Duo Security is a user-centric access security platform with two-factor authentication that protects access to sensitive data for all users, devices, and applications.

## Connecting Duo with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for Duo.
3. Click Details, then the + icon. Enter the required information in the following fields.

- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
- Remote Agent: Run this integration using the Devo SOAR Remote Agent.
- API Hostname: The API hostname used to connect to Duo.
- Integration Key: The integration key used to connect to Duo.
- Secret Key: The secret key used to connect to Duo.

4. After you've entered all the details, click Connect.
## Actions for Duo

## Get Authentication Logs

Retrieves a list of authentication log events.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| --- | --- | --- |
| Start Time | Enter the value for the start time in ISO 8601 format (default is Batch start time). Example: 2020-09-01T22:02:24-07:00. | Optional |
| End Time | Enter the value for the end time in ISO 8601 format (default is Batch end time). Example: 2020-09-02T22:02:24-07:00. | Optional |
| Maximum Results | The maximum number of records returned. Must be greater than zero (default is 100000). The API returns at most 1000 records per call, so a larger limit (for example 10,000) requires this action to make multiple API calls. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List of events.

```json
{
  "access_device": {
    "browser": "Chrome",
    "browser_version": "85.0.4183.102",
    "flash_version": null,
    "hostname": null,
    "ip": "10.177.127.101",
    "is_encryption_enabled": "unknown",
    "is_firewall_enabled": "unknown",
    "is_password_set": "unknown",
    "java_version": null,
    "location": {
      "city": "ddd",
      "country": "dd",
      "state": "ddddd"
    },
    "os": "Mac",
    "os_version": "15"
  },
  "alias": "unknown",
  "application": {
    "key": "DI4IPHM9IA46JVQNRYRQN0",
    "name": "portal"
  },
  "auth_device": {
    "ip": null,
    "location": {
      "city": null,
      "country": null,
      "state": null
    },
    "name": null
  },
  "email": null,
  "error": null,
  "event_type": "enrollment",
  "factor": "not_available",
  "has_error": false,
  "isotimestamp": "2020-10-06T16:07:11.555020+00:00",
  "ood_software": null,
  "reason": null,
  "result": "success",
  "timestamp": 1602000431,
  "txid": "771ac38f-7b77-4bfb-8822-d53f464964af1e",
  "user": {
    "groups": [],
    "key": "DU6V6DU9GQFD2R8W9D2U2G",
    "name": "aaaaa"
  }
}
```
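To show how a downstream playbook step might consume this action's output, here is an added Python example (not part of the Devo SOAR integration or of Duo's own code). It assumes the envelope described above (has_error, error, result as a list of events) with each event shaped like the example record, fails fast when has_error is set, and then triages the events: non-success results per user, users seen from more than one access-device IP, the number of enrollment events, and events whose isotimestamp and timestamp fields disagree. All sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of the action output envelope (has_error / error / result).
# Event fields follow the page's example record; the values are made up and include
# one failure burst from two IPs and one timestamp mismatch to exercise the checks.
SAMPLE_OUTPUT = {
    "has_error": False,
    "error": None,
    "result": [
        {"isotimestamp": "2020-10-06T16:07:11.555020+00:00", "timestamp": 1602000431,
         "event_type": "enrollment", "factor": "not_available", "result": "success",
         "user": {"name": "aaaaa"}, "access_device": {"ip": "10.177.127.101"}, "txid": "t1"},
        {"isotimestamp": "2020-10-06T16:09:00+00:00", "timestamp": 1602000540,
         "event_type": "authentication", "factor": "duo_push", "result": "denied",
         "user": {"name": "aaaaa"}, "access_device": {"ip": "10.177.127.101"}, "txid": "t2"},
        {"isotimestamp": "2020-10-06T16:09:30+00:00", "timestamp": 1602000570,
         "event_type": "authentication", "factor": "duo_push", "result": "denied",
         "user": {"name": "aaaaa"}, "access_device": {"ip": "198.51.100.7"}, "txid": "t3"},
        {"isotimestamp": "2020-10-06T16:10:00+00:00", "timestamp": 1602000000,  # constructed mismatch
         "event_type": "authentication", "factor": "sms", "result": "success",
         "user": {"name": "bbbbb"}, "access_device": {"ip": "10.0.0.5"}, "txid": "t4"},
    ],
}

def iso_to_epoch(iso):
    """ISO 8601 with UTC offset (the page's isotimestamp format) -> Unix seconds."""
    return int(datetime.fromisoformat(iso).timestamp())

def triage_auth_events(output):
    """Fail fast on the error envelope, then summarise the result list per user."""
    if output["has_error"]:
        raise RuntimeError(f"Duo action failed: {output['error']}")
    denied = defaultdict(int)    # non-success results per user
    ips = defaultdict(set)       # distinct access-device IPs per user
    bad_ts, enrollments = [], 0  # txids with inconsistent time fields; enrollment count
    for ev in output["result"]:
        user = ev["user"]["name"]
        ips[user].add(ev["access_device"]["ip"])
        enrollments += int(ev["event_type"] == "enrollment")
        if ev["result"] != "success":
            denied[user] += 1
        if iso_to_epoch(ev["isotimestamp"]) != ev["timestamp"]:
            bad_ts.append(ev["txid"])
    return {
        "denied": dict(denied),
        "multi_ip_users": sorted(u for u, s in ips.items() if len(s) > 1),
        "enrollments": enrollments,
        "timestamp_mismatch": bad_ts,
    }
```

The same envelope check applies to the administrator, telephony and offline enrollment actions below; only the per-event fields differ.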
## Get Administrator Logs

Retrieves a list of administrator log events.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| --- | --- | --- |
| Start Time | Enter the value for the start time in ISO 8601 format (default is Batch start time). Example: 2020-09-01T22:02:24-07:00. | Optional |
| End Time | Enter the value for the end time in ISO 8601 format (default is Batch end time). Example: 2020-09-02T22:02:24-07:00. | Optional |
| Maximum Results | The maximum number of records returned. Must be greater than zero (default is 100000). The API returns at most 1000 records per call, so a larger limit (for example 10,000) requires this action to make multiple API calls. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List of events.

```json
{
  "action": "integration_skey_view",
  "description": null,
  "error": null,
  "has_error": false,
  "isotimestamp": "2020-10-13T09:54:57+00:00",
  "object": "Admin API",
  "timestamp": 1602582897,
  "username": "ghhh bh"
}
```
## Get Telephony Logs

Retrieves a list of telephony log events.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| --- | --- | --- |
| Start Time | Enter the value for the start time in ISO 8601 format (default is Batch start time). Example: 2020-09-01T22:02:24-07:00. | Optional |
| End Time | Enter the value for the end time in ISO 8601 format (default is Batch end time). Example: 2020-09-02T22:02:24-07:00. | Optional |
| Maximum Results | The maximum number of records returned. Must be greater than zero (default is 100000). The API returns at most 1000 records per call, so a larger limit (for example 10,000) requires this action to make multiple API calls. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List of events.

```json
{
  "context": "administrator login",
  "credits": 5,
  "error": null,
  "has_error": false,
  "isotimestamp": "2020-10-05T13:51:00+00:00",
  "phone": "+167676655",
  "timestamp": 1601905860,
  "type": "sms"
}
```
## Get Offline Enrollment Logs

Returns a list of Duo Authentication for Windows Logon offline enrollment events.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| --- | --- | --- |
| Start Time | Enter the value for the start time in ISO 8601 format (default is Batch start time). Example: 2020-09-01T22:02:24-07:00. | Optional |
| End Time | Enter the value for the end time in ISO 8601 format (default is Batch end time). Example: 2020-09-02T22:02:24-07:00. | Optional |
| Maximum Results | The maximum number of records returned. Must be greater than zero (default is 100000). The API returns at most 1000 records per call, so a larger limit (for example 10,000) requires this action to make multiple API calls. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List of events.

```json
{
  "action": "o2fa_user_provisioned",
  "description": "{user_agent: DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server), hostname: WKSW10x64, factor: duo_otp}",
  "isotimestamp": "2019-08-30T16:10:05+00:00",
  "object": "Acme Laptop Windows Logon",
  "timestamp": 1567181405,
  "username": "narroway"
}
```
## Release Notes

### v2.0.0

- Updated architecture to support IO via filesystem