When you configure Duo Security to send log data to USM Anywhere, you can use the Duo Two-Factor Authentication CEF plugin to translate the raw log data into normalized events for analysis.
Device Type: Authentication and DHCP
Integrating Duo Security
Duo Security does not provide a connector or integration built specifically for USM Anywhere. However, the duo-log-grabber utility on GitHub "grabs the administrator and authentication logs from the Duo Security API and sends CEF-formatted syslog." You can use it to forward those logs to USM Anywhere instead.
Before you configure the integration, you need the IP address of the USM Anywhere Sensor that will receive the syslog messages, and you need account information (API credentials) for the Duo Auth API.
To send CEF-formatted syslog messages to USM Anywhere
- Download the utility from https://github.com/libresec/duo-log-grabber.
- Install the utility's Python dependencies from the downloaded directory: `pip install -r requirements.txt`
- Update the conf.ini file:
  - In the [api] section, enter your Duo Security API credentials.
  - In the [syslog] section, replace <syslog_server> with the IP address of the USM Anywhere Sensor.
- Run the utility, or schedule it to run at a regular interval, to import Duo Security logs into USM Anywhere.
The Duo Two-Factor Authentication CEF plugin automatically processes every message whose raw text contains the CEF header fragment `|Duo Security|Two-factor|`, that is, a Device Vendor of `Duo Security` followed by a Device Product of `Two-factor`. Messages without that fragment are not handled by this plugin.
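As an added example (not code from the USM Anywhere page or the duo-log-grabber project), the following Python script shows, offline, the two checks a practitioner makes before scheduling the utility: that conf.ini no longer holds the <syslog_server> placeholder from the procedure above, and that the CEF line the sensor will receive carries the `|Duo Security|Two-factor|` fragment the plugin matches on. The conf.ini key names (ikey, skey, host, server, port), the layout of the Duo authentication record and the CEF field mapping are assumptions chosen for illustration, and the sample config and record are constructed.

```python
"""Added example: validate a duo-log-grabber style conf.ini, format a Duo
authentication record as CEF, and confirm the plugin match condition.
Key names, record layout and field mapping are assumptions, not the project's."""
import configparser
import ipaddress
import socket
import time

# Constructed conf.ini with the [api] and [syslog] sections the page mentions.
# The key names are assumed for this example, not taken from duo-log-grabber.
SAMPLE_CONF = """
[api]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REDACTED
host = api-xxxxxxxx.duosecurity.com

[syslog]
server = 10.0.0.25
port = 514
"""

# Constructed Duo authentication-log record (shape assumed for illustration).
SAMPLE_RECORD = {
    "timestamp": 1500000000,
    "username": "alice",
    "ip": "203.0.113.9",
    "factor": "Duo Push",
    "result": "success",
    "reason": "",
    "integration": "VPN",
}


def check_conf(text):
    """Return a list of problems found in a conf.ini body; an empty list means OK."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []
    for key in ("ikey", "skey", "host"):
        if not cp.get("api", key, fallback="").strip():
            problems.append(f"[api] {key} is missing")
    server = cp.get("syslog", "server", fallback="").strip()
    if not server or server == "<syslog_server>":
        problems.append("[syslog] server still holds the <syslog_server> placeholder")
    else:
        try:
            ipaddress.ip_address(server)  # the page asks for the Sensor's IP address
        except ValueError:
            problems.append(f"[syslog] server {server!r} is not an IP address")
    return problems


def _esc_header(value):
    """CEF header fields escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def duo_auth_to_cef(rec):
    """Turn one Duo authentication record into a CEF line.

    Vendor and product are the values the plugin keys on; the extension
    mapping (rt, suser, src, act, outcome, reason, cs1) is this example's choice.
    """
    outcome = "SUCCESS" if rec.get("result") == "success" else "FAILURE"
    severity = 3 if outcome == "SUCCESS" else 6
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "Duo Security", "Two-factor", "1.0",
        "auth", "Authentication " + outcome.lower(), severity))
    ext = {
        "rt": int(rec["timestamp"]) * 1000,  # CEF rt is epoch milliseconds
        "suser": rec.get("username", ""),
        "src": rec.get("ip", ""),
        "act": rec.get("factor", ""),
        "outcome": outcome,
        "reason": rec.get("reason", ""),
        "cs1Label": "integration",
        "cs1": rec.get("integration", ""),
    }
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def plugin_matches(raw):
    """The condition the page states: the raw message contains this header fragment."""
    return "|Duo Security|Two-factor|" in raw


def send_syslog(message, server, port=514, facility=1, severity=6):
    """Ship one CEF line to the Sensor as RFC 3164-style UDP syslog (not run offline)."""
    pri = facility * 8 + severity
    line = f"<{pri}>{time.strftime('%b %d %H:%M:%S')} duo-log-grabber {message}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), (server, port))


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF):
        print("conf.ini:", problem)
    cef = duo_auth_to_cef(SAMPLE_RECORD)
    print(cef)
    print("plugin will match:", plugin_matches(cef))
```

Run `check_conf` against your real conf.ini before the first scheduled run; a leftover `<syslog_server>` placeholder means the utility sends nothing the Sensor ever sees, and a CEF line that fails `plugin_matches` will reach the Sensor but be left unparsed by this plugin.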
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
Note: The field event_receipt_time must be selected before it is available in any reports.
To select the Event Receipt Time field
- Go to Activity > Events and click the icon.
- Use the Available Columns selector to add Event Receipt Time.
- Click Apply.
Once this change is applied, the field is displayed for all events.
For troubleshooting, refer to the vendor documentation: