Duo Security provides a suite of multi-factor authentication (MFA), single sign-on (SSO), remote access, and access control products to improve organizations’ security and productivity. Panther can collect, normalize, and monitor Duo logs to help you identify suspicious activity in real time. The normalized data is then retained in a security data lake built on the cloud-native data platform Snowflake, where it remains available for future investigations.
Use Cases for Duo Logs
Panther supports multiple Duo log types, including Authentication, Administrator, Telephony, and Offline Enrollment logs. Some common SIEM use cases for these log types include:
- Monitoring unexpected behavior from users with administrative permissions in Duo
- Alerting when new administrators are created or admin policies are updated
- Identifying when MFA bypass codes are created, used, or viewed
- Detecting suspicious offline enrollments and logins from devices enrolled for offline access
Onboarding Duo Logs in Panther
Panther’s integration for Duo is quick to configure via the Duo Admin API. Select Duo from the list of log sources in the Panther console, create an Admin API application in the Duo Admin Panel, and submit that application’s integration key, secret key, and API hostname in the Panther setup menu. Grant the Admin API application only the log-read permission Panther needs; an over-privileged API credential would give anyone who obtains it the ability to change Duo users, policies, and administrators.
For more details on onboarding Duo logs or for supported log schema, you can view our Duo documentation here.
Parsing, Normalizing, & Analyzing Duo Logs
As Panther ingests Duo logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations using days, weeks, or months of data.
Panther applies normalization fields to all log records, standardizing attribute names (for example, usernames and source IP addresses) so you can correlate Duo events with data from every other log source, not just Duo. Panther’s search tools let you investigate suspicious activity across that normalized data. For more information on searching logs, check out our documentation on Investigations & Search.
Detection as Code
With Panther, you aren’t confined to restrictive detections or proprietary query languages as seen in many SIEM solutions. Panther is architected around detection-as-code principles: detection logic is written in Python, stored alongside the rest of your code, and tested and deployed through CI/CD pipelines like any other software. The result is detections that are version-controlled, peer-reviewed, unit-tested, and reusable across your security team.
Pre-built detections for Duo are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Duo logs here.
Panther generates alerts when your detection rules or policies for Duo are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to task management or SOAR platforms for more remediation options.
Alerts are categorized within five severity levels: Info, Low, Medium, High, and Critical. Severity can be static per rule or assigned dynamically from attributes of the triggering log event, so a bypass-code creation can alert at a higher severity than a routine policy edit from the same log type.
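To make the use cases listed above, the detection-as-code model, and dynamic severity concrete, here is an added example of a Panther-style rule for Duo Administrator log events, run over a few constructed sample records. This is illustrative code written for this page, not Panther’s built-in Duo detections or Duo’s own code. Panther rules are Python modules that expose rule(event) returning a bool, with optional title(event) and severity(event); the plain dicts below stand in for Panther’s event wrapper. The field names (action, username, object, description, isotimestamp) follow Duo’s Administrator log format, while the specific action values, the approved-issuer allow-list, and the run() harness are assumptions for the example.

```python
"""
Added example (not Panther's or Duo's own code): a Panther-style
detection-as-code rule for Duo Administrator log events, exercised
against constructed sample records.

Assumptions: the action values below are illustrative, the approved
issuer allow-list is invented, and plain dicts stand in for Panther's
event object (which also supports .get()).
"""
from typing import Any, Dict, List

# Administrator-log actions treated as high-signal (assumed values).
BYPASS_ACTIONS = {"bypass_create", "bypass_view", "bypass_delete"}
ADMIN_LIFECYCLE_ACTIONS = {"admin_create", "admin_update", "admin_delete"}
POLICY_ACTIONS = {"policy_create", "policy_update", "policy_delete"}

# Accounts permitted to mint bypass codes, e.g. a help-desk workflow (assumed allow-list).
APPROVED_BYPASS_ISSUERS = {"helpdesk-svc"}


def rule(event: Dict[str, Any]) -> bool:
    """Fire on bypass-code activity, admin lifecycle changes, and policy edits."""
    action = event.get("action", "")
    if action in BYPASS_ACTIONS:
        # A bypass code removes the second factor for a user. Creation by an
        # approved issuer is expected; anything else, including viewing or
        # deleting existing codes, is worth an analyst's attention.
        issuer_is_approved = event.get("username") in APPROVED_BYPASS_ISSUERS
        return not (action == "bypass_create" and issuer_is_approved)
    return action in ADMIN_LIFECYCLE_ACTIONS or action in POLICY_ACTIONS


def severity(event: Dict[str, Any]) -> str:
    """Dynamic severity: new admins and bypass-code creation/viewing outrank policy tweaks."""
    action = event.get("action", "")
    if action in {"bypass_create", "bypass_view", "admin_create"}:
        return "HIGH"
    if action in BYPASS_ACTIONS | ADMIN_LIFECYCLE_ACTIONS:
        return "MEDIUM"
    return "LOW"


def title(event: Dict[str, Any]) -> str:
    """Alert title built from the event, as a Panther title() function would."""
    return (
        f"Duo admin action [{event.get('action')}] by "
        f"[{event.get('username', 'unknown')}] on [{event.get('object') or '-'}]"
    )


# Constructed sample events shaped like Duo Administrator log records.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"isotimestamp": "2024-05-01T10:00:00Z", "action": "admin_login",
     "username": "alice", "object": None, "description": "{}"},
    {"isotimestamp": "2024-05-01T10:05:00Z", "action": "bypass_create",
     "username": "helpdesk-svc", "object": "bob", "description": '{"count": 1}'},
    {"isotimestamp": "2024-05-01T10:07:00Z", "action": "bypass_create",
     "username": "mallory", "object": "ceo", "description": '{"count": 5}'},
    {"isotimestamp": "2024-05-01T10:09:00Z", "action": "admin_create",
     "username": "mallory", "object": "new-admin@example.com", "description": "{}"},
    {"isotimestamp": "2024-05-01T10:11:00Z", "action": "policy_update",
     "username": "alice", "object": "Global Policy", "description": "{}"},
]


def run(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate the rule over a batch and return the alerts it would raise (assumed harness)."""
    return [
        {"title": title(e), "severity": severity(e), "ts": e["isotimestamp"]}
        for e in events
        if rule(e)
    ]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["title"])
```

Run against the constructed batch, the rule stays quiet on the routine admin login and on the help-desk account issuing a single bypass code, and raises three alerts: a HIGH for the unapproved bypass-code creation, a HIGH for the new administrator, and a LOW for the policy edit. In a real deployment the allow-list would live in Panther’s rule configuration rather than in the module, and the same module would ship with unit tests in CI so a change to the allow-list or action set cannot silently break coverage.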
If you have any questions about configuring or monitoring Duo logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.
Replacing Traditional SIEM for Duo
With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data, or struggle with limited detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve those problems.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for Duo, request a demo today.