* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Product Features](https://www2.paloaltonetworks.com/blog/security-operations/category/product-features/)
* Manage a Remote SOC: Play...

# Manage a Remote SOC: Playbooks for Monitoring Remote User Activity

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F04%2Fcortex-monitoring-remote-user-activity%2F)  
[](https://twitter.com/share?text=Manage+a+Remote+SOC%3A+Playbooks+for+Monitoring+Remote+User+Activity&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F04%2Fcortex-monitoring-remote-user-activity%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F04%2Fcortex-monitoring-remote-user-activity%2F&title=Manage+a+Remote+SOC%3A+Playbooks+for+Monitoring+Remote+User+Activity&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2020/04/cortex-monitoring-remote-user-activity/&ts=markdown)  
\[\](mailto:?subject=Manage a Remote SOC: Playbooks for Monitoring Remote User Activity)  
Link copied  
By [Jane Goh](https://www.paloaltonetworks.com/blog/author/jane-goh/?ts=markdown "Posts by Jane Goh")  
Apr 27, 2020  
3 minutes  
[Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)  
[Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbooks](https://www.paloaltonetworks.com/blog/tag/playbooks/?ts=markdown)  
[Remote SOC](https://www.paloaltonetworks.com/blog/tag/remote-soc/?ts=markdown)

If your SOC is remote, the rest of your organization likely is as well, which means you're responsible for securing many remote end users as they connect to corporate or branch office networks. In this environment, the ability to monitor remote user activity is becoming more important than ever.

Cortex XSOAR uses playbooks -- also known as runbooks -- to automate security workflows. In this installment of our [Manage a Remote SOC series](https://www.paloaltonetworks.com/blog/tag/remote-soc/), we want to share some soon-to-be-released Cortex XSOAR playbooks leveraging our [Prisma Access](https://www.paloaltonetworks.com/prisma/access) integration to help you monitor traffic and maintain connectivity uptime for all of your remote users. Prisma Access allows users, whether at branch offices or on the go, to safely access cloud and data center applications as well as the internet.

These playbooks can:

* **Whitelist egress IPs in your cloud services automatically.**

See and whitelist all the IP addresses where traffic is exiting your secure network. This can be configured as a threat intel feed which you can use to periodically update other third party services with the whitelisted IP addresses.

* **Monitor and alert you on broken tunnels between branch offices.**

An automated playbook can be scheduled to poll Prisma Access connection statuses and send a Slack alert for remediation actions if a tunnel is down.

* **Automatically remediate compromised user accounts.**

This playbook can monitor active users and take actions, such as logging them out if there is unauthorized activity and updating user tags on the firewall, all from the Cortex XSOAR interface.

These automated playbooks take away the mundane and time consuming task of updating IP address lists and help you keep on top of any connectivity or user activity issues. The Prisma Access playbooks will be available in an upcoming biweekly Cortex XSOAR content release.
![Prisma Access - Tunnel Health Check - Work Plan](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/04/taskdetails.png)
Tunnel health check playbook

Rishi Bhargava, vice president, product strategy, has created a seven-minute video on Cortex XSOAR and Prisma Access integration to give a more complete walkthrough of these capabilities and how to use them to monitor remote user activity.

For more suggestions, check out our previous post on [tips for better analyst shift management](https://www.paloaltonetworks.com/blog/2020/04/cortex-shift-management/).

#### **Turbocharge Your Remote SOC Operations**

If you are new to Cortex XSOAR, we encourage you to take it for a test drive, and feel free to kick the tires while you are at it. Sign up for the free [Community Edition of Cortex XSOAR](https://start.paloaltonetworks.com/sign-up-for-community-edition.html) today.

*We hope you enjoyed learning about monitoring remote user activity in Cortex XSOAR. Watch for more useful tips and hints in the next post in our series on the* [*remote SOC*](https://www.paloaltonetworks.com/blog/tag/remote-soc/)*.*

![The free Cortex XSOAR Community Edition is helping more than 4,000 users accelerate incident response.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/04/XSOARoffer.png)

*** ** * ** ***

## Related Blogs

### [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Manage a Remote SOC: Micro-Surveys for Crisis Management](https://www2.paloaltonetworks.com/blog/2020/05/cortex-micro-surveys/)

### [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Manage A Remote SOC: Shift Management Tips](https://www2.paloaltonetworks.com/blog/2020/04/cortex-shift-management/)

### [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Introducing the Cortex XSOAR Marketplace](https://www2.paloaltonetworks.com/blog/2020/08/cortex-xsoar-marketplace/)

### [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Block COVID-19 Phishing Emails at Machine Speed](https://www2.paloaltonetworks.com/blog/2020/07/cortex-phishing-emails/)

### [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Launch a Remote SOC Today with Cortex XSOAR](https://www2.paloaltonetworks.com/blog/2020/03/cortex-remote-soc/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automate Anything with the Default Playbook](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automate-anything-with-the-default-playbook/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language