Hey all. I’m trying to identify when a user has Duo MFA removed from their account using the Duo logs. Specifically I’m tryign to accomplish this through a SIEM.
I’ve gone through the docs at Duo Admin API | Duo Security. But I don’t see any event/action that would be specific to the MFA being removed from a user. (Maybe I’m misinterpreting things though, e.g. Admin action of “phone_delete” vs “phone_update” with “deleted_actcode”)
Hoping that someone can provide some insight if I can identify this occurring through the Duo logs.