Collect Duo authentication logs

Supported in:

This document explains how to ingest Duo authentication logs to Google Security Operations using Amazon S3. The parser extracts the logs from JSON formatted messages. It transforms the raw log data into the Unified Data Model (UDM), mapping fields like user, device, application, location, and authentication details, while also handling various authentication factors and results to categorize security events. The parser also performs data cleaning, type conversion, and error handling to ensure data quality and consistency.

Before you begin

  • Google SecOps instance
  • Privileged access to Duo tenant (Admin API application)
  • Privileged access to AWS (S3, IAM, Lambda, EventBridge)

Configure Duo Admin API application

  1. Sign in to Duo Admin Panel.
  2. Go to Applications > Protect an Application.
  3. Add Admin API application.
  4. Copy and save the following values to a secure location:
    • Integration key (ikey)
    • Secret key (skey)
    • API hostname (for example, api-XXXXXXXX.duosecurity.com)
  5. In Permissions, enable Grant read log (to read authentication logs).
  6. Save the application.

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create Amazon S3 bucket following this user guide: Creating a bucket
  2. Save bucket Name and Region for future reference (for example, duo-auth-logs).
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.

Configure the IAM policy and role for S3 uploads

  1. Go to AWS console > IAM > Policies > Create policy > JSON tab.

  2. Enter the following policy:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutDuoAuthObjects",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::duo-auth-logs/*"
    },
    {
      "Sid": "AllowGetStateObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::duo-auth-logs/duo/auth/state.json"
    }
  ]
}
    • Replace duo-auth-logs if you entered a different bucket name.

  3. Click Next > Create policy.

  4. Go to IAM > Roles > Create role > AWS service > Lambda.

  5. Attach the newly created policy.

  6. Name the role WriteDuoAuthToS3Role and click Create role.

Create the Lambda function

  1. In the AWS Console, go to Lambda > Functions > Create function.
  2. Click Author from scratch.

  3. Provide the following configuration details:

    Setting Value
    Name duo_auth_to_s3
    Runtime Python 3.13
    Architecture x86_64
    Execution role WriteDuoAuthToS3Role

  4. After the function is created, open the Code tab, delete the stub and enter the following code (duo_auth_to_s3.py):

    #!/usr/bin/env python3
# Lambda: Pull Duo Admin API v2 Authentication Logs to S3 (raw JSON pages)
# Notes:
# - Duo v2 requires mintime/maxtime in *milliseconds* (13-digit epoch).
# - Pagination via metadata.next_offset ("<millis>,<txid>").
# - We save state (mintime_ms) in ms to resume next run without gaps.

import os, json, time, hmac, hashlib, base64, email.utils, urllib.parse
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError
import boto3

DUO_IKEY = os.environ["DUO_IKEY"]
DUO_SKEY = os.environ["DUO_SKEY"]
DUO_API_HOSTNAME = os.environ["DUO_API_HOSTNAME"].strip()
S3_BUCKET = os.environ["S3_BUCKET"]
S3_PREFIX = os.environ.get("S3_PREFIX", "duo/auth/").strip("/")
STATE_KEY = os.environ.get("STATE_KEY", "duo/auth/state.json")
LIMIT = min(int(os.environ.get("LIMIT", "500")), 1000)  # default 100, max 1000

s3 = boto3.client("s3")

def _canon_params(params: dict) -> str:
    parts = []
    for k in sorted(params.keys()):
        v = params[k]
        if v is None:
            continue
        parts.append(f"{urllib.parse.quote(str(k), '~')}={urllib.parse.quote(str(v), '~')}")
    return "&".join(parts)

def _sign(method: str, host: str, path: str, params: dict) -> dict:
    now = email.utils.formatdate()
    canon = "\n".join([now, method.upper(), host.lower(), path, _canon_params(params)])
    sig = hmac.new(DUO_SKEY.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{DUO_IKEY}:{sig}".encode()).decode()
    return {"Date": now, "Authorization": f"Basic {auth}"}

def _http(method: str, path: str, params: dict, timeout: int = 60, max_retries: int = 5) -> dict:
    host = DUO_API_HOSTNAME
    assert host.startswith("api-") and host.endswith(".duosecurity.com"), \
        "DUO_API_HOSTNAME must be like api-XXXXXXXX.duosecurity.com"
    qs = _canon_params(params)
    url = f"https://{host}{path}" + (f"?{qs}" if qs else "")

    attempt, backoff = 0, 1.0
    while True:
        req = Request(url, method=method.upper())
        req.add_header("Accept", "application/json")
        for k, v in _sign(method, host, path, params).items():
            req.add_header(k, v)
        try:
            with urlopen(req, timeout=timeout) as r:
                return json.loads(r.read().decode("utf-8"))
        except HTTPError as e:
            if (e.code == 429 or 500 <= e.code <= 599) and attempt < max_retries:
                time.sleep(backoff); attempt += 1; backoff *= 2; continue
            raise
        except URLError:
            if attempt < max_retries:
                time.sleep(backoff); attempt += 1; backoff *= 2; continue
            raise

def _read_state_ms() -> int | None:
    try:
        obj = s3.get_object(Bucket=S3_BUCKET, Key=STATE_KEY)
        val = json.loads(obj["Body"].read()).get("mintime")
        if val is None:
            return None
        # Backward safety: if seconds were stored, convert to ms
        return int(val) * 1000 if len(str(int(val))) <= 10 else int(val)
    except Exception:
        return None

def _write_state_ms(mintime_ms: int):
    body = json.dumps({"mintime": int(mintime_ms)}).encode("utf-8")
    s3.put_object(Bucket=S3_BUCKET, Key=STATE_KEY, Body=body, ContentType="application/json")

def _write_page(payload: dict, when_epoch_s: int, page: int) -> str:
    key = f"{S3_PREFIX}/{time.strftime('%Y/%m/%d', time.gmtime(when_epoch_s))}/duo-auth-{page:05d}.json"
    s3.put_object(
        Bucket=S3_BUCKET,
        Key=key,
        Body=json.dumps(payload, separators=(",", ":")).encode("utf-8"),
        ContentType="application/json",
    )
    return key

def fetch_and_store():
    now_s = int(time.time())
    # Duo recommends a ~2-minute delay buffer; use maxtime = now - 120 seconds (in ms)
    maxtime_ms = (now_s - 120) * 1000
    mintime_ms = _read_state_ms() or (maxtime_ms - 3600 * 1000)  # 1 hour on first run

    page = 0
    total = 0
    next_offset = None

    while True:
        params = {"mintime": mintime_ms, "maxtime": maxtime_ms, "limit": LIMIT}
        if next_offset:
            params["next_offset"] = next_offset

        data = _http("GET", "/admin/v2/logs/authentication", params)
        _write_page(data, maxtime_ms // 1000, page)
        page += 1

        resp = data.get("response")
        items = resp if isinstance(resp, list) else []
        total += len(items)

        meta = data.get("metadata") or {}
        next_offset = meta.get("next_offset")
        if not next_offset:
            break

    # Advance window to maxtime_ms for next run
    _write_state_ms(maxtime_ms)
    return {"ok": True, "pages": page, "events": total, "next_mintime_ms": maxtime_ms}

def lambda_handler(event=None, context=None):
    return fetch_and_store()

if __name__ == "__main__":
    print(lambda_handler())

  5. Go to Configuration > Environment variables > Edit > Add new environment variable.

  6. Enter the following environment variables provided, replacing with your values:

    Key Example
    S3_BUCKET duo-auth-logs
    S3_PREFIX duo/auth/
    STATE_KEY duo/auth/state.json
    DUO_IKEY DIXYZ...
    DUO_SKEY ****************
    DUO_API_HOSTNAME api-XXXXXXXX.duosecurity.com
    LIMIT 500

  7. After the function is created, stay on its page (or open Lambda > Functions > your‑function).

  8. Select the Configuration tab.

  9. In the General configuration panel click Edit.

  10. Change Timeout to 5 minutes (300 seconds) and click Save.

Create an EventBridge schedule

  1. Go to Amazon EventBridge > Scheduler > Create schedule.
  2. Provide the following configuration details:
    • Recurring schedule: Rate (1 hour).
    • Target: your Lambda function.
    • Name: duo-auth-1h.
  3. Click Create schedule.

Optional: Create read-only IAM user & keys for Google SecOps

  1. In the AWS Console, go to IAM > Users, then click Add users.
  2. Provide the following configuration details:
    • User: Enter a unique name (for example, secops-reader)
    • Access type: Select Access key - Programmatic access
    • Click Create user.
  3. Attach minimal read policy (custom): Users > select secops-reader > Permissions > Add permissions > Attach policies directly > Create policy

  4. In the JSON editor, enter the following policy:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::<your-bucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::<your-bucket>"
    }
  ]
}

