Duo Security

Duo Security is a multi-factor authentication provider that you can use to authenticate to the platform, as well as track user ingress and admin activity.

To use this application with InsightIDR:

  • Configure the Duo AdminAPI
  • Configure the event source in InsightIDR

Configure Duo AdminAPI

InsightIDR supports monitoring user accounts and authentications within Duo Security. To enable this, configure a secret key in Duo Security, which gives InsightIDR out-of-network access to Duo's data.

The AdminAPI is not enabled by default. Contact your Duo representative to enable this feature. You can read the AdminAPI documentation here: https://duo.com/docs/adminapi.

To configure the Duo AdminAPI to work with InsightIDR:

  1. Log in to the Duo Admin Panel and go to Applications.
  2. On the left-hand menu, select Applications > Protect an Application.
  3. Search for "Admin API."
  4. Copy the integration key, secret key, and API hostname for later configuration in InsightIDR.
  5. Go to the Properties page.
  6. Enable the following permissions:
    • Grant read information
    • Grant read log
    • Grant read resource
  7. Click the Save Changes button.

Read more about Duo Applications here: https://duo.com/docs/protecting-applications

How to Configure This Event Source

Enter the integration key, secret key, and API hostname that you copied from Duo into the InsightIDR event source settings so that the event source can authenticate back to Duo Security. After creating your token, you need to edit the Duo Security event source in InsightIDR.

To configure this event source:

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
  4. Select your collector and Duo Security from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unfiltered logs.
  7. Select your LDAP account attribution preference.
  8. Enter the integration key in the "Integration Key" field.
  9. Select your existing credentials or optionally create a new credential.
  10. Enter the refresh rate in minutes.
  11. Optionally click the Add button to provide your multi-domain details and any Advanced Event Source Settings.
  12. Click Save.


When using Windows collectors, you may experience issues connecting to Duo if the collector uses hardened cipher suites. Duo recommends applying a Microsoft patch to fix issues with TLS 1.1 or TLS 1.2. Further information can be found here: https://help.duo.com/s/article/ka070000000fy7pAAA/3136?language=en_US.

Duo Security integrates with a wide range of devices and applications. For more information, read their documentation here: https://duo.com/docs.