Cloud SIEM for Duo Security

Duo Security is a zero-trust security platform that provides identity-based security services, including two-factor authentication, endpoint security and single sign-on (SSO).


Blumira is a certified Duo Ready Partner under Duo’s Detection and Response category. Blumira integrates with Duo Security to stream authentication and endpoint logs and alerts to the Blumira service for threat detection and actionable response. Blumira applies threat intelligence and user entity behavior analytics to detect malicious and high-risk logins such as geo-impossible logins.


See a demo of Duo + Blumira in action:



Learn more in our blog post, “Duo + Blumira: Better Identity, Access Monitoring & Threat Detection Together.”


Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.


Free Trial

Configuration Instructions

Duo Logging Pre-Requisites

Configure Duo Security to work with Blumira using the Duo Admin API event logs, following these steps:

  1. Request Duo API access by following the “First Steps” section here: https://duo.com/docs/adminapi#first-steps
  2. After you have the Duo Integration KeyDuo Secret Key, and Duo API Hostname, you can proceed to configure the Blumira sensor to poll and ingest this data via the below steps.You should grant permissions commensurate to your needs. For Blumira, we need read access to the data within the Duo environment.

Configuring Blumira

After you have your Duo API information, you must configure Blumira to collect Duo logs. You can do this through a Cloud Connector or a Duo Module, if you want to use an existing sensor.

You can use the sections below to guide you through either process.

Adding a Cloud Connector with Duo

Cloud Connectors automates the configuration of your Duo integration without requiring you to use a sensor. After you obtain the Duo configuration parameters, you can then enable Blumira to collect Duo logs.

  1. In the Blumira app, go to the Cloud Connectors page (Infrastructure > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the “device_address” column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them.
  6. Enter the API credentials that you collected in the section above.
  7. Click Connect.
    On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
  8. Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Infrastructure > Sensors) to avoid log duplication.

Adding a Duo Module

To collect Duo logs on an existing or new sensor in the sensor UI, you must add the Duo Module (note that the typical “Logger” module must also be present on this sensor for logs to flow; it will be listed at the bottom of your sensor detail page, if present [1]).

To add the Duo Module:

  1. Once you have chosen or installed a sensor you’d like to add Duo log collection to, when looking at the sensor detail page for the sensor, click the “Add Module” button near the bottom right of the page.
  2. In the Module drop-down find the Duo Module and select the latest available version.
  3. Fill in the New Module form, shown here (the version number near top may be higher):

  1. (Optional) For “Log Source Name,” you can enter a string to identify this Duo log deployment. This is especially useful if you may have additional Duo modules collecting data for different integrations/deployments and want to distinguish them. (Note: The string may only contain alphanumeric characters, periods, and hyphens; no spaces are allowed.) When querying raw event data, the value you enter here will be displayed in the “device_address” column. It will default to “duo,” if you do not enter another value here. For Integration Key, Secret Key, and API Hostname, paste the Duo-provided values for these three strings, which you obtained in the “Preparing Duo” steps above. Ensure they match exactly what Duo provided, as this form does not validate that they are correct.
  2. Click “Install.” The screen may pause for a few seconds as the install is registered, after which the Duo Module should be listed in the module table at the bottom of your sensor detail page.”
  3. Within minutes, the module will be operational and collect the last 90 days worth of Duo logs into the Blumira platform. It will then poll Duo every minute for the latest available logs and pass those into the platform. Please note that logs take several minutes between the time they are generated by Duo, ingested into Blumira by the sensor, and fully processed and visible in the UI.


[1] To add the basic “Logger” module, if you haven’t already during your Blumira onboarding, simply click “Add Module” on a sensor without one, select the latest available version of the “Logger Module”, and click “Install” (leaving the two TLS fields blank, unless you intend to collect TLS syslog).