Cisco Duo connector configuration options

To receive authentication events from Cisco Duo, configure a data source to use the Cisco Duo connector.

The Cisco Duo connector is an active outbound connector that collects authentication logs from the Cisco Duo Admin API, and sends authentication events to the QRadar® product.

Important: Before you configure a data source to use the Cisco Duo connector, you must obtain your keys from the Cisco Duo admin portal.
  1. Log in to the Cisco Duo admin portal (https://admin.duosecurity.com/).
  2. From the dashboard, go to the Applications tab, and then click Protect an Application.
  3. Navigate to the Admin API application, and then click Protect.
  4. In the Permissions menu, select Grant read log so that the connector can read authentication logs from the Admin API. No other Admin API permission is needed for log collection.
  5. Copy the values for Integration key, Secret key, and API hostname. You need these values when you configure the Cisco Duo connector parameters.
Important: Because Cisco Duo has rate limits on API calls, you can create only one data source per customer account.
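The request that the connector signs with the three values from the preceding procedure, as an added example that is not IBM's or Cisco's code: it builds the Date and Authorization headers for one pull of the authentication log over a single Recurrence window, and decodes the header back for verification. The endpoint path, the canonical-string layout and the HMAC-SHA1 signature are assumptions taken from Duo's public API authentication documentation; the integration key, secret key and API hostname are constructed placeholders.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders standing in for the three values copied from the Duo admin portal.
INTEGRATION_KEY = "DIXXXXXXXXXXXXXXXXXX"
SECRET_KEY = "constructed-secret-key-not-a-real-one"
API_HOSTNAME = "api-xxxxxxxx.duosecurity.com"
AUTH_LOG_PATH = "/admin/v2/logs/authentication"  # assumed Admin API v2 endpoint; needs only "Grant read log"

def canonicalize(date, method, host, path, params):
    """Canonical string Duo signs: date, upper-case method, lower-case host, path,
    and the sorted, RFC 3986-encoded query parameters, each on its own line (assumed layout)."""
    query = "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}" for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])

def sign(secret_key, canonical):
    """Hex HMAC-SHA1 of the canonical string under the secret key (assumed signing scheme)."""
    return hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).hexdigest()

def signed_headers(ikey, skey, host, method, path, params, date=None):
    """Headers for one Admin API request. The secret key never leaves this host:
    only the integration key and the HMAC travel, as HTTP Basic 'ikey:signature'."""
    date = date or email.utils.formatdate()  # RFC 2822 date; it is part of the signed string
    signature = sign(skey, canonicalize(date, method, host, path, params))
    token = base64.b64encode(f"{ikey}:{signature}".encode()).decode()
    return {"Date": date, "Host": host, "Authorization": f"Basic {token}"}

def decode_authorization(header):
    """Split a 'Basic <b64>' value back into (integration key, signature) so a reviewer
    can confirm that no secret key material is present in the outgoing header."""
    ikey, signature = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return ikey, signature

def auth_log_params(last_poll_ms, now_ms, limit=1000):
    """Query window for one Recurrence tick: millisecond timestamps bounded so that
    consecutive polls do not overlap, with a page limit that keeps each call small."""
    return {"mintime": last_poll_ms, "maxtime": now_ms, "limit": limit}

if __name__ == "__main__":
    headers = signed_headers(INTEGRATION_KEY, SECRET_KEY, API_HOSTNAME, "GET", AUTH_LOG_PATH, auth_log_params(1000, 2000))
    print(headers)
```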

The following table describes the connector-specific parameters for the Cisco Duo connector:

Table 1. Cisco Duo connector parameters

Name
    Cisco Duo

Connector type
    Cisco Duo

Data source identifier
    Type a unique name for the data source.

    The Data source identifier can be any valid value and does not need to reference a specific server. The Data source identifier can be the same value as the Name parameter. If you have more than one Cisco Duo data source, ensure that you give each one a unique name.

Host
    The API hostname in the Cisco Duo portal that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Integration Key
    The integration key that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Secret Key
    The secret key that is used to authenticate with the Cisco Duo Admin API. Review the preceding procedure for obtaining this information from Cisco Duo.

Use Proxy
    If the API is accessed by using a proxy, select this checkbox.

    Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence
    Specify how often the connector collects data. The format is M/H/D for Minutes/Hours/Days. The default is 5 minutes.

EPS Throttle
    The limit for the maximum number of events per second (EPS) for events that are received from the API. The default is 5000.

Enable Advanced Options
    Select this checkbox to enable the following configuration options: Allow Untrusted Certificates, Override Workflow, Workflow, and Workflow Parameters.

    These parameters are visible only if you select this checkbox.

Allow Untrusted Certificates
    If you enable this parameter, the connector can accept self-signed and otherwise untrusted certificates that are located in the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the connector trusts only certificates that are signed by a trusted signer.

    The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file.

    If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, then your selection in the UI is used.

Override Workflow
    Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters fields appear.

Workflow
    The XML document that defines how the connector instance collects events from the target API.

    For more information about the default workflow, see Cisco Duo connector workflow.

Workflow Parameters
    The XML document that contains the parameter values that are used directly by the workflow.

    For more information about the default workflow parameters, see Cisco Duo connector workflow.

Enabled
    By default, the checkbox is selected to enable the data source to communicate with the QRadar product.

Credibility
    Select the Credibility of the data source. The range is 0 - 10.

    The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector
    Select the Target Event Collector to use as the target for the data source.

Coalescing Events
    Select this checkbox to enable the data source to coalesce (bundle) events.

    By default, automatically discovered data sources inherit the value of the Coalescing Events list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.

Store Event Payload
    Select this checkbox to enable the data source to store event payload information.

    By default, automatically discovered data sources inherit the value of the Store Event Payload list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.