id: a4ce5d43-3bca-4eb4-8302-b868e45c6dc4 Function: Title: Parser for CiscoDuo Version: '1.0.0' LastUpdated: '2023-08-23' Category: Microsoft Sentinel Parser FunctionName: CiscoDuo FunctionAlias: CiscoDuo FunctionQuery: | CiscoDuo_CL | extend EventVendor = 'Cisco' | extend EventProduct = 'Duo Security' | extend parse_json(description_s) | extend SrcDvcType=description_s['device'], SrcIpAddr=iff(isnotempty(description_s), description_s['ip_address'], access_device_ip_s), DstUserName=iff(isnotempty(username_s), username_s, user_name_s), SrcUserName=object_s, EventType=iff(isnotempty(eventtype_s), eventtype_s, event_type_s), EventEndTime=unixtime_seconds_todatetime(tolong(timestamp_d)), HttpUserAgentOriginal = description_s['user_agent'] | extend AccessDvcSecurityAgents=column_ifexists( "access_device_security_agents_s" , "") , TrustedEndpointStatus=column_ifexists( "trusted_endpoint_status_s", "") , SurfacedAuthAccessDeviceSecurityAgents=column_ifexists( "surfaced_auth_access_device_security_agents_s", "") , SrcDvcOs=column_ifexists( "access_device_os_s", "") , DstGeoRegion=column_ifexists( "state_s", "") , AccessDvcBrowser=column_ifexists( "access_device_browser_s", "") , AccessDvcBrowserVersion=column_ifexists( "access_device_browser_version_s", "") , AccessDvcFlashVersion=column_ifexists( "access_device_flash_version_s", "") , AccessDvcEncryptionEnabled=column_ifexists( "access_device_is_encryption_enabled_s", "") , AccessDvcFirewallEnabled=column_ifexists( "access_device_is_firewall_enabled_s", "") , AccessDvcPasswordSet=column_ifexists( "access_device_is_password_set_s", "") , AccessDvcJavaVersion=column_ifexists( "access_device_java_version_s", "") , AccessDvcOsVersion=column_ifexists( "access_device_os_version_s", "") , Explanations=column_ifexists( "explanations_s", "") , FromCommonNetblock=column_ifexists( "from_common_netblock_b", "") , FromNewUser=column_ifexists( "from_new_user_b", "") , SrcRiskLevel=column_ifexists( "low_risk_ip_b", "") , PriorityEvent=column_ifexists( "priority_event_b", "") , PriorityReasons=column_ifexists( "priority_reasons_s", "") , Sekey=column_ifexists( "sekey_s", "") , SurfacedAuthAccessDeviceBrowser=column_ifexists( "surfaced_auth_access_device_browser_s", "") , SurfacedAuthAccessDeviceBrowserVersion=column_ifexists( "surfaced_auth_access_device_browser_version_s", "") , SurfacedAuthAccessDeviceIp=column_ifexists( "surfaced_auth_access_device_ip_s", "") , SurfacedAuthAccessDeviceEncryptionEnabled=column_ifexists( "surfaced_auth_access_device_is_encryption_enabled_s", "") , SurfacedAuthAccessDeviceFirewallEnabled=column_ifexists( "surfaced_auth_access_device_is_firewall_enabled_s", "") , SurfacedAuthAccessDevicePasswordSet=column_ifexists( "surfaced_auth_access_device_is_password_set_s", "") , SurfacedAuthAccessDeviceLocationCity=column_ifexists( "surfaced_auth_access_device_location_city_s", "") , SurfacedAuthAccessDeviceLocationCountry=column_ifexists( "surfaced_auth_access_device_location_country_s", "") , SurfacedAuthAccessDeviceLocationState=column_ifexists( "surfaced_auth_access_device_location_state_s", "") , SurfacedAuthAccessDeviceOs=column_ifexists( "surfaced_auth_access_device_os_s", "") , SurfacedAuthAccessDeviceOsVersion_s=column_ifexists( "surfaced_auth_access_device_os_version_s", "") , SurfacedAuthAlias=column_ifexists( "surfaced_auth_alias_s", "") , SurfacedAuthApplicationKey=column_ifexists( "surfaced_auth_application_key_s", "") , SurfacedAuthApplicationName=column_ifexists( "surfaced_auth_application_name_s", "") , SurfacedAuthEmail=column_ifexists( "surfaced_auth_email_s", "") , SurfacedAuthFactor=column_ifexists( "surfaced_auth_factor_s", "") , SurfacedAuthIsotimestamp=column_ifexists( "surfaced_auth_isotimestamp_t", "") , SurfacedAuthOodSoftware_s=column_ifexists( "surfaced_auth_ood_software_s", "") , SurfacedAuthReason=column_ifexists( "surfaced_auth_reason_s", "") , SurfacedAuthResult=column_ifexists( "surfaced_auth_result_s", "") , SurfacedAuthTimestamp=column_ifexists( "surfaced_auth_timestamp_d", "") , SurfacedAuthTransactionId=column_ifexists( "surfaced_auth_txid_g", "") , SurfacedAuthUserGroups=column_ifexists( "surfaced_auth_user_groups_s", "") , SurfacedAuthUserKey=column_ifexists( "surfaced_auth_user_key_s", "") , SurfacedAuthUserName=column_ifexists( "surfaced_auth_user_name_s", "") , SurfacedTimestamp=column_ifexists( "surfaced_timestamp_d", "") , EventUid=column_ifexists( "triage_event_uri_s", "") , context_s=column_ifexists( "context_s", "") , phone_s=column_ifexists( "phone_s", "") , type_s=column_ifexists ( "type_s", "") , TriagedAsInteresting=column_ifexists( "triaged_as_interesting_b", "") , Credits=column_ifexists( "credits_d", "") | project-rename DvcAction=action_s, DvcHostname=host_s, SrcGeoCountry=access_device_location_country_s, SrcGeoCity=access_device_location_city_s, EventResult=result_s, EventResultDetails=reason_s, AuthDeviceCountry=auth_device_location_country_s, AuthFactor=factor_s, AccessDvcIpAddr=access_device_ip_s, AccessDvcLocationState=access_device_location_state_s, Alias=alias_s, User=email_s, SrcAppId=application_key_s, SrcAppName=application_name_s, DvcIpAddr=auth_device_ip_s, AuthDeviceCity=auth_device_location_city_s, AuthDeviceState=auth_device_location_state_s, SrcHostname=auth_device_name_s, TransactionId=txid_g, UserGroups=user_groups_s, SrcUserId=user_key_s, Context=context_s, IsoTimestamp=isotimestamp_t, Phone=phone_s, SrcDomainType=type_s