51 Security

Learning, Sharing, Creating

SIEM

Cisco DUO Connector Issue in Microsoft Sentinel

Bynetsec

Jul 15, 2024

It is not that easy to deploy built-in Sentinel Connector to your Sentinel environment. 

Although there is a one-click button to deploy to Azure, then there is a guide to enter all realted parameters, you might still not able to receve any logs. 
 

Cisco DUO Connector Deployment

Deployment Option 1 – Azure Resource Manager (ARM) Template

Use this method for automated deployment of the data connector using an ARM Template.

  1. Click the Deploy to Azure button below.

    Deploy To Azure

  2. Select the preferred SubscriptionResource Group and Location.

  3. Enter the Cisco Duo Integration KeyCisco Duo Secret KeyCisco Duo API HostnameCisco Duo Log TypesMicrosoft Sentinel Workspace IdMicrosoft Sentinel Shared Key

  4. Mark the checkbox labeled I agree to the terms and conditions stated above.

  5. Click Purchase to deploy.

Deployment  Option 2 – Manual Deployment of Azure Functions

STEP 1 – Obtaining Cisco Duo Admin API credentials

  1. Follow the instructions to obtain integration keysecret key, and API hostname. Use Grant read log permission in the 4th step of the instructions.

STEP 2 – Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).

  1. Download the Azure Function App file. Extract archive to your local development computer.
  2. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode.
  3. After successful deployment of the function app, follow next steps for configuring it.
  1. In the Function App, select the Function App Name and select Configuration.
  2. In the Application settings tab, select + New application setting.
  3. Add each of the following application settings individually, with their respective string values (case-sensitive):
    CISCO_DUO_INTEGRATION_KEY
    CISCO_DUO_SECRET_KEY
    CISCO_DUO_API_HOSTNAME
    CISCO_DUO_LOG_TYPES
    WORKSPACE_ID
    SHARED_KEY
    logAnalyticsUri (Optional)
  • Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us.
  1. Once all application settings have been entered, click Save.

Issue

After deployment, you will be able to find this Function App:

The issue is, even with all settings required by configuration page, the logs are still not able to ingest into Sentinel. 
After looking into the function monitor logs, you will find out following errors:
Result: Failure Exception: RuntimeError: Received 403 Access forbidden Stack: File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py”, line 604, in _handle__invocation_request call_result = await self._loop.run_in_executor( File “/usr/local/lib/python3.8/concurrent/futures/thread.py”, line 57, in run result = self.fn(*self.args, **self.kwargs) File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py”, line 933, in _run_sync_func return ExtensionManager.get_sync_invocation_wrapper(context, File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/extension.py”, line 215, in _raw_invocation_wrapper result = function(**args) File “/home/site/wwwroot/AzureFunctionCiscoDuo/main.py”, line 57, in main process_trust_monitor_events(admin_api, state_manager=state_manager, sentinel=sentinel) File “/home/site/wwwroot/AzureFunctionCiscoDuo/main.py”, line 117, in process_trust_monitor_events for event in admin_api.get_trust_monitor_events_iterator(mintime=mintime, maxtime=maxtime): File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 441, in json_cursor_api_call (response, metadata) = self.parse_json_response_and_metadata( File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 482, in parse_json_response_and_metadata raise_error(‘Received %s %s’ % ( File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 468, in raise_error raise error

Checking Fuction APP error:

Cause & Solution

After a quick google and based on this post:
  • https://techcommunity.microsoft.com/t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298
The cause of this issue is because of not all log types supported by our environment. 
Default configuration for the log types is: trust_monitor,authentication,administrator,telephony,offline_enrollment
After removed trust_monitor, the function can be executed successfully.

Issue Fixed

 

Log is coming

References

By netsec

Related Post

SIEM

How to Surpress Microsoft Sentinel Log Ingestion

Oct 6, 2024 netsec
SIEM

Azure Sentinel Onboarding All Kinds Of Log Sources

Jul 15, 2024 netsec
SIEM

Azure Sentinel Log Query Scripts Collection (Kusto Query Language)

Jul 15, 2024 netsec

Leave a Reply

You missed

Vulnerability Scan

Tenable Web Application Cerdential Scans For Web Appications and APIs

2024-10-30 netsec
CyberArk

Steps to Update/Renew Your CyberArk Infrastrucure Certificates (PSM)

2024-10-30 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)

2024-10-30 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)

2024-10-30 netsec