By Content |
|---|---|---|
| CiscoDuo_CL 🔶 | Cisco Duo Security | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: the classification is based on column-name suffixes, which are also permitted in CLv2, so it may not always be accurate.

Content Items

This solution includes 22 content items:

| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Cisco Duo - AD sync failed | Medium | Impact | CiscoDuo_CL |
| Cisco Duo - Admin password reset | High | Persistence | CiscoDuo_CL |
| Cisco Duo - Admin user created | Medium | Persistence, PrivilegeEscalation | CiscoDuo_CL |
| Cisco Duo - Admin user deleted | Medium | Impact | CiscoDuo_CL |
| Cisco Duo - Authentication device new location | Medium | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Multiple admin 2FA failures | High | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Multiple user login failures | High | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Multiple users deleted | Medium | Impact | CiscoDuo_CL |
| Cisco Duo - New access device | Medium | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Unexpected authentication factor | Medium | InitialAccess | CiscoDuo_CL |
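The analytic rules above are KQL over CiscoDuo_CL, whose CLv1 columns carry type suffixes that a parser has to strip before the fields are pleasant to query. As an added example (not the solution's own parser or rules), the Python below normalises constructed CiscoDuo_CL-style rows the way such a parser does, coercing values to the type the suffix declares, and then applies two detections shaped like "Multiple user login failures" and "Unexpected authentication factor". The column names, the threshold and window, and the expected-factor set are assumptions chosen for the illustration; the sample rows are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Custom Log v1 type suffixes: _s string, _d double, _b bool, _t datetime, _g guid.
CLV1_SUFFIX = re.compile(r"_([sdbtg])$")

def normalize(row):
    """Strip the CLv1 type suffix from each column and coerce the value to the
    declared type, so queries can use `user_name` rather than `user_name_s`.
    Column names are assumed to mirror the Duo log field names."""
    out = {}
    for col, val in row.items():
        m = CLV1_SUFFIX.search(col)
        if not m:
            out[col] = val
            continue
        name, kind = col[: m.start()], m.group(1)
        if kind == "t" and isinstance(val, str):
            val = datetime.fromisoformat(val.replace("Z", "+00:00"))
        elif kind == "d":
            val = float(val)
        elif kind == "b" and not isinstance(val, bool):
            val = str(val).lower() == "true"   # bool("false") would be True
        out[name] = val
    return out

def multiple_login_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` denied authentications inside any span of
    length `window` (sliding window over sorted timestamps). Same shape as the
    'Multiple user login failures' rule; threshold and window are assumptions."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("log_type") == "authentication" and e.get("result") == "denied":
            by_user[e["user_name"]].append(e["timestamp"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits

def unexpected_factor(events, expected=("duo_push", "webauthn", "hardware_token")):
    """Successful authentications completed with a factor outside the expected
    set; the set stands in for an organisation's policy and is an assumption."""
    return [e for e in events
            if e.get("log_type") == "authentication"
            and e.get("result") == "success"
            and e.get("factor") not in expected]

def _row(ts, user, result, factor, reason):
    """One constructed CiscoDuo_CL-style row with CLv1 column names."""
    return {"log_type_s": "authentication", "timestamp_t": ts, "user_name_s": user,
            "result_s": result, "factor_s": factor, "reason_s": reason,
            "access_device_ip_s": "203.0.113.5"}

# Constructed sample: alice is denied six times in five minutes, bob is denied
# twice an hour apart and then approves a push, carol succeeds with an SMS passcode.
SAMPLE_ROWS = [_row(f"2026-03-01T08:0{i}:00Z", "alice", "denied", "duo_push", "no_response")
               for i in range(6)]
SAMPLE_ROWS += [
    _row("2026-03-01T08:00:00Z", "bob", "denied", "duo_push", "no_response"),
    _row("2026-03-01T09:00:00Z", "bob", "denied", "duo_push", "no_response"),
    _row("2026-03-01T09:05:00Z", "bob", "success", "duo_push", "user_approved"),
    _row("2026-03-01T09:06:00Z", "carol", "success", "sms_passcode", "valid_passcode"),
]

def run(rows=SAMPLE_ROWS):
    """Normalise the rows, then apply both detections; returns (failures, unexpected)."""
    events = [normalize(r) for r in rows]
    return multiple_login_failures(events), unexpected_factor(events)

if __name__ == "__main__":
    failures, odd = run()
    print("multiple failures:", failures)
    print("unexpected factor:", [(e["user_name"], e["factor"]) for e in odd])
```

The sliding window is the point to get right when the KQL equivalent uses `summarize ... by bin(TimeGenerated, 10m)`: fixed bins can split a burst of failures across two bins and miss it, which is why the example counts over a window anchored at each event rather than at bin boundaries. When tuning the real rule, bob's pattern (few failures, far apart, then a success) is the false-positive case to keep below threshold.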

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Cisco Duo - Admin failure authentications | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Admin failure authentications | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Authentication error reasons | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Authentication errors | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Delete actions | Impact | CiscoDuo_CL |
| Cisco Duo - Deleted users | Impact | CiscoDuo_CL |
| Cisco Duo - Devices with unsecure settings | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Devices with vulnerable OS | InitialAccess | CiscoDuo_CL |
| Cisco Duo - Fraud authentications | InitialAccess | CiscoDuo_CL |
| Cisco Duo - New users | InitialAccess, Persistence | CiscoDuo_CL |

Workbooks

| Name | Tables Used |
|---|---|
| CiscoDuo | CiscoDuo_CL |

Parsers

| Name | Description | Tables Used |
|---|---|---|
| CiscoDuo | - | CiscoDuo_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.1.1 | 17-02-2026 | Bumped solution version to 3.1.1. Updated ARM template apiVersions to meet ARM-TTK "< 2 years old" requirements. |
| 3.1.0 | 03-02-2026 | Python runtime compatibility fix (breaking for connector deployments running on Python 3.11). Fixed solution installation via the Azure portal by deriving the deployment location from the selected workspace (prevents an empty location). |
| 3.0.4 | 26-09-2025 | Updated support tier from Microsoft to Partner. |
| 3.0.3 | 02-09-2025 | Added support for new log endpoints. |
| 3.0.2 | 16-04-2024 | Added "Deploy to Azure Government" button for the Government portal in the data connector. Fixed parser issue with parser name and ParentID mismatch. |
| 3.0.1 | 30-01-2024 | Updated solution to fix parser query. |
| 3.0.0 | 08-01-2024 | Updated solution to fix API version of saved searches. |
