Help identifying when Duo mfa is removed from an account via logs

Hey all. I’m trying to identify when a user has Duo MFA removed from their account using the Duo logs. Specifically I’m tryign to accomplish this through a SIEM.

I’ve gone through the docs at Duo Admin API | Duo Security. But I don’t see any event/action that would be specific to the MFA being removed from a user. (Maybe I’m misinterpreting things though, e.g. Admin action of “phone_delete” vs “phone_update” with “deleted_actcode”)

Hoping that someone can provide some insight if I can identify this occurring through the Duo logs.

Are you looking at the actions in the new Activity Logs endpoint? Those seem like the actions you’d be interested in collecting i.e. phone_delete means a phone 2FA device has been removed from a user and was deleted because no other users were attached to that phone), and it aggregates actions from different actors: user, admin, etc. We’re still working on completing the set of actions exposed in this endpoint.

Duo admins removing MFA devices from users also gets captured in the Administrator Logs i.e. phone_delete.