Duo
The Duo Matano managed log source lets you ingest your Duo logs directly into Matano.
Usage
Use the managed log source by specifying the managed.type property in your log_source as DUO.
name: duo
managed:
  type: DUO
  properties:
    api_hostname: <MY_API_HOSTNAME> # e.g. api-eac94d5a.duosecurity.com
    integration_key: <MY_INTEGRATION_KEY>
For each table you would like to enable from this managed log source, create a file named <table_name>.yml under a tables/ subdirectory in your log source directory. For example:
my-matano-dir/
└── log_sources/
    └── duo/
        └── log_source.yml
        └── tables/
            └── admin.yml
            └── auth.yml
            └── offline_enrollment.yml
            └── summary.yml
            └── telephony.yml
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
Tables
The Duo managed log source supports the following tables:
- admin
- auth
- offline_enrollment
- summary
- telephony
Ingest
Pull (default)
Matano integrates with your Duo account to automatically pull relevant logs on a regular basis (every 5 min).
To get started with the integration, specify the following properties in the log source configuration file:
managed:
  type: DUO
  properties:
    api_hostname: <MY_API_HOSTNAME> # e.g. api-eac94d5a.duosecurity.com
    integration_key: <MY_INTEGRATION_KEY>
After the first deployment, this log source will also generate a secret in AWS Secrets Manager to store secrets related to this integration.
Secret
To finish onboarding the log source, populate the secret_key key in the secret generated by Matano in AWS Secrets Manager with the value from your OAuth app.
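A pre-deployment check for the layout and secret handling described above, added here as an example and not part of Matano: it flags unreplaced placeholders, a secret_key committed to log_source.yml instead of AWS Secrets Manager, and table files whose names are not in the supported list. The function names, the line-based key scan (not a full YAML parser) and the sample directory are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Table names and required properties as listed on this page.
SUPPORTED_TABLES = {"admin", "auth", "offline_enrollment", "summary", "telephony"}
REQUIRED_PROPERTIES = ("api_hostname", "integration_key")

def lint_duo_log_source(source_dir):
    """Return findings for a Duo log source directory (empty list = clean)."""
    source_dir = Path(source_dir)
    config = source_dir / "log_source.yml"
    if not config.is_file():
        return ["log_source.yml is missing"]
    # Line-based scan of `key: value` pairs with comments stripped; enough for
    # the flat keys checked here, not a general YAML parser.
    keys = {}
    for line in config.read_text().splitlines():
        m = re.match(r"\s*([A-Za-z_]+):\s*(.*)$", line.split("#", 1)[0])
        if m:
            keys[m.group(1)] = m.group(2).strip().strip("\"'")
    findings = []
    if keys.get("type") != "DUO":
        findings.append("managed.type must be DUO")
    for prop in REQUIRED_PROPERTIES:
        if not keys.get(prop) or re.fullmatch(r"<.*>", keys[prop]):
            findings.append(f"{prop} is missing or still a placeholder")
    if "secret_key" in keys:  # the secret is populated in AWS Secrets Manager
        findings.append("secret_key must not appear in log_source.yml")
    for path in sorted((source_dir / "tables").glob("*.yml")):
        if path.stem not in SUPPORTED_TABLES:
            findings.append(f"unsupported table: {path.name}")
    return findings

def demo():
    """Lint a constructed layout that contains three deliberate mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "log_sources" / "duo"
        (src / "tables").mkdir(parents=True)
        (src / "log_source.yml").write_text(
            "name: duo\nmanaged:\n  type: DUO\n  properties:\n"
            "    api_hostname: <MY_API_HOSTNAME> # unreplaced placeholder\n"
            "    integration_key: CONSTRUCTED-IKEY\n"
            "    secret_key: constructed-not-a-real-secret\n")
        for name in ("auth.yml", "authn.yml"):  # contents do not matter here
            (src / "tables" / name).write_text("")
        return lint_duo_log_source(src)

if __name__ == "__main__":
    print("\n".join(demo()))
```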
Schema
Duo log data is normalized to ECS fields. Custom fields are normalized into the duo field. You can view the complete mapping to see the full schema.