Cisco DUO Connector Issue in Microsoft Sentinel - NETSEC


Cybersecurity Memo

Monday, May 13, 2024

Cisco DUO Connector Issue in Microsoft Sentinel

It is not that easy to deploy the built-in Cisco Duo connector to your Sentinel environment.

Although there is a one-click button to deploy to Azure, followed by a guide to enter all related parameters, you might still not receive any logs.
 


Cisco DUO Connector Deployment


Deployment Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the data connector using an ARM Template.

  1. Click the Deploy to Azure button below.


  2. Select the preferred Subscription, Resource Group and Location.

  3. Enter the Cisco Duo Integration Key, Cisco Duo Secret Key, Cisco Duo API Hostname, Cisco Duo Log Types, Microsoft Sentinel Workspace Id, Microsoft Sentinel Shared Key

  4. Mark the checkbox labeled I agree to the terms and conditions stated above.

  5. Click Purchase to deploy.


Deployment Option 2 - Manual Deployment of Azure Functions

STEP 1 - Obtaining Cisco Duo Admin API credentials

  1. Follow the instructions to obtain the integration key, secret key, and API hostname. Select the Grant read log permission in the 4th step of the instructions.

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).

  1. Download the Azure Function App file. Extract the archive to your local development computer.
  2. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode.
  3. After successful deployment of the function app, follow the next steps to configure it:
     1. In the Function App, select the Function App Name and select Configuration.
     2. In the Application settings tab, select + New application setting.
     3. Add each of the following application settings individually, with their respective string values (case-sensitive):
        CISCO_DUO_INTEGRATION_KEY
        CISCO_DUO_SECRET_KEY
        CISCO_DUO_API_HOSTNAME
        CISCO_DUO_LOG_TYPES
        WORKSPACE_ID
        SHARED_KEY
        logAnalyticsUri (Optional)
        • Use logAnalyticsUri to override the Log Analytics API endpoint for a dedicated cloud. For example, for the public cloud, leave the value empty; for the Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us.
     4. Once all application settings have been entered, click Save.

Issue


After deployment, you will be able to find this Function App:



The issue is that, even with all settings required by the configuration page in place, the logs still do not get ingested into Sentinel.

After looking into the function monitor logs, you will find the following error:
"
Result: Failure
Exception: RuntimeError: Received 403 Access forbidden
Stack:
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 604, in _handle__invocation_request
    call_result = await self._loop.run_in_executor(
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 933, in _run_sync_func
    return ExtensionManager.get_sync_invocation_wrapper(context,
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper
    result = function(**args)
  File "/home/site/wwwroot/AzureFunctionCiscoDuo/main.py", line 57, in main
    process_trust_monitor_events(admin_api, state_manager=state_manager, sentinel=sentinel)
  File "/home/site/wwwroot/AzureFunctionCiscoDuo/main.py", line 117, in process_trust_monitor_events
    for event in admin_api.get_trust_monitor_events_iterator(mintime=mintime, maxtime=maxtime):
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 441, in json_cursor_api_call
    (response, metadata) = self.parse_json_response_and_metadata(
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 482, in parse_json_response_and_metadata
    raise_error('Received %s %s' % (
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 468, in raise_error
    raise error
"




Checking the Function App error:



Cause & Solution

After a quick Google search, and based on this post:
  • https://techcommunity.microsoft.com/t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298

The cause of this issue is that not all log types are supported by our environment; the stack trace shows the 403 is returned while the function reads the trust_monitor log.

The default configuration for the log types is: trust_monitor,authentication,administrator,telephony,offline_enrollment

After removing trust_monitor from CISCO_DUO_LOG_TYPES, the function executes successfully.
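A pre-flight check for the CISCO_DUO_LOG_TYPES setting, added here as an example that is not part of the original post or of Microsoft's connector code: it calls each Duo Admin API log endpoint once over a short window and drops any log type the account cannot read (the 403 seen above), so the value you save only lists logs the tenant can actually ingest. The duo_client method names and the FakeDuoAdmin stub are assumptions.

```python
import time

# Default value shown on the connector's configuration page.
DEFAULT_LOG_TYPES = "trust_monitor,authentication,administrator,telephony,offline_enrollment"


def build_probes(admin_api, mintime_ms, maxtime_ms):
    """Map each log type to a zero-argument call reading one page of that log.
    Method names follow duo_client.Admin (assumption: duo_client 4.x); the
    trust_monitor probe is the same iterator the failing function called."""
    mintime_s = mintime_ms // 1000  # v1 log endpoints take seconds, not ms
    return {
        "trust_monitor": lambda: next(admin_api.get_trust_monitor_events_iterator(
            mintime=mintime_ms, maxtime=maxtime_ms), None),
        "authentication": lambda: admin_api.get_authentication_log(
            api_version=2, mintime=mintime_ms, maxtime=maxtime_ms, limit=1),
        "administrator": lambda: admin_api.get_administrator_log(mintime=mintime_s),
        "telephony": lambda: admin_api.get_telephony_log(mintime=mintime_s),
        "offline_enrollment": lambda: admin_api.get_offline_log(mintime=mintime_s),
    }


def probe_log_types(probes, log_types):
    """Try every type in a CISCO_DUO_LOG_TYPES string; return (supported, rejected).
    duo_client raises RuntimeError('Received 403 Access forbidden') for a log the
    account cannot read, which is the exception in the Function App trace."""
    supported, rejected = [], {}
    for log_type in [t.strip() for t in log_types.split(",") if t.strip()]:
        probe = probes.get(log_type)
        if probe is None:
            rejected[log_type] = "unknown log type"
            continue
        try:
            probe()
            supported.append(log_type)
        except RuntimeError as exc:
            rejected[log_type] = str(exc)
    return supported, rejected


class FakeDuoAdmin:
    """Constructed stand-in for duo_client.Admin: an account without Trust Monitor."""
    def get_trust_monitor_events_iterator(self, mintime, maxtime):
        raise RuntimeError("Received 403 Access forbidden")
        yield  # unreachable; makes this a generator like the real method
    def get_authentication_log(self, **kw): return {"authlogs": []}
    def get_administrator_log(self, mintime=0): return []
    def get_telephony_log(self, mintime=0): return []
    def get_offline_log(self, mintime=0): return []


def check_account(admin_api, log_types=DEFAULT_LOG_TYPES, now_ms=None):
    """One-call entry point: returns the CISCO_DUO_LOG_TYPES value to save."""
    now_ms = now_ms or int(time.time() * 1000)
    ok, _ = probe_log_types(build_probes(admin_api, now_ms - 3_600_000, now_ms), log_types)
    return ",".join(ok)
```

Against a real tenant, pass `duo_client.Admin(ikey=..., skey=..., host=...)` built from the three CISCO_DUO_* settings in place of `FakeDuoAdmin()`.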




Issue Fixed

 




Logs are coming in



