Duo Security

Duo Security is a multi-factor authentication provider that you can use to authenticate to the platform, as well as track user ingress and admin activity.

To use this application with InsightIDR:

  • Configure the Duo AdminAPI
  • Configure the event source in InsightIDR

Configure Duo AdminAPI

InsightIDR can monitor user accounts and authentications in Duo Security. You enable this by creating an Admin API application in Duo; its integration key and secret key give InsightIDR out-of-network (API) access to Duo's data.

The AdminAPI is not enabled by default. Contact your Duo representative to enable this feature. You can read the AdminAPI documentation here: https://duo.com/docs/adminapi.

To configure the Duo AdminAPI to work with InsightIDR:

  1. Log in to the Duo Admin Panel.
  2. In the left-hand menu, select Applications > Protect an Application.
  3. Search for "Admin API" and click Protect to create the application.
  4. Copy the integration key, secret key, and API hostname; you will enter them in InsightIDR later. Treat the secret key as a password: whoever holds it has every permission the application is granted.
  5. In the application's properties, enable only the following permissions:
    • Grant read information
    • Grant read log
    • Grant read resource
  6. Leave all write and administrator permissions unchecked; InsightIDR only reads. If the collector you assign to this event source reaches the internet from a known address, also restrict the application's Networks for API Access to that address.
  7. Click Save Changes.

Read more about Duo Applications here: https://duo.com/docs/protecting-applications

How to Configure This Event Source

Enter the Admin API values into the InsightIDR event source settings so that the event source can authenticate to Duo Security. After creating the Admin API application, add (or edit) the Duo Security event source in InsightIDR.

To configure this event source:

  1. From your dashboard, select Data Collection in the left-hand menu.
  2. On the Data Collection page, click the Setup Event Source dropdown and choose Add Event Source.
  3. In the "Security Data" section, click the Cloud Service icon. The "Add Event Source" panel appears.
  4. Choose your collector and event source. Optionally give the event source a name.
  5. Optionally choose to send unfiltered logs.
  6. Enter the Integration Key you copied from the Duo Admin API application in the "Integration Key" field.
  7. Select an existing credential, or create a new one and enter the Duo Admin API secret key as its Token/Secret.
  8. Enter the Domain from your Duo Admin API in the form api-xxx: if the API hostname is api-xxx.duosecurity.com, enter only api-xxx.
  9. Enter the refresh rate in minutes.
  10. Optionally check the Show Domain Config box if you use Duo to authenticate to multiple domains. Configure the application name and domain, then click the + button to add that authentication domain.
  11. Optionally configure your default domain and any Advanced Event Source Settings.
  12. Click the Save button.
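Before entering the keys in InsightIDR, it is worth confirming from the command line that the Admin API application works, that "Grant read log" is in effect, and what the Domain value derived from the API hostname is. The script below is an added example, not Rapid7's or Duo's code. It implements Duo's documented request signing itself (the canonical string is the date, method, host, path and the sorted, URL-encoded parameters, each on its own line; the signature is the HMAC of that string keyed with the secret key, sent as HTTP Basic authentication with the integration key as the user name) and calls the v2 authentication log endpoint, which carries the events InsightIDR ingests. The key values in it are placeholders; the environment variable names and the mapping of HTTP status codes to likely misconfigurations are this example's own choices.

```python
"""Pre-flight check of Duo Admin API credentials before entering them in InsightIDR."""
import base64
import email.utils
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def canonicalize_params(params):
    """Sort parameters by name and percent-encode them the way Duo does
    (everything except unreserved characters and '~' is escaped)."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(date, method, host, path, params):
    """The five newline-separated lines that the request signature covers."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      canonicalize_params(params)])


def sign(ikey, skey, method, host, path, params, date=None,
         digestmod=hashlib.sha512):
    """Headers for a signed Admin API request: HTTP Basic auth whose user name
    is the integration key and whose password is the hex HMAC of the canonical
    request keyed with the secret key. Duo's current docs specify HMAC-SHA512;
    SHA1 is the legacy digest, so the digest is left as a parameter."""
    if date is None:
        date = email.utils.formatdate(localtime=False)  # RFC 2822, "-0000"
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), digestmod).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def decode_authorization(header):
    """Split an Authorization header produced by sign() back into (ikey, sig)."""
    ikey, _, sig = base64.b64decode(header[len("Basic "):]).decode().partition(":")
    return ikey, sig


def auth_log_request(ikey, skey, api_host, mintime_ms, maxtime_ms, limit=100):
    """GET for the v2 authentication log, the feed InsightIDR polls.
    mintime/maxtime are Unix milliseconds; limit is at most 1000."""
    path = "/admin/v2/logs/authentication"
    params = {"mintime": str(mintime_ms), "maxtime": str(maxtime_ms),
              "limit": str(limit)}
    headers = sign(ikey, skey, "GET", api_host, path, params)
    url = f"https://{api_host}{path}?{canonicalize_params(params)}"
    return urllib.request.Request(url, headers=headers, method="GET")


def insightidr_domain(api_host):
    """InsightIDR expects only the api-xxx label, not the full hostname."""
    suffix = ".duosecurity.com"
    if not api_host.endswith(suffix):
        raise ValueError(f"unexpected Duo API hostname: {api_host}")
    return api_host[:-len(suffix)]


def check_credentials(ikey, skey, api_host):
    """Pull the last hour of authentication events and map the common HTTP
    failures to the misconfiguration that usually causes them."""
    now_ms = int(time.time() * 1000)
    req = auth_log_request(ikey, skey, api_host, now_ms - 3_600_000, now_ms, 10)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        detail = err.read().decode(errors="replace")
        if err.code == 401:
            raise SystemExit(f"401 from Duo: integration or secret key is wrong: {detail}")
        if err.code == 403:
            raise SystemExit(f"403 from Duo: application lacks 'Grant read log': {detail}")
        raise
    events = body["response"]["authlogs"]
    print(f"ok: {len(events)} event(s) in the last hour; "
          f"InsightIDR Domain field = {insightidr_domain(api_host)}")
    return events


if __name__ == "__main__":
    import os
    # Placeholder values; export the real keys in the environment before running.
    check_credentials(os.environ["DUO_IKEY"], os.environ["DUO_SKEY"],
                      os.environ.get("DUO_API_HOST", "api-xxx.duosecurity.com"))
```

Run it with DUO_IKEY, DUO_SKEY and DUO_API_HOST set to the values copied from the Admin API application. A 401 means the keys do not match; a 403 means the application was saved without the read-log permission; a successful pull prints the exact string to put in the InsightIDR Domain field.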

Troubleshooting

When using Windows collectors, you may see connection failures to Duo if a hardened cipher-suite configuration has been applied to the collector host. Duo recommends applying a Microsoft patch that fixes TLS 1.1 and TLS 1.2 negotiation on Windows. If you restrict cipher suites on the collector, keep at least one TLS 1.2 suite that the Duo service accepts, and check the collector log for TLS handshake errors after any change. Further information: https://help.duo.com/s/article/ka070000000fy7pAAA/3136?language=en_US.

Duo Security integrates with a wide range of devices and applications. For more information, read their documentation here: https://duo.com/docs.