
Investigate User

Workflow #0062

Response Workflow

This workflow takes a Duo Security user’s username as input and retrieves the user’s Duo profile and recent activity. If the user information is retrieved successfully, a ServiceNow ticket is created to notify the appropriate team to investigate further.

Supported observables: user, email



Change Log

| Date | Notes |
|---|---|
| Apr 29, 2022 | Initial release |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Duo - Admin - Get Authentication Logs
    • Duo - Admin - Get User
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Duo Security
  • ServiceNow

Workflow Steps

  1. Make sure the observable is supported
  2. Fetch global variables
  3. Verify required input was provided
  4. Check if a username suffix was provided and, if so, apply it
  5. Fetch the user from Duo (end the workflow if not found)
  6. Parse a variety of information from the user’s profile
  7. Fetch authentication logs for the user
  8. Check if logs were fetched:
    • If not, end the workflow
    • If they were:
      • Parse the logs to an HTML table
      • Create a ServiceNow incident
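
The steps above can be traced offline with the following added example (Python, not the workflow's own code): it applies the username suffix, filters constructed log records to the Hours to Search window, renders them as an HTML table with every log value escaped, and builds the incident fields. The record shape, the function names, the caller name, and the incident field names are assumptions made for illustration.

```python
import html
from datetime import datetime, timedelta, timezone

# Constructed sample records; the field names are assumptions, not Duo's schema.
SAMPLE_LOGS = [
    {"timestamp": 1651230000, "user": "jdoe@company.com", "result": "success",
     "device": "laptop-01", "ip": "198.51.100.7"},
    {"timestamp": 1651233600, "user": "jdoe@company.com", "result": "denied",
     "device": "<b>Pixel</b>", "ip": "203.0.113.9"},   # markup inside a log field
    {"timestamp": 1651000000, "user": "jdoe@company.com", "result": "success",
     "device": "laptop-01", "ip": "198.51.100.7"},     # older than the search window
]
COLUMNS = ["timestamp", "user", "result", "device", "ip"]

def apply_suffix(username, suffix):
    """Step 4: append the Duo Username Suffix unless empty or already present."""
    if suffix and not username.lower().endswith(suffix.lower()):
        return username + suffix
    return username

def recent_logs(logs, username, now, hours):
    """Steps 7-8: keep this user's records from the last `hours` hours."""
    cutoff = (now - timedelta(hours=hours)).timestamp()
    return [r for r in logs if r["user"] == username and r["timestamp"] >= cutoff]

def logs_to_html(rows):
    """Render rows as an HTML table, escaping every value that came from a log."""
    out = ["<table><tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"]
    for r in rows:
        cells = dict(r, timestamp=datetime.fromtimestamp(
            r["timestamp"], timezone.utc).isoformat())
        out.append("<tr>" + "".join(
            f"<td>{html.escape(str(cells.get(c, '')))}</td>" for c in COLUMNS) + "</tr>")
    return "".join(out) + "</table>"

def build_incident(username, rows, caller):
    """Return incident fields, or None when no logs were fetched (workflow ends)."""
    if not rows:
        return None
    return {"caller_id": caller,   # assumed field for the ServiceNow User ID
            "short_description": f"Investigate Duo user {username}",
            "description": logs_to_html(rows)}

if __name__ == "__main__":
    user = apply_suffix("jdoe", "@company.com")
    now = datetime.fromtimestamp(1651237200, timezone.utc)  # constructed "current" time
    print(build_incident(user, recent_logs(SAMPLE_LOGS, user, now, 24), "svc_account"))
```

Escaping matters here because values such as device names come from the authenticating client and end up rendered inside the ticket.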

Configuration

  • Provide the workflow your Duo Security Admin API information by either:
    • Storing the information in global variables and using the Fetch Global Variables group at the beginning of the workflow to update the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
    • Removing the variables from the Fetch Global Variables group and adding your information directly to the corresponding local variables
  • Set Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example: @company.com
  • Update the Hours to Search variable to adjust the length of time to search authentication logs
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Duo Security | HTTP Endpoint | Protocol: HTTPS; Host: <api hostname>.duosecurity.com; Path: None | None | Be sure to use the API Hostname from your Duo integration |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |