Skip to main content

NG SIEM - CISCO DUO

Overview

This guide provides step-by-step instructions for integrating Cisco DUO multi-factor authentication (MFA) with Elastic Fleet for centralized log collection and security monitoring.

Cisco DUO is a cloud-based access security platform that provides multi-factor authentication, device health checks, and zero-trust access policies. Elastic Fleet, part of the Elastic Stack (ELK), provides a centralized management interface for deploying and managing Elastic Agents across your infrastructure.

By integrating DUO authentication logs into Elastic Fleet, security teams gain:

  • Real-time visibility into authentication events across all users and devices

  • Centralized log aggregation from DUO's Admin API into Elasticsearch

  • Pre-built dashboards for authentication analytics and anomaly detection

  • Correlation of DUO events with other security telemetry in the Elastic SIEM

Prerequisite

Before beginning the integration, ensure all of the following prerequisites are met. Incomplete prerequisites are the most common cause of integration failures.

Cisco DUO Requirements

  • Active Cisco DUO account with Administrator privileges

  • DUOVerify Admin API access enabled (Duo Admin Panel > Applications > Admin API)

  • Admin API application created with the following permissions:

    • credentials:
    • Hostname:

      Grant read log access

    • Grant read resource access (optional but recommended)

  • Noteexactly the following credentials from the DUODuo Admin API application:

    • Integration Key (ikey)

    • Secret Key (skey)

    • API Hostnamehost (e.g., api-XXXXXXXX.duosecurity.com)

       as shown in Duo Admin Panel > Applications > Protect an Application > Admin API.
    • Integration key and Secret key: copy/paste fresh to rule out typos.
  • Ensure the Admin API application has the required permissions:
    • Grant read information” and “Grant read log” must be enabled for activity logs.
  • Duo IP allowlist:
    • If you have IP whitelisting in Duo, add this egress IP - 50.250.130.122(es-ui.cytechint.io)

Network Requirements

  • Outbound connectivity from the Elastic Agent host to DUO API hostname on port 443

  • Inbound/outbound connectivity between Elastic Agent and Fleet Server on port 8220

  • Firewall rules permitting HTTPS traffic to api-*.duosecurity.com

Installation & Configuration

To enable log collection from the Cisco DUO, provide the following information to CyTech Support:

  • API Hostname (e.g., api-XXXXXXXX.duosecurity.com)
  • Integration Key (ikey)
  • Secret Key (skey)
  • Initial Interval (how far back to pull logs on first run, e.g., 24h)
  • Interval (how often to poll for new logs, e.g., 5m)

Conclusion

The Cisco DUO integration with Elastic Fleet enables centralized visibility into authentication events across your environment. By leveraging DUO's Admin API alongside Elastic's log collection and SIEM capabilities, security teams can monitor, analyze, and respond to authentication activity in real time — all from a single platform.

Back to top