Excellent. My guess is you may be able to use your SSO application logs (cas, shib, etc) to get IP and USERID as well as other info. As for the User being created in DUO, unless you have the DUO logs being pumped into Splunk you may not be able to see that. Depending on your process for adding users into DUO you may be able to get the info in another way. When we rolled DUO out for our Students we used the DUO API and created an intercept for Users not already in DUO. The User would SSO auth, then the app would use the API to check DUO to see if the User was in DUO. If not, they would then be given the option to create their account. We would then push the data from our system to DUO and would use the success from that to count the users added to DUO.

Hope this helps.

I believe that DUO logs are being pumped to Splunk. I setup a connector and I can see data on the dashboard. I also set up an alert and a trigger action but it doesn't seem to work. I am probably doing something wrong.

I used to be our DUO Admin but have moved on. In the DUO Telephony log you should be able to look for Enrollment to key on users being added.

We are not getting the DUO logs into Splunk so I can't really provide more than ideas 🙂