cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3900
Views
4
Helpful
9
Replies

Bypassed users alert

wujieleo
Level 1
Level 1

Hello.

Is there a native report in DUO that will display which users accounts are set to ‘Bypass’ and send this list through email on a regular basis?

Regards,

Leo

9 Replies 9

Amy2
Level 5
Level 5

Hi @wujieleo,
You can get a list of all users who are currently set to Bypass status from the Duo Admin Panel. From the Users page, select Bypass Users, and you can then Export the list of user in Bypass status to CSV, JSON, or Print file types.

I’m sorry to say it is not currently possible to schedule reports to be automatically sent via email from the Duo Admin Panel. However, this is a popular request we hear from our users. I will add you to the feature request for this, so your interest is documented for the team.
You can set up email alerts for certain user events, though. Please see Kristina’s response here for more info: Schedule reports delivery via email - #5 by DuoKristina

I would also like to +1 this request to be able to schedule a report of bypass users.

jenrj
Cisco Employee
Cisco Employee

Hi @strem, welcome to the Duo Community! Thanks for letting us know about your support for this feature request. I’ll pass this input along to our Product team. Let us know if you need any additional help!

ButlerKD
Level 1
Level 1

Leo,

We are in the process of implementing the Duo Log Sync in conjunction with our Qradar SIEM. Once configured, you should be able to have your SIEM of choice send out alerts based upon your criteria for your environment.

The instructions look to be based on a Linux-based install, but hopefully there will be a fully vetted step-by-step install for the Microsoft Windows ecosystem.

ButlerKD
Level 1
Level 1

Leo,

Here is a step-by-step set of instructions I’ve crafted with the assistance of our Duo Customer Solutions Engineer. It is for the Microsoft Windows environment, and is targeted towards sending logs to a Qradar SIEM, but with the necessary changes you may be able to engineer it for your environment.

  • Kevin

Duo Log Sync Install – Windows

Pre-Requisites:

  1. Download the current version of the Duo Log Sync app from GitHub at “GitHub - duosecurity/duo_log_sync”.

  2. Download the latest version of Python for Windows (currently v3.9.5 x64) from “Download Python | Python.org”.

  3. An operational Duo Authentication Proxy Server running Windows Server 2012 R2/2016/2019

Duo Admin Portal Configuration:
4. Log into the Duo Admin portal. Click on the “Applications” link in the left-side Dashboard. Click on the “Protect an Application” button:

  1. In the search field, locate the “Duo Admin API” application, click the “Protect” button to create the new Admin API application:

  2. Once created, make note of the Integration key, Secret Key, and API hostname. Under “Settings/Permissions”, enable the check box for the following:
    Grant read information
    Grant read log
    Grant read resource

  3. Under “Settings/Networks for API access”, restrict access to the Admin API instance to the proper external network address(es) for the corporate network and click “Save Changes” to commit:

2X_4_400fce4e4a9f49f71de70fe31339b5e8b0863c9e.jpeg

Duo Proxy Server Configuration:
8. On the Duo Proxy server to host the Duo Log Sync instance, extract the “duo_log_sync-master.zip” contents downloaded from “GitHub - duosecurity/duo_log_sync” into a folder named “C:\Program Files\DuoLogSync”:

  1. Located and execute the downloaded installer for Python x64 with the following options configured:
    Install launcher for all users (recommended)
    Add Python 3.9 to the system PATH
    2X_6_6ea24898b877c44d1da27c1969d83eff81ec3048.jpeg

  2. Click “Customize Installation” and take the defaults. Click “Next”:
    2X_4_4726b7125edcfaaac3697527b71e07fa09d7a4e1.jpeg

  3. Under “Advanced Options”, select “Install for all users”. Click “Install
    2X_e_ed96aba6320622bb393d9d5f840c5b07fe5158a6.jpeg

  4. (Optional) Once the install is complete, click the “Disable path length limit” option or the “Close” button to finish:
    2X_1_1fc91729571ef8153719d62586fa1ddd484955a9.jpeg

  5. Create the following folders in the root of “C:\”:
    “C:\tmp”
    “C:\admin\logs”

Configure Duo Log Sync “config.yml”:
14. Extract the contents of the downloaded “duo_log_sync-master zip” to “C:\Program Files” as a folder called “DuoLogSync”:

  1. Open an Administrator command prompt. Change directory to the newly created “C:\Program Files\DuoLogSync” folder. run the command “python setup.py install

  2. Once the installation completes, locate and copy the “template_config.yml” file to “config.yml”:

  3. Modify the contents of the newly created config.yml as necessary for your environment:

Define Log Filepath name
Configure Log File format

  1. Perform the following actions:

Enable “Checkpointing”
Change API calls offset information to “enabled: True”
Define SIEM ID name, FQDN, Port #, and Protocol sections


2X_f_f1be0b72f6d9a285438dbef05c3aeb1dfaf87e8e.jpeg

  1. Input the “Integration key”, “Secret key”, and “API hostname” as configured for the “Admin API” application under “Duo Admin Panel\Applications”:

Starting Duo Log Sync:
20. After saving the modified “config.yml” file, start the Duo Log Sync script by executing the command “duologsync "C:\Program Files\DuoLogSync\config.yml””:

  1. If successful, there should now be a “duologsync.log” file in the previously created “C:\admin\logs” folder:

  1. Opening the “duologsync.log” file should now show any events that have occurred every 120 seconds (Notepad ++ works best for this):

  1. Lastly, to automate the start of the script after a system reboot, save the following PowerShell code to a file named “DuoLogSyncStartup.ps1”.

Open an administrator PowerShell prompt, and execute as “.\DuoLogSyncStartup.ps1“:

##Script for Registering DuoLogSync as a Scheduled Task on Bootup
##Run this as Administrator via Powershell
##Jesse Yother – Customer Solutions Engineer - 4/7/2021

#Installation Variables. This is the only place that should need edited!
#Default Log Sync installation for Windows is:
##"
C:\Users\USERNAME\AppData\Local\Programs\Python\Python39\Scripts\duologsync.exe
$DuoLogSyncLocation = “C:\Program Files\Python39\Scripts\duologsync.exe”
$configLocation = “C:\Program Files\DuoLogSync\config.yml” #config.yml path
$description = “Task to re-enable Duo Log Sync after each reboot”
##"
#Defines the Action to initiate the Duo Log Sync executable
##"
$action = New-ScheduledTaskAction -Execute $DuoLogSyncLocation -Argument $configLocation
##"
#Adds the trigger to run the task at startup
##"
$trigger = New-ScheduledTaskTrigger -AtStartup
##"
#Defines the running user as “System” and sets to run regardless of logon at the highest privilege.
##"
$principal = New-ScheduledTaskPrincipal -UserID “NT AUTHORITY\SYSTEM” - LogonType ServiceAccount -RunLevel Highest
##"
#Registers the task variables as a new Scheduled Task in the Windows Task Scheduler and adds a description.
##"
Register-ScheduledTask -TaskName “DuoLogSync” -Action $action -Trigger $trigger -Principal $principal -Description $description

  1. After a successful execution, the task is now scheduled to start after a system reboot:

  1. This concludes the installation, configuration, and execution of the Duo Log Sync application. Special thanks to Duo Customer Solutions Engineer Jesse Yother for assistance in getting this operational.

@ButlerKevinD , wow thank you so much for taking the time to document this and share it with the community! These steps are thorough and easy to follow, and I love that you included screenshots as well.

@Amy - Happy to help out, and wouldn’t be able to present it here without our CSE’s assistance.

@wujieleo - One thing to note on the scheduled task, you may wish to modify it to the following settings utilizing a domain account with administrative permissions on your Windows Duo Auth Proxy server. After a while, we have noticed the script will crash with a Winsock error.

Also make certain under the “Actions” tab created by the PowerShell script, you encapsulate the “Program/Script” and “Add arguments (optional)” settings with double-quotes ("C:\Program Files\Python39\Scripts\duologsync.exe" and “C:\Program Files\DuoLogSync\config.yml”).

Thus far with this scheduled task configuration, if it does crash, it is restarted:

General Tab

Triggers Tab

Actions Tab

mharia
Level 1
Level 1

I’d like to +1 this request as well.

In fact, not just a scheduled report, but ideally a real-time alert since it could be an extremely material security event.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links