Details

This workflow is triggered by the CII failed checks you configure, parses the event and runs a threat hunt on it. It always creates a Sighting for the CII event. If the Investigation turns up new Sightings, or if the input variable is set to True, it creates a new XDR Incident containing that Sighting and links the Investigation used for the threat hunt to the Incident. If an existing non-closed Incident is found, it adds the Sighting to that Incident instead of creating a new one.

Description

Note: a native integration between Cisco XDR and Cisco Identity Intelligence is on the roadmap. This workflow is to show the art of the possible via an Automation Workflow.

  1. Click Install on the Workflow.
  2. If you always want an Incident to be created for a failed check, set the input variable to True. This is not recommended, as it may produce noise.
  3. When prompted, you can skip the Automate it! button, unless you want to create a Webhook manually for use in CII (not recommended).
  4. Instead of adding a Webhook manually, you can "bootstrap" the workflow by running it once manually after completing the installation. It then automatically adds the XDR Webhook Listener, the Automation Rule and the CII Webhook, and enables all of them for the Workflow. This saves a lot of steps, and you can always edit them later.
  5. In the Incident Manager in Cisco XDR, you should now see Incidents being generated.
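The decision logic the Details section describes, written out as an added illustration. This is not the workflow's own code (XDR Automation workflows are built in the visual workflow editor, not in Python); it only mirrors the rules stated above: always build a Sighting, attach it to an existing non-closed Incident if one is found, otherwise create an Incident only when the hunt found new Sightings or the input variable is True. The CII webhook payload shape, the incident fields, and matching existing Incidents on the affected user are assumptions made for the example; the Sighting follows the CTIM field names as used by XDR.

```python
"""Added example: incident-routing rules for a CII failed-check event."""

# Constructed sample payload. The field names are an assumption about what a
# CII failed-check webhook carries; the real payload shape may differ.
SAMPLE_CII_EVENT = {
    "check": {"name": "Admin without MFA", "severity": "high"},
    "user": {"email": "Alice@example.com"},
    "failed_at": "2024-05-01T10:15:00Z",
}

# Constructed list of Incidents as the workflow might read them back from XDR.
# Only "status" and a user field are needed for the routing decision (assumed).
SAMPLE_INCIDENTS = [
    {"id": "incident-1", "status": "Closed", "user": "alice@example.com"},
    {"id": "incident-2", "status": "Open", "user": "bob@example.com"},
]


def parse_cii_event(payload: dict) -> dict:
    """Flatten the webhook body into the fields the rest of the logic uses."""
    return {
        "check": payload["check"]["name"],
        "severity": payload["check"]["severity"],
        "user": payload["user"]["email"].lower(),   # normalise for matching
        "observed": payload["failed_at"],
    }


def build_sighting(event: dict) -> dict:
    """CTIM-style Sighting for the failed check; created unconditionally."""
    return {
        "type": "sighting",
        "schema_version": "1.1",
        "title": f"CII failed check: {event['check']}",
        "description": f"{event['user']} failed the CII check '{event['check']}'",
        "source": "Cisco Identity Intelligence",
        "severity": event["severity"].capitalize(),   # e.g. "high" -> "High"
        "confidence": "High",
        "count": 1,
        "observed_time": {"start_time": event["observed"]},
        "observables": [{"type": "email", "value": event["user"]}],
    }


def find_open_incident(incidents: list, event: dict):
    """Return the first non-closed Incident for the same user, else None.

    Matching on the user is an assumption; the page only says "non-closed".
    """
    for inc in incidents:
        if inc["status"].lower() != "closed" and inc["user"].lower() == event["user"]:
            return inc
    return None


def decide_incident_action(event: dict, incidents: list,
                           hunt_found_new_sightings: bool,
                           always_create_incident: bool = False) -> dict:
    """Apply the workflow's rules and say what to do with the Sighting.

    Order matters: an existing non-closed Incident wins over creating a new
    one, even when the hunt found new Sightings or always_create_incident is set.
    """
    sighting = build_sighting(event)
    existing = find_open_incident(incidents, event)
    if existing is not None:
        return {"action": "attach_to_existing", "incident_id": existing["id"],
                "sighting": sighting}
    if hunt_found_new_sightings or always_create_incident:
        return {"action": "create_incident", "incident_id": None,
                "sighting": sighting}
    return {"action": "sighting_only", "incident_id": None, "sighting": sighting}


if __name__ == "__main__":
    ev = parse_cii_event(SAMPLE_CII_EVENT)
    print(decide_incident_action(ev, SAMPLE_INCIDENTS, hunt_found_new_sightings=True))
```

Running the module as a script prints the "create_incident" outcome for the constructed event, since Alice's only existing Incident is closed. Swap `hunt_found_new_sightings` to False to see the "sighting_only" path that step 2 above warns you are giving up when you set the input variable to True.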
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR
  • Cisco Identity Intelligence
About
Author
Christopher van der Made
Version
v1.6
Average rating
4.7 out of 5
Authorship
Community