Authentication Events

Collects authentication events from Duo Security for user access visibility.

Sync Type: Incremental

Requirements

Before you connect Monad to Duo Security, you need an Integration Key, Secret Key, and a Host.

1. Sign up for a Duo account if you aren't already a customer.
2. Log in to the Duo Admin Panel and navigate to Applications and find the application you want to connect Monad to.
3. Retrieve your Client ID, Client Secret, and Hostname (Previously in Duo, the Client ID was called the "Integration key" and the Client secret was called the "Secret key" in case you come across those terms).
4. Ensure Duo is connected to your application. For example, here is documentation for how to connect Duo Security to 1Password: https://duo.com/docs/1password#new-1password-applications

Details

Monad uses the mintime on the Duo Security Authentication Logs API to determine what logs to display. This field is updated every time a request to get authentication logs is successful with the last time a request to get the logs was initiated. If this was the first time requesting for admin logs, a full sync of the data is performed.

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting	Type	Required	Description
Host	string	Yes	The Duo API endpoint used for sending authentication and other requests.

Secrets

Secret	Type	Required	Description
Integration Key	string	Yes	A unique identifier for the integration between your application and Duo Security.
Secret Key	string	Yes	A private key used to securely sign API requests to Duo.

Custom Schema Handling

If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:

{
  metadata: {
    schema_version: "1.0.0",
    custom_framework: "my_framework"
  },
  controls: .[]
}

For more information on JQ and how to write your own JQ transformations see the JQ docs here.

If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.

Related Articles

• https://duo.com/docs/adminapi#first-steps
• https://pkg.go.dev/github.com/duosecurity/duo_api_golang#NewDuoApi
• https://github.com/duosecurity/duo_api_golang

Sample Record

{
  "access_device": {
    "browser": "Safari",
    "browser_version": "69.0.3497.100",
    "epkey": "4abce39a-006e-7e99-3cbe-dcfc4b7478dc",
    "flash_version": "uninstalled",
    "hostname": null,
    "ip": "145.120.95.237",
    "is_encryption_enabled": false,
    "is_firewall_enabled": false,
    "is_password_set": false,
    "java_version": "uninstalled",
    "location": {
      "city": "San Francisco",
      "country": "United States",
      "state": "California"
    },
    "os": "macOS High Sierra",
    "os_version": "10.15.3",
    "security_agents": []
  },
  "adaptive_trust_assessments": {
    "more_secure_auth": {
      "detected_attack_detectors": [
        "ANOMALOUS_DEVICE"
      ],
      "features_version": "3.0",
      "model_version": "2022.07.19.001",
      "policy_enabled": true,
      "reason": "Suspicious activity detected",
      "trust_level": "LOW"
    },
    "remember_me": {
      "features_version": "3.0",
      "model_version": "2022.07.19.001",
      "policy_enabled": true,
      "reason": "Regular Access Pattern",
      "trust_level": "HIGH"
    }
  },
  "alias": "",
  "application": {
    "key": "89a36bbf-d0ec-3c5b-2d2d-afdf15a50060",
    "name": "Microsoft Azure Active Directory"
  },
  "auth_device": {
    "ip": "10.7.161.224",
    "key": "9d119e99-d266-821e-a309-363cf76b1c98",
    "location": {
      "city": "New York",
      "country": "United States",
      "state": "Illinois"
    },
    "name": "My Pixel 6 (423-555-9144)"
  },
  "email": "Tom Miller@example.com",
  "event_type": "authentication",
  "factor": "hardware_token",
  "isotimestamp": "2025-08-11T23:47:00.042228Z",
  "ood_software": null,
  "passport_assessment": {
    "is_supported": true,
    "reason": "unsupported_platform"
  },
  "reason": "user_denied",
  "result": "FAILURE",
  "timestamp": 1754956020,
  "trusted_endpoint_status": "trusted",
  "txid": "cca760c6-b003-dc8a-143d-b2bbe52a4305",
  "user": {
    "groups": [
      "Duo Users",
      "Sales"
    ],
    "key": "24b08c4a-8dee-e313-2f18-aeb9b321e40e",
    "name": "Peter Jones@example.com"
  },
  "metadata": {
    "next_offset": [
      "1754956020042",
      "68c828e4-cc93-3079-40c3-e282f7210c2e"
    ],
    "total_objects": 100
  }
}