Cisco Duo

Pull Cisco Duo's authentication telemetry.

Overview

In this guide, you will create integration keys in Cisco Duo to pull authentication telemetry. This telemetry identifies successful and failed multi-factor authentication attempts.

To do this, you’ll need to complete the following steps:

• Generate the integration keys
• Add the data connector in Radiant Security

At the end of this configuration, you will provide Radiant Security with the following values:

• API Hostname
• Integration Key
• Secret Key

Prerequisites

To create an API token with permissions to query Duo Authentication Logs, you need to be logged in as an administrator user with at least Owner permissions.

Generate the integration keys

1. Log in to the Duo Admin Panel as an Owner.
2. Click Applications on the left sidebar.
3. Click Protect an Application and locate the entry for Admin API.
   
4. Click Protect to get the integration key, secret key and API hostname.
   
5. Document and store the Integration key, Secret key, and the API hostname before proceeding to the next step.
6. Select the Grant read log permission.
7. Click Save.

Add the data connector in Radiant Security

1.   Log in to Radiant Security.
2.   From the navigation menu, select Settings > Data Connector and click + Add Connector.
3.   Select the Cisco Duo vendor from the list and click Data Feeds.
4.   Under Select your data feeds, select Cisco Duo Authentication Logs and click Credentials.
5.   Under Credential Name, give the credential an identifiable name (e.g.Duo - Credentials). 6.   Under Required Credentials, add the following that you copied from the previous section: API hostname Important note: The domain should be in the following format (without https://): api-XXXXXXXX.duosecurity.com Secret key Integration Key 7.    Click Add Connector to save the changes.