Providing Duo Credentials to Arctic Wolf

Configuration Guide

Updated Nov 30, 2022

Overview

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the Duo Admin API. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Secure Access by Duo (Duo) environment.

As part of this configuration, you must provide the following information for your Duo environment Admin API to Arctic Wolf using the Arctic Wolf Portal:

Before you begin

This process requires that you are an administrator with the Owner role for the Duo environment that you want Arctic Wolf to monitor.

Verify Admin API access permissions

To check for Admin API access permissions:

  1. Sign in to the Duo console.

  2. Select Applications from the navigation menu.

  3. Select Protect an Application to open the list of applications.

  4. Check whether Admin API appears in the list of applications:

    • If Admin API is listed - Proceed to Configure the Admin API.

    • If Admin API is not listed - Contact Duo support to request Admin API access. See the Duo Admin API documentation on the Cisco website for more information about this process.

    Note: You cannot proceed until you have Admin API access.

Configure the Admin API

To configure the Admin API application to protect your Duo environment:

  1. Within the list of applications, find Admin API, and click Protect. This opens the Admin API page.

  2. Enter a memorable name for the protected application in the Name text box.

  3. Under Permissions, select these checkboxes and leave the others unselected:

    • Grant read information

    • Grant read log

    • Grant read resource

  4. Under Details, take note of these values:

    • Integration Key

    • Secret Key

    • API Hostname

    Note: You need to provide these values to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  5. Click Save Changes.

  6. Proceed to Provide credentials to Arctic Wolf.
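
Before you paste the three values into the portal, you can confirm that they work together with a single read-only request. The script below is an added example, not part of the original guide and not Arctic Wolf or Duo code. It assumes the request-signing scheme and the /admin/v1/info/summary endpoint described in Duo's public Admin API documentation; the environment variable names DUO_IKEY, DUO_SKEY and DUO_HOST are hypothetical.

```python
import base64, email.utils, hashlib, hmac, os
import urllib.error, urllib.parse, urllib.request

def canonical_request(date, method, host, path, params):
    # Signed string: date, METHOD, lowercase host, path, sorted URL-encoded params.
    pairs = ["%s=%s" % (urllib.parse.quote(str(k), "~"), urllib.parse.quote(str(v), "~"))
             for k, v in sorted(params.items())]
    return "\n".join([date, method.upper(), host.lower(), path, "&".join(pairs)])

def signed_headers(ikey, skey, host, method, path, params, date=None):
    # HTTP Basic auth: the user is the Integration Key, the password is the
    # hex HMAC-SHA1 of the canonical request, keyed with the Secret Key.
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}

def read_check(ikey, skey, host, path="/admin/v1/info/summary"):
    # One read-only GET against the API Hostname; returns the HTTP status.
    req = urllib.request.Request(
        "https://%s%s" % (host, path),
        headers=signed_headers(ikey, skey, host, "GET", path, {}))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status  # 200: the credentials were accepted
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx: the credentials or permissions were rejected

if __name__ == "__main__":
    # Hypothetical variable names; the Secret Key is read from the
    # environment so it is not passed on the command line.
    env = [os.environ.get(n) for n in ("DUO_IKEY", "DUO_SKEY", "DUO_HOST")]
    if all(env):
        print("HTTP status:", read_check(*env))
    else:
        # Constructed placeholder values: shows the signed headers offline.
        print(signed_headers("DIXXXXXXXXXXXXXXXXXX", "x" * 40,
                             "api-xxxxxxxx.duosecurity.com", "GET",
                             "/admin/v1/info/summary", {}))
```

The Date header is part of the signed string, so run the check from a host with a synchronized clock.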

Provide credentials to Arctic Wolf

To provide your Duo Admin API details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Duo from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values from step 4 of Configure the Admin API:

      • Integration Key

      • Secret Key

      • API Hostname

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.