TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM
ENVIRONMENT: REST API
SUMMARY: Configuration Guide for Cisco Duo
Device Configuration Checklist
Vendor Information
| Field | Value |
|---|---|
| Vendor | Cisco |
| Supported Model Name/Number | Duo |
| Supported Software Version(s) | N/A |
| Collection Method | REST API |
| Provider Name | Duo |
| Additional Information | Only administrators with the Owner role can create and modify an Admin API application in the Duo Admin Panel. |
Duo Admin Portal Steps
- Log into the Duo Admin Panel.
- Navigate to Applications > Protect an Application.
- Locate the Admin API in the applications list.
- Click Protect to the right to configure the application.
- Record the following:
  - Integration Key
  - Secret Key (treat this like a password)
  - API Hostname
- Set Permissions to Grant read log.
- Save your changes.
Huntress Portal Steps
- Log in to Huntress and open SIEM.
- Select Source Management.
- Click Add Source.
- Choose Duo.
- Click Add on the right side of the screen.
- Set the Configuration Details:
  - Select the appropriate Organization from the drop-down menu.
  - Enter a unique Name for the Duo source.
  - (Optional) Enter a description for the source.
  - Enter the Integration Key generated in Step 8 of the Duo Admin Portal steps.
  - Enter the Secret Key generated in Step 8 of the Duo Admin Portal steps.
  - Enter the API Hostname generated in Step 8 of the Duo Admin Portal steps.
- Click Save.
Example Log Messages
Authentication Success
{"access_device":{"browser":null,"browser_version":null,"epkey":null,"flash_version":null,"hostname":null,"ip":"99.190.72.255","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Cartersville","country":"United States","state":"Georgia"},"os":null,"os_version":null},"adaptive_trust_assessments":{"more_secure_auth":{"detected_attack_detectors":null,"features_version":"3.0","model_version":"2022.07.19.001","policy_enabled":false,"preview_mode_enabled":true,"reason":"Normal level of trust; no detection of known attack pattern","trust_level":"NORMAL"},"remember_me":{"features_version":"3.0","model_version":"2022.07.19.001","policy_enabled":false,"reason":"Known Access IP","trust_level":"NORMAL"}},"alias":"","application":{"key":"sdvzdrwrzxcv","name":"Huntress"},"auth_device":{"ip":"99.190.72.255","key":"sdfgtdga4","location":{"city":"Cartersville","country":"United States","state":"Georgia"},"name":"888-555-1212"},"email":"user.name@domain.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2024-12-10T20:27:31.808283+00:00","ood_software":null,"rbfs_triggered_attacks":null,"reason":"user_approved","result":"success","timestamp":1733862451,"trusted_endpoint_status":"unknown","txid":"f0341cd0-1de7-43a4-a022-d0282db2dd85","user":{"groups":[],"key":"abc123","name":"user.name@domain.com"}}
Authentication Failure
{"access_device":{"epkey":"EPWQ5ZRJZYY46W3UFD6Z","hostname":null,"ip":"50.235.2.146","location":{"city":"Abingdon","country":"United States","state":"Maryland"}},"alias":"","application":{"key":"DIGIFWARFIIDSUNTB0RB","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":null,"key":null,"location":{"city":null,"country":null,"state":null},"name":null},"email":"username@domain.com","event_type":"authentication","factor":"passcode","isotimestamp":"2024-12-10T17:47:23.986666+00:00","ood_software":null,"reason":"invalid_passcode","result":"denied","timestamp":1733852843,"trusted_endpoint_status":"unknown","txid":"99d9cb85-4019-48e8-9f36-22a48322c4ef","user":{"groups":["Duo MFA group (from AD sync \"AD Sync\")","SSL-AD-USERS (from AD sync \"AD Sync\")"],"key":"abc123","name":"username"}}
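As an added example (not part of this guide and not Huntress or Duo code), the following Python normalizes Duo authentication events shaped like the two messages above and flags any user with repeated denied authentications inside a short window, which is the kind of rule a SIEM would run over this feed. The two page events are trimmed to the fields the code reads, the three extra denied events and the threshold/window values are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def parse_event(raw):
    """Normalize one Duo authentication log event to the fields a SIEM rule needs."""
    e = json.loads(raw)
    if e.get("event_type") != "authentication":
        return None
    return {"time": datetime.fromisoformat(e["isotimestamp"]), "user": e["user"]["name"],
            "result": e["result"], "reason": e["reason"], "factor": e["factor"],
            "app": e["application"]["name"], "access_ip": (e.get("access_device") or {}).get("ip"),
            "txid": e["txid"]}

def denied_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [txid, ...]} for users with >= threshold denied auths inside one window."""
    denied = defaultdict(list)
    for ev in sorted(filter(None, events), key=lambda x: x["time"]):
        if ev["result"] == "denied":
            denied[ev["user"]].append(ev)
    hits = {}
    for user, evs in denied.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered failures
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = [x["txid"] for x in evs[start:end + 1]]
                break
    return hits

def _denied(ts, txid):
    """Failure event with the shape of the guide's Authentication Failure example (constructed)."""
    return json.dumps({"access_device": {"ip": "50.235.2.146"}, "event_type": "authentication",
                       "application": {"name": "Microsoft Azure Active Directory"}, "factor": "passcode",
                       "isotimestamp": ts, "reason": "invalid_passcode", "result": "denied", "txid": txid,
                       "user": {"name": "username"}})

# The guide's success event (trimmed), its failure event, then three constructed repeats.
SAMPLE_EVENTS = [
    '{"access_device":{"ip":"99.190.72.255"},"application":{"name":"Huntress"},"event_type":"authentication",'
    '"factor":"duo_push","isotimestamp":"2024-12-10T20:27:31.808283+00:00","reason":"user_approved",'
    '"result":"success","txid":"f0341cd0-1de7-43a4-a022-d0282db2dd85","user":{"name":"user.name@domain.com"}}',
    _denied("2024-12-10T17:47:23.986666+00:00", "99d9cb85-4019-48e8-9f36-22a48322c4ef"),
    _denied("2024-12-10T09:00:00+00:00", "constructed-0001"),  # too old to fall in the window
    _denied("2024-12-10T17:49:05+00:00", "constructed-0002"),
    _denied("2024-12-10T17:52:40+00:00", "constructed-0003"),
]

def run_sample():
    return denied_bursts(parse_event(r) for r in SAMPLE_EVENTS)
```

Only `username` is reported, and only with the three failures that fall inside the ten-minute window; the success event and the early-morning failure are excluded.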