Cortex XSOAR has been a game changer when it comes to helping SOC teams orchestrate and automate security operations. But what if you could use your XSOAR platform for more than just standard security tasks and incident response? This week, we will veer slightly off the SOC beaten path to share how our ITOps team has used XSOAR to automate the daily provisioning of end users.
In this week’s playbook highlight, we’ll go into how you can use Cortex XSOAR’s extensive pre-integrated connections to effectively manage user identity lifecycle and access provisioning, primarily for:
Figure 1: Cortex XSOAR uses for managing user identity lifecycle and access provisioning
The process of provisioning users, whether it’s onboarding or offboarding employees or granting access to various internal groups or apps, can be arduous and error-prone. If updates to an employee’s status and information are not always propagated from the HR system across relevant IT and business applications, the result is out-of-date information that can pose a security risk or impact employee productivity, and security teams are left without visibility into the employee lifecycle process.
The Cortex XSOAR Identity Lifecycle Management (ILM) content pack enables you to provision and sync users from HR applications and supported applications used by your organization. With this pack, you can assign users the necessary roles and grant them access to all of the applications they need for daily work.
The playbooks in the ILM pack help you automate the following tasks:
For instance, HR uses Workday to manage operations for employees in the organization. It is standard practice for HR to generate a report for these maintenance operations, such as running a weekly report that captures all new and terminated employees, or a daily report that captures updates to existing employee profiles (e.g., new mailing address or phone number).
Cortex XSOAR uses the Workday integration to fetch report updates and create XSOAR incidents that correspond to the management operation(s) in the report. Based on the report from Workday, the integration determines what operation needs to be performed, such as:
Group sync—sync user memberships in groups to applications based on group creations in Okta.
Group membership update—provides automated provisioning of user permissions derived from Okta groups that the user is assigned to or unassigned from.
App sync—sync users to applications based on app assignments in Okta. With the app-sync workflow, when users are assigned to or unassigned from applications in Okta, or added to or removed from Okta groups, the app-sync playbook creates, updates, enables, or disables the user in the corresponding Cortex XSOAR instance.
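The report-driven flow described above, as an added Python example (not code from the ILM pack or the Workday integration): it compares a constructed HR report with downstream account state and plans the create, update, enable and disable operations. The field names, status values and the `plan_operations` helper are assumptions made for illustration.

```python
# Added illustration: report layout and field names are assumptions, not the Workday or XSOAR schema.
from dataclasses import dataclass

PROFILE_FIELDS = ("email", "phone", "department")  # hypothetical profile fields

@dataclass(frozen=True)
class Operation:
    employee_id: str
    action: str          # create | update | enable | disable
    changes: tuple = ()  # profile fields that differ (update only)

def plan_operations(report_rows, directory):
    """Treat the HR report as source of truth and plan changes to downstream accounts."""
    ops, seen = [], set()
    for row in report_rows:
        emp_id, status = row["employee_id"], row["status"]
        if status not in ("active", "terminated"):
            raise ValueError(f"unknown status {status!r} for {emp_id}")
        if emp_id in seen:
            raise ValueError(f"duplicate employee_id in report: {emp_id}")
        seen.add(emp_id)
        account = directory.get(emp_id)
        if account is None:
            if status == "active":
                ops.append(Operation(emp_id, "create"))
            continue  # terminated and never provisioned: nothing to do
        if status == "terminated":
            if account["enabled"]:  # already-disabled accounts produce no operation
                ops.append(Operation(emp_id, "disable"))
            continue
        if not account["enabled"]:
            ops.append(Operation(emp_id, "enable"))  # active in HR, disabled downstream
        changed = tuple(f for f in PROFILE_FIELDS if row.get(f) != account.get(f))
        if changed:
            ops.append(Operation(emp_id, "update", changed))
    return ops

# Constructed sample data, not taken from any real system.
REPORT = [
    {"employee_id": "E100", "status": "active", "email": "a@example.com", "phone": "555-0100", "department": "Sales"},
    {"employee_id": "E101", "status": "terminated", "email": "b@example.com", "phone": "555-0101", "department": "IT"},
    {"employee_id": "E102", "status": "active", "email": "c@example.com", "phone": "555-0199", "department": "HR"},
    {"employee_id": "E103", "status": "active", "email": "d@example.com", "phone": "555-0103", "department": "Ops"},
]
DIRECTORY = {
    "E101": {"enabled": True, "email": "b@example.com", "phone": "555-0101", "department": "IT"},
    "E102": {"enabled": True, "email": "c@example.com", "phone": "555-0102", "department": "HR"},
    "E103": {"enabled": False, "email": "d@example.com", "phone": "555-0103", "department": "Ops"},
}
```

A terminated employee whose account is still enabled is the case that carries the security risk described earlier, so the disable branch is evaluated before any profile comparison.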
Our IT and HR departments at Palo Alto Networks used a version of this content pack to automate user onboarding/offboarding management and the overall governance of user identity access for tens of thousands of employees. By using XSOAR, we saw a 20% reduction in operational tasks since automating previously manual operations, as well as a cost savings of 40% on third-party user identity license renewal costs, equaling over $300K in savings.
Figure 2: Various uses for Cortex XSOAR for ILM and User Provisioning
Using an array of out-of-the-box and customized playbooks within Cortex XSOAR, Palo Alto Networks’ user provisioning process is automated and managed from beginning to end:
With this pack, you can bring automation to more than just your security operations teams. With Cortex XSOAR, you can reduce the time your teams spend on HR and IT tasks and standardize the way you manage user provisioning by automating tasks to:
The Identity Lifecycle Management pack is available via our Cortex XSOAR Marketplace with a free one-month trial! Want to learn more about this content pack?
For more information, visit ILM subscription on Cortex XSOAR Marketplace.
For more in-depth Playbook information, visit the Identity Lifecycle Management (ILM) Developer Article.
Don’t have Cortex XSOAR? Download our free Community Edition to explore these playbooks and hundreds more.