Integrate Cisco Duo with Red Canary

Before you start the Duo integration, please make sure the following requirements are met.

• You have a Cisco Duo administrator account with the Owner role

• You’re licensed for one of the following Cisco Duo editions:

  • Duo Essentials

  • Duo Advantage

  • Duo Premier

Note that for Trust Monitor alerts, you need the Advantage or Premier edition. For more information about Duo licensing, see Cisco’s Editions and Pricing page.

The first step is to add the new integration in Red Canary.

1. From your Red Canary homepage, go to the Integrations page then click Add Integration.
   

2. On the Add integration dialog, search for the Cisco Duo integration then click Configure.
   

3. On the configuration page, enter a name for the integration.
   
   If you don’t supply a name, the API hostname value will be used by default.

In order to feed the necessary logs and alerts to Red Canary, you need to set up an Admin API application in your Duo environment.

1. Sign in to your Duo Admin Panel as an Administrator with Owner access.

2. Go to Applications > Manage > Application Catalog.
   

3. Use the filter bar to locate the Admin API application then click Add.
   

4. Give the application a unique name and copy the Integration key, Secret key, and API hostname values from the Details section. You’ll enter them into Red Canary later.
   

5. In the Settings section, give the application the following permissions:

   • Grant read log

   • Grant resource - Read

   • Grant resource - Write

   See the FAQ section for an explanation of these permissions and why Red Canary needs them.

   

6. Click Save Changes.

Once you’ve configured the Duo application, enter the copied credentials into Red Canary.

1. In the Record the API credentials section, enter the Integration key, Secret key, and API hostname from the Duo Admin API application.
   

1. In the Configure permissions for the API credentials section, check the I’ve configured the permissions box. (This confirms that you’ve completed the Configure a Duo Admin API Application steps above.)
   

2. Optional: Under the Advanced Configuration dropdown:

   • Deselect Ingest Trust Monitor alerts if you don’t have Cisco Duo’s Advantage or Premier Edition, or if you don’t want Red Canary to ingest your Trust Monitor alerts.

   • Exclude selected Cisco Duo identity groups from being counted as monitored identities. Note that excluded groups and identities may still be included in investigations and threats, but will not be included in the MDR Identities count on the License Usage page.

3. Click Save to activate the integration.

   The Cisco Duo integration is now live!

   You should start to see Duo data being ingested on your Red Canary dashboard within 24 hours.

Once the integration is active, there are no routine maintenance tasks to perform. However, you’ll need to modify the configuration if you want to delete the integration.

To modify the configuration:

1. From your Red Canary homepage, go to the Integrations page then click on the name of the integration you want to modify.
   

Deleting the Integration

To remove the integration from Red Canary, click the button then click OK to confirm.

Important

If you delete the integration, no new alerts will be sent to Red Canary and all processed alerts will be deleted. This action cannot be undone.