AlienVault® USM Anywhere™

Duo Security

When you configure Duo Security to send log data to USM Anywhere, you can use the Duo Two-Factor Authentication CEF plugin to translate the raw log data into normalized events for analysis.

Device Details

  Vendor: Duo Security
  Device Type: Authentication and DHCP
  Connection Type: Syslog

Integrating Duo Security

Duo Security does not have a connector or integration specific for USM Anywhere. However, there is a duo-log-grabber on GitHub that "grabs the administrator and authentication logs from the Duo Security API and sends CEF-formatted syslog." You can use it to send logs to USM Anywhere instead.

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. You also need to obtain account information for the Duo Auth API.

To send CEF-formatted syslog messages to USM Anywhere

  1. Download the utility from
  2. Install the utility.

    pip install -r requirements.txt

  3. Update the conf.ini file.

    1. Update the [api] section with your Duo Security API credentials.
    2. In the [syslog] section, replace <syslog_server> with the IP address of the USM Anywhere Sensor.
  4. Run the utility or schedule it to run at an interval to import Duo Security logs into USM Anywhere.

Plugin Enablement

The Duo Two-Factor Authentication CEF plugin automatically processes all messages when the raw message contains |Duo Security|Two-factor|.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • authentication_mode
  • customfield_0
  • customfield_2
  • customfield_6
  • customfield_7
  • customheader_0
  • customheader_2
  • customheader_6
  • customheader_7
  • destination_hostname
  • destination_username
  • email_sender
  • event_description_url
  • event_name
  • event_outcome
  • event_receipt_time*
  • event_severity
  • operating_system
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • source_username

Note: The field event_receipt_time must be selected before it is available in any reports.

To select the Event Receipt Time field

  1. Go to Activity > Events and click the icon.
  2. Use the Available Columns selector to add Event Receipt Time.
  3. Click Apply.

Once this change is applied, the field is displayed for all events.
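As an added example (not code from this page, from AlienVault, or from duo-log-grabber), the following Python checks a CEF syslog line against the plugin match string |Duo Security|Two-factor| and splits the CEF header and extension into the plugin field names listed under Available Plugin Fields, so you can validate a record before shipping it to the Sensor. The sample line and the mapping of CEF header positions and extension keys to plugin fields are assumptions; the page lists the fields but does not document how each is populated.

```python
import re

PLUGIN_MATCH = "|Duo Security|Two-factor|"   # substring the plugin looks for (from the page)
# Assumed mapping of CEF header positions and extension keys to USM Anywhere plugin
# field names; the page lists the fields but not how they are filled.
HEADER_FIELDS = ["cef_version", "rep_device_vendor", "rep_device_type",
                 "rep_device_version", "rep_device_rule_id", "event_name",
                 "event_severity"]
EXT_FIELDS = {"src": "source_address", "suser": "source_username",
              "outcome": "event_outcome"}

def split_cef_header(line):
    """Return the 7 CEF header fields and the extension, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, line[i:]

def parse_extension(ext):
    """Split 'key=value key2=value' pairs; values may contain spaces and \\= escapes."""
    pairs = {}
    for chunk in re.split(r"\s+(?=\w+=)", ext.strip()):
        if not chunk:
            continue
        key, _, val = chunk.partition("=")
        pairs[key] = re.sub(r"\\([=\\])", r"\1", val)
    return pairs

def normalize(line):
    """Return None if the plugin would not claim the line, else the normalized event."""
    if PLUGIN_MATCH not in line:
        return None
    header, ext = split_cef_header(line)
    event = dict(zip(HEADER_FIELDS, header))
    for key, val in parse_extension(ext).items():
        event[EXT_FIELDS.get(key, key)] = val
    return event

# Constructed sample in the shape of a CEF syslog payload (all values are made up).
SAMPLE = ("CEF:0|Duo Security|Two-factor|1.0|authentication|Authentication|3|"
          "rt=1700000000000 suser=alice src=203.0.113.10 outcome=SUCCESS "
          "cs1Label=factor cs1=Duo Push msg=Site\\=HQ")
```

A line whose vendor or product field differs from the match string, even by an escaped pipe, is returned as None, which is the case to look for when events from the grabber never appear in USM Anywhere.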


For troubleshooting, refer to the vendor documentation: