Cisco Duo sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco Duo sample message when you use the Cisco Duo protocol

Sample 1: The following sample event message shows that a customer successfully enrolled with Cisco Duo.

{"access_device":{"browser":"Firefox","browser_version":"84.0","epkey":null,"flash_version":"uninstalled","hostname":null,"ip":"10.120.139.72","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"city","country":"country","state":"state"},"os":"Mac OS X","os_version":"11.0","security_agents":"unknown"},"alias":"unknown","application":{"key":"1111111111AAAAAAAAAA","name":"1Password"},"auth_device":{"ip":null,"location":{"city":null,"country":null,"state":null},"name":"514-894-3479"},"email":null,"event_type":"enrollment","factor":"sms_passcode","isotimestamp":"2021-10-04T19:40:32.385977+00:00","ood_software":null,"reason":null,"result":"success","timestamp":1633376432,"trusted_endpoint_status":"unknown","txid":"1a32fe06-cc6c-4a34-9f08-43e23fb1f4b3","user":{"groups":[],"key":"1111111111AAAAAAAABB","name":"test.user@example.com"}}

Table 1. Highlighted fields in the Cisco Duo event

QRadar field name    Highlighted payload field name
Event ID             event_type
Source IP            ip
Username             name

Sample 2: The following sample event message shows that an end user approved an authentication request.

{"access_device":{"browser":null,"browser_version":null,"epkey":null,"flash_version":null,"hostname":null,"ip":"10.10.10.10","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":null,"country":null,"state":null},"os":null,"os_version":null,"security_agents":"unknown"},"alias":"testuser","application":{"key":"1111111111AAAAAAAAAA","name":"macOS"},"auth_device":{"ip":"142.120.139.72","location":{"city":"Ottawa","country":"Canada","state":"Ontario"},"name":"514-894-3479"},"email":"test.user@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-10-06T14:22:47.921053+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1633530167,"trusted_endpoint_status":"unknown","txid":"73eb9ca7-45d1-4f97-af0b-7c15700f6f2f","user":{"groups":[],"key":"1111111111AAAAAAAABB","name":"testuser"}}

Table 2. Highlighted fields in the Cisco Duo sample event

QRadar field name    Highlighted payload field name
Event ID             reason
Source IP            ip
Username             name
Identity IP          ip
Identity Username    name
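The two tables show that the QRadar Event ID comes from a different payload key depending on the event: event_type for an enrollment event and reason for an authentication event. The following added example (not IBM or Cisco Duo code) parses abbreviated copies of the two sample events above, removes the carriage return and line feed characters the note at the top of this page warns about, and maps the payload to the QRadar field names in the tables. It assumes that Source IP is taken from access_device.ip, that Identity IP is taken from auth_device.ip, and that both Username and Identity Username are taken from user.name; the page lists only the key names "ip" and "name", so those parent-object choices are assumptions. The sample strings below are constructed from the page's own events, with line breaks inserted deliberately so the cleanup step is exercised.

```python
import json

# Abbreviated copies of the page's two sample events, constructed for this example.
# CR/LF sequences are inserted on purpose to mimic a payload pasted with line breaks.
RAW_ENROLLMENT = (
    '{"access_device":{"browser":"Firefox","ip":"10.120.139.72",\r\n'
    '"os":"Mac OS X"},"application":{"key":"1111111111AAAAAAAAAA","name":"1Password"},'
    '"auth_device":{"ip":null,"name":"514-894-3479"},"event_type":"enrollment",'
    '"factor":"sms_passcode","reason":null,"result":"success",\r\n'
    '"timestamp":1633376432,"txid":"1a32fe06-cc6c-4a34-9f08-43e23fb1f4b3",'
    '"user":{"groups":[],"key":"1111111111AAAAAAAABB","name":"test.user@example.com"}}'
)

RAW_AUTHENTICATION = (
    '{"access_device":{"browser":null,"ip":"10.10.10.10","os":null},\r\n'
    '"alias":"testuser","application":{"key":"1111111111AAAAAAAAAA","name":"macOS"},'
    '"auth_device":{"ip":"142.120.139.72","name":"514-894-3479"},'
    '"email":"test.user@example.com","event_type":"authentication","factor":"duo_push",\r\n'
    '"reason":"user_approved","result":"success","timestamp":1633530167,'
    '"txid":"73eb9ca7-45d1-4f97-af0b-7c15700f6f2f",'
    '"user":{"groups":[],"key":"1111111111AAAAAAAABB","name":"testuser"}}'
)


def strip_line_breaks(raw: str) -> str:
    """Return the payload as a single line, the form the page asks you to paste."""
    return raw.replace("\r", "").replace("\n", "")


def parse_event(raw: str) -> dict:
    """Clean the pasted payload and decode it as JSON."""
    return json.loads(strip_line_breaks(raw))


def qradar_fields(event: dict) -> dict:
    """Map a Duo event to the QRadar field names listed in Table 1 and Table 2.

    Assumed parent objects (the page names only the leaf keys):
      Source IP          -> access_device.ip
      Identity IP        -> auth_device.ip   (authentication events only)
      Username           -> user.name
      Identity Username  -> user.name        (authentication events only)
    """
    event_type = event.get("event_type")
    access = event.get("access_device") or {}
    auth = event.get("auth_device") or {}
    user = event.get("user") or {}

    if event_type == "authentication":
        # Table 2: the Event ID is the "reason" key. Fall back to event_type if
        # reason is null so the event is never left without an identifier.
        event_id = event.get("reason") or event_type
    else:
        # Table 1: the Event ID is the "event_type" key.
        event_id = event_type

    fields = {
        "Event ID": event_id,
        "Source IP": access.get("ip"),
        "Username": user.get("name"),
    }
    if event_type == "authentication":
        fields["Identity IP"] = auth.get("ip")
        fields["Identity Username"] = user.get("name")
    return fields


if __name__ == "__main__":
    for label, raw in (("Sample 1", RAW_ENROLLMENT), ("Sample 2", RAW_AUTHENTICATION)):
        print(label)
        for name, value in qradar_fields(parse_event(raw)).items():
            print(f"  {name:<18} {value}")
```

Run the script to see the two mappings side by side; when you verify the integration, compare the printed values with what QRadar shows for the Source IP, Username and Identity fields, and adjust the assumed parent objects if the DSM maps them differently.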