This article contains information on configuring the Duo Integration with Mimecast to enhance visibility into identity-related threats, including setup steps, supported events, prerequisites, and permissions.
Overview
The Duo Integration provides Mimecast customers with enhanced visibility into identity-related attacks targeting users. By ingesting event data from Duo’s Identity and Access Management (IAM) platform, organizations can detect and respond to threats such as credential stuffing, unusual logins, and other suspicious activities. The integration sends Duo event data to the Mimecast Human Risk Platform, linking each event with a user and updating their identity attack factor.
The Duo Integration is available to all Engage customers on Cloud Gateway, including Engage trial users, and all Email Security Cloud Gateway customers with the Human Risk Command Center.
Considerations
- The integration imports only events that occur after you enable it; historical events are not imported. This ensures that existing attack factor scores remain unchanged and makes setup easier.
- The integration supports two types of Duo events:
-
- Authentication events (e.g., country code mismatch, credential stuffing, device distance, novel ASN, push harassment, tampered cookie).
- Trust Monitor events (if licensed), such as unrealistic geovelocity, unusual device or factor, and user-marked fraud.
- Identity-related events affect a user’s attack factor, not their Human Risk Score, as these events may not be directly attributable to the user’s actions.
- Mimecast Human Risk uses Duo events to monitor user authentication and access, helping organizations identify and manage risky behaviors along with the following events:
-
-
- Risk events triggering the entity risk policy (Duo Identity Threat Protection)
- Detection of or change in user risk (Duo Identity Threat Protection)
- Security threat detected (Duo Threat Insight)
- Leaked password detected (Duo Identity Engine)
- System Log events with a HIGH risk level (Duo Identity Engine)
-
Prerequisites
To use the Duo Integration, you must have:
Mimecast License:
-
-
- Email Security Cloud Gateway with accepted Human Risk Command Center (HRCC) terms and conditions, or Mimecast Engage
-
Duo License:
-
-
- A valid Duo IAM license (Trust Monitor is optional)
-
Permissions
- To configure the integration, users must have one of the following roles in Mimecast:
-
-
- Global Sys Admin
- Sys Admin - SD Full
- Super Administrator
- Full Administrator
- Basic Administrator
- Partner Administrator
- Custom role with Integrations Marketplace Read/Write enabled
-
- To configure the integration, users must have the following roles in Duo:
-
-
- Owner role - Only Duo administrators with the Owner role may create and manage other Duo administrator accounts, including assignment of admin roles.
-
Integration Configuration
The step by step integration and configuration process is designed to be straightforward and secure.
Duo Platform
To authenticate to the Duo integration API, we need a base URL, integration key, and integration secret.
To retrieve these values, you must first create an application by following these steps:
-
Log in to Duo Admin Panel
Navigate to Applications | Add Application
- Locate the entry for Admin API in the catalog.
- Click +Add button to create the application, and get your integration key, secret key, and API hostname.
- In the following page, you can select the permissions and for Trust Monitor, we require Grant read log permissions:
Your Duo secret key is as sensitive as a password—treat it accordingly. Never share it, email it, or store it in plaintext. Instead:
- Restrict access to only authorized personnel and systems
- Rotate your key regularly and audit usage logs
A compromised skey can let attackers bypass your multi-factor authentication—secure it at all costs.
Mimecast Platform
- Log in to Mimecast Administrator Console.
- Navigate to Integrations | Integrations Hub.
- Click Configure New on the Duo tile.
- Fill in the following information
Details:
-
- Application Name
- Description
Active (The API credentials provided by Duo)
-
- Integration Key (The integration key can be found on your API provider).
- Secret key (The Secret Key can be found on your API provider's site).
- API Host Name (The consistent part or the root of your API's website address); also include the https:// portion of the address."
- After filling in the details, click Save.
- A pop-up message confirms the success of the integration.
- Once the integration succeeds, refresh the Integration Hub, return to the Duo tile, and click View. The status updates to Connected, and you can proceed to the next setup step.
- Return to the Mimecast Administrator Console,
- Navigate to Human Risk Command Center | Dashboard
- The integration appears in Human Risk Behaviors under Identity events.
- Click the drop-down to expand Identity events under Human Risk Behaviors.
- Then, once expanded, click View Details.
- You can view a list of Events over time, individual performance, score breakdown, and the latest events for Identity.
- Clicking on the Latest Events tab allows the administrator to view the Individual Risk Profile by clicking on one user under the individual list.
- In the Individual Risk Profile, click on the Identity tab.
- In the events page, you can view individual risk profile Events.
Comments
Please sign in to leave a comment.