Duo Security

Duo Security is a multi-factor authentication provider that you can use to authenticate to the platform and track user ingress and admin activity.

To use this application with InsightIDR:

  • Enable the Duo Admin API
  • Configure the event source in InsightIDR

Enable Duo Admin API

InsightIDR provides support for monitoring user accounts and authentications within Duo Security. This functionality is available by configuring a secret key with Duo Security, which provides out-of-network access to its data.

The Admin API is not enabled by default. Contact your Duo representative to enable this feature. You can read the Admin API documentation at https://duo.com/docs/adminapi.

To configure the Duo Admin API to work with InsightIDR:

  1. Log in to the Duo Admin Panel and go to Applications.
  2. On the left-hand menu, select Applications > Protect an Application.
  3. Search for "Admin API."
  4. Copy the integration key, secret key, and API hostname for later configuration in InsightIDR. Note: In Duo, the API Hostname corresponds to the Subdomain field in InsightIDR, and the Secret Key corresponds to the Token/Secret field in InsightIDR.
  5. Go to the Properties page.
  6. Enable the following permissions:
    • Grant read information
    • Grant read log
    • Grant read resource
  7. Click Save Changes.

Read more about Duo Applications here: https://duo.com/docs/protecting-applications
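Before entering the three values copied above into InsightIDR, it is worth confirming that they work and that the read log permission took effect. The following is an added example, not Rapid7 or Duo code: it builds a signed Duo Admin API request the way Duo's Admin API documentation describes (HMAC-SHA1 over a canonical string, sent as HTTP Basic auth with the integration key as the username). The endpoint path and the placeholder credentials are assumptions.

```python
"""Sign a Duo Admin API request from the integration key, secret key and API
hostname. Added illustration for this page, not Rapid7's or Duo's own code."""
import base64
import hashlib
import hmac
import urllib.parse
from email.utils import formatdate


def canonical_request(date, method, host, path, params):
    """Duo's canonical string: date, METHOD, lowercase host, path, then the
    parameters sorted by key and percent-encoded, all joined with newlines."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(params[k]), safe='~')}"
        for k in sorted(params)
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign(skey, canonical):
    """HMAC-SHA1 of the canonical string keyed with the secret key, hex encoded."""
    return hmac.new(skey.encode(), canonical.encode(), hashlib.sha1).hexdigest()


def auth_headers(ikey, skey, host, method, path, params, date=None):
    """Headers for one request: the RFC 2822 Date that was signed, plus Basic
    auth whose username is the integration key and whose password is the signature."""
    date = date or formatdate()
    sig = sign(skey, canonical_request(date, method, host, path, params))
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


if __name__ == "__main__":
    import json, time, urllib.request
    # Placeholder credentials; replace with the values copied from the Duo Admin Panel.
    IKEY, SKEY, HOST = "DIXXXXXXXXXXXXXXXXXX", "placeholder-secret-key", "api-xxxxxxxx.duosecurity.com"
    path = "/admin/v2/logs/authentication"  # endpoint assumed from Duo's Admin API docs
    now_ms = int(time.time() * 1000)
    params = {"mintime": now_ms - 3600_000, "maxtime": now_ms, "limit": 10}
    url = f"https://{HOST}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers=auth_headers(IKEY, SKEY, HOST, "GET", path, params))
    # A 401 here means the keys or permissions are wrong and InsightIDR would fail the same way.
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(json.dumps(json.load(resp), indent=2)[:2000])
```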

How to Configure This Event Source

Enter this information into the InsightIDR event source settings so that the event source can authenticate back to Duo Security. After creating your token, you need to edit the Duo Security event source in InsightIDR.

To configure this event source:

  1. From your dashboard, select Data Collection on the left menu.
  2. When the Data Collection page appears, click Setup Event Source and choose Add Event Source.
  3. From the Security Data section, click the Cloud Service icon.
  4. Select your collector and choose Duo Security from the Select Event Source Type dropdown menu.
  5. Enter a name for your event source.
  6. Optionally, select Send Unparsed Data to ingest unparsed logs.
  7. Select your LDAP Account Attribution Preference.
    • If you have a multi-domain environment, select Use fully qualified domain name attribution to better attribute users and assets.
  8. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  9. Enter the integration key that you copied in the earlier configuration of your Duo Security Admin API.
  10. Create a new credential:
    • Click Create New.
    • Specify a name for the credential.
    • Enter the Subdomain in the form of api-xxxxxxxx. The Subdomain is the first part of the API hostname in the Duo Admin API. For example, if you had api-12ab3456.yourdomain.com, enter api-12ab3456 in the Subdomain field.
    • Enter the Token/Secret. The Token/Secret is the Secret Key in the Duo Admin API.
  11. Enter the refresh rate in minutes.
  12. Optionally, provide multi-domain details to map the relationship between applications attached to this Duo account and Active Directory domains so InsightIDR can attribute user activity.
  13. Optionally, select the checkboxes to Fetch admin logs and Fetch Trust Monitor logs if you would like to collect additional logs from these endpoints.
  14. Click Save.

Troubleshooting

When using Windows collectors, you may experience issues connecting to Duo when hardened cipher suites are in use. Duo recommends applying a Microsoft patch to fix issues with TLS 1.1 or TLS 1.2. Further information can be found here: https://help.duo.com/s/article/ka070000000fy7pAAA/3136?language=en_US.

Duo Security integrates with a wide range of devices and applications. For more information, read their documentation here: https://duo.com/docs.