Configure Cisco Duo Log Collector

The Alert Logic Cisco Duo Collector is an AWS-based API Poll (PAWS) log collector library mechanism designed to collect logs from the Cisco Duo platform. You can find Cisco Duo logs collected with keyword search in the Alert Logic console Search: Log Messages page. Alert Logic also generates security incidents from Cisco Duo logs in the Incidents page. For more information about authentication application security content, see Authentication Application Security Incidents.

The Alert Logic Cisco Duo collector polls the following APIs for various types of data:

You must complete the following to successfully configure your Cisco Duo Log Collector:

  1. Obtain an integration key, secret key, and API hostname from Cisco Duo
  2. Configuring collection from the Alert Logic console

Obtain an integration key, secret key, and API hostname from Cisco Duo

Create a Duo account to obtain an integration key (client ID), secret key, and API hostname. Only administrators with the Owner role have access to the Admin API. You must contact Duo support after you create an account to set it to the appropriate role.

To obtain an integration key, secret key, and API hostname:

  1. Create a Duo account, and then contact Duo support to request Admin API access.
  2. After you are granted the appropriate role, sign in to Duo Admin Panel, and then on the left panel, click Applications.
  3. Click Protect an Application, and then locate the entry for Admin API in the applications list.
  4. Click Protect to configure the application. Make a note of your integration key (client ID), secret key, and API hostname.
  5. In the Permissions section, select which permissions you want to grant to the Admin API application.
  6. Click Save Changes.

Configuring collection from the Alert Logic console

After you create the API secret key and an API ID, you must complete the log collection process in the Alert Logic console. This configuration is an account-level integration, which means you can configure more than one instance of Cisco Duo collection. This capability is useful when more than one instance of the Cisco Duo application exists in your organization.

To access the Application Registry page, click the menu icon () from the Dashboards page. Click Configure, and then click Application Registry.

To add a new application collection:

  1. On the Applications List tab, use the drop-down menu to select the application type you want to see.
  2. In the Cisco Duo tile, click GET STARTED.
  3. In the Application Name field, enter a name for this Cisco Duo collection instance.
  4. Under Collection Method and Policy, in the Cisco Duo Domain field, enter the Cisco Duo domain location.
  5. In the Client ID, enter the integration key you noted earlier
  6. In the Secret Key field, enter the API Key you noted earlier.
  7. Under Objective Names, select from which Cisco Duo resources you want to poll.
  8. (Optional) Enter a Collection Start time using a format such as (2020-01-01T16:00:00Z). If the Collection Start field is left blank, only logs generated after you configure this collection instance will be collected.

    The collection start time determines how far back you want Alert Logic to collect logs if data already exists in your account. Alert Logic can only collect logs up to 30 days prior to the date you configured this collection instance.

  9. Click ADD. Wait a few minutes for the application to create and appear in your application list. Do not click ADD again.

In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.

Security Content for incidents

Alert Logic builds collectors to capture data from Cisco Duo and various other applications to create security content that is used to generate incidents for key security use cases. The following security incidents are available for Cisco Duo:

  • Administrative Actions
  • User Login AD
  • User Behavior AD

For more information about authentication application security content, see Authentication Application Security Incidents.