Investigate User
Workflow #0062
Response Workflow
This workflow takes a Duo Security username as input and retrieves the user's Duo profile and recent authentication activity. If the user is found and authentication logs are returned, a ServiceNow incident is created to notify the appropriate team to investigate further. Supported observables: user, email
Change Log
Date | Notes |
---|---|
Apr 29, 2022 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Duo - Admin - Get Authentication Logs
  - Duo - Admin - Get User
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page:
  - Duo Security
  - ServiceNow
Workflow Steps
- Make sure the observable is supported
- Fetch global variables
- Verify required input was provided
- Check if a username suffix was provided and, if so, apply it
- Fetch the user from Duo (end the workflow if not found)
- Parse a variety of information from the user’s profile
- Fetch authentication logs for the user
- Check if logs were fetched:
  - If not, end the workflow
  - If they were:
    - Parse the logs to an HTML table
    - Create a ServiceNow incident
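The steps above, carried out in plain Python as an added illustration (this is not the workflow's own code and does not use the SecureX atomics): Duo Admin API request signing, the username suffix and Hours to Search handling, the authentication-log-to-HTML step, and the ServiceNow incident payload. The Duo signing scheme follows Duo's published Admin API documentation; the v2 authentication log parameters, the event fields, the hostnames, the keys and the log events are constructed sample data, and the mapping of the ServiceNow User ID variable onto the incident's `caller_id` field is an assumption.

```python
"""Added illustration of the workflow steps in plain Python. Not the
workflow's own code; all hostnames, keys and log events are constructed."""
import base64
import hashlib
import hmac
import html
import json
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import quote


def apply_username_suffix(username: str, suffix: str) -> str:
    """The 'Duo Username Suffix' step: append e.g. '@company.com'.
    Skipped when the username already carries the suffix (a choice made here)."""
    if not suffix or username.endswith(suffix):
        return username
    return username + suffix


def canonical_params(params: dict) -> str:
    """Duo's canonical parameter form: keys sorted, key=value URL-encoded with
    only unreserved characters (letters, digits, - _ . ~) left bare."""
    return "&".join(f"{quote(k, '~')}={quote(str(params[k]), '~')}" for k in sorted(params))


def duo_headers(method, host, path, params, ikey, skey, date_header):
    """Duo Admin API auth: HMAC-SHA1 over date, METHOD, lowercase host, path
    and canonical params joined by newlines, sent as HTTP Basic ikey:signature."""
    canon = "\n".join([date_header, method.upper(), host.lower(), path, canonical_params(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date_header, "Authorization": f"Basic {token}"}


def duo_request(host, ikey, skey, path, params, now):
    """Prepared GET for the Admin API. The Duo target needs no account key: the
    integration key and secret key from the local variables sign each request."""
    return {"method": "GET",
            "url": f"https://{host}{path}?{canonical_params(params)}",
            "headers": duo_headers("GET", host, path, params, ikey, skey, format_datetime(now))}


def get_user_request(host, ikey, skey, username, now):
    return duo_request(host, ikey, skey, "/admin/v1/users", {"username": username}, now)


def auth_log_request(host, ikey, skey, user_id, hours, now):
    """v2 authentication logs (assumed parameters): mintime/maxtime are Unix
    milliseconds, 'users' filters on the Duo user_id returned by Get User."""
    end_ms = int(now.timestamp() * 1000)
    start_ms = end_ms - hours * 3600 * 1000
    params = {"mintime": start_ms, "maxtime": end_ms, "users": user_id, "limit": 100}
    return duo_request(host, ikey, skey, "/admin/v2/logs/authentication", params, now)


def event_row(ev: dict) -> list:
    """Pick the fields worth showing from one (constructed) authentication event."""
    device = ev.get("access_device") or {}
    loc = device.get("location") or {}
    when = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return [when, ev.get("result", ""), ev.get("reason", ""), ev.get("factor", ""),
            (ev.get("application") or {}).get("name", ""), device.get("ip", ""),
            ", ".join(v for v in (loc.get("city"), loc.get("country")) if v)]


def logs_to_html_table(events: list) -> str:
    """Every cell is HTML-escaped: location, application and device strings come
    from Duo and ultimately from the endpoint, and the table lands in a ticket
    that analysts open in a browser."""
    headers = ["Time", "Result", "Reason", "Factor", "Application", "Source IP", "Location"]
    head = "<tr>" + "".join(f"<th>{h}</th>" for h in headers) + "</tr>"
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in event_row(ev)) + "</tr>"
                   for ev in events)
    return f"<table>{head}{body}</table>"


def servicenow_incident_request(instance, caller_id, username, table_html):
    """Table API POST. Assumption: the ServiceNow User ID variable maps to
    caller_id. HTTP Basic auth from the account key is added by the caller."""
    payload = {"short_description": f"Investigate Duo user {username}",
               "caller_id": caller_id,
               "description": f"Recent Duo authentications for {username}:\n{table_html}"}
    return {"method": "POST",
            "url": f"https://{instance}.service-now.com/api/now/table/incident",
            "headers": {"Content-Type": "application/json", "Accept": "application/json"},
            "body": json.dumps(payload)}


# Constructed sample data: placeholder hostnames/keys and two made-up events.
NOW = datetime(2022, 9, 7, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"timestamp": 1662551700, "result": "success", "reason": "user_approved", "factor": "duo_push",
     "application": {"name": "Okta"}, "access_device": {"ip": "203.0.113.10",
     "location": {"city": "Austin", "country": "United States"}}},
    {"timestamp": 1662548100, "result": "denied", "reason": "<script>alert(1)</script>", "factor": "",
     "application": {"name": "VPN"}, "access_device": {"ip": "198.51.100.7", "location": {}}},
]

if __name__ == "__main__":
    user = apply_username_suffix("jdoe", "@company.com")
    print(get_user_request("api-xxxxxxxx.duosecurity.com", "DIXXXXXXXXXXXXXXXXXX", "secret", user, NOW))
    print(auth_log_request("api-xxxxxxxx.duosecurity.com", "DIXXXXXXXXXXXXXXXXXX", "secret", "DUXXXX", 24, NOW)["url"])
    print(servicenow_incident_request("dev12345", "svc.securex", user, logs_to_html_table(SAMPLE_EVENTS))["body"])
```

The requests are only prepared, not sent, so the script runs offline; in the workflow the same two Duo calls and the ServiceNow POST are made by the atomics listed under Requirements. The escaping in `logs_to_html_table` is the part worth keeping in mind if you customise the HTML step: the table is built from data an attacker can influence (device details, locations) and is rendered to the analyst who triages the ticket.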
Configuration
- Provide the workflow your Duo Security Admin API information by either:
  - Storing the information in global variables and using the Fetch Global Variables group at the beginning of the workflow to update the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
  - Removing the variables from the Fetch Global Variables group and adding your information directly to the corresponding local variables
- Set Duo Username Suffix if you need to add something like a domain to your usernames before searching them in Duo. The value is appended to every username the workflow looks up. For example: @company.com
- Update the Hours to Search variable to adjust how far back authentication logs are searched
- Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, be a different user
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Duo Security | HTTP Endpoint | Protocol: HTTPS; Host: <api hostname>.duosecurity.com; Path: None | None | Be sure to use the API Hostname from your Duo Admin API application. No account key is needed because the workflow signs requests with the Duo Integration Key and Duo Secret Key local variables; the Admin API application must have the Grant read resource and Grant read log permissions for the Get User and Get Authentication Logs calls |
ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |