What Changed

Updated the retry delay in the Cisco Duo Function App connector from 60 seconds to 120 seconds across all log retrieval functions when encountering HTTP 429 throttling responses.

Security Impact (Visibility & Fidelity)

The previous 60-second retry delay was insufficient for Duo API throttling requirements, causing the connector to repeatedly fail API calls after hitting rate limits. This created visibility gaps for:

  • Authentication logs monitoring MFA bypass attempts
  • Administrative logs tracking privilege escalation
  • Activity logs covering user access patterns
  • Telephony logs monitoring voice/SMS authentication events

Deployments experiencing API throttling had incomplete log ingestion, creating blind spots in identity security monitoring.

Technical Details

Modified retry logic in all log retrieval functions (process_auth_logs, get_auth_logs, process_admin_logs, get_admin_logs, process_offline_enrollment_logs, get_offline_enrollment_logs, get_activity_logs, get_tele_logs) to wait 120 seconds instead of 60 seconds when receiving HTTP 429 responses from the Duo API.

The change ensures compliance with the Duo API's documented throttling expectations, reducing connector failures and improving data collection reliability.

Affected Files

Solutions/CiscoDuoSecurity/Data Connectors/AzureFunctionCiscoDuo/main.py
(packaging artefacts: CiscoDuoSecurity_func.zip)
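
The retry behaviour described under Technical Details, as an added sketch that is not the connector's code from main.py: on HTTP 429 the same time window is requested again after 120 seconds. The names fetch_window, collect and make_fake_api, the retry cap, and the rule that the checkpoint moves only on success are assumptions made for this example.

```python
import time

RETRY_DELAY_SECONDS = 120  # delay described on the page (previously 60)
MAX_RETRIES = 3            # assumption: the page does not state a retry cap


class StillThrottled(Exception):
    """Raised when the API keeps answering 429 after all retries."""


def fetch_window(fetch, mintime, maxtime, sleep=time.sleep):
    """Request one time window; on HTTP 429 wait and re-request the same window."""
    for attempt in range(MAX_RETRIES + 1):
        status, records = fetch(mintime, maxtime)
        if status == 200:
            return records
        if status != 429:
            raise RuntimeError(f"unexpected HTTP status {status}")
        if attempt < MAX_RETRIES:
            sleep(RETRY_DELAY_SECONDS)
    raise StillThrottled(f"window {mintime}-{maxtime} still throttled")


def collect(fetch, checkpoint, now, sleep=time.sleep):
    """Return (records, new_checkpoint); the checkpoint moves only on success,
    so a throttled window is requested again on the next run, not skipped."""
    try:
        return fetch_window(fetch, checkpoint, now, sleep), now
    except StillThrottled:
        return [], checkpoint


def make_fake_api(throttle_count):
    """Constructed stand-in for a log endpoint: 429 N times, then 200."""
    state = {"left": throttle_count}

    def fetch(mintime, maxtime):
        if state["left"] > 0:
            state["left"] -= 1
            return 429, None
        return 200, [{"ts": mintime, "event": "authentication"}]
    return fetch


if __name__ == "__main__":
    waits = []  # injected sleep records the delays instead of blocking
    print(collect(make_fake_api(2), 1000, 2000, sleep=waits.append), waits)
```

Injecting sleep keeps the 120-second waits out of test runs while still recording that they were requested.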