Okta Workflows
02/2024
Fetch end user information and react to Identity Intelligence threat detection using Cisco Identity Intelligence.
Authorization
Prerequisites
Generate client API credentials:
From the Integrations tab, click Add Integration.
Scroll down and click Add API Client.
Provide a Name and Description.
Click Save and generate credentials.
Click Copy all to copy the credentials to your clipboard.
Create a connection
When you add a Cisco Identity Intelligence card to a flow for the first time, you'll be prompted to configure the connection. This will enable you to connect your Cisco Identity Intelligence account, save your account information, and reuse the connection for future Cisco Identity Intelligence flows.
To create a new connection from an Action card:
Click New Connection.
Enter a Connection Name. This is useful if you plan to create multiple Cisco Identity Intelligence connections to share with your team.
Enter the Client ID, Client Secret and Audience values from the integration created earlier.
Select the appropriate geographical region in the Region dropdown.
Click Create.
Connector cards
Cisco Identity Intelligence event cards
Triggers a flow when a specific check has new users failing the check in Cisco Identity Intelligence.
Cisco Identity Intelligence action cards
Fetch a concise summary of end-user information, including key fields and relevant details.
Retrieve users associated with a specified IP address.
Events
Identity Intelligence Webhook
Triggers a flow when a user is failing the check in Cisco Identity Intelligence.
Options
Shared Secret
A secret string for verifying the source of webhooks. Cisco Identity Intelligence sends it with each webhook event in a header named "x-api-client-token".
Text
TRUE
Check ID
The ID of the Cisco Identity Intelligence check whose events are sent to the webhook. This can be updated later in the Cisco Identity Intelligence dashboard.
Text
FALSE
Output
detail
Webhook payload.
Object
➥ id
The event ID.
Text
➥ checkId
The ID of the failed check in Cisco Identity Intelligence that triggered the event.
Text
➥ title
The check title.
Text
➥ severity
The check severity in Cisco Identity Intelligence.
Text
➥ login
The login identifier of the failing user
Text
➥ explainabilityDetails
List of objects of type {"key":<key>, "value":<value>} with explainability details about the failing check.
List of Objects
➥ checkTopics
List of topics the check relates to (e.g. Compliance, Devices).
List of Text
➥ checkTags
List of tags applied to the check
List of Text
➥ frameworks
List of frameworks the check is a part of (e.g. NIST, MITRE).
List of Text
➥ published
Timestamp the payload was generated.
Date & Time
region
The Cisco Identity Intelligence deployment region from which the event originated
Text
id
The webhook event ID
Text
time
The Date/Time the event was triggered
Text
detail-type
Type of content in the event
Text
source
Identifier of the CII instance
Text
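The shared-secret check and payload fields described above, shown as an added example (not Okta or Cisco code) for a receiver that handles the same webhook itself: it compares the "x-api-client-token" header in constant time before parsing, then validates the documented detail fields. The function names, the set of fields treated as mandatory, the optional check-ID allowlist and the sample request are assumptions constructed for illustration.

```python
import hmac
import json

TOKEN_HEADER = "x-api-client-token"  # header name given in the Options table
REQUIRED_DETAIL_FIELDS = ("id", "checkId", "login", "severity")  # assumed mandatory


class WebhookRejected(Exception):
    """Raised when a webhook request must not be processed."""


def verify_and_parse(headers, body, shared_secret, expected_check_ids=None):
    """Authenticate a webhook request and return its validated 'detail' object."""
    # HTTP header names are case-insensitive, so normalize before lookup.
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(TOKEN_HEADER, "")
    # compare_digest avoids leaking the secret through timing differences.
    if not presented or not hmac.compare_digest(
            presented.encode(), shared_secret.encode()):
        raise WebhookRejected("missing or wrong shared secret")
    # Parse only after authentication; reject anything outside the documented shape.
    try:
        event = json.loads(body)
    except ValueError as exc:
        raise WebhookRejected("body is not JSON") from exc
    detail = event.get("detail") if isinstance(event, dict) else None
    if not isinstance(detail, dict):
        raise WebhookRejected("no detail object")
    missing = [f for f in REQUIRED_DETAIL_FIELDS if not isinstance(detail.get(f), str)]
    if missing:
        raise WebhookRejected("missing fields: " + ", ".join(missing))
    # Optionally pin the flow to the check IDs it was configured for.
    if expected_check_ids is not None and detail["checkId"] not in expected_check_ids:
        raise WebhookRejected("unexpected checkId")
    return detail


# Constructed sample request; every value here is illustrative, not a real identifier.
SAMPLE_SECRET = "example-shared-secret"
SAMPLE_BODY = json.dumps({
    "id": "evt-0001",
    "detail": {"id": "d-0001", "checkId": "check-123", "title": "Example check",
               "severity": "high", "login": "user@example.com"},
}).encode()

if __name__ == "__main__":
    detail = verify_and_parse({"X-Api-Client-Token": SAMPLE_SECRET},
                              SAMPLE_BODY, SAMPLE_SECRET, {"check-123"})
    print(detail["login"], detail["checkId"])
```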
Actions
Get End User State
Fetch a concise summary of end-user information, including key fields and relevant details.
Input
Login
User's email address.
Text
TRUE
Output
Status Code
HTTP response code.
Number
EndUser State
Summary of end-user information.
Object
id
The user ID in Cisco Identity Intelligence.
Text
displayName
The user's display name.
Text
login
User's email address.
Text
employeeID
The user's Employee ID in the Identity Provider or HR system.
Text
status
The aggregated user status in the identity providers.
Text
userTypeClassification
The user classification in Cisco Identity Intelligence
Text
managerLogin
User's manager email address.
Text
ipAddresses
List of IP Addresses used by the user.
List of Objects
➥ ipAddress
IP Address used by the user.
Text
➥ location.city
IP Geolocation city of the IP Address.
Text
➥ location.state
IP Geolocation state of the IP Address.
Text
➥ location.country
IP Geolocation country of the IP Address.
Text
phoneNumber
User's phone number.
Text
unusedApplications
Names of applications the user has access to but did not access in the past 30 days.
List of Text
usedApplications
Names of applications the user has access to and accessed in the past 30 days.
List of Text
usedFactors
Authentication factors used by the user.
List of Text
referenceUrl
User's URL in Cisco Identity Intelligence.
Text
registeredLocationDetails
The user's registered location
Object
➥ city
The registered location city.
Text
➥ state
The registered location state.
Text
➥ country
The registered location country.
Text
workingLocationDetails
List of the locations the user works in.
List of Object
➥ userLocationPrevalence
The prevalence of the working location for the user, as a percentage.
Number
➥ location.city
The working location city.
Text
➥ location.state
The working location state.
Text
➥ location.country
The working location country.
Text
Errors
List of errors that might have occurred in the request.
List of Object
path
Paths that had errors in the request.
List of Text
errorType
Type of the error.
Text
message
Error message.
Text
errorInfo
Information about the error
List of Object
data
Data about the error
List of Object
Get End Users By IP
Retrieve users associated with a specified IP address.
Input
IP Address
IP Address.
Text
TRUE
Output
Status Code
HTTP response code.
Number
End Users IPs
Itemized list of Users associated with a specified IP address.
Object
id
The user ID in Cisco Identity Intelligence.
Text
displayName
The user display name in Cisco Identity Intelligence
Text
login
User's email address.
Text
referenceURL
User's URL in Cisco Identity Intelligence.
Text
Errors
List of errors that might have occurred in the request.
List of Object
path
Paths that had errors in the request.
List of Text
errorType
Type of the error.
Text
message
Error message.
Text
errorInfo
Information about the error
List of Object
data
Data about the error
List of Object