Duo Security Logging for Threat Detection

Duo Security is a zero-trust security platform that provides identity-based security services, including two-factor authentication, endpoint security and single sign-on (SSO).

Blumira is a certified Duo Ready Partner under Duo’s Detection and Response category. Blumira integrates with Duo Security to stream authentication and endpoint logs and alerts to the Blumira service for threat detection and actionable response. Blumira applies threat intelligence and user and entity behavior analytics to detect malicious and high-risk logins, such as geo-impossible logins.
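To make the "geo-impossible login" idea concrete, the following is an added example (not Blumira's detection code or Duo's own tooling): it walks a set of constructed records shaped like Duo Admin API v2 authentication log entries and flags any user whose consecutive successful logins would have required travelling faster than an airliner. Duo's real location object carries city/state/country but no coordinates, so the `lat`/`lon` fields are an assumed enrichment step (for example, a GeoIP lookup on `access_device.ip`), and the 900 km/h threshold is a chosen tuning value.

```python
"""Flag geo-impossible Duo logins: two successful authentications for the
same user whose locations are too far apart for the time between them."""
import json
import math

# Constructed sample events in the shape of Duo Admin API v2 authentication
# log records ("timestamp" in ms since epoch, "access_device.location").
# The "lat"/"lon" values are an assumed GeoIP enrichment, not Duo fields.
SAMPLE_EVENTS = json.loads("""[
 {"txid":"a1","timestamp":1700000000000,"result":"success",
  "user":{"name":"alice"},
  "access_device":{"ip":"203.0.113.10",
   "location":{"city":"Detroit","state":"Michigan","country":"US","lat":42.33,"lon":-83.05}}},
 {"txid":"a2","timestamp":1700001800000,"result":"success",
  "user":{"name":"alice"},
  "access_device":{"ip":"198.51.100.7",
   "location":{"city":"Sydney","state":"New South Wales","country":"AU","lat":-33.87,"lon":151.21}}},
 {"txid":"a3","timestamp":1700001900000,"result":"denied","reason":"invalid_passcode",
  "user":{"name":"alice"},
  "access_device":{"ip":"198.51.100.7",
   "location":{"city":"Sydney","state":"New South Wales","country":"AU","lat":-33.87,"lon":151.21}}},
 {"txid":"b1","timestamp":1700000000000,"result":"success",
  "user":{"name":"bob"},
  "access_device":{"ip":"192.0.2.5",
   "location":{"city":"Chicago","state":"Illinois","country":"US","lat":41.88,"lon":-87.63}}},
 {"txid":"b2","timestamp":1700010800000,"result":"success",
  "user":{"name":"bob"},
  "access_device":{"ip":"192.0.2.9",
   "location":{"city":"Detroit","state":"Michigan","country":"US","lat":42.33,"lon":-83.05}}}
]""")

MAX_SPEED_KMH = 900.0  # roughly airliner speed; anything faster is treated as impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per pair of consecutive successful logins (per user)
    whose implied speed exceeds max_speed_kmh. Denied attempts are skipped:
    they are a separate signal and say nothing about where the user really was."""
    by_user = {}
    for ev in events:
        loc = ev.get("access_device", {}).get("location", {})
        if ev.get("result") != "success" or "lat" not in loc or "lon" not in loc:
            continue
        by_user.setdefault(ev["user"]["name"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        for prev, cur in zip(evs, evs[1:]):
            a, b = prev["access_device"]["location"], cur["access_device"]["location"]
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (cur["timestamp"] - prev["timestamp"]) / 3_600_000
            # Same timestamp but different place: treat the speed as infinite.
            kmh = km / hours if hours > 0 else (math.inf if km > 1.0 else 0.0)
            if kmh > max_speed_kmh:
                findings.append({
                    "user": user, "from": a["city"], "to": b["city"],
                    "km": round(km), "hours": round(hours, 2), "kmh": round(kmh),
                    "txids": (prev["txid"], cur["txid"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['hours']} h "
              f"({f['km']} km, ~{f['kmh']} km/h) txids={f['txids']}")
```

On the constructed data only `alice` is flagged (Detroit to Sydney in half an hour); `bob`'s Chicago to Detroit drive over three hours stays well under the threshold. In production the same logic needs allowances for VPN egress points, mobile carrier geolocation error and shared corporate IPs, which is exactly the kind of baseline a UEBA layer supplies.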

Learn more in our blog post, “Duo + Blumira: Better Identity, Access Monitoring & Threat Detection Together.”

Configuration Instructions

Duo Logging Pre-Requisites

Configure Duo Security to work with Blumira using the Duo Admin API event logs, following these steps:

  1. Request Duo API access by following the “First Steps” section here: https://duo.com/docs/adminapi#first-steps
  2. Once you have the Duo Integration Key, Duo Secret Key, and Duo API Hostname, you can proceed to configure the Blumira sensor to poll and ingest this data via the steps below.

Grant permissions commensurate with your needs; Blumira only requires read access to the data within the Duo environment.

Configuring Blumira

Once you have the Duo configuration parameters, you’ll need to enable your Blumira sensor to actually collect Duo logs. To do this, on an existing or new sensor in the sensor UI, you must add the Duo Module (note that the typical “Logger” module must also be present on this sensor for logs to flow; it will be listed at the bottom of your sensor detail page, if present [1]).

To add the Duo Module:

  1. Once you have chosen or installed a sensor you’d like to add Duo log collection to, open the sensor detail page for that sensor and click the “Add Module” button near the bottom right of the page.
  2. In the Module drop-down, find the Duo Module and select the latest available version.
  3. Fill in the New Module form (the version number near the top may be higher than pictured):
      1. For “Log Source Name,” optionally enter a string to identify this Duo log deployment. This is especially useful if you have additional Duo modules collecting data for different integrations/deployments and want to distinguish them. (Note: The string may only contain alphanumeric characters, periods, and hyphens; no spaces are allowed.) When querying raw event data, the value you enter here is displayed in the “device_address” column. If you leave it blank, it defaults to “duo.”
      2. For Integration Key, Secret Key, and API Hostname, paste the Duo-provided values for these three strings, which you obtained in the “Duo Logging Pre-Requisites” steps above. Ensure they match exactly what Duo provided, as this form does not validate that they are correct.
  4. Click “Install.” The screen may pause for a few seconds as the install is registered, after which the Duo Module should be listed in the module table at the bottom of your sensor detail page.
  5. Within minutes, the module will be operational and will collect the last 90 days’ worth of Duo logs into the Blumira platform. It will then poll Duo every minute for the latest available logs and pass them into the platform. Note that several minutes can elapse between the time a log is generated by Duo, ingested into Blumira by the sensor, and fully processed and visible in the UI.
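The last step describes a collector that backfills 90 days, then polls every minute, while the logs themselves can surface several minutes after Duo generates them. That lag matters for anyone building or troubleshooting a poller: a window that starts exactly where the previous one ended will silently miss an event that Duo emits late with an earlier timestamp. The following is an added illustration of the bookkeeping that avoids this (not Blumira's sensor code and not a Duo API client); it assumes only that Duo Admin API v2 authentication log records carry a unique `txid` and a millisecond `timestamp`, and that they are queried by a `[mintime, maxtime]` millisecond range. The overlap size and the sample events are constructed.

```python
"""Poll-window bookkeeping for a minute-by-minute Duo log collector:
overlapping windows so late-arriving events are still read, plus txid
de-duplication so the overlap does not deliver events twice."""

POLL_INTERVAL_MS = 60_000              # the module polls Duo every minute
LAG_ALLOWANCE_MS = 10 * 60_000         # assumed: events may surface up to 10 min late
INITIAL_BACKFILL_MS = 90 * 86_400_000  # the first poll reaches back 90 days


class Collector:
    def __init__(self, first_run_now_ms):
        # High-water mark (maxtime) of the last window requested from Duo.
        self.checkpoint_ms = first_run_now_ms - INITIAL_BACKFILL_MS
        # txid -> timestamp_ms for events that a future overlap could return again.
        self.seen = {}

    def next_window(self, now_ms):
        """[mintime, maxtime] for the next Admin API query. The window starts
        LAG_ALLOWANCE_MS before the checkpoint, so an event that Duo emits late
        but timestamps inside an already-polled window is still picked up."""
        mintime = max(0, self.checkpoint_ms - LAG_ALLOWANCE_MS)
        return mintime, now_ms

    def ingest(self, events, maxtime_ms):
        """Return only events not delivered before, then advance the checkpoint
        to the window's maxtime and forget txids no overlap window can return."""
        fresh = []
        for ev in events:
            if ev["txid"] in self.seen:
                continue
            self.seen[ev["txid"]] = ev["timestamp"]
            fresh.append(ev)
        self.checkpoint_ms = maxtime_ms
        floor = self.checkpoint_ms - LAG_ALLOWANCE_MS
        self.seen = {t: ts for t, ts in self.seen.items() if ts >= floor}
        return fresh


def simulate():
    """Two consecutive polls over constructed events. The second poll's
    window overlaps the first, so it returns e2 again (already delivered)
    and e3, an event timestamped inside the first window that Duo only
    exposed late. Returns the txids delivered by each poll."""
    t0 = 1_700_000_000_000
    minute = 60_000
    c = Collector(first_run_now_ms=t0)

    # Poll 1 at t0: Duo returns two events.
    win1 = c.next_window(t0)
    duo_response_1 = [
        {"txid": "e1", "timestamp": t0 - 5 * minute},
        {"txid": "e2", "timestamp": t0 - 1 * minute},
    ]
    first = [e["txid"] for e in c.ingest(duo_response_1, win1[1])]

    # Poll 2 one interval later: e2 reappears because the window overlaps,
    # e3 is the late arrival, e4 is genuinely new.
    now2 = t0 + POLL_INTERVAL_MS
    win2 = c.next_window(now2)
    duo_response_2 = [
        {"txid": "e2", "timestamp": t0 - 1 * minute},
        {"txid": "e3", "timestamp": t0 - 3 * minute},
        {"txid": "e4", "timestamp": t0 + 30_000},
    ]
    second = [e["txid"] for e in c.ingest(duo_response_2, win2[1])]
    return first, second, win2


if __name__ == "__main__":
    first, second, win2 = simulate()
    print("poll 1 delivered:", first)
    print("poll 2 window   :", win2)
    print("poll 2 delivered:", second)
```

The overlap is the part that is easy to get wrong: without it, `e3` would never be delivered, and without the txid memory the overlap would double-count `e2`. Sizing `LAG_ALLOWANCE_MS` is a trade-off between API volume and tolerance for late events; the pruning of `seen` keeps memory bounded to whatever the overlap can still return.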

Footnotes:

[1] To add the basic “Logger” module, if you haven’t already during your Blumira onboarding, simply click “Add Module” on a sensor without one, select the latest available version of the “Logger Module”, and click “Install” (leaving the two TLS fields blank, unless you intend to collect TLS syslog).