Mozilla Security Duo notifications
Analyze messages generated from the Duo logging API and provide alerting notifications on various event types.
This sandbox expects Duo messages generated in the Mozlog format, as occurs with the duopull-lambda function (https://github.com/mozilla-services/duopull-lambda).
If enable_metrics is true, the module will submit metrics events for collection by the metrics output sandbox. When it is enabled, make sure process_message_inject_limit is set appropriately, because process_event will submit up to 2 messages (the alert and the metric event).
1. Sample Configuration
filename = "moz_security_duo.lua"
message_matcher = "Logger == 'input.duopull_lambda_duopull_logs'"
ticker_interval = 0
preserve_data = false
bypass_create = false -- bypass code generation
user_create = false -- new user creation
auth_phone_fail = false -- telephony factor, request failure
auth_fraud = false -- duo fraud marker
admin_2fa_error = false -- admin console 2fa error
integration_addup = false -- integration key add/change
admin_addup = false -- console administrator add/change
anomalous_push = false -- duo anomalous push notification
-- module makes use of alert output and needs a valid alert configuration
alert = {
    modules = { }
}
-- enable_metrics = false -- optional, if true enable secmetrics submission
source code: moz_security_duo.lua
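An added example, not part of the original documentation: the same configuration with metrics submission turned on and the inject limit sized for the two messages described above. Which alerts are enabled here is an illustrative assumption, and the alert modules table is left empty as in the sample, to be filled in for your deployment.

```lua
-- Added example (not the project's own configuration): metrics enabled.
filename = "moz_security_duo.lua"
message_matcher = "Logger == 'input.duopull_lambda_duopull_logs'"
ticker_interval = 0
preserve_data = false

-- With enable_metrics = true, process_event can submit the alert and the
-- metric event for a single input message, so allow two injections per call.
process_message_inject_limit = 2

-- Assumption: an illustrative selection of alert types to enable.
bypass_create = true      -- bypass code generation
auth_fraud = true         -- duo fraud marker
integration_addup = true  -- integration key add/change
admin_addup = true        -- console administrator add/change
anomalous_push = true     -- duo anomalous push notification
user_create = false       -- new user creation
auth_phone_fail = false   -- telephony factor, request failure
admin_2fa_error = false   -- admin console 2fa error

-- module makes use of alert output and needs a valid alert configuration
alert = {
    modules = { } -- placeholder: add the alert output modules for your deployment
}

enable_metrics = true -- enable secmetrics submission
```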