Duo Security Cloud Connector
Prerequisites to Configure the Duo Security Cloud Connector
Before you configure the Duo Security connector, you must complete the following prerequisites:
1. Ensure that you have a Duo administrator account with the Owner role.
Note
Only administrators with the Owner role can create and edit the Duo Admin API application.
To verify the Owner permission, log in to the Duo Admin portal, click your name, and confirm in the Permissions section that the Owner role is selected.
2. Ensure that the Duo Admin API application is enabled for your organization's Duo account.
3. Ensure that HTTPS traffic to https://*.duosecurity.com:443 is permitted between the Exabeam Cloud Connector platform and Duo.
4. Ensure that the clock is set correctly on the computer on which you run the Exabeam cloud connector; the secure communication channel with Duo depends on accurate time.
Enable the Duo Admin API Application
The Admin API enables developers to integrate with Duo Security's platform. Using the Admin API, developers can create and edit objects in Duo, read the Duo account's logs, and update account settings.
To verify whether the Admin API application is enabled for your Duo account:
1. Log in to the Duo Admin console.
2. Navigate to Dashboards > Applications > Protect an Application. If the list displays Admin API, the Admin API is enabled for the Duo account. If the list does not display Admin API, the Admin API has not been enabled for your organization; to enable it, contact Duo support. For more information, see Duo Admin API.
Obtain an Integration key, Secret Key, and API Hostname
Duo Security APIs are authenticated with application keys. To obtain an Integration key, Secret key, and API hostname, you must create a new Admin API protected application.
To create a new Admin API protected application:
1. Log in to the Duo Admin console.
2. Navigate to Applications > Protect an Application.
3. In the list of available applications, click the Protect this Application link for Admin API. The new application's Properties page appears. Note the Integration key, Secret key, and API hostname shown in the Details section. The integration key and secret key uniquely identify this application to Duo; the API hostname is unique to your account and shared by all of its applications. Each value is a string of letters and numbers; use them to configure the Duo Security cloud connector.
4. Specify a name for the application that you created.
5. Select the following options to grant the required permissions to the Admin API protected application:
   - Grant administrators - Allows Exabeam to read administrator identifying properties.
   - Grant read log - Allows Exabeam to read the required audit logs.
   - Grant read resource - Allows Exabeam to read user and group information.
6. Save the changes.
Note
By default, the Duo connector syncs groups and users to enrich events. This sync requires the Grant read resource permission on the connector's Admin API application. If you do not want to assign the Grant read resource permission for this service, you must disable the groups and users sync by contacting Exabeam support.
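The three values collected above are only meaningful inside the request-signing scheme Duo uses for its Admin API. The following Python is an added example, not Exabeam's or Duo's code: it shows how the integration key, secret key and API hostname become an authenticated request to the authentication log endpoint (the data the Grant read log permission covers), and, from the verifying side, why the prerequisites insist on an accurate clock. The credentials, the hostname and the 300-second skew window are constructed assumptions; the canonical-string layout, the HMAC-SHA1 signature sent as HTTP Basic credentials, and the /admin/v2/logs/authentication parameters follow Duo's published Admin API documentation.

```python
"""Sign and verify a Duo Admin API request (added example, not product code)."""
import base64
import hashlib
import hmac
import time
from email.utils import formatdate, parsedate_to_datetime
from urllib.parse import quote

# Constructed placeholder credentials; real values come from the Admin API
# application's Details section in the Duo Admin Panel.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-do-not-use"
HOST = "api-xxxxxxxx.duosecurity.com"


def canonicalize_params(params):
    """Sort parameters by key and percent-encode per RFC 3986, leaving only
    A-Z a-z 0-9 - _ . ~ unencoded (so '/' and '+' are encoded too)."""
    return "&".join(
        f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def canonical_string(date, method, host, path, params):
    """The exact text that gets signed. The Date header is part of it, so a
    request signed with a wrong clock carries a signature Duo cannot match
    to a fresh timestamp."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      canonicalize_params(params)])


def sign_request(ikey, skey, method, host, path, params, date=None):
    """Return the Date and Authorization headers for a signed request."""
    date = date or formatdate(usegmt=True)  # RFC 2822, e.g. 'Tue, 21 Aug 2012 17:29:18 GMT'
    canon = canonical_string(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    creds = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {creds}"}


def authentication_log_request(ikey, skey, host, mintime_ms, maxtime_ms,
                               limit=1000, date=None):
    """URL and headers for the v2 authentication log endpoint that the
    'Grant read log' permission authorizes. Times are Unix milliseconds."""
    path = "/admin/v2/logs/authentication"
    params = {"mintime": mintime_ms, "maxtime": maxtime_ms, "limit": limit}
    headers = sign_request(ikey, skey, "GET", host, path, params, date)
    return f"https://{host}{path}?{canonicalize_params(params)}", headers


def verify_request(ikey, skey, headers, method, host, path, params,
                   now=None, max_skew_s=300):
    """Recompute the signature the way the API side would and reject stale
    Date headers. The 300 s window is an assumed illustration value, not
    Duo's published tolerance."""
    try:
        scheme, creds = headers["Authorization"].split(" ", 1)
        sent_ikey, sent_sig = base64.b64decode(creds).decode().split(":", 1)
        sent_ts = parsedate_to_datetime(headers["Date"]).timestamp()
    except (KeyError, ValueError, TypeError):
        return False
    if scheme != "Basic" or sent_ikey != ikey:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_ts) > max_skew_s:
        return False  # clock skew: the failure the prerequisites warn about
    canon = canonical_string(headers["Date"], method, host, path, params)
    expected = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sent_sig)


if __name__ == "__main__":
    now_ms = int(time.time() * 1000)
    url, hdrs = authentication_log_request(IKEY, SKEY, HOST, now_ms - 3_600_000, now_ms)
    print(url)
    print(hdrs["Authorization"])
```

Because the secret key is the HMAC key for every call the application is permitted to make, it is as sensitive as the Duo account data it unlocks; the connector platform's account settings are the only place it should live. When Test Connection fails, a wrong key and a skewed clock both surface as a signature rejection, so check the time on the connector host before rotating keys.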
Configure the Duo Security Cloud Connector
Duo Security is a multi-factor authentication (MFA) and secure access provider offering a cloud-based two-factor authentication solution for cloud, endpoint, and mobile security. Additionally, Duo Security offers solutions to protect users, data, and applications from breaches and credential theft. For more information, visit the Duo Security website.
The following table lists the security events that the connector collects through the Duo Admin API, grouped by the Duo service or module they cover.

| Service or Module Covered | Event Types | Events Included |
|---|---|---|
| Authentication | Duo admin logged in; two-factor authentication (2FA) success or failure from Duo factors such as U2F token, Duo Push, and SMS refresh | Authentication or 2FA events from the supported Duo factors |
| Active Directory Sync | AD sync started, completed, configuration downloaded | Events related to the Active Directory sync module in Duo |
| Azure Integration | Azure directory created, modified, or deleted; Azure directory sync started or completed | Events related to the Azure directory integration in Duo |
| Admin Management | Admin added or deleted; admin updated | Events related to admin account management in the Duo app |
| Bypass Codes Management | Bypass code created or deleted | Events related to bypass code management and configuration in the Duo app |
| Customers Management | Child customer created or removed; customer added or removed | Events related to customer management in the Duo app |
| Directory Management | Directory added, deleted, or modified; directory group updated | Events related to Duo directory management |
| Duo Edition and Features | Edition updated; feature added or deleted | Events related to Duo app edition and feature management |
| Group Management | Group added, deleted, or updated | Events related to Duo group management |
| Integrated Application | Integrated app added, removed, or updated | Events related to Duo integrated applications |
| Application Policies | App policy added or removed; application group policy added, removed, or updated; application policy assigned or unassigned | Events related to Duo app policy management |
| App Users Management | User added or removed; user imported; user marked for deletion; deleted user restored | Events related to user management in the Duo apps |
| Tokens and Enrollment | Enrollment code sent; U2F token created or deleted; user bulk enrollment; bulk mobile activation sent | Events related to U2F tokens and enrollment of devices |
| Phones | Phone added, deleted, or modified; phone associated or disassociated | Events related to users' phone management activities |
| Telephony Verification Logs | SMS and phone verification events | Phone factor authentication related events |
To configure the Duo Security connector to import data into the Exabeam Cloud Connector platform:
1. Complete the Prerequisites to Configure the Duo Security Cloud Connector.
2. Log in to the Exabeam Cloud Connectors platform with your registered credentials.
3. Navigate to Settings > Accounts > Add Account.
4. Click Select Service to Add, then select Duo from the list.
5. In the Accounts section, enter the required information. Required fields are indicated with a red bar.
   - Account Name - A name for the Duo Security connector. For example, Duo_Security_MFA.
   - Description - (Optional) A description of the Duo Security connector. For example, Duo SaaS application for access security to protect users, data, and applications.
   - API Hostname - The API hostname that you obtained while completing the prerequisites. For example: api-4ef336ee.duosecurity.com
   - Integration Key - The integration key that you obtained while completing the prerequisites. For example: DIMMTT229W44DZMQCHIW
   - Secret Key - The secret key that you obtained while completing the prerequisites. For example: NqCCQjf33O22GGkkmmCk99cVVIGGaZ0t1dbpkeBM
6. To confirm that the Exabeam Cloud Connector platform can communicate with the service, click Test Connection.
7. Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.
8. To ensure that the connector is ready to send and collect data, start the connector and check that its status shows OK.