Duo Integration

With the Duo integration for Perch, you can collect Duo events for review in the Perch SIEM. The Perch SOC will analyze your Duo events during the course of normal alert triaging. You can also visualize your Duo logs with custom reports, create custom event notifications, and store your Duo logs for as long as you like. Perch will pull all Duo event types available through the Duo API, which includes:

  • Administrator logs
  • Authentication logs
  • Endpoint logs - Duo Beyond and Duo Access plans only
  • Telephony logs

Enable Duo API

Log in to the Duo Admin Panel as an administrator with the ‘Owner’ role and navigate to Applications.

Click Protect an Application and locate Admin API in the applications list. Click Protect this Application.

If Admin API isn’t in the list or doesn’t appear when you search for it, you will need to enable Admin API for your account by contacting Duo Support. Once the Admin API is enabled, you may continue with Protect this Application.

Under the ‘Settings’ section for this application locate the ‘Permissions’ section and check the boxes next to Grant read information, Grant read log, and Grant read resource. These are the only permissions needed for the Perch integration to function. Do not check the boxes next to any other permissions. Save these settings.

Note:

You can optionally change the name of the Admin API application on the settings page to something that helps you remember this is for Perch.

You can view your API hostname, integration key, and secret key at the top of the new Admin API application’s page. You will need this information to set up your Perch integration with Duo.

Note:

Treat these three values as sensitive. Anyone who has all three can access the sensitive information within your Duo logs. Handle them as you would a password and do not share them over insecure channels.

Set Up the Duo-Perch Integration

Now that you’ve enabled the Duo Admin API and gotten your API hostname, integration key, and secret key, you are ready to set up the Duo integration in Perch.

Log in to Perch and navigate to Settings in the side navigation. You will need to enable the Duo integration in Perch by clicking ‘Install’.

Once installed, click on the right-facing chevron to enter the Duo integration settings page.

On the Duo integration settings page, enter your API hostname, integration key, and secret key. Save and test the credentials. After a successful test you can enable Duo log collection and Save again.

That’s it! Now that your setup is complete, Perch will begin collecting your Duo logs. The logs may take a few minutes to show up in the system, but you can check on integration health in the Integration Health section.

What can you do now?

Once you start seeing your Duo logs in Perch, you can:

  • Store your Duo logs for as long as you need
  • Search across Duo logs for all the accounts you have access to
  • Create custom reports with visualizations and dashboards
  • Export those reports as PDF or CSV
  • Get emails from or create alerts in Perch with the Event Notification system
  • Let the Perch SOC triage Duo data and escalate critical threats to your team
  • Create ConnectWise Manage tickets from Duo logs

Still having trouble? Reach out to one of our specialists at help@perchsecurity.com