Configure Cisco Duo for Arctic Wolf monitoring

You can configure Cisco Duo® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • A Duo Premier, Duo Advantage, or Duo Essentials plan with Admin API access.

  • Administrator permissions and the Owner role for the Cisco Duo environment that you are configuring.

Configure the Admin API for monitoring

  1. Sign in to the Duo Admin Panel.
  2. In the navigation menu, click Applications > Application Catalog.
  3. In the Applications list, find Admin API, and then click +Add.
    Note: If Admin API is not visible, contact Cisco Duo support to request Admin API access.

    The Admin API page opens.

  4. In the Application name and Name fields, enter a name for the protected application.

    We recommend using the same value for both the Application name and Name fields.

  5. In the Permissions section, select these checkboxes:
    • Grant read information

    • Grant read log

    • Grant resource > Read

  6. In the Networks for API access section, add the Arctic Wolf Cloud Services IP addresses.
    Note: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  7. Click Save Changes.
  8. On the Applications page for the Admin API, in the Details section, copy the Integration Key, Secret Key, and API Hostname values to a safe, encrypted location.

    You will provide them to Arctic Wolf later.
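
How the three copied values are used when a collector reads logs, shown as an added example that is not part of the original page or of Arctic Wolf's or Duo's own code. It follows Duo's documented Admin API request signing (HTTP Basic authentication with the Integration Key as the username and an HMAC-SHA1 signature keyed by the Secret Key as the password) and builds a read-only request for authentication logs. The function names, the one-hour window, and the placeholder credentials are assumptions made for illustration.

```python
import base64, email.utils, hashlib, hmac, time
from urllib.parse import quote

def canonical_request(date, method, host, path, params):
    """Build the string Duo signs: date, METHOD, host, path, sorted params."""
    query = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                     for k, v in sorted(params.items()))
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    return canon, query

def signed_request(ikey, skey, host, path, params, date=None):
    """Return (url, headers) for a GET request.

    The Secret Key is used only as the HMAC key and is never transmitted.
    """
    date = date or email.utils.formatdate()  # RFC 2822, must match Date header
    canon, query = canonical_request(date, "GET", host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    url = f"https://{host.lower()}{path}?{query}"
    return url, {"Date": date, "Authorization": f"Basic {basic}"}

def auth_log_probe(ikey, skey, host, now=None, lookback_s=3600):
    """Request one authentication log record from the last hour.

    This endpoint needs the 'Grant read log' permission selected in step 5.
    mintime and maxtime are Unix timestamps in milliseconds.
    """
    now_ms = int((now or time.time()) * 1000)
    params = {"mintime": now_ms - lookback_s * 1000,
              "maxtime": now_ms, "limit": 1}
    return signed_request(ikey, skey, host,
                          "/admin/v2/logs/authentication", params)

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    url, headers = auth_log_probe("DIXXXXXXXXXXXXXXXXXX", "placeholder-secret",
                                  "api-XXXXXXXX.duosecurity.com")
    print(url)
    print(headers["Date"])
```

A live request succeeds only from an address listed under Networks for API access in step 6, so from any other network this block is for inspecting the signed request rather than sending it.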

Provide Cisco Duo credentials to Arctic Wolf

Note: Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Duo.
  5. Configure these settings:
  6. Click Test and submit credentials.