Duo Security

This document provides the steps required to configure the Duo Security Inspector.

👍

Quick Details:

Recommended Agent: On-Demand
Supported Agents: On-Demand or Self-Managed
Is Auto-Discovered By: N/A
Can Auto-Discover: Duo Child Accounts
Parent/Child Type Inspector: Yes
Inspection via: API
Data Summary: Here

Overview

See it in Action

Inspector Setup Preparation

📘

Accounts vs. Admin API

If you have a Parent MSP account with Child accounts set up for Duo, you need to set up both the Accounts API and Admin API in the Parent account in order for Liongard to provide auto-discovery and inspect the Child accounts

If you only want to inspect a single account, you only need to enable the Admin API.

Step 1: Set up Accounts API Access

To enable Accounts API and get the credentials needed, follow the directions provided by Duo

Step 2: Set up Admin API Access

To enable Admin API and get the credentials needed, please follow the directions provided by Duo

Minimum permissions required:

  • Grant read information
  • Grant read log
  • Grant read resource

Additional permissions you can provide:

  • If you wish to gather Duo settings on an account, such as password policies, enable the the Grant settings permission
  • If you wish to gather a list of the Administrator users for a Duo account, enable the Grant administrators permission

❗️

Applications/Integrations

Liongard will not pull application/integration details at this time, regardless of the whether the Grant applications permission is enabled, due to security concerns about the level of details which are exposed on Duo's API endpoint.

Liongard Inspector Setup

Step 1: Parent Inspector Setup

Since Duo Security is a multi-tenant system where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector with the API Key that will then auto-discover "Child" Inspectors for each Environment.

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Duo Security* Inspector > Add System**.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested Naming: [MSP Name] Duo Security Parent
  • Agent: Select On-Demand Agent
  • Inspector Version: Latest
  • API Hostname: The Hostname of the API as provided in the Integrations console for the API(s).
    • Both the Accounts and Admin API will have the same Hostname in your Parent account.
  • Accounts Integration Key: The Accounts API integration Key as provided in the Integration console under the Accounts API application.
  • Accounts Secret Key: The Accounts API integration Secret as provided in the Integration console under the Accounts API application.
  • Admin Integration Key: The Admin API Integration Key as provided in the Integration console under the Admin API application.
  • Admin Secret Key The Admin API Integration Secret as provided in the Integration console under the Admin API application.
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule

Select Save. The Inspector will now be triggered to run within the minute.

Step 2: Child Inspector Setup

After the first run of the Parent Inspector, your client Duo Security organizations will be Auto-Discovered in the Discovered Systems tab on the Inspectors > Duo Security page.

Navigate to the Discovered Systems tab in your Inspectors > Duo Security page

  • Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop down menu > Activate Launchpoints

🚧

Parent Inspector is working, but Child Inspectors are failing.

First, verify you have set up both the Accounts API and Admin API for your DUO Parent Inspector. If you have, generate a new set of API keys.

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Inspector FAQs