If you're having trouble at any stage please contact us at firstname.lastname@example.org.
Duo Security verifies the identity of an organization's users with an additional two-factor authentication (2FA) step and checks the security health of their devices before they connect to the organization's applications.
Duo Security is delivered as a cloud service. It helps organizations move faster and more securely, with elastic scalability and lower cost for their application authentication needs. At the same time, the public-cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit trail of activity in the Duo Security account
- Retrieve the Duo Security account activities, such as users' access to protected applications, 2FA policies assigned to or unassigned from applications, visibility of phone-based 2FA steps, and more
- Make these granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for Duo Security is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from the multiple audit sources in the Duo Security account, unifies the events into a common application event format, enriches them with the context needed for detection, and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Duo Security retrieves the events from the Duo Security service through its APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application event format
- Embed the original (origin) event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
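The pipeline above, as an added worked example. This is illustrative code written for this page, not SkyFormation's connector or Duo's client library: the sample event is constructed to follow the field names of a Duo Admin API v2 authentication-log record (all values are made up), the AD lookup is a plain dict standing in for a directory query, the CEF signature IDs, names, severities and `csN` label choices are this example's own conventions, and the syslog collector address is assumed.

```python
"""Added example (not SkyFormation's or Duo's code): unify a Duo auth event,
embed the origin event, enrich it with AD identity context, encode as CEF
and frame it for syslog."""
import json
import re
import socket
import time

# Constructed sample shaped like a Duo Admin API v2 authentication-log record.
SAMPLE_DUO_AUTH_EVENT = {
    "txid": "00000000-0000-4000-8000-000000000001",
    "timestamp": 1600000000,
    "event_type": "authentication",
    "result": "denied",
    "reason": "user_marked_fraud",
    "factor": "duo_push",
    "user": {"name": "jdoe", "key": "DU0000000000000000AA", "groups": ["Finance"]},
    "application": {"name": "Corp VPN", "key": "DI0000000000000000AA"},
    "access_device": {"ip": "203.0.113.7", "browser": "Chrome", "os": "Windows",
                      "location": {"city": "Dublin", "country": "Ireland"}},
}

# Assumed stand-in for the AD identity lookup (a real connector would query AD).
AD_DIRECTORY = {"jdoe": {"mail": "jdoe@example.org", "department": "Finance"}}

# This example's own mapping of Duo result -> CEF severity (0-10).
SEVERITY = {"success": 3, "denied": 6, "fraud": 9}


def unify(duo_event):
    """Flatten the Duo event into one common record; keep the origin verbatim."""
    user = duo_event.get("user") or {}
    access = duo_event.get("access_device") or {}
    loc = access.get("location") or {}
    return {
        "ts": int(duo_event["timestamp"]),
        "action": "2fa_" + str(duo_event.get("result", "unknown")),
        "outcome": duo_event.get("result"),
        "reason": duo_event.get("reason"),
        "factor": duo_event.get("factor"),
        "user": user.get("name"),
        "app": (duo_event.get("application") or {}).get("name"),
        "src_ip": access.get("ip"),
        "src_geo": ", ".join(v for v in (loc.get("city"), loc.get("country")) if v),
        "origin": json.dumps(duo_event, sort_keys=True),  # embedded origin event
    }


def enrich_with_ad(record, directory=AD_DIRECTORY):
    """Complement the record with AD identity context when the user is known."""
    ad = directory.get(record.get("user") or "")
    if ad:
        record["ad_mail"] = ad.get("mail")
        record["ad_department"] = ad.get("department")
    return record


def cef_header(value):
    """CEF header fields must escape '|' and '\\'."""
    return re.sub(r"([|\\])", r"\\\1", str(value))


def cef_ext(value):
    """CEF extension values must escape '\\', '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(record):
    """Encode the unified record as one CEF:0 line."""
    sev = SEVERITY.get(record.get("outcome"), 5)
    name = "Duo 2FA %s via %s" % (record.get("outcome"), record.get("factor"))
    header = "|".join(cef_header(v) for v in (
        "CEF:0", "Duo", "Duo Security", "Admin API v2", record["action"], name, sev))
    ext = {  # rt is milliseconds since epoch, as CEF expects
        "rt": record["ts"] * 1000, "suser": record.get("user"), "src": record.get("src_ip"),
        "outcome": record.get("outcome"), "reason": record.get("reason"), "act": record["action"],
        "cs1Label": "factor", "cs1": record.get("factor"),
        "cs2Label": "application", "cs2": record.get("app"),
        "cs3Label": "srcGeo", "cs3": record.get("src_geo"),
        "cs4Label": "adDepartment", "cs4": record.get("ad_department"),
        "cs5Label": "originEvent", "cs5": record.get("origin"),
    }
    return header + "|" + " ".join("%s=%s" % (k, cef_ext(v)) for k, v in ext.items() if v is not None)


def to_syslog(msg, hostname="skyformation-connector", facility=20, severity=6):
    """RFC 3164 frame: <PRI>TIMESTAMP HOST MSG, where PRI = facility*8 + severity."""
    t = time.gmtime()
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    return "<%d>%s %s %s" % (facility * 8 + severity, stamp, hostname, msg)


def send_syslog(line, host="127.0.0.1", port=514):
    """Ship one framed line over UDP syslog to the assumed collector address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def process(duo_event):
    """Unify -> enrich -> encode, i.e. the connector's per-event path."""
    return to_cef(enrich_with_ad(unify(duo_event)))


if __name__ == "__main__":
    print(to_syslog(process(SAMPLE_DUO_AUTH_EVENT)))  # add send_syslog(...) to ship it
```

Two details matter for a SIEM parser: CEF escaping differs between header fields (only `|` and `\`) and extension values (`\`, `=`, newlines), and embedding the raw JSON as an extension value works only because that escaping is applied; skipping it would let a single `=` inside the origin event break the key/value parse downstream.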
Duo Security Audit Sources & Events Supported
| Audit Source (API) | Service/Module Covered | Event Types | Events Included |
| --- | --- | --- | --- |
| Authentication Logs | Authentication | Duo admin logged in; 2FA authentication success/failure from Duo factors such as U2F token, Duo Push, SMS refresh, etc. | Represents authentication/2FA events from the supported Duo factors |
| Administrator Logs | Active Directory Sync | AD sync started, completed, configuration downloaded, etc. | Represents events related to the Active Directory sync module in Duo |
| Administrator Logs | Azure Integration | Azure directory created/modified/deleted, Azure directory sync started/completed, etc. | Represents events related to the Azure directory integration in Duo |
| Administrator Logs | Admin Management | admin added/deleted, admin updated, etc. | Represents events related to admin account management in the Duo app |
| Administrator Logs | Bypass Codes Management | bypass code created/deleted, etc. | Represents events related to bypass code management and configuration in the Duo app |
| Administrator Logs | Customers Management | child customer created/removed, customer added/removed, etc. | Represents events related to customer management in the Duo app |
| Administrator Logs | Directory Management | directory added/deleted/modified, directory group updated, etc. | Represents events related to Duo directory management |
| Administrator Logs | Duo Edition & Features | edition updated, feature added/deleted, etc. | Represents events related to the Duo app edition and feature management |
| Administrator Logs | Group Management | group added/deleted/updated | Represents events related to Duo group management |
| Administrator Logs | Integrated Application | integrated app added/removed/updated, etc. | Represents events related to Duo integrated applications |
| Administrator Logs | Application Policies | app policy added/removed, application group policy added/removed/updated, application policy assigned/unassigned, etc. | Represents events related to Duo application policy management |
| Administrator Logs | App Users Management | user added/removed, user imported, user marked for deletion, deleted user restored, etc. | Represents events related to user management in Duo apps |
| Administrator Logs | Tokens & Enrollment | enroll code sent, U2F token created/deleted, user bulk enrollment, bulk mobile activation sent, etc. | Represents events related to U2F tokens and device enrollment |
| Administrator Logs | Phones | phone added/deleted/modified, phone associated/disassociated, etc. | Represents events related to management of users' phones |
| Telephony Logs | Telephony Verification Logs | SMS and phone verification events | Represents phone-factor authentication related events |
How to on-board Duo Security Connector to SkyFormation