Table: duo_auth_log_record - Query Duo Security Authentication Log Records using SQL
Duo Security is a cloud-based security platform that provides two-factor authentication, endpoint security, remote access solutions and more. This platform helps prevent breaches, reduce risk, and ensure regulatory compliance. The Authentication Log Records in Duo Security provide detailed information about user authentication attempts, including the user, device, location, and result.
Table Usage Guide
The duo_auth_log_record table provides insights into user authentication activities within Duo Security. As a security analyst, explore detailed information about user authentication attempts through this table, including the user, device, location, and result. Utilize it to uncover information about user activities, detect potential security breaches, and ensure regulatory compliance.
Examples
Authentication log records for the last 30 days (default time range)
select * from duo_auth_log_record order by timestamp desc;
Authentication log records for the last 24 hours
Postgres:
select * from duo_auth_log_record where timestamp > current_timestamp - interval '24 hours' order by timestamp desc;
SQLite:
select * from duo_auth_log_record where timestamp > datetime('now', '-24 hours') order by timestamp desc;
Authentication log records for a specific time range
select * from duo_auth_log_record where timestamp >= '2022-04-17T07:00:00-04:00' and timestamp < '2022-04-17T08:00:00-04:00' order by timestamp desc;
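Bursts of activity by user and action (added example, not part of the plugin documentation). It is written in PostgreSQL syntax, uses only the columns listed in the schema for this table, and bounds the time range with a timestamp predicate; the 7-day window and the threshold of 20 events per hour are assumed values to tune against your own baseline.

```sql
-- Added example (PostgreSQL syntax), not from the plugin documentation.
-- Groups log records into hourly buckets per username and action so that
-- unusual bursts stand out. Only schema columns are used: username, action,
-- object, timestamp.
with hourly as (
  select
    username,
    action,
    date_trunc('hour', timestamp) as hour_bucket,
    count(*) as events,
    count(distinct object) as distinct_objects
  from
    duo_auth_log_record
  where
    -- Explicit time bound (assumed 7-day window) instead of the 30-day default.
    timestamp > current_timestamp - interval '7 days'
  group by
    username,
    action,
    date_trunc('hour', timestamp)
)
select
  hour_bucket,
  username,
  action,
  events,
  distinct_objects
from
  hourly
where
  events >= 20 -- assumed threshold; adjust to your environment
order by
  events desc,
  hour_bucket desc;
```

Rows attributed to 'API' or 'System' reflect automated activity and usually need a separate baseline from named users.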
Schema for duo_auth_log_record
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
action | text | | The type of change that was performed, e.g. auth_login, group_create, user_update. |
description | jsonb | | Details of what changed, format varies based on the action. |
object | text | | The object that was acted on. For example: 'jsmith' (for users), '(555) 713-6275 x456' (for phones), or 'HOTP 8-digit 123456' (for tokens). |
timestamp | timestamp with time zone | >, >=, =, <, <= | Time when the event occurred. |
username | text | | The full name of the administrator who performed the action in the Duo Auth Panel. If the action was performed with the API this will be 'API'. Automatic actions like deletion of inactive users have 'System' for the username. Changes synchronized from Directory Sync will have a username of the form (example) 'AD Sync: name of directory'. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- duo
You can pass the configuration to the command with the --config argument:
steampipe_export_duo --config '<your_config>' duo_auth_log_record