Data Source: Cisco Duo Activity

Description

Data source object for Cisco Duo Activity

Details

Property | Value
Source | cisco_duo
Sourcetype | cisco:duo:activity

Name | Technique | Type
Cisco Duo Admin Login Unusual Browser | Modify Authentication Process | TTP
Cisco Duo Admin Login Unusual Country | Modify Authentication Process | TTP
Cisco Duo Admin Login Unusual Os | Modify Authentication Process | TTP

Supported Apps

Event Fields

  • access_device.browser
  • access_device.browser_version
  • access_device.ip.address
  • access_device.location.city
  • access_device.location.country
  • access_device.location.state
  • access_device.os
  • access_device.os_version
  • action.details
  • action.name
  • activity_id
  • actor.details
  • actor.key
  • actor.name
  • actor.type
  • akey
  • application
  • ctime
  • eventtype
  • extracted_eventtype
  • old_target
  • outcome.result
  • target.details
  • target.key
  • target.name
  • target.type
  • ts

Example Log

{"ctime": "Thu Jul 10 07:37:49 2025", "access_device": {"browser": "Chrome", "browser_version": "137.0.0.0", "ip": {"address": "1.2.3.4"}, "location": {"city": "San Jose", "country": "United States", "state": "California"}, "os": "Windows", "os_version": "11"}, "action": {"details": "{\"auth_method\": \"Password\", \"auth_device\": \"WAPF4P9AJ344ZX3DGPNO\", \"factor\": \"webauthn\", \"role\": \"Owner\"}", "name": "admin_login"}, "activity_id": "e9b8d7eb-f274-4250-8f52-d0bee46b8abc", "actor": {"details": "{\"created\": \"2025-07-02T09:18:46.000000+00:00\", \"last_login\": \"2025-07-10T07:37:33.000000+00:00\", \"email\": \"test@test.com\", \"status\": null, \"groups\": null}", "key": "DEKXVXLFZBK5U0C9F1ST", "name": "Test Test", "type": "admin"}, "akey": "DAYQ46XVNT0NKTYQ5L5O", "application": null, "old_target": null, "outcome": {"result": "SUCCESS"}, "target": {"details": null, "key": null, "name": null, "type": "admin_login"}, "ts": "2025-07-10T07:37:49.616714+00:00", "timestamp": 1752133069, "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "activity"}

Required Output Fields

  • user

  • src_ip
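The example log above has a property that trips up naive field extraction: `action.details` and `actor.details` are JSON documents serialised as strings (or null), so `factor`, `role` and `email` are not addressable until that inner string is decoded a second time. The following is an added example, not Splunk or Cisco Duo code: it parses the page's example event, expands the nested JSON, maps the event to the required output fields, and shows the comparison behind the three "Unusual Browser/Country/Os" detections listed above. The mapping of `user` to `actor.name` and `src_ip` to `access_device.ip.address`, and the per-admin `BASELINE` of previously seen attributes, are assumptions made for this example.

```python
"""Parse a cisco:duo:activity event, normalise user/src_ip and flag
access_device attributes not previously seen for that admin.

Added example; not Splunk or Cisco Duo code. The user/src_ip mapping and
the baseline layout are assumptions.
"""
import json
from typing import Any

# The example log from this page, embedded verbatim as sample input.
SAMPLE_EVENT = r'''{"ctime": "Thu Jul 10 07:37:49 2025", "access_device": {"browser": "Chrome", "browser_version": "137.0.0.0", "ip": {"address": "1.2.3.4"}, "location": {"city": "San Jose", "country": "United States", "state": "California"}, "os": "Windows", "os_version": "11"}, "action": {"details": "{\"auth_method\": \"Password\", \"auth_device\": \"WAPF4P9AJ344ZX3DGPNO\", \"factor\": \"webauthn\", \"role\": \"Owner\"}", "name": "admin_login"}, "activity_id": "e9b8d7eb-f274-4250-8f52-d0bee46b8abc", "actor": {"details": "{\"created\": \"2025-07-02T09:18:46.000000+00:00\", \"last_login\": \"2025-07-10T07:37:33.000000+00:00\", \"email\": \"test@test.com\", \"status\": null, \"groups\": null}", "key": "DEKXVXLFZBK5U0C9F1ST", "name": "Test Test", "type": "admin"}, "akey": "DAYQ46XVNT0NKTYQ5L5O", "application": null, "old_target": null, "outcome": {"result": "SUCCESS"}, "target": {"details": null, "key": null, "name": null, "type": "admin_login"}, "ts": "2025-07-10T07:37:49.616714+00:00", "timestamp": 1752133069, "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "activity"}'''


def parse_activity(raw: str) -> dict[str, Any]:
    """Decode one activity event and expand the JSON-in-string detail fields.

    action.details, actor.details and target.details arrive as a JSON text
    inside a string, or as null. Expanding them lets callers address e.g.
    event["action"]["details"]["factor"] directly. Non-JSON strings are left
    untouched rather than dropped.
    """
    event = json.loads(raw)
    for parent in ("action", "actor", "target"):
        obj = event.get(parent)
        if isinstance(obj, dict) and isinstance(obj.get("details"), str):
            try:
                obj["details"] = json.loads(obj["details"])
            except json.JSONDecodeError:
                pass
    return event


def output_fields(event: dict[str, Any]) -> dict[str, Any]:
    """Map an event to the Required Output Fields (user, src_ip).

    Assumption: user is actor.name, src_ip is access_device.ip.address.
    Missing objects yield None instead of raising, since several top-level
    fields (application, old_target, target.details) are null in practice.
    """
    actor = event.get("actor") or {}
    device = event.get("access_device") or {}
    return {
        "user": actor.get("name"),
        "src_ip": (device.get("ip") or {}).get("address"),
    }


# Constructed baseline (assumption): access_device attributes previously
# observed for each admin. A real deployment would build this from history.
BASELINE = {
    "Test Test": {
        "browser": {"Firefox"},
        "country": {"United States"},
        "os": {"Windows"},
    },
}


def unusual_attributes(event: dict[str, Any],
                       baseline: dict[str, dict[str, set[str]]]) -> dict[str, str]:
    """Return the browser/country/os values not in the admin's baseline.

    Only admin_login events are compared, matching the three detections
    that use this data source. An admin with no baseline at all is skipped:
    with no history there is nothing to call unusual, and flagging every
    first login would only generate noise.
    """
    if (event.get("action") or {}).get("name") != "admin_login":
        return {}
    user = output_fields(event)["user"]
    if user not in baseline:
        return {}
    device = event.get("access_device") or {}
    observed = {
        "browser": device.get("browser"),
        "country": (device.get("location") or {}).get("country"),
        "os": device.get("os"),
    }
    seen = baseline[user]
    return {k: v for k, v in observed.items()
            if v is not None and v not in seen.get(k, set())}


if __name__ == "__main__":
    ev = parse_activity(SAMPLE_EVENT)
    print(output_fields(ev))
    print(unusual_attributes(ev, BASELINE))
```

Against the page's example event this yields `{'user': 'Test Test', 'src_ip': '1.2.3.4'}` and, with the constructed baseline, flags only the browser (`Chrome`), since the country and OS match history. Keying the baseline on `actor.name` is a simplification; `actor.key` is the stable admin identifier in this schema and is the safer join key if display names can change.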


Source: GitHub | Version: 1