Duo Logging Pre-Requisites

Configure Duo Security to work with Blumira using the Duo Admin API event logs, following these steps:

1. Request Duo API access by following the “First Steps” section here: https://duo.com/docs/adminapi#first-steps
2. Once you have the Duo Integration Key, Duo Secret Key, and Duo API Hostname, you can proceed to configure the Blumira sensor to poll and ingest this data via the below steps.

You should grant permissions commensurate to your needs, for Blumira we are looking for read access to the data within the Duo environment.

Configuring Blumira

1. Once you have chosen or installed a sensor you’d like to add Duo log collection to, when looking at the sensor detail page for the sensor, click the “Add Module” button near the bottom right of the page.
2. In the Module drop-down find the Duo Module and select the latest available version.
3. Fill in the New Module form, shown here (the version number near top may be higher):

1. For “Log Source Name,” optionally enter a string to identify this Duo log deployment. This is especially useful if you may have additional Duo modules collecting data for different integrations/deployments and want to distinguish them. (Note: The string may only contain alphanumeric characters, periods, and hyphens; no spaces are allowed.) When querying raw event data, the value you enter here will be displayed in the “device_address” column. It will default to “duo,” if you do not enter another value here. For Integration Key, Secret Key, and API Hostname, paste the Duo-provided values for these three strings, which you obtained in the “Preparing Duo” steps above. Ensure they match exactly what Duo provided, as this form does not validate that they are correct.
2. Click “Install.” The screen may pause for a few seconds as the install is registered, after which the Duo Module should be listed in the module table at the bottom of your sensor detail page.”
3. Within minutes, the module will be operational and collect the last 90 days worth of Duo logs into the Blumira platform. It will then poll Duo every minute for the latest available logs and pass those into the platform. Please note that logs take several minutes between the time they are generated by Duo, ingested into Blumira by the sensor, and fully processed and visible in the UI.

Footnotes:

[1] To add the basic “Logger” module, if you haven’t already during your Blumira onboarding, simply click “Add Module” on a sensor without one, select the latest available version of the “Logger Module”, and click “Install” (leaving the two TLS fields blank, unless you intend to collect TLS syslog).

Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.