
Cisco Duo Integration Guide


The following instructions are for configuring a Cisco Duo integration to facilitate log ingestion into Secureworks® Taegis™ XDR.

Note

Integrating Cisco Duo enables XDR to collect event logs from Duo. This guide does not refer to Duo integration for SSO into XDR.

Cisco Duo Requirements

A Cisco Duo administrator user account with the Owner role. The user must have permissions to create or modify an Admin API application in the Duo Admin Panel.

Data Provided from Integration

The following Cisco Duo event types are supported by XDR.

Note

Cisco Duo event types not listed in the table below are normalized to the generic schema.

| Source    | Auth | CloudAudit | DNS | HTTP | Netflow | NIDS | Process | Thirdparty |
| Cisco Duo | D    |            |     |      |         |      |         |            |

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure Cisco Duo Admin API

  1. Refer to the vendor's documentation to configure the Duo Admin API.

    • Ensure that the Grant read log permission is enabled.

  2. Copy the Integration Key, Secret Key, and API Hostname. These values will be required to complete the integration in XDR.
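
A pre-flight check for Step 2, added here as example code that is not part of the Taegis documentation or of Duo's own client library: it signs a Duo Admin API request the way the API requires (HMAC-SHA1 over a canonical request, presented as HTTP Basic auth) and pulls one recent authentication log entry, so you can confirm the key pair works and the Grant read log permission is in place before entering the values in XDR. The credentials are constructed placeholders; the endpoint path and signing scheme are Duo's published Admin API conventions.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder credentials (constructed): replace with the Integration Key, Secret
# Key and API Hostname copied from the Duo Admin API application.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "<secret key from Duo Admin Panel>"
HOST = "api-xxxxxxxx.duosecurity.com"

def encode_params(params):
    """URL-encode parameters sorted by key (RFC 3986 style), as Duo's signing requires."""
    return "&".join(
        f"{urllib.parse.quote(str(k), safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )

def canonicalize(date, method, host, path, params):
    """Canonical request: RFC 2822 date, upper-case method, lower-case host, path, params."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])

def sign(ikey, skey, date, method, host, path, params):
    """HMAC-SHA1 the canonical request with the Secret Key; return (hex signature,
    Authorization header). Duo expects HTTP Basic auth with ikey as user, signature as password."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return sig, "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()

def check_read_log_permission(ikey=IKEY, skey=SKEY, host=HOST, lookback_minutes=5):
    """Request one recent entry from the Admin API v2 authentication log. Returns
    (HTTP status, decoded body): 200 means the keys work and read-log access is granted,
    401 a bad key or signature, 403 an application that lacks 'Grant read log'."""
    now_ms = int(time.time() * 1000)  # v2 log endpoints take millisecond timestamps
    path = "/admin/v2/logs/authentication"
    params = {"mintime": now_ms - lookback_minutes * 60_000, "maxtime": now_ms, "limit": 1}
    date = email.utils.formatdate(usegmt=True)
    _, authorization = sign(ikey, skey, date, "GET", host, path, params)
    url = f"https://{host}{path}?{encode_params(params)}"
    req = urllib.request.Request(url, headers={"Date": date, "Authorization": authorization})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
```

Run `check_read_log_permission()` after filling in the placeholders; anything other than a 200 with an `authlogs` array means XDR will fail to ingest with the same credentials.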

Complete the Integration in XDR

Create the Integration

  1. From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Select the Cisco Duo card.
  3. Enter the following fields:

    • Integration Name — Any unique string
    • Integration Key — The Integration Key copied from the Duo Admin API application (see Configure Cisco Duo Admin API, Step 2)
    • Secret Key — The Secret Key copied from the Duo Admin API application (see Configure Cisco Duo Admin API, Step 2)
    • API Hostname — The API Hostname copied from the Duo Admin API application (see Configure Cisco Duo Admin API, Step 2)
  4. Select Done. The Manage Integrations page displays with the successfully added Cisco Duo integration listed under Cloud API Integrations.

Tip

You can use the Integration Name defined in Step 3 above to identify the integration within the Cloud API Integrations table.

Sample Logs

Cisco Duo Authentication Event

{
    "access_device": {
        "browser": "Edge Chromium",
        "browser_version": "113.0.1774.50",
        "epkey": "XXX4LNVTCXXXLGXXX874",
        "flash_version": "uninstalled",
        "hostname": null,
        "ip": "10.10.10.10",
        "is_encryption_enabled": "unknown",
        "is_firewall_enabled": "unknown",
        "is_password_set": "unknown",
        "java_version": "uninstalled",
        "location": {
            "city": "Staten Island",
            "country": "United States",
            "state": "New York"
        },
        "os": "Windows",
        "os_version": "11"
    },
    "adaptive_trust_assessments": {
        "more_secure_auth": {
            "features_version": null,
            "model_version": null,
            "policy_enabled": false,
            "reason": "Not requested",
            "trust_level": "UNSET"
        },
        "remember_me": {
            "features_version": "3.0",
            "model_version": "2022.07.19.001",
            "policy_enabled": false,
            "reason": "Known Access IP",
            "trust_level": "NORMAL"
        }
    },
    "alias": "",
    "application": {
        "key": "XXXKZ5XXXQY0LXXXP63E",
        "name": "Citrix(Web)"
    },
    "auth_device": {
        "ip": "10.10.10.10",
        "key": "XXX5ZTZXXXVZ3XXX2IR5",
        "location": {
            "city": "Staten Island",
            "country": "United States",
            "state": "New York"
        },
        "name": "123-456-7890"
    },
    "email": "user123@publicdomain.com",
    "event_type": "authentication",
    "factor": "duo_push",
    "isotimestamp": "2023-05-26T14:03:24.454814+00:00",
    "ood_software": null,
    "reason": "user_approved",
    "result": "success",
    "timestamp": 1685109804,
    "trusted_endpoint_status": "unknown",
    "txid": "9db06fea-d301-4dc1-95e5-702386ec9f51",
    "user": {
        "groups": [
            "Duo_Citrix (from AD sync \"MY_LDAPS\")",
            "DuoAzureAD (from AD sync \"MY_LDAPS\")",
            "DuoEnrollmentGroup (from AD sync \"MY_LDAPS\")"
        ],
        "key": "XXXO54YXXXVGTMXXXAR6",
        "name": "user123"
    },
    "eventtype": "authentication",
    "host": "api-xxxxxxxx.duosecurity.com"
}