Cisco Duo
What is Discovered and Monitored
Protocol | Information Discovered | Metrics/LOGs Collected | Used For |
---|---|---|---|
API | Host name and Device Type from LOG, Login Audit Trail | 4 log types | Security and Compliance |
Event Types
Go to Admin > Device Type > Event Types and search for “Cisco-Duo”.
Rules
None
Reports
None
Configuration
Configuring Cisco Duo
Follow these steps to configure Cisco Duo to send logs to FortiSIEM.
- Contact Cisco Duo support to enable the Admin API.
- Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
- Select the Integration key, Secret key, and API hostname options.
Configuring FortiSIEM
Follow these steps to configure FortiSIEM to receive Cisco Duo logs.
- In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
- In Step 1: Enter Credentials, click New to create a Cisco Duo credential.
- Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.
Setting | Value |
---|---|
Name | Enter a name for the credential. |
Device Type | Cisco Duo Security |
Access Protocol | Cisco Duo Admin REST API |
Pull Interval (minutes) | 2 |
Integration Key | Enter the integration key you obtained from Cisco Duo. |
Secret Key | Enter the secret key you obtained from Cisco Duo. |
Description | Enter an optional description for the credential. |
- In Step 2: Enter IP Range to Credentials Associations, click New to create a new association between the credential and the API hostname.
- Select the name of the Cisco Duo credential created from the Credentials drop-down list.
- Enter the API hostname you obtained from Cisco Duo in the IP/Host Name field.
- Click Save.
- Click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the connectivity results.
- Go to the Analytics page and check for Cisco Duo logs.
Sample Events
These events are collected via API:
[FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_version":"uninstalled","location":{"city":"Your City","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Your City","country":"United States","state":"Michigan"},"name":"My iPhone X (555-555-0001)"},"event_type":"authentication","factor":"duo_push","reason":"user_approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"johndoe@example.com"}}
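Because no rules or reports ship for this device type, the following added example (not FortiSIEM or Cisco Duo code) shows how an event in the shape above can be flattened for triage and how non-success authentications can be counted per user. The function names and output field names are hypothetical, and the "denied" event is constructed for the example.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Envelope "[tag] [n] {json}" as in the sample event. The leading "[" is optional
# so a line that lost it in copy/paste still parses; the page does not say what
# the second bracketed field means, so it is matched but not interpreted.
LINE_RE = re.compile(r"^\[?(?P<tag>[^\]\s]+)\]\s+\[[^\]]*\]\s+(?P<body>\{.*\})$", re.S)

# Abridged copy of the page's sample event (same field names and values).
SAMPLE_OK = (
    '[FSM-CiscoDuo-Auth] [1] {"access_device":{"hostname":"null","ip":"169.232.89.219"},'
    '"auth_device":{"ip":"192.168.225.254"},"event_type":"authentication",'
    '"factor":"duo_push","reason":"user_approved","result":"success",'
    '"timestamp":1532951962,"trusted_endpoint_status":"not trusted",'
    '"user":{"name":"johndoe@example.com"}}'
)
# Constructed variant: the same event with a non-success result.
SAMPLE_DENIED = SAMPLE_OK.replace('"success"', '"denied"').replace("user_approved", "no_response")

def parse_duo_event(line):
    """Flatten one event; None if the envelope is absent, ValueError on bad JSON."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = json.loads(m.group("body"))  # truncated payloads raise, so they get noticed
    access = body.get("access_device") or {}
    host = access.get("hostname")
    ts = body.get("timestamp")
    return {
        "tag": m.group("tag"),
        "event_type": body.get("event_type"),
        "user": (body.get("user") or {}).get("name"),
        "result": body.get("result"),
        "reason": body.get("reason"),
        "access_ip": access.get("ip"),
        # The sample carries the literal string "null" for an unknown hostname.
        "access_host": None if host in (None, "", "null") else host,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts is not None else None,
    }

def non_success_by_user(lines):
    """Count authentication events whose result is not "success", per user."""
    events = filter(None, map(parse_duo_event, lines))
    return Counter(e["user"] for e in events
                   if e["event_type"] == "authentication" and e["result"] != "success")
```
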