  5. Set the name to secops-reader-policy.

  6. Go to Create policy > search/select > Next > Add permissions.

  7. Go to Security credentials > Access keys > Create access key.

  8. Download the CSV (these values are entered into the feed).

Configure a feed in Google SecOps to ingest Duo Authentication Logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter a name for the feed (for example, Duo Authentication Logs).
  4. Select Amazon S3 V2 as the Source type.
  5. Select Duo Auth as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • S3 URI: s3://duo-auth-logs/duo/auth/
    • Source deletion options: Select the deletion option according to your preference.
    • Maximum File Age: Default 180 Days.
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field UDM Mapping Logic
access_device.browser target.resource.attribute.labels.value If access_device.browser is present, its value is mapped to the UDM.
access_device.hostname principal.hostname If access_device.hostname is present and not empty, its value is mapped to the UDM. If it's empty and the event_type is USER_CREATION, the event_type is changed to USER_UNCATEGORIZED. If access_device.hostname is empty and hostname field exists, the value of hostname is used.
access_device.ip principal.ip If access_device.ip exists and is a valid IPv4 address, its value is mapped to the UDM. If it's not a valid IPv4 address, it's added as a string value to additional.fields with key access_device.ip.
access_device.location.city principal.location.city If present, the value is mapped to the UDM.
access_device.location.country principal.location.country_or_region If present, the value is mapped to the UDM.
access_device.location.state principal.location.state If present, the value is mapped to the UDM.
access_device.os principal.platform If present, the value is translated to the corresponding UDM value (MAC, WINDOWS, LINUX).
access_device.os_version principal.platform_version If present, the value is mapped to the UDM.
application.key target.resource.id If present, the value is mapped to the UDM.
application.name target.application If present, the value is mapped to the UDM.
auth_device.ip target.ip If present and not "None", the value is mapped to the UDM.
auth_device.location.city target.location.city If present, the value is mapped to the UDM.
auth_device.location.country target.location.country_or_region If present, the value is mapped to the UDM.
auth_device.location.state target.location.state If present, the value is mapped to the UDM.
auth_device.name target.hostname OR target.user.phone_numbers If auth_device.name is present and is a phone number (after normalization), it's added to target.user.phone_numbers. Otherwise, it's mapped to target.hostname.
client_ip target.ip If present and not "None", the value is mapped to the UDM.
client_section target.resource.attribute.labels.value If client_section is present, its value is mapped to the UDM with the key client_section.
dn target.user.userid If dn is present and user.name and username are not, the userid is extracted from the dn field using grok and mapped to the UDM. The event_type is set to USER_LOGIN.
event_type metadata.product_event_type AND metadata.event_type The value is mapped to metadata.product_event_type. It's also used to determine the metadata.event_type: "authentication" becomes USER_LOGIN, "enrollment" becomes USER_CREATION, and if it's empty or neither of those, it becomes GENERIC_EVENT.
factor extensions.auth.mechanism AND extensions.auth.auth_details The value is translated to the corresponding UDM auth.mechanism value (HARDWARE_KEY, REMOTE_INTERACTIVE, LOCAL, OTP). The original value is also mapped to extensions.auth.auth_details.
hostname principal.hostname If present and access_device.hostname is empty, the value is mapped to the UDM.
log_format target.resource.attribute.labels.value If log_format is present, its value is mapped to the UDM with the key log_format.
log_level.__class_uuid__ target.resource.attribute.labels.value If log_level.__class_uuid__ is present, its value is mapped to the UDM with the key __class_uuid__.
log_level.name target.resource.attribute.labels.value AND security_result.severity If log_level.name is present, its value is mapped to the UDM with the key name. If the value is "info", security_result.severity is set to INFORMATIONAL.
log_logger.unpersistable target.resource.attribute.labels.value If log_logger.unpersistable is present, its value is mapped to the UDM with the key unpersistable.
log_namespace target.resource.attribute.labels.value If log_namespace is present, its value is mapped to the UDM with the key log_namespace.
log_source target.resource.attribute.labels.value If log_source is present, its value is mapped to the UDM with the key log_source.
msg security_result.summary If present and reason is empty, the value is mapped to the UDM.
reason security_result.summary If present, the value is mapped to the UDM.
result security_result.action_details AND security_result.action If present, the value is mapped to security_result.action_details. "success" or "SUCCESS" translates to security_result.action ALLOW, otherwise BLOCK.
server_section target.resource.attribute.labels.value If server_section is present, its value is mapped to the UDM with the key server_section.
server_section_ikey target.resource.attribute.labels.value If server_section_ikey is present, its value is mapped to the UDM with the key server_section_ikey.
status security_result.action_details AND security_result.action If present, the value is mapped to security_result.action_details. "Allow" translates to security_result.action ALLOW, "Reject" translates to BLOCK.
timestamp metadata.event_timestamp AND event.timestamp The value is converted to a timestamp and mapped to both metadata.event_timestamp and event.timestamp.
txid metadata.product_log_id AND network.session_id The value is mapped to both metadata.product_log_id and network.session_id.
user.groups target.user.group_identifiers All values in the array are added to target.user.group_identifiers.
user.key target.user.product_object_id If present, the value is mapped to the UDM.
user.name target.user.userid If present, the value is mapped to the UDM.
username target.user.userid If present and user.name is not, the value is mapped to the UDM. The event_type is set to USER_LOGIN.
(Parser Logic) metadata.vendor_name Always set to "DUO_SECURITY".
(Parser Logic) metadata.product_name Always set to "MULTI-FACTOR_AUTHENTICATION".
(Parser Logic) metadata.log_type Taken from the raw log's top-level log_type field.
(Parser Logic) extensions.auth.type Always set to "SSO".

Need more help? Get answers from Community members and Google SecOps professionals.