You must have the Identity integrations license pack to use this feature.
You can integrate Duo with Sophos Central so that it sends data about users' authentication attempts to Sophos for analysis.
This is an API-based integration. You must get details of Duo's Admin API (integration key, secret key and hostname), and change permissions in Duo.
The key steps are as follows:
- Get details from Duo.
- Configure an integration in Sophos Central.
Get details from Duo
To get the Duo details you need for integration, do as follows:
- Sign in to the Duo Admin Panel and go to Applications.
- Click Protect an Application and find Admin API in the list.
- Click Protect and save the integration key, secret key and hostname to use later in Sophos Central.
- Set the Permission to Grant read log.
Next, you configure an integration in Sophos Central.
Configure an integration
To integrate Duo with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click Cisco Duo.
  The Cisco Duo page opens. You can configure integrations here and see a list of any you've already configured.
- In Data Ingest (Security Alerts), click Add Configuration.
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
- In Integration steps, do as follows:
  - Enter the Integration name and Integration description.
  - Enter the Hostname, Secret key, and Integration key you got from Duo.
    The hostname must be of the form api-xxxxxxxx.duosecurity.com. Don't add https:// to the front of the URL.
We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.
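Before pasting the Duo values into Sophos Central, you can check them locally. The following is an added example, not Sophos or Duo code: it checks the hostname form described above and builds the signed headers for Duo's Admin API authentication-log endpoint, which the Grant read log permission covers. The credentials, the hostname and the reading of the eight x's as lowercase letters or digits are assumptions made for this example.

```python
import base64, email.utils, hashlib, hmac, re, urllib.parse

# Pattern taken from the page's "api-xxxxxxxx.duosecurity.com"; treating the
# eight x's as lowercase letters/digits is an assumption of this example.
HOST_RE = re.compile(r"api-[0-9a-z]{8}\.duosecurity\.com")

def check_hostname(value):
    """Return the hostname if it has the form the page requires, else raise."""
    host = value.strip().lower()
    if "://" in host or "/" in host:
        raise ValueError("enter the bare hostname, without https:// or a path")
    if not HOST_RE.fullmatch(host):
        raise ValueError("expected api-xxxxxxxx.duosecurity.com")
    return host

def canonical_request(date, method, host, path, params):
    """Build the string Duo signs: date, method, host, path, sorted params."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])

def signed_headers(ikey, skey, host, path, params, method="GET", date=None):
    """Return Date and Authorization headers for a Duo Admin API call."""
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params)
    # HMAC-SHA1 over the canonical request, keyed with the secret key.
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

if __name__ == "__main__":
    # Constructed placeholder values; replace with the ones saved from Duo.
    host = check_hostname("api-0a1b2c3d.duosecurity.com")
    params = {"mintime": "1700000000000", "maxtime": "1700003600000", "limit": "1"}
    print(signed_headers("DIEXAMPLEIKEY", "example-secret", host,
                         "/admin/v2/logs/authentication", params))
```

The script only builds the headers and sends nothing; keep the secret key out of shell history and source control when you substitute real values.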