Cisco Duo protocol log source parameters for Cisco Duo

If QRadar does not automatically detect the log source, add a Cisco Duo log source on the QRadar Console by using the Cisco Duo protocol.

When you use the Cisco Duo protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect authentication events from the Cisco Duo Admin API:
Table 1. Cisco Duo log source parameters for the Cisco Duo DSM
| Parameter | Value |
| --- | --- |
| Log Source type | Cisco Duo |
| Protocol Configuration | Cisco Duo |
| Log Source Identifier | Type a unique name for the log source as an identifier for events from Cisco Duo. |

When you use the Cisco Duo default workflow, the value of the Log Source Identifier parameter must match the Host parameter. If the Cisco Duo default workflow is modified, the Log Source Identifier must match the Source value (source="${/host}") that is used under the PostEvents section. For more information, see Cisco Duo protocol workflow.

For a complete list of Cisco Duo protocol parameters and their values, see Cisco Duo protocol configuration options.