
Cisco Duo

API

You must have the Identity integrations license pack to use this feature.

You can integrate Duo with Sophos Central so that it sends data about users' authentication attempts to Sophos for analysis.

This is an API-based integration. You must get the details of Duo's Admin API (integration key, secret key and hostname) and change permissions in Duo.

The key steps are as follows:

  • Get details from Duo.
  • Configure an integration in Sophos Central.

Get details from Duo

To get the Duo details you need for integration, do as follows:

  1. Sign in to the Duo Admin Panel and go to Applications.
  2. Click Protect an Application and find Admin API in the list.
  3. Click Protect and save the integration key, secret key and hostname to use later in Sophos Central.
  4. Set the Permission to Grant read log.

Next, you configure an integration in Sophos Central.

Configure an integration

To integrate Duo with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Cisco Duo.

    The Cisco Duo page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, do as follows:

    1. Enter the Integration name and Integration description.
    2. Enter the Hostname, Secret key, and Integration key you got from Duo.

      The hostname must be of the form api-xxxxxxxx.duosecurity.com. Don't add https:// to the front of the URL.

  5. Click Save.

We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.
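
A pre-flight check you can run before entering the values in Sophos Central, as an added example (not Sophos or Duo code): it validates the hostname form required above and builds a signed, read-only request to Duo's authentication log endpoint. The eight-character hostname pattern, the HMAC-SHA1 signing scheme and the /admin/v2/logs/authentication path are assumptions based on Duo's Admin API documentation; check them against the current Duo docs.

```python
import base64
import email.utils
import hashlib
import hmac
import re
import urllib.parse

# Form given on the page: api-xxxxxxxx.duosecurity.com, no scheme.
# Assumption: the eight x's are lowercase letters or digits.
HOST_RE = re.compile(r"api-[0-9a-z]{8}\.duosecurity\.com")
LOG_PATH = "/admin/v2/logs/authentication"  # assumption: needs "Grant read log"


def check_hostname(value):
    """Return the normalised hostname, or raise ValueError if malformed."""
    host = value.strip().lower()
    if "://" in host:
        raise ValueError("remove the scheme (https://) from the hostname")
    if not HOST_RE.fullmatch(host):
        raise ValueError("expected api-xxxxxxxx.duosecurity.com, got %r" % value)
    return host


def sign_request(ikey, skey, host, method, path, params, date=None):
    """Build the Date and Authorization headers for one Admin API call."""
    date = date or email.utils.formatdate()
    query = "&".join(
        "%s=%s" % (urllib.parse.quote(k, "~"), urllib.parse.quote(str(v), "~"))
        for k, v in sorted(params.items())
    )
    # Canonical request: date, method, host, path and sorted query, one per line.
    canon = "\n".join([date, method.upper(), host, path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}


def preflight_request(ikey, skey, hostname, now_ms, date=None):
    """Return (url, headers) for a read-only query of the last hour of logs."""
    host = check_hostname(hostname)
    params = {"mintime": now_ms - 3_600_000, "maxtime": now_ms, "limit": 1}
    headers = sign_request(ikey, skey, host, "GET", LOG_PATH, params, date)
    query = urllib.parse.urlencode(sorted(params.items()))
    return "https://%s%s?%s" % (host, LOG_PATH, query), headers
```

Send the returned URL and headers with any HTTP client; a successful response confirms the keys and the Grant read log permission before you enter them in Sophos Central.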
