It is not that easy to deploy a built-in Sentinel connector to your Sentinel environment.
Although there is a one-click "Deploy to Azure" button, followed by a guide for entering all the related parameters, you might still not receive any logs.
Cisco DUO Connector Deployment
Deployment Option 1 – Azure Resource Manager (ARM) Template
Use this method for automated deployment of the data connector using an ARM Template.
- Click the Deploy to Azure button below.
- Select the preferred Subscription, Resource Group and Location.
- Enter the Cisco Duo Integration Key, Cisco Duo Secret Key, Cisco Duo API Hostname, Cisco Duo Log Types, Microsoft Sentinel Workspace Id and Microsoft Sentinel Shared Key.
- Mark the checkbox labeled "I agree to the terms and conditions stated above".
- Click Purchase to deploy.
Deployment Option 2 – Manual Deployment of Azure Functions
STEP 1 – Obtaining Cisco Duo Admin API credentials
- Follow the instructions to obtain the integration key, secret key, and API hostname. Use the "Grant read log" permission in the 4th step of the instructions.
STEP 2 – Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function
Manual Deployment of Azure Functions
Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).
- In the Function App, select the Function App Name and select Configuration.
- In the Application settings tab, select + New application setting.
- Add each of the following application settings individually, with their respective string values (case-sensitive):
  - CISCO_DUO_INTEGRATION_KEY
  - CISCO_DUO_SECRET_KEY
  - CISCO_DUO_API_HOSTNAME
  - CISCO_DUO_LOG_TYPES
  - WORKSPACE_ID
  - SHARED_KEY
  - logAnalyticsUri (Optional)
- Use logAnalyticsUri to override the Log Analytics API endpoint for a dedicated cloud. For example, for the public cloud, leave the value empty; for the Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us
- Once all application settings have been entered, click Save.
Issue
After deployment, you will be able to find this Function App:
The issue is that even with every setting required by the configuration page in place, the logs still do not get ingested into Sentinel.
After looking into the function's monitor logs, you will find the following error:
"
Result: Failure
Exception: RuntimeError: Received 403 Access forbidden
Stack:
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 604, in _handle__invocation_request
    call_result = await self._loop.run_in_executor(
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 933, in _run_sync_func
    return ExtensionManager.get_sync_invocation_wrapper(context,
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper
    result = function(**args)
  File "/home/site/wwwroot/AzureFunctionCiscoDuo/main.py", line 57, in main
    process_trust_monitor_events(admin_api, state_manager=state_manager, sentinel=sentinel)
  File "/home/site/wwwroot/AzureFunctionCiscoDuo/main.py", line 117, in process_trust_monitor_events
    for event in admin_api.get_trust_monitor_events_iterator(mintime=mintime, maxtime=maxtime):
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 441, in json_cursor_api_call
    (response, metadata) = self.parse_json_response_and_metadata(
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 482, in parse_json_response_and_metadata
    raise_error('Received %s %s' % (
  File "/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py", line 468, in raise_error
    raise error
"
Cause & Solution
After a quick Google search, and based on this post:
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298
The cause of this issue is that not all of the configured log types are supported by our Duo environment; the stack trace above shows the 403 is raised while fetching trust_monitor events.
The default configuration for the log types is: trust_monitor,authentication,administrator,telephony,offline_enrollment
After removing trust_monitor from CISCO_DUO_LOG_TYPES, the function executes successfully.
Logs are now coming in.
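To make this failure mode visible before it stalls ingestion, here is an added example (not the connector's own code) that parses a CISCO_DUO_LOG_TYPES value the way the setting is documented above, then collects each log type independently so that a 403 on one endpoint such as trust_monitor is reported and skipped instead of aborting the whole invocation. The Duo Admin API is replaced by a constructed stub (fake_duo_api) that raises the same RuntimeError seen in the function log; the names parse_log_types, collect_logs and fake_duo_api are my own.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Default CISCO_DUO_LOG_TYPES value the connector ships with (from the deployment page).
DEFAULT_LOG_TYPES = "trust_monitor,authentication,administrator,telephony,offline_enrollment"
KNOWN_LOG_TYPES = frozenset(DEFAULT_LOG_TYPES.split(","))
Fetcher = Callable[[], List[dict]]


def parse_log_types(raw: str) -> List[str]:
    # Comma-separated and case-sensitive like the app setting; tolerate spaces,
    # drop duplicates, and reject unknown names before the function is deployed.
    seen, result = set(), []
    for item in raw.split(","):
        name = item.strip()
        if not name or name in seen:
            continue
        if name not in KNOWN_LOG_TYPES:
            raise ValueError(f"unknown Duo log type in CISCO_DUO_LOG_TYPES: {name!r}")
        seen.add(name)
        result.append(name)
    return result


def collect_logs(log_types: Iterable[str], api: Dict[str, Fetcher]) -> Tuple[Dict[str, List[dict]], List[str]]:
    # Pull each type on its own. A 403 from one endpoint (trust_monitor without the
    # entitlement, as in the stack trace above) is recorded and skipped, so the other
    # types still reach Sentinel instead of the whole invocation failing.
    collected, forbidden = {}, []
    for log_type in log_types:
        try:
            collected[log_type] = api[log_type]()
        except RuntimeError as exc:
            if "403" in str(exc):
                forbidden.append(log_type)
                continue
            raise
    return collected, forbidden


def fake_duo_api(forbidden=("trust_monitor",)) -> Dict[str, Fetcher]:
    # Constructed stand-in for duo_client.Admin (not the real library): raises the
    # same "Received 403 Access forbidden" RuntimeError the function log shows.
    def make(log_type: str) -> Fetcher:
        def fetch() -> List[dict]:
            if log_type in forbidden:
                raise RuntimeError("Received 403 Access forbidden")
            return [{"log_type": log_type, "event": "constructed sample record"}]
        return fetch
    return {t: make(t) for t in KNOWN_LOG_TYPES}
```

Running `collect_logs(parse_log_types(DEFAULT_LOG_TYPES), fake_duo_api())` returns the four collectable types plus `["trust_monitor"]` as the forbidden list, which is the value to drop from the app setting (or to check against your Duo edition) rather than a blanket function failure.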