---
title: Cisco Duo log export initiated
description: Datadog, the leading service for cloud-scale monitoring.
---

# Cisco Duo log export initiated
Classification: detection-engine | Tactic: [TA0009-collection](https://attack.mitre.org/tactics/TA0009) | Technique: [T1530-data-from-cloud-storage](https://attack.mitre.org/techniques/T1530)
## Goal{% #goal %}

Detects when a Cisco Duo log export is initiated by any actor, which may indicate data collection or staging for exfiltration of event history.

## Strategy{% #strategy %}

This rule monitors Cisco Duo activity logs for `log_export_start` events. It alerts on every export initiation regardless of actor type, so coverage is broad, but analyst review is required to distinguish authorized exports (for example a scheduled, system-initiated export, which should be rare and predictable) from interactive exports started by a human administrator or an API actor.

## Triage and Response{% #triage-and-response %}

- Identify the actor `{{@usr.email}}` that initiated the log export and determine whether this was expected — for example, a scheduled automated process or an approved admin action.
- Review the timing of the export relative to other recent admin activity for `{{@usr.email}}`, including any recent logins from unusual locations, failed authentication attempts, or permission changes.
- Determine the scope of the exported logs: check whether the export covered all users, specific applications, or a particular time range, which can indicate what data was targeted.
- Examine whether a `log_export_complete` or `log_export_failure` event followed this start event to determine whether the export succeeded and how much data may have been collected.
- Verify whether any external data transfer events correlate with the log export completion, which could indicate the exported data was sent to attacker infrastructure.
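The detection in the Strategy section and the first four triage steps above, worked through in code as an added example (not Datadog's or Duo's own code). It runs over a constructed batch of Duo administrator-log style events, selects every `log_export_start` regardless of actor, then for each one records the actor, the scope parsed from the event description, whether a `log_export_complete` or `log_export_failure` by the same actor followed within a window, and whether the actor is on a hypothetical allowlist of accounts expected to run scheduled exports. The event field names (`action`, `username`, `isotimestamp`, `description`), the mapping of `username` to the rule's `@usr.email`, the keys inside `description`, and the allowlist are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

EXPORT_START = "log_export_start"
EXPORT_OUTCOMES = {"log_export_complete", "log_export_failure"}

# Hypothetical allowlist of service accounts expected to run scheduled exports.
# In practice this would come from your asset inventory, not a hard-coded set.
EXPECTED_EXPORT_ACTORS = {"siem-export@example.com"}

# Constructed sample events (not real Duo data), deliberately out of order.
# Field names follow the shape of Duo administrator log entries; treating
# `username` as the rule's `@usr.email` is an assumption.
SAMPLE_EVENTS = [
    {"action": "admin_login", "username": "alice@example.com",
     "isotimestamp": "2024-05-01T09:00:00+00:00", "description": "{}"},
    {"action": "log_export_complete", "username": "alice@example.com",
     "isotimestamp": "2024-05-01T09:07:00+00:00", "description": "{}"},
    {"action": "log_export_start", "username": "alice@example.com",
     "isotimestamp": "2024-05-01T09:05:00+00:00",
     "description": json.dumps({"log_type": "authentication",
                                "mintime": "2024-01-01", "maxtime": "2024-05-01"})},
    {"action": "log_export_start", "username": "siem-export@example.com",
     "isotimestamp": "2024-05-01T02:00:00+00:00",
     "description": json.dumps({"log_type": "authentication",
                                "mintime": "2024-04-30", "maxtime": "2024-05-01"})},
    {"action": "log_export_complete", "username": "siem-export@example.com",
     "isotimestamp": "2024-05-01T02:03:00+00:00", "description": "{}"},
    {"action": "log_export_start", "username": "bob@example.com",
     "isotimestamp": "2024-05-01T11:00:00+00:00",
     "description": json.dumps({"log_type": "administrator",
                                "mintime": "2023-01-01", "maxtime": "2024-05-01"})},
]


def _ts(event):
    """Parse the event's ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(event["isotimestamp"])


def find_export_starts(events):
    """Detection: every log_export_start, whatever the actor (mirrors the rule)."""
    return [e for e in events if e.get("action") == EXPORT_START]


def outcome_for(start, events, window):
    """Triage: earliest complete/failure by the same actor within `window` after the start.

    Returns the outcome action name, or a sentinel when nothing followed in time.
    """
    start_at = _ts(start)
    candidates = [
        e for e in events
        if e.get("action") in EXPORT_OUTCOMES
        and e.get("username") == start.get("username")
        and start_at < _ts(e) <= start_at + window
    ]
    if not candidates:
        return "no_outcome_within_window"
    return min(candidates, key=_ts)["action"]


def triage_exports(events, expected_actors, window=timedelta(hours=1)):
    """Build one finding per export start: actor, scope, outcome, and review flag."""
    findings = []
    for start in sorted(find_export_starts(events), key=_ts):
        actor = start.get("username", "")
        try:
            # The description payload is free-form JSON; what keys it carries is an assumption.
            scope = json.loads(start.get("description") or "{}")
        except json.JSONDecodeError:
            scope = {}
        findings.append({
            "actor": actor,
            "started_at": start["isotimestamp"],
            "scope": scope,
            "outcome": outcome_for(start, events, window),
            "expected": actor in expected_actors,
            # Anything not from an allowlisted automation account goes to a human.
            "needs_review": actor not in expected_actors,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_exports(SAMPLE_EVENTS, EXPECTED_EXPORT_ACTORS):
        print(json.dumps(finding))
```

The allowlist only decides who is routed to an analyst; it does not suppress the detection, which matches the rule's intent of firing on every export start. An export with no completion or failure event inside the window is still surfaced, since a silent start can mean the export is long-running, was interrupted, or that the outcome events were not ingested.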
