steampipe plugin install duo

Table: duo_admin_log_record - Query Duo Security Admin Log Records using SQL

Duo Security is a cloud-based access security provider protecting the world's fastest-growing and largest companies and thousands of organizations worldwide, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. The platform provides a suite of security products including Duo's Trusted Access platform, one of the most secure access platforms in the world. It offers numerous services like secure single sign-on (SSO), Duo Push, Universal Prompt, and more.

Table Usage Guide

The duo_admin_log_record table provides insights into Admin Log Records within Duo Security. As a Security Analyst, explore record-specific details through this table, including action types, object details, and associated metadata. Utilize it to monitor administrator actions, track system changes, and ensure adherence to security policies.

Examples

Admin log records for the last 30 days (default time range)

select
*
from
duo_admin_log_record
order by
timestamp desc;

Admin log records for the last 24 hours

PostgreSQL:

select
*
from
duo_admin_log_record
where
timestamp > current_timestamp - interval '24 hours'
order by
timestamp desc;

SQLite:

select
*
from
duo_admin_log_record
where
timestamp > datetime('now', '-24 hours')
order by
timestamp desc;

Admin log records for a specific time range

select
*
from
duo_admin_log_record
where
timestamp >= '2022-04-17T07:00:00-04:00'
and timestamp < '2022-04-17T08:00:00-04:00'
order by
timestamp desc;

Failed login attempts in the last 7 days

PostgreSQL:

select
*
from
duo_admin_log_record
where
action = 'admin_login_error'
and timestamp > current_timestamp - interval '7 days'
order by
timestamp desc;

SQLite:

select
*
from
duo_admin_log_record
where
action = 'admin_login_error'
and timestamp > datetime('now', '-7 days')
order by
timestamp desc;
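The failed-login query above lists individual events. A detection analyst usually wants the aggregate: which administrator names accumulated repeated failures, and whether anything was changed under that name in the same window, which is what a successful guess or a stolen session would leave behind. The following query is an added example, not from the plugin's own documentation. It uses the PostgreSQL dialect (the `filter (where ...)` aggregate form is not available in SQLite), and the threshold of five failures is an arbitrary tuning choice.

```sql
-- Added example (not part of the original page): administrators with five or
-- more failed Duo Admin Panel logins in the last 7 days, alongside what else
-- was recorded under the same name in that window.
-- Assumptions: PostgreSQL dialect; the action names 'admin_login' and
-- 'admin_login_error' are the ones shown elsewhere on this page; the
-- threshold (>= 5) is arbitrary and should be tuned to the tenant.
select
  username,
  count(*) filter (where action = 'admin_login_error')  as failed_logins,
  count(*) filter (where action = 'admin_login')        as successful_logins,
  -- anything that is not a login event is a change to the tenant
  count(*) filter (where action not in ('admin_login', 'admin_login_error'))
                                                        as changes,
  array_agg(distinct action)
    filter (where action not in ('admin_login', 'admin_login_error'))
                                                        as change_actions,
  min(timestamp) filter (where action = 'admin_login_error') as first_failure,
  max(timestamp) filter (where action = 'admin_login_error') as last_failure
from
  duo_admin_log_record
where
  -- only the timestamp qualifier is pushed down to the Duo Admin API
  timestamp > current_timestamp - interval '7 days'
group by
  username
having
  count(*) filter (where action = 'admin_login_error') >= 5
order by
  failed_logins desc,
  last_failure desc;
```

Two practical points follow from the schema below. Only `timestamp` carries comparison operators, so the time window is the one condition sent to the Duo Admin API; the `action` and `username` conditions are evaluated by Steampipe after the records are fetched, so keep the window as narrow as the question allows. And `username` for these events is the administrator's full name as shown in the Admin Panel, not a login or e-mail, so a row with failures but no `successful_logins` may simply be an attacker guessing at a known name; a row with failures followed by `changes` is the one to escalate.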

Schema for duo_admin_log_record

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
action | text | | The type of change that was performed, e.g. admin_login, group_create, user_update.
description | jsonb | | Details of what changed; the format varies based on the action.
object | text | | The object that was acted on. For example: 'jsmith' (for users), '(555) 713-6275 x456' (for phones), or 'HOTP 8-digit 123456' (for tokens).
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
timestamp | timestamp with time zone | >, >=, =, <, <= | Time when the event occurred.
username | text | | The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be 'API'. Automatic actions like deletion of inactive users have 'System' for the username. Changes synchronized from Directory Sync will have a username of the form (example) 'AD Sync: name of directory'.
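The `username` column description means every change in the log can be attributed to one of four kinds of actor: a human in the Admin Panel, an Admin API integration, Duo's own automation, or a directory sync. Separating them is the first step in reviewing whether API keys and sync jobs are doing only what they are expected to. The query below is an added example, not from the plugin's documentation. It assumes the PostgreSQL dialect and relies on the default 30-day window since it passes no `timestamp` qualifier; the `'AD Sync: %'` pattern is taken from the example in the column description and other directory types may use a different prefix.

```sql
-- Added example (not part of the original page): non-login admin log
-- actions for the default 30-day window, bucketed by the kind of actor
-- that performed them, using the sentinel usernames documented for the
-- username column ('API', 'System', 'AD Sync: ...').
-- Assumptions: PostgreSQL dialect; the 'AD Sync: %' prefix is the one
-- example given in the schema and may not cover every directory type.
select
  case
    when username = 'API'            then 'admin_api'
    when username = 'System'         then 'duo_automation'
    when username like 'AD Sync: %'  then 'directory_sync'
    else 'admin_panel'
  end                as actor_type,
  username,
  action,
  count(*)           as events,
  min(timestamp)     as first_seen,
  max(timestamp)     as last_seen
from
  duo_admin_log_record
where
  -- logins are activity, not changes; keep only actions that altered the tenant
  action not in ('admin_login', 'admin_login_error')
group by
  1, 2, 3
order by
  actor_type,
  events desc;
```

Read the result per bucket: `admin_api` rows show what your integrations actually did, which should match the scopes you granted them; `directory_sync` rows should be limited to user and group maintenance; anything unexpected in `duo_automation` or `admin_api` (for example an action prefixed `admin_` or touching policy) is worth pulling up with the `description` and `object` columns for that event.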

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- duo

You can pass the configuration to the command with the --config argument:

steampipe_export_duo --config '<your_config>' duo_admin_log_record