Data Source: Cisco Duo Administrator

Description

Data source object for Cisco Duo Administrator

Details

| Property | Value |
| --- | --- |
| Source | cisco_duo |
| Sourcetype | cisco:duo:administrator |

Supported Apps

Event Fields

- action
- actionlabel
- ctime
- description
- eventtype
- extracted_eventtype
- isotimestamp
- object
- timestamp
- username

Example Log

{"ctime": "Tue Jul  8 12:28:47 2025", "action": "policy_create", "description": "{\"enroll_policy\": \"Allow Access\", \"name\": \"test4\", \"pretty_trusted_devices\": \"\", \"admin_email\": \"test@test.com\"}", "isotimestamp": "2025-07-08T12:28:47+00:00", "object": "test4", "timestamp": 1751977727, "username": "Test Test", "host": "api-41e72ada.duosecurity.com", "extracted_eventtype": "administrator", "actionlabel": "Added policy"}

Source: GitHub | Version: 1