# Offline Enrollment Logs Collects a list of Duo Authentication for Windows Logon offline enrollment events from Duo Security API. **Sync Type: Incremental** ## Requirements Before you connect Monad to Duo Security, you need an Integration Key, Secret Key, and a Host. 1. [Sign up for a Duo account](https://signup.duo.com/) if you aren't already a customer. 2. [Log in to the Duo Admin Panel](https://admin.duosecurity.com/login?next=%2F) and navigate to Applications and find the application you want to connect Monad to. 3. Retrieve your Client ID, Client Secret, and Hostname (Previously in Duo, the Client ID was called the "Integration key" and the Client secret was called the "Secret key" in case you come across those terms). 4. Ensure Duo is connected to your application. For example, here is documentation for how to connect Duo Security to 1Password: https://duo.com/docs/1password#new-1password-applications ## Details Monad uses the `mintime` on the Duo Security Offline Enrollment Logs API to determine what logs to display. This field is updated every time a request to get Offline Enrollment logs is successful with the last time a request to get the logs was initiated. If this was the first time requesting for admin logs, a full sync of the data is performed. ## Configuration The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below. #### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Host | string | Yes | The Duo API endpoint used for sending authentication and other requests. | #### Secrets | Secret | Type | Required | Description | |---------|------|----------|-------------| | Integration Key | string | Yes | A unique identifier for the integration between your application and Duo Security. | | Secret Key | string | Yes | A private key used to securely sign API requests to Duo. | ## Custom Schema Handling If the source data doesn't align with any of the [OpenSecurityControlFramework (OSCF) schemas](https://schema.ocsf.io/), you can create a custom transformation using our JQ transform pipeline. For example: ```jq { metadata: { schema_version: "1.0.0", custom_framework: "my_framework" }, controls: .[] } ``` For more information on JQ and how to write your own JQ transformations see the JQ docs [here](https://jqlang.github.io/jq/). If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at [support@monad.com](mailto:support@monad.com). We're always looking to expand our coverage of security control frameworks based on community needs. ## Related Articles - [https://duo.com/docs/adminapi#first-steps](https://duo.com/docs/adminapi#first-steps) - [https://pkg.go.dev/github.com/duosecurity/duo_api_golang#NewDuoApi](https://pkg.go.dev/github.com/duosecurity/duo_api_golang#NewDuoApi) - [https://github.com/duosecurity/duo_api_golang](https://github.com/duosecurity/duo_api_golang) - [Duo Offline Enrollment Logs API](https://duo.com/docs/adminapi#offline-enrollment-logs) ## Sample Record ```json { "stat": "OK", "response": [{ "action": "o2fa_user_provisioned", "description": "{\"user_agent\": \"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\", \"hostname\": \"WKSW10x64\", \"factor\": \"duo_otp\"}", "isotimestamp": "2019-08-30T16:10:05+00:00", "object": "Acme Laptop Windows Logon", "timestamp": 1567181405, "username": "narroway" }] } ```