ModernCyber Blog

Cisco Identity Intelligence

Written by Tina Cline | Apr 13, 2025 9:54:20 PM

In today’s digital environment, attackers no longer need to hack in; they can simply log in using stolen, legitimate credentials.

The front door is wide open, and the only way to stop them is through smarter identity security.

Cisco Identity Intelligence (CII) bridges the gap between authentication and access. Built on the foundation of Cisco Duo, CII offers deep visibility into identity activity to block high-risk access and respond faster to evolving identity-based threats.

Why Identity Intelligence Matters

Traditional security tools often lack the context needed to detect credential-based and insider threats. Cisco Identity Intelligence addresses this by layering behavior analysis and anomaly detection over a robust identity security strategy.

Deep Integration Across the Ecosystem

CII integrates with major IdPs, including Entra ID, Okta, Google Workspace, and Auth0, and with apps like Salesforce, GitHub, AWS, and Slack. Organizations can also stream identity-related data via AWS EventBridge and Azure Event Hub.

To build a comprehensive identity graph, CII requires integration of primary, secondary, and tertiary authentication flows, especially since most enterprises use multiple IdPs.

CII brings together identity data from these disparate sources and clearly displays the correlated intelligence, significantly reducing false positives and noise. It works especially well with Okta, Microsoft, and Duo, enabling proactive and reactive security measures.

Once connected, CII builds a dynamic map of users, groups, and directory structures, leveraging API and event data to determine who is accessing what, from where, and on which devices.

CII’s Key Unified Views

  • Users View offers a unified inventory of users across all integrated providers. Duplicate accounts are merged for a holistic view.
  • User 360 View is a comprehensive profile including login activity, MFA usage, location patterns, device types, user trust level, and anomaly detection.
  • Activity Flow visualizes behavioral patterns to easily identify deviations or unusual behavior.
  • Combined Auth Log offers a centralized view of authentication events and MFA usage across all IdPs.
  • Location & Device Intelligence identifies suspicious locations and highlights inconsistencies in device usage. Not all IdPs provide the same level of device detail, but CII consolidates what is available from the connected integrations.
  • Application Access Overview lists which applications are being accessed and how often, and flags dormant or underutilized apps.

Identity Risk & Security Checks

CII runs continuous User Checks based on analytics and detection rules, including:

  • Sign-ins from dormant accounts
  • Weak or missing MFA
  • New countries or locations
  • Expired or soon-to-expire app keys
  • Admin or VIP accounts with poor protection

These checks can also be mapped to industry frameworks, such as CIS, NIS, MITRE ATT&CK, and more.

Enhancing Identity Posture

By leveraging all this intelligence, Cisco Identity Intelligence helps you identify and act on identity threats, such as:

  • Users without MFA
  • Potential compromises (e.g., MFA flooding)
  • Access from denied or high-risk countries
  • Misconfigured admin or VIP accounts
  • Inactive users with lingering access

Cisco Identity Intelligence is not just another monitoring tool—it's a strategic asset for identity-first security. With real-time insights, contextual access control, and threat detection capabilities, CII enables organizations to outsmart today’s credential-based attacks and take control of their identity landscape.