QRoC SIEM integration DUO script

QRoC SIEM integration scripts

CyberHat publishes codes on open-source platform Github to improve global security

Within the cybersecurity community, IBM’s QRoC software is something of a catch-all when it comes to managing security information. QRoC (like other SIEM technologies) provides the ability to take information from multiple security tools and create rules that allow the data to be managed in a single space, analyzing them for correlations in real-time.

For this strategy to be effective, however, the security products used by the organization must be able to synchronize with IBM QRoC and forward the relevant logs. While IBM QRoC has made sure firewalls, antivirus software, security products, servers and databases are able to be integrated within their technology, there are still many tools that are falling through the cracks, which can affect an organization’s ability to properly secure its network.

The Issues: Correlation and Visibility

When a company invests in cyber defense tools, it is making those purchases with the assumption that these platforms will address pressing cyber-security needs. But for that to be true, those tools must be configured and integrated properly. This means synchronizing, optimizing, and properly managing all platforms. Ideally, this would be done by a knowledgeable team that sees the entire network topology, understands the security needs and is able to align them with the needs of the business.

The Solution:

We developed unique script for QRoC with MongoDB-Atlas.

We are now releasing those script to the public, allowing the cyber and IT security community to utilize them through step-by-step installation guides.


  1. Connect and configure Duo:

Note: Duo combines security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. It’s simple and effective, you get the freedom to focus on your mission and leave protected.


Step 1. Log into duo account – Admin Panel: (Duo web console)

    1. Navigate to Applications:Click Protect an Application
    2. Locate Auth API or Create
    3. Get Integration Key
    4. Get Secret Key
    5. Get API Hostname

Step 2. Connect into the relevant QRadar collector by SSH.

Step 3. Prepper Linux ENV for the Duo script:

    1. get https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    2. yum install epel-release-latest-7.noarch.rpm
    3. yum install calendar
    4. yum install python-pip
    5. pip install calendar
    6. pip install duo_client

Step 4. Create new directory:

    1. mkdir duo_integration

Step 5. Upload duo_script and conf.ini configuration file into the relevant server by MobaXtern/WinSCP/etc into /root/duo_integration directory.

Step 6. Go to duo_integration directory:

    1. cd /root/ duo_integration

Step 7. Give executable option to script and conf.ini:

    1. chmod +x /root/duo_script
    2. chmod +x /root/conf.ini
    3. vi /root/duo_integration/conf.ini
    4. Click i
    5. At [api] field insert configuration from Step 1- Integration Key, Secret Key & API
  • Hostname
    1. Save & Exit crontab: ESC & type:
      1. :wq!

Step 8. Use Crontab to run the script to collect events from Duo every 10 min:

    1. Crontab -e
    2. Click i
    3. Insert the following commands:
    4. */10* * * * mkdir /root/duo_integration/DuoLogs.txt;
  • root/duo_integration/duo_script > root/duo_integration/DuoLogs.txt;

/opt/qradar/bin/logrun.pl -f /root/DuoScripts/DuoLogs.txt -u <Duo Identifier> 100;

rm- rf root/duo_integration/DuoLogs.txt;

    1. Save & Exit crontab: ESC & type:

1. :wq!

Sign Up for Updates