Cisco DUO Connector Issue in Azure Sentinel

It is not that easy to deploy built-in Cisco Duo Data Connector to your Sentinel environment. I have met quite a few problems during this log source onboarding.

Although there is a one-click button to deploy to Azure, and ever there is an official guide to enter all realted parameters, you might still not able to receve any logs. 
 

Cisco DUO Configuration

1. Log in to the Duo Admin Panel and navigate to ‘Applications’.
2. Click ‘Protect an Application’ and locate the entry for ‘Admin API’ in the applications list.
3. Click ‘Protect’ to the far-right to configure the application and get your Integration Key, Secret Key and API Hostname.
   Grant ‘Grant read log’ permissions to the Admin API application.  The Admin API application can read authentication, offline access, telephony, and administrator action log information.

Cisco DUO Connector Deployment

Deployment Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the data connector using an ARM Template.

1. Click the Deploy to Azure button below.

   

2. Select the preferred Subscription, Resource Group and Location.

3. Enter the Cisco Duo Integration Key, Cisco Duo Secret Key, Cisco Duo API Hostname, Cisco Duo Log Types, Microsoft Sentinel Workspace Id, Microsoft Sentinel Shared Key

4. Mark the checkbox labeled I agree to the terms and conditions stated above.

5. Click Purchase to deploy.

Deployment  Option 2 - Manual Deployment of Azure Functions

STEP 1 - Obtaining Cisco Duo Admin API credentials

1. Follow the instructions to obtain integration key, secret key, and API hostname. Use Grant read log permission in the 4th step of the instructions.

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).

1. Download the Azure Function App file. Extract archive to your local development computer.
2. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode.
3. After successful deployment of the function app, follow next steps for configuring it.

1. In the Function App, select the Function App Name and select Configuration.
2. In the Application settings tab, select + New application setting.
3. Add each of the following application settings individually, with their respective string values (case-sensitive):
   CISCO_DUO_INTEGRATION_KEY: DIA1WDCCQJEBN7U8U7UC
   CISCO_DUO_SECRET_KEY: 0mhns1TpZ3eNiCGsoDj5mVc0P7UU6YrdIesgYdEO
   CISCO_DUO_API_HOSTNAME: 
   api-09555d31.duosecurity.com
   
   CISCO_DUO_LOG_TYPES: authentication,administrator,telephony,offline_enrollment,activity
   WORKSPACE_ID: 2d194fc2-6aab-3c1d-a46f-73d4cb1fc067
   SHARED_KEY: wHViqPYuQAB8VTUcmsuOYFL666CwIdUDQZ4P7wvy+6wKTmM1PrBzcBn6w6wNDTcse9JyHE5UbqiJmvbqsvA+nw==
   logAnalyticsUri (Optional)

• Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us.

4. Once all application settings have been entered, click Save.

Issue

After deployment, you will be able to find this Function App:

searching function app:

The issue is, even with all settings required by configuration page, the logs are still not able to ingest into Sentinel. 

After looking into the function monitor logs, you will find out following errors:

"

Result: Failure Exception: RuntimeError: Received 403 Access forbidden Stack: File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/

dispatcher.py

", line 604, in _handle__invocation_request call_result = await self._

loop.run

_in_executor( File "/usr/local/lib/python3.8/concurrent/futures/

thread.py

", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/

dispatcher.py

", line 933, in _run_sync_func return ExtensionManager.get_sync_invocation_wrapper(context, File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/

extension.py

", line 215, in _raw_invocation_wrapper result = function(**args) File "/home/site/wwwroot/AzureFunctionCiscoDuo/

main.py

", line 57, in main process_trust_monitor_events(admin_api, state_manager=state_manager, sentinel=sentinel) File "/home/site/wwwroot/AzureFunctionCiscoDuo/

main.py

", line 117, in process_trust_monitor_events for event in admin_api.get_trust_monitor_events_iterator(mintime=mintime, maxtime=maxtime): File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/

client.py

", line 441, in json_cursor_api_call (response, metadata) = self.parse_json_response_and_metadata( File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/

client.py

", line 482, in parse_json_response_and_metadata raise_error('Received %s %s' % ( File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/

client.py

", line 468, in raise_error raise error

"

Checking Fuction APP error:

Cause & Solution

After a quick google and based on this post:

• https://
  techcommunity.microsoft.com
  /t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298

The cause of this issue is because of not all log types supported by our environment. 

Default configuration for the log types is: trust_monitor,authentication,administrator,telephony,offline_enrollment

After removed trust_monitor, the function can be executed successfully.

Issue Fixed

 

Log is coming

References