
Cisco Duo integration

You can integrate Cisco Duo with Sophos Central so that it sends data about users' authentication attempts to Sophos for analysis.

This page gives you an overview of the integration.

Cisco Duo product overview

Cisco Duo's multi-factor authentication (MFA) solution is a cloud-based platform designed to confirm the identity of users before granting them access to applications. It does this by adding an additional layer of security, ensuring that users provide two or more verification methods to authenticate their identity.

Sophos documents

Integrate Cisco Duo

What we ingest

We ingest alerts where the reason is denied or fraud.

Sample alerts seen by Sophos:

  • deny_unenrolled_user
  • invalid_device
  • user_marked_fraud
  • country_code_mismatch

Alerts ingested in full

We ingest all alerts where the reason is denied or fraud.

For a full list of alerts, see the "reasons" section of the table in [Authentication logs](https://duo.com/docs/adminapi#authentication-logs).

We don't ingest alerts with the reason success, due to the high volume of successful login activity.

Filtering

We query the authentication logs endpoint. See Authentication logs.

We filter the results to confirm the format only.

Sample threat mappings

If the field "reason" is empty, we use the value of "event_type". Otherwise, we use the value of "reason". The mapping rule is: => isEmpty(fields.reason) ? fields.event_type : fields.reason

{"alertType": "touch_id_disabled", "threatId": "T1562.001", "threatName": "Disable or Modify Tools"}
{"alertType": "invalid_device", "threatId": "T1200", "threatName": "Hardware Additions"}
{"alertType": "anomalous_push", "threatId": "T1111", "threatName": "Two-Factor Authentication Interception"}
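The following is an added example, not Sophos's or Duo's own code, that applies the ingest rules described above (keep only denied or fraud results, derive the alert type from "reason" with "event_type" as the fallback, then look up the threat mapping) to a constructed set of Duo v2 authentication-log records; the record field subset and the sample values are assumptions.

```python
from typing import Optional

# Threat mappings quoted on this page; any other alertType is left unmapped.
THREAT_MAP = {
    "touch_id_disabled": ("T1562.001", "Disable or Modify Tools"),
    "invalid_device": ("T1200", "Hardware Additions"),
    "anomalous_push": ("T1111", "Two-Factor Authentication Interception"),
}

# Only results of denied or fraud are ingested; success is dropped for volume.
INGESTED_RESULTS = {"denied", "fraud"}


def alert_type(record: dict) -> str:
    """Mapping rule from the page: isEmpty(reason) ? event_type : reason."""
    reason = record.get("reason") or ""
    return reason if reason.strip() else record.get("event_type", "")


def ingest(records) -> list:
    """Return the alertType/threatId/threatName triple for each kept record."""
    out = []
    for rec in records:
        if rec.get("result") not in INGESTED_RESULTS:
            continue  # success (and anything else) is not ingested
        atype = alert_type(rec)
        tid, tname = THREAT_MAP.get(atype, (None, None))
        out.append({"alertType": atype, "threatId": tid, "threatName": tname})
    return out


# Constructed sample records (assumed subset of Duo v2 authentication-log fields).
SAMPLE = [
    {"result": "success", "reason": "user_approved", "event_type": "authentication"},
    {"result": "denied", "reason": "invalid_device", "event_type": "authentication"},
    {"result": "fraud", "reason": "user_marked_fraud", "event_type": "authentication"},
    {"result": "denied", "reason": "", "event_type": "enrollment"},
    {"result": "denied", "reason": "anomalous_push", "event_type": "authentication"},
]

if __name__ == "__main__":
    for alert in ingest(SAMPLE):
        print(alert)
```

Records whose alert type has no entry in the mapping table are still ingested, with the threat fields left empty, which mirrors the page's statement that all denied or fraud alerts are ingested even though only some have a sample mapping.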

Vendor documentation

Configure permissions and credentials

Note

The Duo API has a limit of 1 request per minute. We leave a 1 minute delay between paginated calls, but we have seen in the past that some customers used the same Duo credentials with other services (for example, Splunk), and those services were "stealing" the rate limit allowance, which resulted in multiple throttling (HTTP 429) failures. If that is the case, you need to use a unique set of credentials for each service.