By bringing the logs from Duo’s cloud-based two-factor authentication services to LimaCharlie, companies can increase their visibility into the environment, meet compliance requirements and identify security risks.

Duo Sensor collects two types of Duo logs:

  • Authentication Logs provide visibility into where and how users authenticate, including usernames, location, time, type of authentication factor, and more. This lets you establish what normal behavior looks like and identify potentially abnormal activity.

  • Administrator Logs track the username, time, and type of administrator activity, including group, user, integration, and device management. This allows you to track admin changes and identify suspicious activity.

Note that Duo is a usage-based sensor.

To get started, you will first need to obtain the integration key, secret key, and API hostname from your Duo account. Follow Duo's instructions to obtain them.

After the Duo part of the setup is complete, navigate to the Sensors page in the LimaCharlie web app and click Add Sensor. From the list of Sensors, select Duo.

Select or create an installation key.

Download the executable for your architecture.

Set the ingestion method to Duo Admin API.

Give a unique name to this sensor (the name that will be displayed on the Sensors view).

Then, provide the integration key, secret key, and API hostname for the Admin API from your Duo account.

When complete, run the adapter with the command line copied from the web app.
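An added example, not part of the original article and not LimaCharlie's or Duo's own code: a small triage pass over authentication log records of the kind this sensor ingests, flagging the abnormal activity described above. The field names (`result`, `user.name`, `access_device.location.country`, `timestamp`) are assumed to follow Duo's Admin API v2 authentication log format; the events, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

def sample_event(ts, user, result, country):
    # Constructed record shaped like a Duo v2 authentication log entry
    # (field names are an assumption; confirm against your own events).
    return {"timestamp": ts, "user": {"name": user}, "factor": "duo_push",
            "result": result, "access_device": {"location": {"country": country}}}

SAMPLE = [
    sample_event(1700000000, "alice", "success", "United States"),
    sample_event(1700000100, "bob", "denied", "United States"),
    sample_event(1700000130, "bob", "denied", "United States"),
    sample_event(1700000160, "bob", "denied", "United States"),
    sample_event(1700000200, "bob", "success", "United States"),
    sample_event(1700000300, "carol", "fraud", "United States"),
    sample_event(1700003600, "alice", "success", "Germany"),
]

def triage(events, deny_threshold=3, window=600):
    """Return (timestamp, user, finding) tuples for suspicious logins."""
    findings = []
    denied = defaultdict(list)    # user -> timestamps of denied attempts
    countries = defaultdict(set)  # user -> countries seen on successes
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts, user, result = ev["timestamp"], ev["user"]["name"], ev.get("result")
        device = ev.get("access_device") or {}
        country = (device.get("location") or {}).get("country")
        if result == "fraud":
            # The user explicitly reported a prompt they did not initiate.
            findings.append((ts, user, "user reported fraud"))
        elif result == "denied":
            denied[user].append(ts)
        elif result == "success":
            # Several denials shortly before an approval can indicate
            # repeated prompting until the user gives in.
            recent = [t for t in denied[user] if ts - t <= window]
            if len(recent) >= deny_threshold:
                findings.append((ts, user, f"success after {len(recent)} denials"))
            denied[user].clear()
            # First sighting only builds the baseline; later changes are flagged.
            if country and countries[user] and country not in countries[user]:
                findings.append((ts, user, f"new country: {country}"))
            if country:
                countries[user].add(country)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The threshold and window are starting points to tune against your own baseline of normal authentication behavior.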
