Cisco Secure Access by Duo - SecureX Orchestration workflows
Create SecureX Casebooks and Sightings based on Cisco Secure Access by Duo Auth DENIED or FRAUD logs.
Use cases:
- Track compromised Duo accounts
- Track Access Device and Auth Device IP and/or country mismatch
- Track the potential source IP of a password-guessing scan
- Block Duo user in CTR
- Link cybercriminal IP(s) from an NGIPS event to a Duo denied authentication log during an investigation
For any questions or comments/bugs please reach out to me at alexandre@argeris.net or aargeris@cisco.com
Main workflows:
- Events - Cisco Secure Access Fraud _ Deny auth.json
This workflow fetches Duo FRAUD log details from a Duo Fraud Email alert, and Deny logs, every hour. The details are parsed to create a casebook and sightings in the SecureX platform.
Prerequisites:
Reference for best practices and documentation: https://ciscosecurity.github.io/sxo-05-security-workflows/
- Create an Admin API application in Duo and save the credentials: https://duo.com/docs/adminapi
- Copy these credentials into the Cisco SecureX Orchestration variables section:
  - Admin Integration Key (iKey) and Host as string variables [duo_admin_ikey], [duo_host]
  - Admin Secret Key (sKey) as a Secure string variable [duo_admin_skey]
- From the Duo Admin portal, configure the Fraud Email Alert to be sent to your IMAP account.
- Create the Duo Target based on the hostname in Cisco SecureX Orchestration:
  - Give it a name, like "Duo"
  - No account keys: True
  - HTTPS protocol, host/IP address: API hostname
  - Proxy: Ignore Proxy
- Create an IMAP target and event.
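As an added example (not code from this repository), the following Python shows how a workflow step could sign the Duo Admin API v2 authentication-log query using the [duo_admin_ikey], [duo_admin_skey] and [duo_host] values above, and then flag the Access Device vs Auth Device country mismatch listed in the use cases. The host, keys and log entries are constructed placeholders, and HMAC-SHA512 signing is assumed to be accepted by the API as it is by current Duo SDKs.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholders for the [duo_admin_ikey], [duo_admin_skey] and
# [duo_host] variables the README stores in SecureX Orchestration.
DUO_HOST = "api-xxxxxxxx.duosecurity.com"
DUO_IKEY = "DIXXXXXXXXXXXXXXXXXX"
DUO_SKEY = "constructed-secret-key-do-not-use"
LOG_PATH = "/admin/v2/logs/authentication"

def duo_canonical_request(date, method, host, path, params):
    # Duo canonical string: RFC 2822 date, METHOD, lowercase host, path, then
    # the parameters sorted by key, RFC 3986 encoded and joined with '&'.
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, query])

def duo_auth_headers(ikey, skey, date, method, host, path, params):
    # HMAC the canonical request with the secret key (SHA-512, as current Duo
    # SDKs do) and send ikey:signature as HTTP Basic auth; Date must match.
    canon = duo_canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha512).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def country_mismatches(events):
    # Denied/fraud events whose access and auth devices geolocate to different countries.
    hits = []
    for ev in events:
        if ev.get("result") not in ("denied", "fraud"):
            continue  # successes are out of scope for this workflow
        access, auth = ev.get("access_device") or {}, ev.get("auth_device") or {}
        a_country = (access.get("location") or {}).get("country")
        b_country = (auth.get("location") or {}).get("country")
        if a_country and b_country and a_country != b_country:
            hits.append((ev["user"]["name"], access.get("ip"), a_country, b_country))
    return hits

# Constructed sample entries in the shape of Duo v2 authentication log records.
SAMPLE_EVENTS = [
    {"result": "fraud", "user": {"name": "jdoe"},
     "access_device": {"ip": "203.0.113.7", "location": {"country": "Brazil"}},
     "auth_device": {"ip": "198.51.100.20", "location": {"country": "Canada"}}},
    {"result": "denied", "user": {"name": "asmith"},
     "access_device": {"ip": "192.0.2.10", "location": {"country": "Canada"}},
     "auth_device": {"ip": "192.0.2.11", "location": {"country": "Canada"}}},
]
```

The returned tuples are what the workflow would turn into SecureX sightings; the query parameters (mintime/maxtime in epoch milliseconds, results=denied,fraud) select the hourly window the README describes.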
Import these workflows into SecureX Orchestration as atomic workflows:
Remediation workflows
- Duo Admin - Block User By Username.json
This atomic action blocks a Duo user based on username. (Works only if the Duo user is local, not synced with Azure AD or Windows AD.)
Credit to https://github.com/Gyuri1/duo-sxo
- Quarantine Duo User.json
This workflow lets you quarantine a user in Duo from the SecureX AO contextual menu.
- Azure AD - lockdown user (not documented yet)
Use Case
Cisco Secure Access by Duo integration with SecureX
It is of great interest to many companies to have an integrated security architecture. That means gathering data from various sources and bringing it together on one platform. This use case describes how you can bring valuable and crucial information from Cisco Secure Access by Duo into SecureX. It does that by leveraging SecureX orchestration, which is a low-to-no-code orchestrator built into SecureX. Duo is Cisco's adaptive Multi-Factor Authentication solution.
Some highlights of the use case:
- Track compromised Duo accounts (has an employee been "hacked"?);
- Track Access Device and Auth Device IP and/or country mismatch (find anomalies that could indicate compromises);
- Track the potential source IP of a password-guessing scan (find out where the attack is coming from);
- Block Duo user in SecureX threat response (take mitigation actions to minimize the impact of a compromise);
- Link cybercriminal IP(s) from an NGIPS event to a Duo denied authentication log during an investigation (integrate another threat intel source (Firepower) to find out more about potential threats).
Duo DevNet Microsite
For more information about Cisco Duo, you can check out this DevNet site.
Links to DevNet Learning Labs
Check out the Learning Labs on DevNet: