Details

Ingests Cisco Identity Intelligence (CII) "failed checks" into Cisco XDR as Custom Security Events, which are normalized as Detection Findings in the XDR Data Warehouse. These findings automatically enter XDR's correlation pipeline, so XDR can create incidents natively without any additional configuration.

Description

Instructions

  1. Install the Workflow

    • Click Install

    • When prompted, you can skip “Automate it!”

      • Manual Webhook creation is possible but not recommended
  2. Bootstrap (required, one-time)

    Important: no manual Workflow configuration is required unless you want to ingest CII checks other than Critical Threat. To change the set of checks, modify the local variable called ⚠️ Configure CII Threat Check IDs [OPTIONAL] ⚠️.

    • After installation, run the Workflow manually once

    • This will automatically:

      • Create the XDR Webhook Listener
      • Configure the Automation Rule
      • Register the CII Webhook
      • Enable end-to-end ingestion
  3. Post-bootstrap behavior

    • CII sends failed checks via Webhook

    • Workflow transforms them into Custom Security Events

    • Events are stored as Detection Findings

    • Findings automatically participate in:

      • Correlation
      • Incident generation
  4. Verification

    • Navigate to Detection Findings Viewer in Cisco XDR

    • Confirm that:

      • Checks are being ingested as Detection Findings
      • Detection Findings may be correlated into Incidents
  5. After updates

    • If updating to a new version:

      • Verify that the Static Boolean variable is still set to True (if the Workflow was already bootstrapped)
      • This prevents the bootstrap logic from running again unnecessarily

Notes

  • This Workflow demonstrates the art of the possible using XDR Automate
  • A native integration between Cisco XDR and Cisco Identity Intelligence is on the roadmap
  • All generated configuration can be reviewed and modified after bootstrap if needed
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco Identity Intelligence
  • Cisco XDR
About
Author
Christopher van der Made
Version
v1.3
Intent
Custom Security Event
Average rating
5.0 out of 5
Authorship
Community
Related workflows
Community
⚠️ Note: this Workflow has been replaced by a superior version using XDR Detection Findings: "Cisco Identity Intelligence (CII): Ingest Critical Threat Checks".