Deploying the built-in Sentinel connector to your Sentinel environment is not as easy as it looks.
Although there is a one-click Deploy to Azure button and a guide for entering all the related parameters, you might still not receive any logs.
Cisco DUO Connector Deployment
Use this method for automated deployment of the data connector using an ARM Template.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group and Location.
Enter the Cisco Duo Integration Key, Cisco Duo Secret Key, Cisco Duo API Hostname, Cisco Duo Log Types, Microsoft Sentinel Workspace Id, and Microsoft Sentinel Shared Key.
Mark the checkbox labeled I agree to the terms and conditions stated above.
Click Purchase to deploy.
STEP 1 - Obtaining Cisco Duo Admin API credentials
- Follow the instructions to obtain integration key, secret key, and API hostname. Use Grant read log permission in the 4th step of the instructions.
STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function
Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).
- Download the Azure Function App file. Extract archive to your local development computer.
- Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode.
- After successful deployment of the function app, follow next steps for configuring it.
- In the Function App, select the Function App Name and select Configuration.
- In the Application settings tab, select + New application setting.
- Add each of the following application settings individually, with their respective string values (case-sensitive):
CISCO_DUO_INTEGRATION_KEY
CISCO_DUO_SECRET_KEY
CISCO_DUO_API_HOSTNAME
CISCO_DUO_LOG_TYPES
WORKSPACE_ID
SHARED_KEY
logAnalyticsUri (Optional)
- Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us
- Once all application settings have been entered, click Save.
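A check that can be run over the application settings listed above before clicking Save. This is an added example, not part of the connector or the original post. The function name, the GUID, base64 and URI shape checks, and the sample values are assumptions constructed for illustration.

```python
import base64
import re

# Setting names from the connector instructions above; they are case-sensitive.
REQUIRED = ["CISCO_DUO_INTEGRATION_KEY", "CISCO_DUO_SECRET_KEY", "CISCO_DUO_API_HOSTNAME",
            "CISCO_DUO_LOG_TYPES", "WORKSPACE_ID", "SHARED_KEY"]
OPTIONAL = ["logAnalyticsUri"]
# Assumed value shapes: workspace ID as a GUID, URI generalized from the GovUS example.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
URI_RE = re.compile(r"https://[\w\-]+\.ods\.opinsights\.azure\.[a-zA-Z.]+")


def check_settings(settings):
    """Return a list of problems found in a dict of Function App settings."""
    problems = []
    by_lower = {k.lower(): k for k in settings}
    for name in REQUIRED + OPTIONAL:
        actual = by_lower.get(name.lower())
        if actual is not None and actual != name:
            problems.append(f"{actual}: wrong case, expected {name}")
    for name in REQUIRED:
        value = settings.get(name, "")
        if not value:
            problems.append(f"{name}: missing or empty")
        elif value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    host = settings.get("CISCO_DUO_API_HOSTNAME", "").strip()
    if "/" in host:
        problems.append("CISCO_DUO_API_HOSTNAME: hostname only, no scheme or path")
    workspace = settings.get("WORKSPACE_ID", "").strip()
    if workspace and not GUID_RE.fullmatch(workspace):
        problems.append("WORKSPACE_ID: not a GUID")
    try:
        base64.b64decode(settings.get("SHARED_KEY", "").strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        problems.append("SHARED_KEY: not valid base64")
    uri = settings.get("logAnalyticsUri", "").strip()
    if uri and not URI_RE.fullmatch(uri):
        problems.append("logAnalyticsUri: expected https://WORKSPACE_ID.ods.opinsights.azure.<suffix>")
    return problems


# Constructed sample with typical entry mistakes (placeholder values, not real credentials).
SAMPLE = {"CISCO_DUO_INTEGRATION_KEY": "DIXXXXXXXXXXXXXXXXXX", "CISCO_DUO_SECRET_KEY": "X" * 40,
          "CISCO_DUO_API_HOSTNAME": "https://api-XXXXXXXX.duosecurity.com",
          "CISCO_DUO_LOG_TYPES": "authentication", "SHARED_KEY": "not base64!",
          "Workspace_Id": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    print("\n".join(check_settings(SAMPLE)))
```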
Issue
Cause & Solution
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298