Duo is a multi-factor authentication (MFA) tool.
You can integrate it with Sophos Central so that it sends data about users' authentication attempts to the Sophos Data Lake.
This is an API-based integration. You must get details of Duo's Admin API (integration key, security key and hostname), and change permissions in Duo.
The key steps are as follows:
- Get details from Duo.
- Add an integration in Sophos Central.
Get details from Duo
To get the Duo details you need for integration, do as follows:
- Sign in to the Duo Admin Panel and go to Applications.
- Click Protect an Application and find Admin API in the list.
- Click Protect and save the integration key, secret key and hostname to use later in Sophos Central.
- Set the Permission to Grant read log.
Next you add an integration in Sophos Central.
Add an integration
To integrate Duo with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
Click Cisco Duo.
If you've already set up integrations of this type, you see them here.
In Integrations, click Add integration.
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
In Integration steps, do as follows:
- Enter the Integration name and Integration description.
Enter the Hostname, Secret key, and Integration key you got from Duo.
The hostname must be of the form
api-xxxxxxxx.duosecurity.com. Don't add
https://to the front of the URL.
We create the integration and it appears in your list.
If your integration shows as Connected, your data should appear in the Sophos Data Lake after validation.