Cisco Duo protocol configuration options

To receive authentication events from Cisco Duo, configure a log source to use the Cisco Duo protocol.

The Cisco Duo protocol is an active outbound protocol that collects authentication logs from the Cisco Duo Admin API, and sends authentication events to IBM QRadar.

Important: Before you configure a log source to use the Cisco Duo protocol, you must obtain your keys from the Cisco Duo admin portal.
  1. Log in to the Cisco Duo admin portal (https://admin.duosecurity.com/).
  2. From the dashboard, go to the Applications tab, and then click Protect an Application.
  3. Navigate to the Admin API application, and then click Protect.
  4. In the Permissions menu, select Grant read log so that QRadar can collect the authentication logs from the Admin API.
  5. Copy the values for Integration key, Secret key, and API hostname. You need these values when you configure the Cisco Duo protocol parameters.
Important: Because Cisco Duo has rate limits on API calls, you can create only one log source per customer account.
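As an added illustration of what the API hostname, Integration key, and Secret key from the preceding steps are used for, the following Python request signer prepares one authentication-log query against the Duo Admin API. It is example code written here, not QRadar's protocol implementation or Duo's client library; it follows Duo's published Admin API signing scheme (HMAC-SHA1 over the date, method, host, path, and sorted parameters, sent as HTTP Basic auth with the integration key), and the credentials and endpoint path are placeholders and assumptions that do not come from this page.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials; the real values are the Integration key,
# Secret key and API hostname copied from the Duo admin portal (steps above).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "placeholder-secret-key-do-not-use"
HOST = "api-XXXXXXXX.duosecurity.com"
AUTH_LOG_PATH = "/admin/v2/logs/authentication"  # assumed Duo Admin API v2 log endpoint


def encode_params(params: dict) -> str:
    """URL-encode the query parameters sorted by key (RFC 3986, '~' unescaped)."""
    return urllib.parse.urlencode(sorted(params.items()),
                                  quote_via=urllib.parse.quote, safe="~")


def canonical_request(date: str, method: str, host: str, path: str, params: dict) -> str:
    """Build the newline-joined string that the client signs."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def sign_request(ikey: str, skey: str, host: str, method: str, path: str,
                 params: dict, date: str = "") -> dict:
    """Return the Date and Authorization headers for one Admin API call.
    The Secret key is used only as the HMAC key and never leaves the collector;
    the Integration key is sent in the clear as the Basic-auth user name."""
    date = date or email.utils.formatdate()  # RFC 2822 date, part of the signed data
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def split_authorization(header: str) -> tuple:
    """Recover (ikey, hex signature) from an Authorization header, e.g. when auditing."""
    user, _, sig = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, sig


def auth_log_request(ikey: str, skey: str, host: str, mintime_ms: int,
                     maxtime_ms: int, limit: int = 1000, date: str = "") -> tuple:
    """Prepare (url, headers) for one page of authentication logs in a time window."""
    params = {"mintime": str(mintime_ms), "maxtime": str(maxtime_ms), "limit": str(limit)}
    headers = sign_request(ikey, skey, host, "GET", AUTH_LOG_PATH, params, date)
    return f"https://{host}{AUTH_LOG_PATH}?{encode_params(params)}", headers
```

Because the hostname is part of the signed string, a Host value that does not match the API hostname in the Duo portal produces a signature Duo rejects, which is the usual cause of a log source that authenticates nothing.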

The following table describes the protocol-specific parameters for the Cisco Duo protocol:

Table 1. Cisco Duo protocol parameters
Parameter Description
Log Source Type

Cisco Duo

Protocol Configuration

Cisco Duo
Log Source Identifier

Type a unique name for the log source as an identifier for events from Cisco Duo.

The value of the Log Source Identifier parameter must match the Host parameter when you are using the Cisco Duo default workflow. If the Cisco Duo default workflow is modified, then the Log Source Identifier must match the Source value - source="${/host}" that is used under the PostEvents section. For more information, see Cisco Duo protocol workflow.

Host

The API hostname in the Cisco Duo portal that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Integration Key

The integration key that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Secret Key

The secret key that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Use Proxy

If the API is accessed by using a proxy, select this checkbox.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence

Specify how often the log source collects data. The format is M/H/D for Minutes/Hours/Days. The default is 5 minutes.
EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Enable Advanced Options

Select this checkbox to enable the following configuration options: Allow Untrusted Certificates, Override Workflow, Workflow, and Workflow Parameters.

These parameters are only visible if you select this checkbox.

Allow Untrusted Certificates

If you enable this parameter, the protocol can accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the protocol trusts only certificates that are signed by a trusted signer.

The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file.

If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, then your selection in the UI is used.

Override Workflow

Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters fields appear.
Workflow

The XML document that defines how the protocol instance collects events from the target API.

For more information about the default workflow, see Cisco Duo protocol workflow.

Workflow Parameters

The XML document that contains the parameter values used directly by the workflow.

For more information about the default workflow parameters, see Cisco Duo protocol workflow.

Enabled

By default, the checkbox is selected to enable the log source to communicate with QRadar.
Credibility

Select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Target Event Collector to use as the target for the log source.
Coalescing Events

Select this checkbox to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this checkbox to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.