User Lifecycle Management (LCM) Using Cortex XSOAR

By Bibu Mohapatra and Rashmi Bilgundi

3 min read

Palo Alto Networks is growing at a rapid pace and now has over 10,000 employees. In recent years we’ve also acquired quite a number of companies. All this means that we have an increasing number of services and applications that we need to support for our enterprise users. 

We want to provide a great day-one experience for new employees by ensuring they have the required access to be effective in their job. We also have to update or revoke employee access in a timely manner as part of the HR process. 

We need a workflow integration and orchestration platform that is developer friendly and provides flexibility to apply our business logic, and at the same time help us achieve zero trust privilege.

For anyone looking for an agile IAM platform, see how we are using Cortex XSOAR for our IAM needs. It has not always been a smooth ride – but a worthy one for sure.

Why Cortex XSOAR

Cortex XSOAR has a pliant framework that has pre-integrated connections to 600+ applications. We expanded the platform for Palo Alto Network’s internal use case to effectively manage user identity lifecycle, primarily for:

  • New or future hire (onboarding)
  • Update (e.g., job changes, internal transfers)
  • Termination (offboarding)

We partnered with the XSOAR product team on this implementation. We used the features available on Cortex XSOAR and updated some of those to support user lifecycle management. 

We integrated with multiple HR data sources for employee and contingent worker data feeds, and around 20 target applications (including enterprise directory) for user identity and access provisioning.

The architecture

The process flow

Here’s a brief description of how we used the platform to support our use case.

  • Fetch events from HR data source on a periodic basis
  • Using “Classification & Mapping”, map the HR data to the User profile field (i.e., Indicator Field) for each incident
  • Run the playbook that analyses each user profile and classifies the event into  “New Hire”, “Update User”, or “Terminated User”
  • Based on the incident type, a specific playbook is then triggered to sync the user account to the corporate directory and various applications that are configured.
  • “Create User” process flow:

    • Create the account in enterprise directory (e.g., Active Directory)
    • Create user account to various target applications based on predefined business logic and user profile/role
    • Sample playbook 

  • “Terminate User” process flow:

    • Disable the account in Enterprise data store (e.g., Active Directory)
    • Disable user account in the target applications that are linked to user’s XSOAR profile
    • Sample playbook

What’s next

We have been steadily adding more applications and services to the Cortex XSOAR IAM for managing user identity lifecycle, and have a happy set of IAM developers who are now integrating business requirements while staying within the XSOAR framework and less customization. If you are looking for an intuitive IAM platform, visit ILM subscription on Cortex XSOAR Marketplace for more information.

In the future, we plan to expand the XSOAR IAM framework to help with our other identity needs in the identity governance and administration (IGA) space.

Read More

IoT Security: From Nightmares to Methodology

By Yousuf Hasan

Jul 01, 20218 min read

Shaping the Future of Work Through Technology

By Naveen Zutshi

Jul 01, 20216 min read

Using Deception to Complement the SOC

By George Finney

Jul 01, 20216 min read