External Systems Configuration Guide

Cisco Duo

What is Discovered and Monitored

Protocol | Information Discovered | Metrics/LOGs Collected | Used For
API | Host name and Device Type from LOG, Login Audit Trail | 4 log types | Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “Cisco-Duo”.

Rules

None

Reports

None

Configuration

Configuring Cisco Duo

Follow these steps to configure Cisco Duo to send logs to FortiSIEM.

  1. Contact Cisco Duo support to enable the Admin API.
  2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
  3. Select the Integration key, Secret key, and API hostname options.

Configuring FortiSIEM

Follow these steps to configure FortiSIEM to receive Cisco Duo logs.

  1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
  2. In Step 1: Enter Credentials, click New to create a Cisco Duo credential.

    Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

    Setting | Value
    Name | Enter a name for the credential.
    Device Type | Cisco Duo Security
    Access Protocol | Cisco Duo Admin REST API
    Pull Interval (minutes) | 2
    Integration Key | Enter the integration key you obtained from Cisco Duo.
    Secret Key | Enter the secret key you obtained from Cisco Duo.
    Description | Enter an optional description for the credential.
  3. In Step 2: Enter IP Range to Credentials Associations, click New to create a new association between the credential and the API hostname.

  4. Click the Test drop-down list and select Test Connectivity without Ping. A pop-up will appear and show the connectivity results.

  5. Go to the ANALYTICS page and check for Cisco Duo logs.

Sample Events

These events are collected via API:

[FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"event_type":"authentication","factor":"duo_push","reason":"user_approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}}
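The sample above is the raw form in which a Duo authentication event reaches the analytics layer: a bracketed event tag, a bracketed sequence number, then the JSON body returned by the Duo Admin API. The following Python is an added example, not FortiSIEM's own parser or any Fortinet or Cisco code, that splits that wrapper, flattens the nested JSON into the fields an analyst pivots on (user, result, factor, access device IP and location, trusted-endpoint status, UTC time), and applies three simple review checks: a non-success result, an endpoint Duo does not mark as trusted, and an access device whose location differs from the phone that approved the push. The wrapper format "[tag] [seq] {json}" is assumed from the single sample shown; the input line is the guide's sample event embedded as a constant.

```python
import json
import re
from datetime import datetime, timezone

# Constructed input: the authentication event the guide shows under
# "Sample Events", in the "[tag] [seq] {json}" form in which it is listed.
SAMPLE_EVENT = (
    '[FSM-CiscoDuo-Auth] [1] '
    '{"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99",'
    '"flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219",'
    '"java_version":"uninstalled","location":{"city":"Ann Arbor",'
    '"country":"United States","state":"Michigan"},"os":"Mac OS X",'
    '"os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8",'
    '"name":"Microsoft Azure Active Directory"},"auth_device":'
    '{"ip":"192.168.225.254","location":{"city":"Ann Arbor",'
    '"country":"United States","state":"Michigan"},'
    '"name":"My iPhone X (734-555-2342)"},"event_type":"authentication",'
    '"factor":"duo_push","reason":"user_approved","result":"success",'
    '"timestamp":1532951962,"trusted_endpoint_status":"not trusted",'
    '"txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb",'
    '"user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}}'
)

# Assumed wrapper layout (taken from the one sample): "[tag] [seq] {json}".
WRAPPER_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+\[(?P<seq>\d+)\]\s+(?P<body>\{.*\})\s*$")


def parse_duo_event(line):
    """Split one wrapped line into tag, sequence number and parsed JSON body.

    Returns None for lines that do not match the wrapper or carry invalid JSON,
    so a caller processing a batch can count and skip malformed records.
    """
    m = WRAPPER_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    return {"tag": m.group("tag"), "seq": int(m.group("seq")), "event": body}


def _location(loc):
    """Render Duo's {city, state, country} object as one string."""
    if not loc:
        return ""
    return ", ".join(p for p in (loc.get("city"), loc.get("state"), loc.get("country")) if p)


def summarize_auth(event):
    """Flatten a Duo authentication event to the fields an analyst pivots on."""
    access = event.get("access_device", {})
    auth_dev = event.get("auth_device", {})
    # The sample carries the literal string "null" for an unknown hostname;
    # treat it the same as a missing value.
    hostname = access.get("hostname")
    if hostname in (None, "null"):
        hostname = ""
    return {
        "time_utc": datetime.fromtimestamp(event["timestamp"], tz=timezone.utc).isoformat(),
        "txid": event.get("txid", ""),
        "user": event.get("user", {}).get("name", ""),
        "application": event.get("application", {}).get("name", ""),
        "result": event.get("result", ""),
        "reason": event.get("reason", ""),
        "factor": event.get("factor", ""),
        "access_ip": access.get("ip", ""),
        "access_hostname": hostname,
        "access_location": _location(access.get("location")),
        "auth_device": auth_dev.get("name", ""),
        "auth_device_location": _location(auth_dev.get("location")),
        "trusted_endpoint": event.get("trusted_endpoint_status", ""),
    }


def triage_flags(summary):
    """Return the review reasons a summarised event trips (empty list = clean)."""
    flags = []
    if summary["result"] != "success":
        flags.append("failed_auth")
    if summary["trusted_endpoint"] != "trusted":
        flags.append("untrusted_endpoint")
    if (summary["access_location"] and summary["auth_device_location"]
            and summary["access_location"] != summary["auth_device_location"]):
        flags.append("access_and_auth_device_locations_differ")
    return flags


if __name__ == "__main__":
    parsed = parse_duo_event(SAMPLE_EVENT)
    summary = summarize_auth(parsed["event"])
    print(summary)
    print("flags:", triage_flags(summary))
```

Run as a script it prints the flattened record for the sample and the single flag it trips, "untrusted_endpoint": the login succeeded by Duo Push from a phone in the same city as the browser, but the endpoint was not trusted, which is exactly the kind of event the Security and Compliance use case above is meant to surface for review.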
