Duo Security

Duo Security Setup Requirements

Duo does not have the AdminAPI enabled by default. Therefore, you will have to contact your Duo representative to enable the AdminAPI to leverage this integration.

If required, documentation on the API is here.

Once the Admin API has been enabled, you'll need to load the Duo logs. To load Duo logs, the collector needs to be able to connect to https://[customersubdomain].duosecurity.com.

Setting Up Duo Security Admin API Integration

InsightOps provides support for monitoring user accounts and authentications within Duo Security. This functionality is available by configuring a secret key with Duo Security, which provides out-of-network access to its data.

Perform the following steps to have the InsightOps collector ingest logs from Duo Security.

  1. Contact Duo Security Customer Support and request that they unlock the Admin API in order to give InsightOps access to the authentication log history.
  2. Create an Admin API Integration in the Duo Admin panel.
  3. Copy the integration key, secret key, and the specific sub-domain for the Admin API integration.
  4. Enter the credentials into the corresponding fields in the InsightOps event source setup page.

Note: Authentication logs are available from Duo Security via the Admin API integration. This integration is only available to Enterprise edition customers, and it is enabled on request. If you are an Enterprise edition customer and have not requested the Admin API integration, please contact Duo Security support and request it.

To create a new integration:

  1. Log onto the Duo Security Admin Panel.
  2. Click Integrations in the left sidebar.
  3. Click the +New Integration button. A screen displays prompting you to choose an integration type.
  4. Select Admin API from the Integration Type drop-down list.
  5. Enter the name of the integration in the Integration name field. This name is not used in InsightOps and can be anything that you like.
  6. Click the Create Integration button.
  7. Scroll down to Permissions and select the check box next to Grant read log in order to grant permissions to the API Application. Then save changes. The Integration Properties page displays.
  8. Enter the integration key in the Integration Key field.
  9. Enter the secret key provided by Duo Security in the Secret Key field.
  10. Enter the API host name in the API hostname field.

How to Configure This Event Source

Enter this information into the InsightOps events source settings in order for the event source to authenticate back to Duo Security. After creating your token, you need to edit the Duo Security event source in InsightOps. Perform the following steps.

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Cloud Service icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Duo Security.
  6. Choose a timezone, or optionally display only US timezones.
  7. Optionally choose to send unfiltered logs.
  8. Enter the integration key in the Integration Key field.
  9. Select your existing Credentials or create a new one.
  10. Enter the secret key in the Secret Key field.
  11. Enter the Duo subdomain in the Duo Subdomain field in the form of api-xxxxxxxx.
    • For example, if you had api-12ab3456.yourdomain.com you would use api-12ab3456 as the subdomain.
  12. Enter the refresh rate in minutes.
  13. Configure any Advanced Settings.
  14. Click save.
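As an added illustration (not InsightOps or Duo code) of what the collector does with the integration key, secret key and subdomain entered above, the Python below normalizes the subdomain as described in step 11 and builds a signed Admin API request using Duo's v2 signing scheme (HMAC-SHA1 over date, method, host, path and sorted parameters, sent as Basic auth of ikey:signature). The placeholder credentials, the /admin/v2/logs/authentication path with its mintime/maxtime/limit parameters, and the 8-character subdomain pattern are assumptions taken from Duo's public API documentation rather than from this page, and nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import re
from email.utils import formatdate
from urllib.parse import quote

# InsightOps wants only the "api-xxxxxxxx" label of the Duo API host;
# the 8-character alphanumeric suffix is an assumption about Duo's naming.
SUBDOMAIN_RE = re.compile(r"^api-[0-9a-z]{8}$")


def normalize_subdomain(value: str) -> str:
    """Accept 'api-12ab3456' or a full hostname and return the bare label."""
    label = value.strip().lower().split(".")[0]
    if not SUBDOMAIN_RE.match(label):
        raise ValueError(f"not a Duo API subdomain: {value!r}")
    return label


def is_valid_subdomain(value: str) -> bool:
    """True when the value would be accepted by the Duo Subdomain field."""
    try:
        normalize_subdomain(value)
        return True
    except ValueError:
        return False


def canonical_params(params: dict) -> str:
    """Sorted, percent-encoded query string (Duo leaves '~' unescaped)."""
    return "&".join(f"{quote(k, '~')}={quote(str(params[k]), '~')}" for k in sorted(params))


def canonical_request(date: str, method: str, host: str, path: str, params: dict) -> str:
    """Duo v2 canonical string: date, method, host, path and query, newline-joined."""
    return "\n".join([date, method.upper(), host.lower(), path, canonical_params(params)])


def signature(skey: str, canon: str) -> str:
    """HMAC-SHA1 of the canonical request under the secret key, hex-encoded."""
    return hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()


def signed_get(ikey: str, skey: str, subdomain: str, path: str, params: dict, date=None):
    """Return (url, headers) for a signed Admin API GET; nothing is sent."""
    host = f"{normalize_subdomain(subdomain)}.duosecurity.com"
    date = date or formatdate(usegmt=True)  # RFC 2822 date Duo signs over
    sig = signature(skey, canonical_request(date, "GET", host, path, params))
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()  # ikey:signature
    return f"https://{host}{path}?{canonical_params(params)}", {"Date": date, "Authorization": f"Basic {auth}"}
```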

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.

For instance, if your company is in the US and in Canada, but both locations have a user named "John Smith" and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.

Troubleshooting

When using Windows collectors, you may experience issues connecting to Duo when using hardened cipher suites. Duo recommends applying a Microsoft patch to fix issues with TLS 1.1 or TLS 1.2. Further information can be found here.

Duo Security integrates with a wide range of devices and applications. Click here for more information.