Overview
Blumira integrates with Duo Security to stream authentication and endpoint logs and alerts to Blumira for threat detection and actionable response. We then apply threat intelligence and user entity behavior analytics to detect malicious and high-risk logins, such as geo-impossible logins.
Important: Dedicate a specific Admin API application in Duo to your Blumira integration. Do not reuse the same Duo Admin API credentials for multiple applications. Rate limits for Duo's API will cause logging delays or disruption if too many requests are processed with the same credentials.
Before you begin
Required: You must be a Duo Security Administrator with the Owner role to create or modify an Admin API application in the Duo Admin Panel.
Before you can add the Duo Security Cloud Connector in Blumira, you must gather your Duo Admin API credentials:
- Duo integration key
- Duo secret key
- Duo API hostname
To obtain your Duo Admin API information, complete the steps in Duo Admin API: First Steps.
In Step 4, ensure that you check the boxes next to these permissions:
- Grant read information
- Grant read log
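Before entering the three values in Blumira, you can confirm that they work and that both permissions are granted. The script below is an added example, not Blumira's or Duo's own code: it signs requests the way Duo's Admin API expects (HTTP Basic with an HMAC-SHA1 signature) and calls one read-only endpoint per permission. The environment variable names are hypothetical.

```python
import base64, email.utils, hashlib, hmac, os, time
import urllib.error, urllib.parse, urllib.request

# One Admin API endpoint per permission the connector needs.
CHECKS = {
    "Grant read information": "/admin/v1/info/summary",
    "Grant read log": "/admin/v2/logs/authentication",
}

def sign(method, host, path, params, ikey, skey, date=None):
    """Build Duo's HMAC-SHA1 request signature; returns (headers, query string)."""
    date = date or email.utils.formatdate()
    quote = lambda v: urllib.parse.quote(str(v), "~")
    query = "&".join(f"{quote(k)}={quote(params[k])}" for k in sorted(params))
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}, query

def explain(status):
    """Translate Duo's HTTP status into what to fix before connecting Blumira."""
    return {
        200: "ok",
        401: "rejected: check integration key, secret key and system clock",
        403: "not authorized: permission missing or not an Admin API application",
        429: "rate limited: are these credentials shared with another tool?",
    }.get(status, f"unexpected HTTP {status}")

def probe(host, ikey, skey):
    """Call each endpoint once and return {permission: verdict}."""
    now_ms, results = int(time.time() * 1000), {}
    for permission, path in CHECKS.items():
        # The authentication log endpoint needs a time window in milliseconds.
        params = {"mintime": now_ms - 3_600_000, "maxtime": now_ms, "limit": 1} \
            if "logs" in path else {}
        headers, query = sign("GET", host, path, params, ikey, skey)
        req = urllib.request.Request(f"https://{host}{path}?{query}", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        results[permission] = explain(status)
    return results

if __name__ == "__main__":
    # DUO_HOST / DUO_IKEY / DUO_SKEY are hypothetical variable names for this example.
    env = [os.environ.get(k) for k in ("DUO_HOST", "DUO_IKEY", "DUO_SKEY")]
    print(probe(*env) if all(env) else "set DUO_HOST, DUO_IKEY and DUO_SKEY first")
```

Reading the keys from the environment keeps the secret key out of the script and out of command-line arguments.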
Providing your API credentials to Blumira
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure your integration with Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the connector, type the new name in the Cloud Connector Name box.
- Enter the API credentials that you collected in the "Before you begin" section above.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a sensor module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.
Testing a Duo Detection
- Have the Duo Admin Panel and Blumira app open.
- Go to an application protected by Duo Security.
- Once on the Duo Prompt (MFA) screen, select Send Me a Push to send a prompt to your mobile device or tablet.
- Deny the push notification by tapping the red X.
- Tap Report as Fraud.
- Within minutes, a finding alert appears in Blumira.