What this integration is
This integration ingests Duo authentication and admin logs into your SOCFortress SIEM stack via the Duo Admin API. Vendor reference:- Duo Admin API overview: https://duo.com/docs/adminapi#overview
What data you get (high level)
- Authentication logs
- Telephony logs
- Administrator action logs
Prerequisites
- Duo Admin Panel access
- Owner role (required to create/modify Admin API applications)
Credentials you’ll need
From the Duo Admin Panel “Admin API” application:- Integration key
- Secret key
- API hostname
- Grant the Admin API application read log permissions at minimum.
CoPilot setup (recommended workflow)
- Provision the customer.
- Add the Duo integration under the customer.
- Paste the integration key/secret key/API hostname.
- Validate logs appear in the SIEM.
Security notes
Treat the Duo secret key like a password:- store it in a secure secrets manager
- rotate if exposure is suspected
Troubleshooting
- Confirm the Admin API application has the required permissions.
- Confirm the API hostname is correct for your Duo tenant.
- Check for clock drift on the collector (Duo auth is time-sensitive).