Okta Workflows
02/2024
Fetch end user information and react to Identity Intelligence threat detection using Cisco Identity Intelligence.
Authorization
Prerequisites
Generate client API credentials:
From the Integrations tab, click Add Integration.
Scrolls down and click Add API Client.
Provide a Name and Description.
Click Save and generate credentials.
Click Copy all to copy the credentials to your clipboard.
Create a connection
When you add a Cisco Identity Intelligence card to a flow for the first time, you'll be prompted to configure the connection. This will enable you to connect your Cisco Identity Intelligence account, save your account information, and reuse the connection for future Cisco Identity Intelligence flows.
To create a new connection from an Action card:
Click New Connection.
Enter a Connection Name. This is useful if you plan to create multiple Cisco Identity Intelligence connections to share with your team.
Enter the Client ID, Client Secret and Audience values from the integration created earlier.
Select the appropriate geographical region in the Region dropdown.
Click Create.
Connector cards
Cisco Identity Intelligence event cards
| Event | Description |
|---|---|
Triggers a flow when a specific check has new users failing the check in Cisco Identity Intelligence. |
Cisco Identity Intelligence action cards
| Action | Description |
|---|---|
Fetch a concise summary of end-user information, including key fields and relevant details. | |
Retrieve users associated with a specified IP address. |
Events
Identity Intelligence Webhook
Triggers a flow when a specific check has new users failing the check in Cisco Identity Intelligence.
Options
| Field | Definition | Type | Required |
|---|---|---|---|
Shared Secret | A secret string for verifying the source of webhooks. It is sent by Cisco Identity Intelligence events in a header named "x-api-client-token" in the webhook payload | Text | TRUE |
Check ID | A Cisco Identity Intelligence check ID to send events from to the webhook. This can be later updated in the Cisco Identity Intelligence dashboard. | Text | FALSE |
Output
| Field | Definition | Type |
|---|---|---|
detail | Webhook payload. | Object |
detail -> title | The check title. | Text |
detail -> id | The the event ID | Text |
detail -> checkId | The ID of the failed check in the Cisco Identity Intelligence that triggered the event | Text |
detail -> usersFailing | List of email addresses of users that are failing the check. | List of Text |
detail -> published | Timestamp the payload was generated. | Text |
detail -> description | List of sentences that describe the check. | List of Text |
detail -> recommended Actions | List of sentences that describe the recommended action to mitigate risk. | List of Text |
detail -> severity | The check severity in Cisco Identity Intelligence. | Text |
detail-type | Indicator if the webhook payload is for "failed check" or "direct message on failure". The value will be empty for "failed check" payloads. | Text |
region | The Cisco Identity Intelligence deployment region from which the event originated | Text |
id | The webhook event ID | Text |
time | The Date/Time the event was triggered | Text |
Actions
Get End User State
Fetch a concise summary of end-user information, including key fields and relevant details.
Input
| Field | Definition | Type | Required |
|---|---|---|---|
Login | User's email address. | Text | TRUE |
Output
| Field | Definition | Type |
|---|---|---|
Status Code | HTTP response code. | Number |
EndUser State | Summary of end-user information. | Object |
id | The user ID in Cisco Identity Intelligence. | Text |
displayName | The user's display name. | Text |
login | User's email address. | Text |
employeeID | The user ID Employee ID in the Identity Provider or HR system. | Text |
status | The aggregated user status in the identity providers. | Text |
userTypeClassification | The user classification in Cisco Identity Intelligence | Text |
managerLogin | User's manager email address. | Text |
ipAddresses | List of IP Addresses used by the user. | List of Objects |
ipAddresses -> ipAddress | IP Address used by the user. | Text |
ipAddresses -> location -> city | IP Geolocation city of the IP Address. | Text |
ipAddresses -> location -> state | IP Geolocation state of the IP Address. | Text |
ipAddresses -> location -> country | IP Geolocation country of the IP Address. | Text |
lastSignInLocation | The last sign in geolocation information for the user. | Object |
lastSignInLocation -> city | The city the user last signed in from. | Text |
lastSignInLocation -> state | The state the user last signed in from. | Text |
lastSignInLocation -> country | The country the user last signed in from. | Text |
phoneNumber | User's phone number. | Text |
unusedApplications | Names of applications the user has access and did not access in the past 30 days. | List of Text |
usedApplications | Names of applications the user has access and accessed in the past 30 days. | List of Text |
usedFactors | Authentication factors used by the user. | List of Text |
referenceUrl | User's URL in Cisco Identity Intelligence. | Text |
registeredLocationDetails | The user's registered location | Object |
registeredLocationDetails -> city | The registered location city. | Text |
registeredLocationDetails -> state | The registered location state. | Text |
registeredLocationDetails -> country | The registered location country. | Text |
workingLocationDetails | List of the locations the user works in. | List of Object |
workingLocationDetails -> userLocationPrevalence | The prevalence of the working location for the user, as a percentage. | Number |
workingLocationDetails -> location -> city | The working location city. | Text |
workingLocationDetails -> location -> state | The working location state. | Text |
workingLocationDetails -> location -> country | The working location country. | Text |
Errors | List of errors that might have occurred in the request. | List of Object |
path | Paths that had errors in the request. | List of Text |
errorType | Type of the error. | Text |
message | Error message. | Text |
errorInfo | Information about the error | List of Object |
data | Data about the error | List of Object |
Get End Users By IP
Retrieve users associated with a specified IP address.
Input
| Field | Definition | Type | Required |
|---|---|---|---|
IP Address | IP Address. | Text | TRUE |
Output
| Field | Definition | Type |
|---|---|---|
Status Code | HTTP response code. | Number |
End Users IPs | Itemized list of Users associated with a specified IP address. | Object |
id | The user ID in Cisco Identity Intelligence. | Text |
displayName | The user display name in Cisco Identity Intelligence | Text |
login | User's email address. | Text |
referenceURL | User's URL in Cisco Identity Intelligence. | Text |
Errors | List of errors that might have occurred in the request. | List of Object |
path | Paths that had errors in the request. | List of Text |
errorType | Type of the error. | Text |
message | Error message. | Text |
errorInfo | Information about the error | List of Object |
data | Data about the error | List of Object |
Last updated