It is not that easy to deploy built-in Sentinel Connector to your Sentinel environment.
Although there is a one-click button to deploy to Azure, then there is a guide to enter all realted parameters, you might still not able to receve any logs.
Cisco DUO Connector Deployment
Deployment Option 1 – Azure Resource Manager (ARM) Template
Use this method for automated deployment of the data connector using an ARM Template.
-
Click the Deploy to Azure button below.
-
Select the preferred Subscription, Resource Group and Location.
-
Enter the Cisco Duo Integration Key, Cisco Duo Secret Key, Cisco Duo API Hostname, Cisco Duo Log Types, Microsoft Sentinel Workspace Id, Microsoft Sentinel Shared Key
-
Mark the checkbox labeled I agree to the terms and conditions stated above.
-
Click Purchase to deploy.
Deployment Option 2 – Manual Deployment of Azure Functions
STEP 1 – Obtaining Cisco Duo Admin API credentials
- Follow the instructions to obtain integration key, secret key, and API hostname. Use Grant read log permission in the 4th step of the instructions.
STEP 2 – Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function
Manual Deployment of Azure Functions
Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).
- In the Function App, select the Function App Name and select Configuration.
- In the Application settings tab, select + New application setting.
- Add each of the following application settings individually, with their respective string values (case-sensitive):
CISCO_DUO_INTEGRATION_KEY
CISCO_DUO_SECRET_KEY
CISCO_DUO_API_HOSTNAME
CISCO_DUO_LOG_TYPES
WORKSPACE_ID
SHARED_KEY
logAnalyticsUri (Optional)
- Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format:
https://WORKSPACE_ID.ods.opinsights.azure.us
.
- Once all application settings have been entered, click Save.
Issue
After deployment, you will be able to find this Function App:
The issue is, even with all settings required by configuration page, the logs are still not able to ingest into Sentinel.
After looking into the function monitor logs, you will find out following errors:
“
Result: Failure Exception: RuntimeError: Received 403 Access forbidden Stack: File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py”, line 604, in _handle__invocation_request call_result = await self._loop.run_in_executor( File “/usr/local/lib/python3.8/concurrent/futures/thread.py”, line 57, in run result = self.fn(*self.args, **self.kwargs) File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py”, line 933, in _run_sync_func return ExtensionManager.get_sync_invocation_wrapper(context, File “/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/extension.py”, line 215, in _raw_invocation_wrapper result = function(**args) File “/home/site/wwwroot/AzureFunctionCiscoDuo/main.py”, line 57, in main process_trust_monitor_events(admin_api, state_manager=state_manager, sentinel=sentinel) File “/home/site/wwwroot/AzureFunctionCiscoDuo/main.py”, line 117, in process_trust_monitor_events for event in admin_api.get_trust_monitor_events_iterator(mintime=mintime, maxtime=maxtime): File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 441, in json_cursor_api_call (response, metadata) = self.parse_json_response_and_metadata( File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 482, in parse_json_response_and_metadata raise_error(‘Received %s %s’ % ( File “/home/site/wwwroot/.python_packages/lib/site-packages/duo_client/client.py”, line 468, in raise_error raise error
“
Cause & Solution
After a quick google and based on this post:
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/cisco-duo/m-p/3275211#M9298
The cause of this issue is because of not all log types supported by our environment.
Default configuration for the log types is: trust_monitor,authentication,administrator,telephony,offline_enrollment
After removed trust_monitor, the function can be executed successfully.
Log is coming
Leave a Reply