SOCFortress Integrations — Duo Security

SOCFortress
2 min read · Aug 22, 2023


Intro

SOCFortress integration and visualization tools let security analysts visualize and triage Duo Security (Auth) security events from a single pane of glass.

About Duo Security

Duo Security is a cybersecurity company that provides multi-factor authentication (MFA), endpoint security, and other related services to help organizations enhance their security posture and protect against cyber threats.

Duo Security’s solutions are widely used across industries to protect critical systems, applications, and data.

Duo Security’s flagship product, Duo Authentication, offers a comprehensive MFA solution that helps organizations ensure secure access to their digital systems and applications.

Some key features and offerings of Duo Security — Authentication include:

  • Multi-Factor Authentication (MFA): Duo’s MFA solution helps organizations implement strong authentication by requiring users to provide multiple factors of verification before accessing their accounts. This helps mitigate the risk of unauthorized access due to compromised passwords.
  • Two-Factor Authentication (2FA): Duo provides various 2FA methods, such as push notifications, SMS passcodes, phone callbacks, hardware tokens, and mobile app-generated codes, to add an extra layer of security to the login process.
  • Access Policies and Controls: Organizations can define access policies and controls through Duo’s platform. This allows them to set rules for different user groups, applications, and devices, enabling fine-grained security settings.
  • Adaptive Authentication: Duo’s adaptive authentication feature assesses the risk level of each login attempt based on various factors such as device, location, and user behavior. It then adapts the authentication requirements accordingly, requesting additional factors only when necessary.
  • Integration: Duo Security can integrate with a wide range of applications, platforms, and services, making it versatile and compatible with existing IT infrastructures.

Ingesting Duo Authentication Events

Reference: https://github.com/duosecurity/duo_client_python

Duo provides a Python client and a Flask app suite that can be leveraged to connect to Duo’s API and stream the authentication events into Wazuh’s socket/queue.

Wazuh detection rules matching the relevant metadata allow events to be displayed by type, access device, authentication device, etc.
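The following is an added example (not code from the post or from the duo_client repository) of the ingestion step described above: it takes a Duo Admin API v2 authentication-log record, wraps it in the `1:<location>:<json>` message form Wazuh's local queue accepts, and flags the failed authentications the dashboards chart. The sample record, the socket path and the `fetch_recent_authlogs` parameters are assumptions to verify against your Wazuh version and the client's documentation.

```python
import json
import socket

# Wazuh's local event queue on a manager/agent (assumed path; check your install).
WAZUH_QUEUE = "/var/ossec/queue/sockets/queue"

# Constructed sample of one Duo Admin API v2 auth-log record (not real data).
SAMPLE_EVENT = {
    "event_type": "authentication",
    "result": "denied",
    "reason": "user_mistake",
    "factor": "duo_push",
    "isotimestamp": "2023-08-22T14:03:11.000000+00:00",
    "txid": "constructed-txid-0001",
    "user": {"name": "jdoe", "key": "constructed-user-key"},
    "application": {"name": "Example VPN", "key": "constructed-app-key"},
    "access_device": {"ip": "203.0.113.10", "browser": "Chrome", "os": "Windows",
                      "location": {"city": "Example City", "country": "Exampleland"}},
    "auth_device": {"ip": "198.51.100.7", "name": "jdoe's phone",
                    "location": {"city": "Example City", "country": "Exampleland"}},
}


def to_wazuh_message(event: dict, location: str = "duo") -> str:
    """Wrap one Duo record as '1:<location>:<json>' for Wazuh's queue socket.
    Duo's nested fields are kept intact so rules can match e.g. data.result,
    data.access_device.ip or data.auth_device.name; the added top-level
    'integration' key lets a parent rule select Duo events."""
    payload = {"integration": "duo", **event}
    return f"1:{location}:{json.dumps(payload, separators=(',', ':'))}"


def is_failed_auth(event: dict) -> bool:
    """True for any authentication whose outcome is not 'success'."""
    return event.get("event_type") == "authentication" and event.get("result") != "success"


def send_to_wazuh(message: str, queue_path: str = WAZUH_QUEUE) -> None:
    """Write one message to Wazuh's UNIX datagram socket (needs a local Wazuh)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(queue_path)
        sock.send(message.encode("utf-8"))


def fetch_recent_authlogs(ikey: str, skey: str, host: str, mintime_ms: int, maxtime_ms: int) -> list:
    """Pull records with duo_client (imported lazily so the rest runs offline).
    Assumption: Admin.get_authentication_log with api_version=2 takes millisecond
    bounds and returns a page whose 'authlogs' list holds records like SAMPLE_EVENT."""
    import duo_client
    admin = duo_client.Admin(ikey=ikey, skey=skey, host=host)
    page = admin.get_authentication_log(mintime=mintime_ms, maxtime=maxtime_ms, api_version=2)
    return page["authlogs"]
```

In a poller you would call `fetch_recent_authlogs`, then `send_to_wazuh(to_wazuh_message(e))` for each record, tracking the last `isotimestamp` or `txid` seen to avoid re-sending events between runs.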

Visualizations

Duo Auths — Summary (dashboard screenshot):

Failed Auths and GeoIP, for both the access device and the authentication/phone device (dashboard screenshot):

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).