Create SecureX Casebook and Sightings based on Cisco Secure Access by Duo Auth DENIED or FRAUD logs.
Use cases:
For any questions or comments/bugs please reach out to me at alexandre@argeris.net or aargeris@cisco.com
This workflow fetches the detail of Duo FRAUD events from a Duo Fraud Email alert and pulls Duo DENIED logs every hour. The detail is parsed to create a casebook and sightings in the SecureX platform.
Reference for best practices and documentation: https://ciscosecurity.github.io/sxo-05-security-workflows/
Create an Admin API application in Duo and save the credentials.
https://duo.com/docs/adminapi
Copy these credentials into Cisco SecureX Orchestration variable section:
From the Duo Admin portal, configure the Fraud Email Alert to be sent to your IMAP account.
Create the Duo Target based on the hostname in Cisco SecureX Orchestration.
Create an IMAP target and event.
Threat Response v2 - Generate Access Token.json from https://github.com/CiscoSecurity/sxo-05-security-workflows/tree/Main/Atomics
This Atomic workflow action obtains a Cisco Threat Response (CTR) access token.
Threat Response v2 - Create Casebook.json from https://github.com/CiscoSecurity/sxo-05-security-workflows/tree/Main/Atomics
This Atomic workflow action creates the casebook.
Duo Admin - Get DENIED or FRAUD Auth Logs.json from this repo
This Atomic workflow action fetches Duo authentication logs with a DENIED or FRAUD result.
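The following is an added example written for this page; it is not code from the workflow repository, from Cisco or from Duo. It reimplements, offline, what the Admin API credential step and the "Get DENIED or FRAUD Auth Logs" atomic above depend on: signing a Duo Admin API request the way the Duo Admin API documentation describes (HMAC-SHA1 over Date, method, host, path and the sorted URL-encoded parameters, sent as HTTP Basic auth with the integration key as username), then keeping only `denied` and `fraud` results and shaping them as Threat Response sightings plus one casebook. The `ikey`/`skey`/host values are placeholders, the log entries are a constructed sample, and the CTIM `schema_version`, `source` label and field mapping are assumptions rather than values taken from the repository.

```python
"""Added example (not the workflow repository's code): Duo Admin API request
signing per the Duo Admin API docs, plus mapping of denied/fraud authlog
entries to Threat Response sightings and a casebook. No network access."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

AUTHLOG_PATH = "/admin/v2/logs/authentication"
SCHEMA_VERSION = "1.0.17"          # assumption: CTIM version you target
SOURCE = "Duo Admin API authlogs"  # assumption: free-text source label


def canonical_params(params):
    """Sort by key and URL-encode keys and values, as Duo's signing rules require."""
    return "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def sign_request(ikey, skey, host, method, path, params, date_header):
    """Return the Date and Authorization headers for a Duo Admin API call."""
    canon = "\n".join([date_header, method.upper(), host.lower(), path, canonical_params(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date_header, "Authorization": f"Basic {basic}"}


def signature_parts(headers):
    """Split the Basic credential back into (ikey, hex signature) for inspection."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    return tuple(raw.split(":", 1))


def select_denied_or_fraud(authlogs):
    """The workflow only cares about failed and user-reported-fraud authentications."""
    return [e for e in authlogs if e.get("result") in ("denied", "fraud")]


def to_sighting(entry):
    """Map one Duo authlog entry to a CTIM sighting: source IP as observable, user as target."""
    observed = datetime.fromtimestamp(entry["timestamp"], tz=timezone.utc).isoformat().replace("+00:00", "Z")
    fraud = entry["result"] == "fraud"
    return {
        "type": "sighting",
        "schema_version": SCHEMA_VERSION,
        "source": SOURCE,
        "title": f"Duo {entry['result'].upper()}: {entry['user']['name']} on {entry['application']['name']}",
        "description": f"reason={entry.get('reason')} factor={entry.get('factor')} txid={entry.get('txid')}",
        "confidence": "High",
        "severity": "High" if fraud else "Medium",   # user-reported fraud outranks a plain deny
        "count": 1,
        "observed_time": {"start_time": observed},
        "observables": [{"type": "ip", "value": entry["access_device"]["ip"]}],
        "targets": [{"type": "endpoint",
                     "observables": [{"type": "user", "value": entry["user"]["name"]}],
                     "observed_time": {"start_time": observed}}],
    }


def build_sightings(authlogs):
    return [to_sighting(e) for e in select_denied_or_fraud(authlogs)]


def build_casebook(sightings):
    """One casebook whose observables are the distinct IPs and users seen in the sightings."""
    seen, observables = set(), []
    for s in sightings:
        for o in s["observables"] + s["targets"][0]["observables"]:
            if (o["type"], o["value"]) not in seen:
                seen.add((o["type"], o["value"]))
                observables.append(o)
    return {"type": "casebook", "schema_version": SCHEMA_VERSION,
            "title": f"Duo DENIED/FRAUD authentications ({len(sightings)} events)",
            "description": "Created from Duo Admin API authentication logs",
            "observables": observables}


# Constructed sample of /admin/v2/logs/authentication entries (not real data).
SAMPLE_AUTHLOGS = [
    {"timestamp": 1700000000, "result": "success", "reason": "user_approved", "factor": "duo_push",
     "txid": "txid-0001", "user": {"name": "alice"}, "application": {"name": "VPN"},
     "access_device": {"ip": "203.0.113.10"}},
    {"timestamp": 1700000060, "result": "denied", "reason": "no_response", "factor": "duo_push",
     "txid": "txid-0002", "user": {"name": "bob"}, "application": {"name": "VPN"},
     "access_device": {"ip": "198.51.100.23"}},
    {"timestamp": 1700000120, "result": "fraud", "reason": "user_marked_fraud", "factor": "duo_push",
     "txid": "txid-0003", "user": {"name": "carol"}, "application": {"name": "Webmail"},
     "access_device": {"ip": "198.51.100.23"}},
]

if __name__ == "__main__":
    import json
    from email.utils import format_datetime
    # Placeholder ikey/skey/host; a real run hands these headers to an HTTP client.
    headers = sign_request("DIXXXXXXXXXXXXXXXXXX", "skey-placeholder", "api-xxxxxxxx.duosecurity.com",
                           "GET", AUTHLOG_PATH, {"mintime": 1699996400000, "maxtime": 1700000000000, "limit": 1000},
                           format_datetime(datetime.now(timezone.utc), usegmt=True))
    print(headers["Date"], headers["Authorization"][:24] + "...")
    print(json.dumps(build_casebook(build_sightings(SAMPLE_AUTHLOGS)), indent=2))
```

The `mintime`/`maxtime` parameters are passed in milliseconds because the v2 authentication log endpoint expects them that way; the signature covers them, so any change to the query after signing invalidates the request, which is why the atomic must build the canonical string from the exact parameters it sends.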
Duo Admin - Block User By Username.json
This Atomic action blocks a Duo user by username. (Works only if the Duo user is local, not synced from Azure AD or Windows AD.)
credit to https://github.com/Gyuri1/duo-sxo
Quarantine Duo User.json
This workflow lets you quarantine a user in Duo from the SecureX AO contextual menu.
Azure AD - lockdown user (not documented yet)
It is of great interest to many companies to have an integrated security architecture. That means gathering data from various sources and bringing it together on one platform. This use case describes how you can bring valuable and crucial information from Cisco Secure Access by Duo into SecureX. It does so by leveraging SecureX orchestration, a low-to-no-code orchestrator built into SecureX. Duo is Cisco's adaptive multi-factor authentication solution.
Some highlights of the use case:
For more information about Cisco Duo, you can check out this DevNet site.