Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Cisco Duo

Cisco Duo

What is Discovered and Monitored

Protocol Information Discovered

Metrics/LOGs Collected

Used For
API Host name and Device Type from LOG, Login Audit Trail

4 log types

Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “Cisco-Duo”.

Rules

None

Reports

None

Configuration

Configuring Cisco Duo

Follow these steps to configure Cisco Duo to send logs to FortiSIEM.

  1. Contact Cisco Duo support to enable the Admin API.
  2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
  3. Select the Integration key, Secret key, and API hostname options.

Configuring FortiSIEM

Follow these steps to configure FortiSIEM to receive Cisco Duo logs.

  1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
  2. In Step 1: Enter Credentials, click New to create a Cisco Duo credential.
  3. Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

    SettingValue
    NameEnter a name for the credential.
    Device TypeCisco Duo Security
    Access ProtocolCisco Duo Admin REST API
    Pull Interval (minutes)2
    Integration KeyEnter the integration key you obtained from Cisco Duo.
    Secret KeyEnter the secret key you obtained from Cisco Duo.
    DescriptionEnter an optional description for the credential.
  4. In Step 2: Enter IP Range to Credentials Associations, click New to create a new association between the credential and the API hostname.
    1. Select the name of the Cisco Duo credential created from the Credentials drop-down list.
    2. Enter the host into the IP/Host Name field.
    3. Click Save.
  5. Click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the connectivity results.
  6. Go to the Analytics page and check for Cisco Duo logs.

Sample Events

These events are collected via API:

FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_version":"uninstalled","location":{"city":"Your City","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Your City","country":"United States","state":"Michigan"},"name":"My iPhone X (555-555-0001)"},"event_type":"authentication","factor":"duo_push","reason":"user_approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"johndoe@example.com"}}

Cisco Duo

Cisco Duo

What is Discovered and Monitored

Protocol Information Discovered

Metrics/LOGs Collected

Used For
API Host name and Device Type from LOG, Login Audit Trail

4 log types

Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “Cisco-Duo”.

Rules

None

Reports

None

Configuration

Configuring Cisco Duo

Follow these steps to configure Cisco Duo to send logs to FortiSIEM.

  1. Contact Cisco Duo support to enable the Admin API.
  2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
  3. Select the Integration key, Secret key, and API hostname options.

Configuring FortiSIEM

Follow these steps to configure FortiSIEM to receive Cisco Duo logs.

  1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
  2. In Step 1: Enter Credentials, click New to create a Cisco Duo credential.
  3. Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

    SettingValue
    NameEnter a name for the credential.
    Device TypeCisco Duo Security
    Access ProtocolCisco Duo Admin REST API
    Pull Interval (minutes)2
    Integration KeyEnter the integration key you obtained from Cisco Duo.
    Secret KeyEnter the secret key you obtained from Cisco Duo.
    DescriptionEnter an optional description for the credential.
  4. In Step 2: Enter IP Range to Credentials Associations, click New to create a new association between the credential and the API hostname.
    1. Select the name of the Cisco Duo credential created from the Credentials drop-down list.
    2. Enter the host into the IP/Host Name field.
    3. Click Save.
  5. Click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the connectivity results.
  6. Go to the Analytics page and check for Cisco Duo logs.

Sample Events

These events are collected via API:

FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_version":"uninstalled","location":{"city":"Your City","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Your City","country":"United States","state":"Michigan"},"name":"My iPhone X (555-555-0001)"},"event_type":"authentication","factor":"duo_push","reason":"user_approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"johndoe@example.com"}}