Playbook of the Week: Cortex XSOAR Automated Identity Lifecycle Management

Jun 03, 2022
6 minutes
... views


Cortex XSOAR has been a game changer when it comes to helping SOC teams orchestrate and automate security operations. But what if you could use your XSOAR platform for more than just standard security tasks and incident response? This week, we will veer slightly off the SOC beaten path to share how our ITOps team has used XSOAR to automate the daily provisioning of end users.

In this week’s playbook highlight, we’ll go into how you can use Cortex XSOAR’s extensive pre-integrated connections to effectively manage user identity lifecycle and access provisioning, primarily for:

  • New or future hires (onboarding)
  • Updates (e.g., job changes, internal transfers)
  • Terminations (offboarding)

Figure 1: Cortex XSOAR uses for managing user identity lifecycle and access provisioning

Figure 1: Cortex XSOAR uses for managing user identity lifecycle and access provisioning

Cortex XSOAR for Identity Lifecycle Management

The process of provisioning users, whether it’s onboarding or offboarding employees or granting access to various internal groups or apps can be arduous and error prone. If updates to an employee status and information are not always propagated from the HR system across relevant IT and business applications, this leads to out-of-date information that can pose a security risk or impact employee productivity and leaves security teams without visibility into the employee lifecycle process.

The Cortex XSOAR Identity Lifecycle Management (ILM) content pack enables you to provision and sync users from HR applications and supported applications used by your organization. With this pack, you can assign users the necessary roles and grant them access to all of the applications they need for daily work.

The playbooks in the ILM pack helps you automate the following tasks:

  • User provisioning—provision users from an HR system (e.g. Workday) into all supported applications used by the organization such as Active Directory and/or Okta by performing management operations like creating, reading, updating, and deleting users.

For instance, HR uses Workday to manage operations for employees in the organization. It is standard practice for HR to generate a report for these maintenance operations, such as running a weekly report that captures all new and terminated employees, or a daily report that captures updates to existing employee profiles (e.g., new mailing address or phone number).

Cortex XSOAR uses the Workday integration to fetch report updates and create XSOAR incidents that correspond to the management operation(s) in the report. Based on the report from Workday, the integration determines what operation needs to be performed, such as:

  • Is this a new hire who needs to be added to the system?
  • Does a user’s personal information need to be updated?
  • Has the user left the company and needs to be disabled in sensitive systems?

Group sync—sync user memberships in groups to applications based on group creations in Okta.

Group membership update—provides automated provisioning of user permissions derived from Okta groups that the user is assigned to or unassigned from.

App sync—sync users to applications based on app assignments in Okta. When implementing the app-sync workflow, users are assigned to, or unassigned from, applications in Okta, or when users are added or removed from Okta groups—the app-sync playbook will create, update, enable, or disable the user in the corresponding Cortex XSOAR instance.

SOAR Beyond the SOC: How Palo Alto Networks Uses Cortex XSOAR for ILM

Our Palo Alto Networks’s IT and HR department utilized a version of this content pack to automate the user onboarding/offboarding management and overall governance of tens of thousands of employees’ user identity access. By using XSOAR, we saw a 20% reduction in operational tasks since automating previously manual operations, as well as a cost savings of 40% on third-party user identity license renewal costs, equaling over $300K in savings.

Figure 2: Various uses for Cortex XSOAR for ILM and User Provisioning

Figure 2: Various uses for Cortex XSOAR for ILM and User Provisioning


Using an array of out-of-the-box and customized playbooks within Cortex XSOAR, Palo Alto Networks’ user provisioning process is automated and managed from beginning to end:

  • User Lifecycle Management—The ILM framework connects to the Palo Alto Networks HR systems and pulls events that are classified into four key categories—new hires, updates, terminations, and rehires. This allows for a single source of truth for user identity and the playbook-driven workflow takes care of keeping it in sync within all the systems.
  • Security and Compliance—We have playbooks that take care of detecting inactive user accounts and suspending them, as well as an automated way to add IP allow-list to critical applications and restrict access based on those IPs. This is used for our source code management (SCM) platform and some other critical apps.
  • Password Self-Service Bot—We have a Slack bot that is integrated with XSOAR to make it easy for users to reset/change passwords in a secure manner within a given time period.
  • Audit Automation/Identity Governance—The audit automation framework we have triggers a periodic review for the configured critical applications. This includes making sure that the application owners or administrator reviews the list of privileged users and provides evidence of necessary approval. There is also access certification automation for some applications, which eliminates the need for manually gathering evidence.


With this pack, you can bring automation to more than just your security operations teams. With Cortex XSOAR, you can reduce the time your teams spend on HR and IT tasks and standardize the way you manage user provisioning by automating tasks to:

  • Pull Workday reports and Okta application events with user updates.
  • Create incidents for each user update in the system.
  • Determine which action needs to be performed based on the information in the Workday report. Each action has its designated playbook to add, update, or remove users from the system.
  • Allow the user to determine the account creation and activation dates relative to the hire date.
  • Identify if a hire is an employee being rehired or a first-time hire.
  • Communicate with the relevant stakeholders to inform them of any errors that arose in the process.
  • Communicate with the relevant stakeholders to obtain necessary credentials.

The Identity Lifecycle Management pack is available via our Cortex XSOAR Marketplace with a free one-month trial! Want to learn more about this content pack?

For more information, visit ILM subscription on Cortex XSOAR Marketplace.

For more in-depth Playbook information, visit the Identity Lifecycle Management (ILM) Developer Article.

Don’t have Cortex XSOAR? Download our free Community Edition to explore these playbooks and hundreds more.

Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.