Duo¶
Duo provides audit logging for user authentication and resource access. Cyderes utilizes this information to track user behaviors.
Chronicle also supports user context and aliasing for this data source. This functionality aliases different identities together using automated data sources to provide a unified timeline of combined endpoint and network activity. This functionality will be turned on with initial deployment of the Duo data source integration.
IMPORTANT: Please verify if Duo Admin API is enabled prior to configuration. In the Applications section, press the Protect an Application link. See if the Admin API application is in the list. If Admin API application is missing, a ticket will need to be filed with Duo support to enable.
Chronicle Data Types¶
- DUO_AUTH
- DUO_USER_CONTEXT (for user context and aliasing)
Configuration¶
- Navigate to the Duo Admin Dashboard
- On the sidebar, Select Applications
- Select Protect an Application
- Search for Admin API and select Protect this Application
- Make note of the following information:
- Integration key
- Secret key
- API hostname
- Select the following permissions:
- Grant read information
- Grant read log
- Grant read resource (required for user context)
- Click Save Changes
Gather Information¶
Provide the following information to Cyderes to complete implementation of both the integration and user context and aliasing feature for this data source:
- Integration key
- Secret key
- API hostname