Supported Cortex XSOAR versions: 6.8.0 and later.
Collects Auth and Audit events for Duo using the API.
Navigate to Settings > Integrations > Servers & Services.
Search for Duo Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server Host The URL for the API. True First fetch timestamps The first time fetch date range, for example: 2 days, 1 month, 3 years. True Integration key The integration key for the admin API from Duo. True Secret key The secret key for the admin API from Duo. True XSIAM request limit The maximum number of events to collect from the API in each cycle. True Request retries The number of times to retry a failed too many requests 429 HTTP error. False Use system proxy settings Enable proxy support for running the collector. False logs_type_array The type of APIs that this instance will use in the collector. False
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Manual command to fetch events and display them.
|should_push_events||Set this argument to True in order to create events, otherwise the command will only display them. Possible values are: True, False. Default is False.||Required|
- As suggested by the DUO ADMIN API documentation "We recommend requesting logs no more than once per minute".
- Recomended fetch time interval 1 minute and limit of up to 1000 per fetch.
- The returned logs are available ranging from the last 180 days up to as recently as two minutes before the API request.
There is no context output for this command.