
Cisco Duo MFA

Overview

Cisco Duo provides multi-factor authentication and device trust for secure access. KYRA MDR collects authentication, administrator, and telephony logs via the Duo Admin API to detect credential abuse, MFA bypass attempts, and unauthorized administrative changes.

Prerequisites

  • KYRA MDR account (MDR tier or above)
  • KYRA Collector installed with outbound HTTPS access to api-*.duosecurity.com
  • Duo Admin Panel access with the Owner role (only administrators with the Owner role can create or modify an Admin API application)
  • Duo Beyond, Access, or MFA edition
  • Admin API application credentials (integration key, secret key, API hostname)

Configuration

Step 1: Create a Duo Admin API Application

  1. Log in to the Duo Admin Panel at https://admin.duosecurity.com
  2. Navigate to Applications > Protect an Application
  3. Search for Admin API and click Protect
  4. Grant only the read permissions the collector needs (an Admin API key carrying write or administrator permissions is itself a high-value target, so leave those unchecked):
    • Grant read log — authentication, administrator, and telephony logs
    • Grant read resource — user and device inventory
  5. Record the Integration key, Secret key, and API hostname

Step 2: Configure KYRA Collector

/etc/kyra-collector/sources.d/duo.yaml

source:
  type: duo
  api_hostname: "api-XXXXXXXX.duosecurity.com"
  integration_key: "<INTEGRATION_KEY>"
  secret_key: "<SECRET_KEY>"
  poll_interval: 120        # seconds (minimum 120 due to Duo log delay)
  collect:
    - authentication        # MFA auth attempts
    - administrator         # admin panel actions
    - telephony             # phone call and SMS events

The secret key signs every API request, so restrict this file to the collector user (for example chmod 600). Then apply the new source and confirm it is running:

kyra-collector reload
kyra-collector status

Step 3: API Endpoints Used by KYRA Collector

{api_hostname} below is the api_hostname value from Step 2.

# Authentication logs (MFA attempts) - v2; mintime/maxtime are epoch milliseconds,
# results are paged with limit and the next_offset returned in the response metadata
GET https://{api_hostname}/admin/v2/logs/authentication?mintime=<unix_timestamp_ms>&maxtime=<unix_timestamp_ms>&limit=1000
# Administrator logs (admin panel actions) - v1; mintime is epoch seconds
GET https://{api_hostname}/admin/v1/logs/administrator?mintime=<unix_timestamp>
# Telephony logs (phone calls, SMS) - v1; mintime is epoch seconds
GET https://{api_hostname}/admin/v1/logs/telephony?mintime=<unix_timestamp>
# User inventory (for enrichment)
GET https://{api_hostname}/admin/v1/users
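Every one of these requests is signed with the secret key. The block below is an added example written for this page (it is not the KYRA collector's code and not Duo's duo_client library) that implements the request-signing scheme documented for the Duo Admin API: a canonical request built from the Date header, method, host, path and sorted parameters, an HMAC-SHA1 of that string under the secret key, and the signature sent as the HTTP Basic password for the integration key. The integration key and secret key in the block are placeholders, verify_signature is a local illustration of what Duo's side checks, and the Date handling is why a skewed collector clock ends in the 401 Invalid signature error covered under Troubleshooting.

```python
"""Sign a Duo Admin API request (added example; not KYRA's or Duo's code).

Implements the request-signing scheme from the Duo Admin API documentation:
the canonical request is signed with HMAC-SHA1 using the secret key, and the
signature travels as the HTTP Basic password for the integration key.
The credentials used at the bottom are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse
from email.utils import formatdate


def canonical_params(params):
    """RFC 3986-encode every key and value ('~' stays literal, space -> %20),
    sort, and join with '&'. The same string is signed and, for GET, used as
    the query string, so the two can never disagree."""
    encoded = sorted(
        (urllib.parse.quote(str(k), safe="~"), urllib.parse.quote(str(v), safe="~"))
        for k, v in params.items()
    )
    return "&".join(f"{k}={v}" for k, v in encoded)


def canonicalize(date, method, host, path, params):
    """Duo canonical request: five newline-joined lines, host lower-cased."""
    return "\n".join([date, method.upper(), host.lower(), path, canonical_params(params)])


def sign_request(ikey, skey, method, host, path, params, date=None, digestmod=hashlib.sha1):
    """Return (url, headers) for a signed Admin API call.

    date defaults to the current RFC 2822 timestamp. Duo checks it against its
    own clock, which is why a drifted collector gets 401 Invalid signature.
    """
    if date is None:
        date = formatdate()  # e.g. 'Tue, 21 Aug 2012 17:29:18 -0000'
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), digestmod).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    headers = {"Date": date, "Host": host.lower(), "Authorization": "Basic " + auth}
    url = f"https://{host.lower()}{path}"
    if method.upper() == "GET" and params:
        url += "?" + canonical_params(params)
    elif params:
        # for POST/PUT the same canonical_params(params) string is the body
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return url, headers


def verify_signature(headers, ikey, skey, method, host, path, params, digestmod=hashlib.sha1):
    """Local illustration of the server side: rebuild the canonical request from
    the Date header the client sent and compare signatures in constant time."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or "Date" not in headers:
        return False
    user, _, got = base64.b64decode(b64).decode().partition(":")
    canon = canonicalize(headers["Date"], method, host, path, params)
    want = hmac.new(skey.encode(), canon.encode(), digestmod).hexdigest()
    return user == ikey and hmac.compare_digest(got, want)


if __name__ == "__main__":
    import time
    now_ms = int(time.time() * 1000)
    url, headers = sign_request(
        ikey="DIXXXXXXXXXXXXXXXXXX",   # placeholder integration key
        skey="0123456789abcdef" * 2,  # placeholder secret key
        method="GET",
        host="api-XXXXXXXX.duosecurity.com",
        path="/admin/v2/logs/authentication",
        params={"mintime": now_ms - 3_600_000, "maxtime": now_ms - 120_000, "limit": 1000},
    )
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Because the Date header is inside the signed string, a replayed request with a stale Date fails the clock check and a request whose parameters were altered in transit fails the signature check; both surface as the same 401.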

Step 4: Verify API Connectivity

The v2 authentication log uses epoch milliseconds, requires mintime to be within the last 180 days, and may not yet show events younger than about two minutes, so the check below asks for the last hour up to two minutes ago. With api_version=2 the duo_client response is a dict whose authlogs list holds the events.

pip install duo_client
python3 -c "
import json, time
import duo_client

admin_api = duo_client.Admin(
    ikey='<INTEGRATION_KEY>',
    skey='<SECRET_KEY>',
    host='api-XXXXXXXX.duosecurity.com',
)
now_ms = int(time.time() * 1000)
resp = admin_api.get_authentication_log(
    api_version=2,
    mintime=now_ms - 3600 * 1000,   # one hour ago, in milliseconds
    maxtime=now_ms - 120 * 1000,    # stop 2 minutes short of now (Duo log delay)
    limit=3,
)
for log in resp['authlogs']:
    print(json.dumps({
        'user': log.get('user', {}).get('name'),
        'result': log.get('result'),
        'reason': log.get('reason'),
        'factor': log.get('factor'),
        'ip': log.get('access_device', {}).get('ip'),
    }, indent=2))
"

Step 5: Verify on KYRA Collector

kyra-collector logs --source duo --tail 10

Collected Log Types

| Log Type | Description | Security Use |
|---|---|---|
| Authentication Logs | MFA push, call, passcode, WebAuthn results per user | Credential abuse, MFA fatigue detection |
| Administrator Logs | Admin panel login, user changes, policy edits, integration changes | Privilege escalation, insider threat |
| Telephony Logs | Phone calls placed, SMS sent, costs | Telephony fraud detection |
| Offline Access | Offline authentication events | Offline MFA auditing |
| Trust Monitor | Risk-based authentication events | Anomalous access detection |
| User/Device Inventory | Enrolled users, devices, OS versions, trust status | Asset inventory, endpoint compliance |

Security-Critical Duo Events

Field values below use the lowercase v2 authentication-log vocabulary that the collector ingests (result is one of success, denied, fraud, error; the reason field says why).

| Event | Indicator | Description |
|---|---|---|
| result: fraud (reason: user_marked_fraud) | User-reported fraud | User pressed "Deny" and reported the push as fraudulent |
| Multiple result: denied push events for one user in a short window | MFA fatigue attack | Attacker spamming push notifications to wear down the user |
| result: success with reason: bypass_user | Policy bypass | User authenticated without MFA because their Duo status is Bypass |
| Admin log action user_delete or bypass_create | Account tampering | Unauthorized admin removing MFA or creating bypass codes |
| Successful auth from a new access_device.ip in an unusual geo | Account takeover | Successful auth from an unexpected location |
| Excessive factor: remembered_device use | Trust abuse | Device trust being exploited to skip MFA |
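To make the authentication-log rows above concrete, here is an added example (it is not KYRA detection content and not Duo code) that runs those rules over a handful of constructed Duo v2 authentication-log events. The event shape follows the v2 fields used elsewhere on this page (user.name, result, reason, factor, access_device.ip, timestamp in epoch seconds); the thresholds, the sample events and the per-user known-IP baseline are assumptions chosen for the demonstration, and the administrator-log rows (user_delete, bypass_create) are not covered because they come from a different log.

```python
"""Detection rules for the Duo events above (added example; not KYRA or Duo code).

Runs over Duo v2 authentication-log events. The sample events, the known-IP
baseline and the thresholds are constructed for the demonstration.
"""
from collections import defaultdict, deque

BASE_TS = 1_700_000_000  # constructed epoch seconds for the sample data


def ev(offset, user, result, reason, factor, ip):
    """Build a minimal v2 authlog event (only the fields the rules read)."""
    return {
        "timestamp": BASE_TS + offset,
        "user": {"name": user},
        "result": result,
        "reason": reason,
        "factor": factor,
        "access_device": {"ip": ip},
        "application": {"name": "Corp VPN"},
    }


SAMPLE_EVENTS = (
    # alice: six pushes ignored in four minutes, then one approved -> MFA fatigue
    [ev(i * 40, "alice", "denied", "no_response", "duo_push", "198.51.100.7") for i in range(6)]
    + [ev(260, "alice", "success", "user_approved", "duo_push", "198.51.100.7")]
    # bob: logged in with no second factor because his Duo status is Bypass
    + [ev(300, "bob", "success", "bypass_user", "not_available", "198.51.100.8")]
    # carol: pressed Deny and reported the push as fraud
    + [ev(400, "carol", "fraud", "user_marked_fraud", "duo_push", "203.0.113.9")]
    # dave: approved a push from an IP never seen for him before
    + [ev(500, "dave", "success", "user_approved", "duo_push", "203.0.113.77")]
    # eve: six remembered-device logins inside one hour
    + [ev(600 + i * 300, "eve", "success", "remembered_device", "remembered_device", "198.51.100.9")
       for i in range(6)]
    # frank: two denied pushes, below the fatigue threshold -> no finding
    + [ev(700, "frank", "denied", "no_response", "duo_push", "198.51.100.10"),
       ev(720, "frank", "denied", "user_mistake", "duo_push", "198.51.100.10")]
)

# Per-user IPs seen in earlier successful logins (constructed baseline).
KNOWN_IPS = {
    "alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}, "dave": {"198.51.100.70"},
    "eve": {"198.51.100.9"}, "frank": {"198.51.100.10"},
}


def detect(events, known_ips, push_threshold=5, push_window=600,
           remembered_threshold=5, remembered_window=3600):
    """Return one finding dict per (rule, user) that fires.

    Sliding windows are kept per user so a burst is flagged as soon as the
    threshold is crossed, and each (rule, user) pair is reported only once.
    """
    findings, reported = [], set()
    denied_pushes = defaultdict(deque)
    remembered = defaultdict(deque)

    def report(kind, user, ts, detail):
        if (kind, user) not in reported:
            reported.add((kind, user))
            findings.append({"type": kind, "user": user, "timestamp": ts, "detail": detail})

    def burst(window_map, user, ts, window, threshold):
        q = window_map[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        return len(q) >= threshold

    for e in sorted(events, key=lambda x: x["timestamp"]):
        user, ts = e["user"]["name"], e["timestamp"]
        result, reason, factor = e["result"], e.get("reason"), e.get("factor")
        ip = e.get("access_device", {}).get("ip")

        if result == "fraud":
            report("user_marked_fraud", user, ts, f"fraud reported on push from {ip}")
        if result == "denied" and factor == "duo_push":
            if burst(denied_pushes, user, ts, push_window, push_threshold):
                report("mfa_fatigue", user, ts,
                       f">= {push_threshold} denied pushes within {push_window}s")
        if result == "success":
            if reason == "bypass_user":
                report("bypass_user", user, ts, "authenticated without MFA (user status Bypass)")
            if factor == "remembered_device" and burst(
                    remembered, user, ts, remembered_window, remembered_threshold):
                report("remembered_device_abuse", user, ts,
                       f">= {remembered_threshold} remembered-device logins within {remembered_window}s")
            if ip and ip not in known_ips.get(user, set()):
                report("new_ip", user, ts, f"first successful login from {ip}")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{f['type']:24} {f['user']:8} {f['detail']}")
```

The new_ip rule deliberately fires only on result: success; a denied attempt from a new address is noise until it succeeds, whereas a success from an address the user has never used is the event worth paging on. In production the known-IP baseline would be built from the collector's own history rather than a literal dict.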

Troubleshooting

  • 401 Invalid signature: The secret key is wrong, or the collector's clock has drifted. The Date header is part of the signed request and Duo requires clock accuracy within 60 seconds; check with ntpdate -q pool.ntp.org.
  • Empty authentication logs: Duo logs have a 2-minute delay. Set poll_interval to at least 120 seconds. Logs older than 180 days are unavailable.
  • Rate limiting (429): Duo allows 1200 requests/minute. Stagger poll intervals if collecting from multiple sources.
  • Missing administrator or telephony logs: Both are read through the same Grant read log permission as the authentication logs. Edit the Admin API application and confirm that permission is granted.

Contact kyra@seekerslab.com for integration support.