Configure Cisco Duo for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your network using Cisco Duo®.

Cisco Duo supports these response actions:
  • Disable/Enable a user
    Note:
    • Disabling a user also closes the user session.
    • Arctic Wolf cannot take this action on users who are managed by directory sync processes.
  • Add/Remove a user from a security group

For more information, see Response action descriptions.

Note:

Configure this integration with your primary identity provider in a cloud-based environment. Arctic Wolf does not support hybrid or on-premises environments for identity-based response actions.

These resources are required:

  • A Duo Premier, Duo Advantage, or Duo Essentials plan with Admin API access.

  • Administrator permissions and the Owner role for the Cisco Duo environment that you are configuring.

  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Configure the Admin API for Duo response actions

  1. Sign in to the Duo Admin Panel.
  2. In the navigation menu, click Applications > Application Catalog.
  3. In the Applications list, find Admin API, and then click +Add.
    Note: If Admin API is not visible, contact Cisco Duo support to request Admin API access.

    The Admin API page opens.

  4. In the Application name and Name fields, enter a name for the protected application.

    We recommend using the same value for both the Application name and Name fields.

  5. In the Permissions section, select these checkboxes:
    • Grant read resource
    • Grant write resource
  6. Click Save Changes.
  7. On the Applications page for the Admin API, in the Details section, copy the Integration Key, Secret Key, and API Hostname values to a safe, encrypted location.

    You will provide them to Arctic Wolf later.

Configure the Auth API for Duo response actions

  1. Sign in to the Duo Admin Panel.
  2. In the navigation menu, click Applications > Application Catalog.
  3. In the Applications list, find Auth API, and then click +Add.
    Note: If Auth API is not visible, contact Cisco Duo support to request Auth API access.

    The Auth API page opens.

  4. In the Name field, enter a name for the protected application.
  5. Click Save Changes.
  6. On the Applications page for the Auth API, in the Details section, copy the Integration Key, Secret Key, and API Hostname values to a safe, encrypted location.

    You will provide them to Arctic Wolf later.
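
Before you hand over either set of keys, you can confirm that Duo accepts them. The following Python script is an added example, not part of the Arctic Wolf or Cisco Duo documentation. It signs requests with Duo's documented scheme (HMAC-SHA1 over the date, method, host, path, and parameters), then calls the Auth API /auth/v2/check endpoint and reads one user through the Admin API. The DUO_* environment variable names are assumptions.

```python
import base64, email.utils, hashlib, hmac, json, os
import urllib.error, urllib.parse, urllib.request

def canon_query(params):
    """URL-encode parameters sorted by key, as Duo's signing scheme expects."""
    return "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(str(v), '~')}"
        for k, v in sorted(params.items()))

def sign(method, host, path, params, ikey, skey, date=None):
    """Build the Date and Authorization headers for one Duo API request."""
    date = date or email.utils.formatdate()  # RFC 2822 timestamp
    canon = "\n".join(
        [date, method.upper(), host.lower(), path, canon_query(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def check(host, path, params, ikey, skey):
    """Send one signed GET; return Duo's "stat" value or the HTTP error."""
    query = canon_query(params)
    url = f"https://{host}{path}" + (f"?{query}" if query else "")
    req = urllib.request.Request(
        url, headers=sign("GET", host, path, params, ikey, skey))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["stat"]
    except urllib.error.HTTPError as err:
        return f"FAIL (HTTP {err.code})"  # 401: keys or signature rejected

if __name__ == "__main__":
    # Variable names are assumptions; load them from your secret store,
    # never from a file committed to source control.
    checks = [
        ("Auth API", "DUO_AUTH", "/auth/v2/check", {}),
        ("Admin API read", "DUO_ADMIN", "/admin/v1/users", {"limit": "1"}),
    ]
    for label, prefix, path, params in checks:
        host, ikey, skey = (
            os.environ[f"{prefix}_{name}"] for name in ("HOST", "IKEY", "SKEY"))
        print(f"{label}: {check(host, path, params, ikey, skey)}")
```

The Admin API call exercises only the Grant read resource permission; the script makes no write requests, so Grant write resource still has to be confirmed in the Admin Panel.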

Provide Cisco Duo Active Response credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After a polling failure, Arctic Wolf can't perform actions until the updated credentials are provided.
  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Cisco Duo.
  5. On the New Active Response Integration page, configure these settings:
  6. Click Save Integration.