Key Duo usecases for security monitoring by SOC

Hi team,

I am seeking to be advised on some of the key usecase scnarios that we couls monitor in our SOC. I have for instance considered user logins where duo push and access device are in separate locations. I would appreciate any further insights on some important usecases.


Hi @Colloh, what a great question you’ve asked here! This is exactly the kind of best practice conversation we love to see in the Community. Just to clarify, SOC in this context refers to your Security Operations Center - is that correct?

I’ll take this back to our team and see if others have any advice I can share with you, and I hope other members of the Community and Duo admins weigh in as well!

Kind of related - we have a free course on Duo Trust Monitor available on our learning management system, Duo Level Up. The content it covers seems super relevant to your question, so you might want to explore that and check it out.

1 Like

Hi Amy

You are right, SOC refers to Security Operations Center.
Thanks for getting back to me, I will check the Duo Trust Monitor course

1 Like

Thanks for confirming that! One of our Customer Success Managers at Duo recommended that if you use a SEIM like Rapid7 or Splunk, you could forward the logging there and set up reporting to monitor authentication requests.

Most of the cases we recommend looking at will be covered in the Trust Monitor course. These include:

  • An unrealistic geovelocity where the time and distance between two distinct logins makes it impossible for the user to have made both attempts.
  • An access device or application that the user has not used in the last 180 days.
  • An IP address that the user has not logged in from or has infrequently logged in from in the last 180 days.
  • A time or location that would be unusual for the user to log in from.
  • Or authentication attempts marked by the user as fraud.
1 Like

Hi Amy,

Thanks very much for your help.