
Simplifying identity security queries with AI

Today's identity infrastructure is fragmented, siloed, and convoluted. This complexity creates blind spots where compliance issues, posture vulnerabilities, and even identity threats lurk unnoticed. Organizations need more comprehensive visibility and risk analysis when it comes to their identity environments. It should be simple to answer questions about:

  • MFA Usage

  • Dormant Accounts

  • Suspicious Access

  • Non-Compliant Users

Yet so often it takes days or even weeks to get the data required to answer these questions accurately.

Never fear! Cisco Identity Intelligence was built to solve this challenge by providing unified visibility across diverse identity sources, using AI to analyze information and empower organizations to evaluate the security posture of their identity environments and effectively detect and respond to identity-based threats.

However, there's been a catch. To unlock Identity Intelligence’s most powerful querying capabilities, users needed to understand Kibana Query Language (KQL)—a technical query syntax that, while robust, presents a steep learning curve. For security analysts, IT administrators, and business leaders who simply need answers, learning a new query language shouldn't stand between them and critical security insights.

AI-enabled natural language search for Cisco Identity Intelligence

To address this problem, the Cisco Identity Intelligence team leveraged specialized AI to eliminate the KQL barrier. Now, instead of crafting complex queries, users can simply ask questions in natural language—just as they would ask a colleague. To deliver the new functionality quickly and effectively, the Identity Intelligence team accelerated their work by using AWS and its powerful services (shoutout to AWS).

Want to find admin accounts without MFA enabled who've logged in from suspicious IP addresses? Instead of writing:

groupNames.keyword:"sg-gsuite-admins" AND
mfaEnabled:false AND lastActive:{now-7d TO now-1d} AND
ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy)

An admin can simply type: "Show me GSuite admins without MFA who recently logged in from VPN or Tor proxies."

The real magic? Identity Intelligence displays both your results and the corresponding KQL query. This dual approach means users get immediate answers while simultaneously learning the underlying query structure—empowering them to grow their technical skills organically.
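
To read the displayed query clause by clause, the following added example (not Cisco's code and not part of the original post) evaluates the same four conditions in Python over constructed records. The record layout is an assumption, as is reading the curly-brace range with Lucene-style exclusive bounds; under that reading, "recently" here leaves out activity in the last 24 hours.

```python
from datetime import datetime, timedelta, timezone

# Field names come from the query on this page; the record layout
# (lists of dicts for ipAddressDetails / ipTags) is an assumption.
ADMIN_GROUP = "sg-gsuite-admins"
RISKY_TAGS = {"VPN", "TOR_Proxy"}


def matches(user, now):
    """Evaluate the four AND-ed clauses of the page's query for one record."""
    # groupNames.keyword:"sg-gsuite-admins" -> exact match on any group name
    in_group = ADMIN_GROUP in user.get("groupNames", [])
    # mfaEnabled:false -> field must be present and false
    no_mfa = user.get("mfaEnabled") is False
    # lastActive:{now-7d TO now-1d} -> curly braces read as exclusive bounds,
    # so activity within the last 24 hours falls outside the window
    last = user.get("lastActive")
    in_window = (last is not None
                 and now - timedelta(days=7) < last < now - timedelta(days=1))
    # ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy) -> any tag on any IP
    tags = {t["name"] for ip in user.get("ipAddressDetails", [])
            for t in ip.get("ipTags", [])}
    return in_group and no_mfa and in_window and bool(tags & RISKY_TAGS)


def find_matches(users, now):
    """Return the ids of all records that satisfy every clause."""
    return [u["id"] for u in users if matches(u, now)]


# Constructed sample records, not product data.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)


def make_user(uid, groups, mfa, hours_ago, tag):
    return {"id": uid, "groupNames": groups, "mfaEnabled": mfa,
            "lastActive": NOW - timedelta(hours=hours_ago),
            "ipAddressDetails": [{"ipTags": [{"name": tag}]}]}


USERS = [
    make_user("alice", [ADMIN_GROUP], False, 72, "TOR_Proxy"),  # matches
    make_user("bob", [ADMIN_GROUP], False, 3, "VPN"),           # too recent
    make_user("carol", [ADMIN_GROUP], True, 72, "VPN"),         # MFA enabled
    make_user("dave", ["sg-gsuite-users"], False, 72, "VPN"),   # not an admin
    make_user("erin", [ADMIN_GROUP], False, 72, "Corporate"),   # no risky tag
    make_user("frank", [ADMIN_GROUP], False, 168, "VPN"),       # exactly now-7d
]

if __name__ == "__main__":
    print(find_matches(USERS, NOW))
```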

Real-world impact: From complexity to clarity

Consider these common security scenarios that become dramatically simpler:

  1. Identity Posture Management: A compliance officer needs to identify inactive service accounts that don't follow naming conventions. Rather than deciphering query operators and wildcards, they ask: "Find inactive users whose accounts start with 'sa.' and contain 'company.'" Instantly, they have actionable data for remediation.

  2. Threat Detection and Response: During an incident investigation, your SOC analyst needs to quickly identify users with recent authentication activity from a specific country. Instead of memorizing country codes and attribute syntax, they simply query: "Show users with recent IP activity from China." Time saved during critical response windows can mean the difference between containment and breach.

  3. Application Licensing Assessment: IT leadership wants to understand application usage by finding users with Salesforce assigned but unused in the past month. The natural language query—"Show users assigned to Salesforce SAML but haven't used it in 30 days"—makes this strategic analysis accessible to non-technical stakeholders.

Identity insights, now more accessible

Identity Intelligence should empower the team, not intimidate them. With natural language search, we're ensuring that anyone who needs identity insights can access them immediately—no advanced training required.

Ready to experience seamless access to accelerated identity insights? If you’re a customer, try the new search functionality in your instance today. If you’d like to get a feel for the feature, check out the functionality in the product tour or start a Duo trial to learn how Cisco Identity Intelligence can transform your organization’s identity security posture.