Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1511
Views
3
Helpful
4
Replies

Key Duo usecases for security monitoring by SOC

Colloh
Level 1
Level 1

‎05-18-2021 08:45 AM

Hi team,

I am seeking to be advised on some of the key usecase scnarios that we couls monitor in our SOC. I have for instance considered user logins where duo push and access device are in separate locations. I would appreciate any further insights on some important usecases.

Regards

Labels:
0 Helpful
4 Replies 4

Amy2
Level 5
Level 5

‎05-19-2021 06:50 AM

Hi @Colloh, what a great question you’ve asked here! This is exactly the kind of best practice conversation we love to see in the Community. Just to clarify, SOC in this context refers to your Security Operations Center - is that correct?

I’ll take this back to our team and see if others have any advice I can share with you, and I hope other members of the Community and Duo admins weigh in as well!

Kind of related - we have a free course on Duo Trust Monitor available on our learning management system, Duo Level Up. The content it covers seems super relevant to your question, so you might want to explore that and check it out.

Colloh
Level 1
Level 1
In response to Amy2

‎05-19-2021 11:12 AM

Hi Amy

You are right, SOC refers to Security Operations Center.
Thanks for getting back to me, I will check the Duo Trust Monitor course

Amy2
Level 5
Level 5
In response to Colloh

‎05-20-2021 05:31 AM

Thanks for confirming that! One of our Customer Success Managers at Duo recommended that if you use a SEIM like Rapid7 or Splunk, you could forward the logging there and set up reporting to monitor authentication requests.

Most of the cases we recommend looking at will be covered in the Trust Monitor course. These include:

  • An unrealistic geovelocity where the time and distance between two distinct logins makes it impossible for the user to have made both attempts.
  • An access device or application that the user has not used in the last 180 days.
  • An IP address that the user has not logged in from or has infrequently logged in from in the last 180 days.
  • A time or location that would be unusual for the user to log in from.
  • Or authentication attempts marked by the user as fraud.

Colloh
Level 1
Level 1
In response to Amy2

‎05-20-2021 06:46 AM

Hi Amy,

Thanks very much for your help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents