04-13-2022 09:02 AM
I’d like to be notified when a user completes the enrollment and/or activation along with some general detail about the source initiating the enrollment.
I’m logging the auth events to a SIEM but am at a loss on where to capture the ‘Enrollment’ events if even possible.
Any help/advice is much appreciated.
04-18-2022 01:46 PM
Hi @Heath_Duke, welcome to the Duo Community! Yes, it is possible to capture enrollment and activation events using a SIEM, and you should also be able to set notifications or other alerts. This will depend on the SIEM you’re using, so please contact your SIEM vendor for more info on that. This help article includes a lot of useful information on this topic. I’d also recommend referring to our guide to using Duo’s Admin API to pull logs which includes basic information about using Duo’s Admin API to export logs to a SIEM.
Under the Duo Admin API authentication logs in our documentation, you’ll find a query parameter for event_types and enrollment which can be used to accomplish this. I believe activation shows up in that list as an enrollment event per the article here.
04-22-2022 04:07 PM
If your SIEM ingests data from the Duo Admin API, the Enrollment data should be in there (user + application + IP + phone number or WebAuthn ID). We ingest this data into Blumira (alerts) and Chronicle (dashboards) to ensure no rogue devices get added.
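An added example, not part of the thread and not Duo's own code: a minimal filter that turns enrollment-type log records into notifications and marks enrollments from outside a known network for review. The record layout, the sample values and the trusted range are constructed assumptions modeled on the fields mentioned above (user, application, IP, device).

```python
import ipaddress

# Constructed sample records; the field layout is an assumption modeled on
# the data described in the thread, not captured Duo output.
SAMPLE_EVENTS = [
    {"event_type": "authentication", "isotimestamp": "2022-04-22T15:00:00+00:00",
     "user": {"name": "alice"}, "application": {"name": "VPN"},
     "access_device": {"ip": "10.1.2.3"}, "auth_device": {"name": "555-0100"}},
    {"event_type": "enrollment", "isotimestamp": "2022-04-22T15:05:00+00:00",
     "user": {"name": "bob"}, "application": {"name": "VPN"},
     "access_device": {"ip": "10.1.2.9"}, "auth_device": {"name": "555-0101"}},
    {"event_type": "enrollment", "isotimestamp": "2022-04-22T15:09:00+00:00",
     "user": {"name": "carol"}, "application": {"name": "Web SSO"},
     "access_device": {"ip": "203.0.113.50"}, "auth_device": {"name": "555-0102"}},
    {"event_type": "enrollment", "isotimestamp": "2022-04-22T15:12:00+00:00",
     "user": {"name": "dave"}, "application": {"name": "Web SSO"},
     "access_device": {}, "auth_device": {"name": "555-0103"}},
]

# Hypothetical corporate range; replace with the networks you expect
# enrollments to come from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def source_is_trusted(ip_text):
    """True only when ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False  # missing or malformed source IP is never trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def enrollment_alerts(events):
    """Build one notification per enrollment event, ignoring other types."""
    alerts = []
    for ev in events:
        if ev.get("event_type") != "enrollment":
            continue
        ip = (ev.get("access_device") or {}).get("ip")
        alerts.append({
            "time": ev.get("isotimestamp"),
            "user": (ev.get("user") or {}).get("name"),
            "application": (ev.get("application") or {}).get("name"),
            "source_ip": ip,
            "device": (ev.get("auth_device") or {}).get("name"),
            "severity": "info" if source_is_trusted(ip) else "review",
        })
    return alerts


if __name__ == "__main__":
    for alert in enrollment_alerts(SAMPLE_EVENTS):
        print(alert)
```
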