Help identifying when Duo mfa is removed from an account via logs

API forum Admin API forum
1

Hey all. I’m trying to identify when a user has Duo MFA removed from their account using the Duo logs. Specifically I’m tryign to accomplish this through a SIEM.

I’ve gone through the docs at Duo Admin API | Duo Security. But I don’t see any event/action that would be specific to the MFA being removed from a user. (Maybe I’m misinterpreting things though, e.g. Admin action of “phone_delete” vs “phone_update” with “deleted_actcode”)

Hoping that someone can provide some insight if I can identify this occurring through the Duo logs.

2

Are you looking at the actions in the new Activity Logs endpoint? Those seem like the actions you’d be interested in collecting i.e. phone_delete means a phone 2FA device has been removed from a user and was deleted because no other users were attached to that phone), and it aggregates actions from different actors: user, admin, etc. We’re still working on completing the set of actions exposed in this endpoint.

Duo admins removing MFA devices from users also gets captured in the Administrator Logs i.e. phone_delete.