Table: duo_admin_log_record - Query Duo Security Admin Log Records using SQL
Duo Security is a cloud-based access security provider protecting the world's fastest-growing and largest companies and thousands of organizations worldwide, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. The platform provides a suite of security products including Duo's Trusted Access platform, one of the most secure access platforms in the world. It offers numerous services like secure single sign-on (SSO), Duo Push, Universal Prompt, and more.
Table Usage Guide
The duo_admin_log_record table provides insights into Admin Log Records within Duo Security. As a Security Analyst, explore record-specific details through this table, including action types, object details, and associated metadata. Utilize it to monitor administrator actions, track system changes, and ensure adherence to security policies. Queries without a timestamp qualifier return the last 30 days of records (the default time range); add a timestamp qualifier to narrow or shift that window.
Examples
Admin log records for the last 30 days (default time range)
```sql
select
  *
from
  duo_admin_log_record
order by
  timestamp desc;
```
Admin log records for the last 24 hours
PostgreSQL:

```sql
select
  *
from
  duo_admin_log_record
where
  timestamp > current_timestamp - interval '24 hours'
order by
  timestamp desc;
```

SQLite:

```sql
select
  *
from
  duo_admin_log_record
where
  timestamp > datetime('now', '-24 hours')
order by
  timestamp desc;
```
Admin log records for a specific time range
```sql
select
  *
from
  duo_admin_log_record
where
  timestamp >= '2022-04-17T07:00:00-04:00'
  and timestamp < '2022-04-17T08:00:00-04:00'
order by
  timestamp desc;
```
Failed login attempts in the last 7 days
PostgreSQL:

```sql
select
  *
from
  duo_admin_log_record
where
  action = 'admin_login_error'
  and timestamp > current_timestamp - interval '7 days'
order by
  timestamp desc;
```

SQLite:

```sql
select
  *
from
  duo_admin_log_record
where
  action = 'admin_login_error'
  and timestamp > datetime('now', '-7 days')
order by
  timestamp desc;
```
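Listing every failed login is a starting point; what an analyst usually wants is the burst pattern that indicates password guessing against an Admin Panel account. The following query is an added example, not part of the original page or the Duo plugin, written for the PostgreSQL dialect Steampipe exposes. It buckets admin_login_error events per username per hour and keeps only buckets at or above a threshold; the threshold of five is an assumed tuning value, not a Duo or Steampipe default.

```sql
-- Added example: detect bursts of failed Admin Panel logins.
-- Groups admin_login_error events by administrator and one-hour bucket
-- over the last 7 days and reports buckets with >= 5 failures.
-- The threshold (5) is an assumed value; tune it for your environment.
with failed_logins as (
  select
    username,
    timestamp,
    object,
    description
  from
    duo_admin_log_record
  where
    action = 'admin_login_error'
    -- timestamp qualifier is pushed down to the Duo API by the plugin
    and timestamp > current_timestamp - interval '7 days'
)
select
  username,
  date_trunc('hour', timestamp) as hour_bucket,
  count(*)                       as failed_logins,
  min(timestamp)                 as first_failure,
  max(timestamp)                 as last_failure,
  -- keep one sample description so the analyst can see the failure details
  -- without a second query (format varies by action, see the schema below)
  min(description::text)         as sample_description
from
  failed_logins
group by
  username,
  date_trunc('hour', timestamp)
having
  count(*) >= 5
order by
  failed_logins desc,
  hour_bucket desc;
```

Pair a hit from this query with the successful admin_login events for the same username immediately afterwards: a burst of failures followed by a success is the case worth escalating, while a burst with no subsequent success is a lockout candidate.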
Schema for duo_admin_log_record
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
action | text | | The type of change that was performed, e.g. admin_login, group_create, user_update. |
description | jsonb | | Details of what changed, format varies based on the action. |
object | text | | The object that was acted on. For example: 'jsmith' (for users), '(555) 713-6275 x456' (for phones), or 'HOTP 8-digit 123456' (for tokens). |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
timestamp | timestamp with time zone | >, >=, =, <, <= | Time when the event occurred. |
username | text | | The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be 'API'. Automatic actions like deletion of inactive users have 'System' for the username. Changes synchronized from Directory Sync will have a username of the form (example) 'AD Sync: name of directory'. |
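The username column encodes who (or what) made a change, and the description column's shape depends on the action. The query below is an added example, not from the original page or the Duo plugin, written for PostgreSQL. It classifies each record by actor using the username conventions listed in the schema, then enumerates which description keys appear for each action so an analyst knows what can be extracted before writing action-specific queries. The 'AD Sync: ' prefix follows the example given in the schema; other directory types may use a different prefix, so treat that pattern as an assumption to verify against your own records.

```sql
-- Added example: (1) classify admin log records by actor type using the
-- username conventions documented in the schema, and (2) list the JSON keys
-- present in description per action, since its format varies by action.
with recent as (
  select
    username,
    action,
    object,
    description,
    timestamp
  from
    duo_admin_log_record
  where
    timestamp > current_timestamp - interval '30 days'
),
classified as (
  select
    case
      when username = 'API'              then 'api'
      when username = 'System'           then 'system'
      -- prefix taken from the schema's example; assumed for other directories
      when username like 'AD Sync: %'    then 'directory_sync'
      else                                    'human_admin'
    end as actor_class,
    *
  from
    recent
)

-- Part 1: volume of each action by actor class. A surge of 'api' or
-- 'human_admin' changes outside change windows is worth a look.
select
  actor_class,
  action,
  count(*)        as events,
  min(timestamp)  as first_seen,
  max(timestamp)  as last_seen
from
  classified
group by
  actor_class,
  action
order by
  actor_class,
  events desc;

-- Part 2: which description keys exist per action. jsonb_object_keys only
-- accepts JSON objects, so non-object descriptions are filtered out first.
with recent_objects as (
  select
    action,
    description
  from
    duo_admin_log_record
  where
    timestamp > current_timestamp - interval '30 days'
    and jsonb_typeof(description) = 'object'
)
select
  r.action,
  k.description_key,
  count(*) as occurrences
from
  recent_objects r
  cross join lateral jsonb_object_keys(r.description) as k(description_key)
group by
  r.action,
  k.description_key
order by
  r.action,
  occurrences desc;
```

Run Part 2 once against your own tenant and keep the output; it tells you which `description ->> 'key'` expressions are safe to use in per-action detections, since the page does not promise a fixed set of keys.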
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- duo
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_duo --config '<your_config>' duo_admin_log_record
```