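# Data source object describing Cisco Duo administrator events as indexed
# under the source/sourcetype given below.
name: Cisco Duo Administrator
id: 38e22de6-8b6b-449c-ae26-a640c88ff7f9
version: 1
date: '2025-07-10'
author: Patrick Bareiss, Splunk
description: Data source object for Cisco Duo Administrator
source: cisco_duo
sourcetype: cisco:duo:administrator
# No separator field is set for this data source.
separator: null
# `url` and `version` are properties of the add-on list item and must stay
# indented under it; at column 0 they would parse as top-level keys and
# `version` would duplicate the data source version above.
supported_TA:
- name: Cisco Security Cloud
  url: https://splunkbase.splunk.com/app/7404
  version: 3.5.3
# Fields declared for this sourcetype.
# NOTE(review): `eventtype` is listed here but does not occur in example_log,
# and `host` occurs in example_log but is not listed - confirm both are
# intentional.
fields:
- action
- actionlabel
- ctime
- description
- eventtype
- extracted_eventtype
- isotimestamp
- object
- timestamp
- username
# NOTE(review): presumably `user` is derived from `username` by the add-on;
# verify against the TA's field aliases before relying on it in detections.
output_fields:
- user
# Sample administrator event (action `policy_create`). The `description`
# value is itself a JSON document serialized as a string, so its inner keys
# (`name`, `admin_email`, ...) are only reachable after a second parse.
# NOTE(review): `host` looks like a tenant-specific Duo API hostname - confirm
# the sample is sanitized test data.
example_log: '{"ctime": "Tue Jul 8 12:28:47 2025", "action": "policy_create", "description":
  "{\"enroll_policy\": \"Allow Access\", \"name\": \"test4\", \"pretty_trusted_devices\":
  \"\", \"admin_email\": \"test@test.com\"}", "isotimestamp": "2025-07-08T12:28:47+00:00",
  "object": "test4", "timestamp": 1751977727, "username": "Test Test", "host": "api-41e72ada.duosecurity.com",
  "extracted_eventtype": "administrator", "actionlabel": "Added policy"}'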