Overview
Duo Security is a cloud-based access security provider that offers multi-factor authentication (MFA), endpoint security, and remote access solutions to protect users and their devices against unauthorized access and cyber threats. It is designed to ensure that only authorized users and secure devices can access applications and data, regardless of where the applications or users are located.
Duo collector migration guide
This guide will walk you through the process of updating your configuration from versions <2.0.0 to version 2.0.0. This version introduces significant improvements and changes to the configuration style to enhance performance, usability, and security.
Version 2.0.0 is incompatible with previous versions. The new version needs some adjustments to the configuration file to ensure a smooth migration process. The following sections will guide you through the necessary steps to update your configuration.
Preparing for migration
Before starting the migration process, we recommend the following steps:
Backup your current configuration: Make sure you have a backup of your existing configuration files to prevent any data loss.
Review the new configuration documentation: Familiarize yourself with the new configuration options available in version 2.0.0.
Migration steps
Step 1: Update credentials
An example of the old and new configuration is shown below:
# Old version (<2.0.0) account: ikey: 'NQ0XXXABC69XXXXYZI0F' skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT' hostname: 'api-1a2b3c4d.duosecurity.com'
# New version (2.0.0) credentials: integration_key: NQ0XXXABC69XXXXYZI0F secret_key: Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT hostname: api-1a2b3c4d.duosecurity.com
Step 2: Update start date
An example of the new configuration is shown below:
services: administrator: start_datetime_utc: "<start_datetime_utc_value>" authentication: start_datetime_utc: "<start_datetime_utc_value>" telephony: start_datetime_utc: "<start_datetime_utc_value>"
The <start_datetime_utc_value>
has the format "YYYY-MM-DDTHH:MM:SS.000Z"
. For example, a valid start_datetime_utc_value would be "2024-07-01T00:00:00.000Z"
.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Flattening pre-processing |
|
Allowed source events obfuscation |
|
Data source description
This collector extracts data from 3 log services available from Duo:
Administrator: Returns a list of administrator log events.
Authentication: Returns a paged list of authentication log events.
Telephony: Returns a list of telephony log events.
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Administrator | Returns a list of administrator log events. |
| administrator |
| v0.9 |
Authentication | Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two-minute delay in the availability of new authentications in the API response. Duo operates a large-scale distributed system, and this two-minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty. |
| authentication |
| v0.9 |
Telephony | Returns a list of telephony log events. |
| telephony |
| v0.9 |
API limits
Administrator:
Only the 1000 earliest events (maximum) will be returned with each page; the collector will be called multiple times to page through the entire log.
The recommended limit suggests requesting logs no more than once per minute.
Authentication:
Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.
The recommended limit suggests requesting logs no more than once per minute.
Telephony:
Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new telephony events in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.
The recommended limit suggests requesting logs no more than once per minute.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required for basic data pulling are below.
This minimum configuration refers exclusively to those specific parameters of this integration. Additional parameters related to the generic behavior of the collector are required. Check the setting sections for details.
Setting | Details |
---|---|
| The integration key is required to authenticate the requests. The integration key acts as the HTTP username |
| The secret key is required to authenticate the requests. The secret key acts as the HTTP password |
| The hostname is required to authenticate the requests. This is the URL for the different requests |
Accepted authentication methods
Authentication method | Details |
---|---|
| You will need your |
Vendor setup
You need the owner role to perform these steps. Learn more here.
Treat your secret key like a password
The security of your Duo application is tied to the security of your secret key (skey
). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Connectivity requirements
This application communicates with Duo's service on SSL TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337. Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).