Cisco Duo Monitoring

Updated Aug 31, 2023

Configure Cisco Duo monitoring

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the Duo Admin API. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Secure Access by Duo® (Duo) environment.

As part of this configuration, you must provide the following Admin API information for your Duo environment to Arctic Wolf using the Arctic Wolf Portal:

  • Integration Key
  • Secret Key
  • API Hostname

Before you begin

This process requires that you are an administrator with the Owner role for the Duo environment that you want Arctic Wolf to monitor.

Verify Admin API access permissions

  1. Sign in to the Duo console.

  2. In the navigation menu, click Applications.

  3. Click Protect an Application to open the list of applications.

  4. Verify if there is an Admin API in the list of applications:

    Note: You cannot proceed until you have Admin API access.

Configure the Admin API to protect your Duo environment

  1. Within the list of applications, find Admin API, and click Protect. This opens the Admin API page.

  2. Enter a memorable name for the protected application in the Name field.

  3. Under Permissions, select these checkboxes and leave the others unselected:

    • Grant read information
    • Grant read log
    • Grant read resource

  4. Under Details, take note of these values:

    • Integration Key
    • Secret Key
    • API Hostname

    Note: You need to provide these values to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  5. Click Save Changes.

  6. Proceed to Provide credentials to Arctic Wolf.
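The following sketch is an added example, not code from Arctic Wolf or Duo. It shows how the Integration Key, Secret Key, and API Hostname combine into a signed Admin API request, so you can see why the Secret Key must be handled as a credential. It assumes Duo's documented HMAC-SHA1 request signing and the `/admin/v2/logs/authentication` endpoint; the key and hostname values are constructed placeholders, and nothing is sent over the network.

```python
import base64
import email.utils
import hashlib
import hmac
import time
import urllib.parse

# Constructed placeholders; substitute the values shown under Details.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-not-a-real-credential"
HOST = "api-XXXXXXXX.duosecurity.com"


def canonical_request(date, method, host, path, params):
    """Build the newline-joined string that gets signed (assumed v2 scheme)."""
    pairs = [
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(str(v), '~')}"
        for k, v in sorted(params.items())
    ]
    return "\n".join([date, method.upper(), host.lower(), path, "&".join(pairs)])


def sign_request(method, host, path, params, ikey, skey, date=None):
    """Return the Date and Authorization headers for one Admin API call."""
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def auth_log_probe(host, ikey, skey, hours=12, now=None):
    """Signed GET for authentication logs covering the last `hours` hours."""
    now_ms = int((now if now is not None else time.time()) * 1000)
    params = {"mintime": now_ms - hours * 3600 * 1000, "maxtime": now_ms, "limit": 1}
    path = "/admin/v2/logs/authentication"  # log read; needs Grant read log
    url = f"https://{host}{path}?{urllib.parse.urlencode(sorted(params.items()))}"
    return url, sign_request("GET", host, path, params, ikey, skey)


if __name__ == "__main__":
    url, headers = auth_log_probe(HOST, IKEY, SKEY)
    print(url)
    # Print only the Date header; the Authorization value authenticates
    # this request and should not be written to logs or terminals.
    print(headers["Date"])
```

The Secret Key never leaves the machine in this scheme; only the HMAC over the request does, which is why anyone holding the key can sign requests with the permissions you selected in step 3.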

Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Duo.

  6. On the Add Account page, do the following steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Configure the Admin API to protect your Duo environment:
      • Integration Key
      • Secret Key
      • API Hostname
    3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.