{"id":110362,"date":"2020-04-27T15:00:55","date_gmt":"2020-04-27T22:00:55","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=110362"},"modified":"2020-08-03T07:19:14","modified_gmt":"2020-08-03T14:19:14","slug":"cortex-monitoring-remote-user-activity","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/04\/cortex-monitoring-remote-user-activity\/","title":{"rendered":"Manage a Remote SOC: Playbooks for Monitoring Remote User Activity"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">If your SOC is remote, the rest of your organization likely is as well, which means you\u2019re responsible for securing many remote end users as they connect to corporate or branch office networks. In this environment, the ability to monitor remote user activity is becoming more important than ever.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cortex XSOAR uses playbooks \u2013 also known as runbooks \u2013 to automate security workflows. In this installment of our <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/remote-soc\/\"><span style=\"font-weight: 400;\">Manage a Remote SOC series<\/span><\/a><span style=\"font-weight: 400;\">, we want to share some soon-to-be-released Cortex XSOAR playbooks leveraging our <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/access\"><span style=\"font-weight: 400;\">Prisma Access<\/span><\/a><span style=\"font-weight: 400;\"> integration to help you monitor traffic and maintain connectivity uptime for all of your remote users. 
Prisma Access allows users, whether at branch offices or on the go, to safely access cloud and data center applications as well as the internet.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These playbooks can:<\/span><\/p>\n<ul>\n<li><b>Whitelist egress IPs in your cloud services automatically.<\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Retrieve the egress IP addresses from which your users\u2019 traffic leaves Prisma Access for the internet, and whitelist them in the cloud services those users access. The list can be exposed as a threat intel feed, so that other third-party services are updated periodically as the egress IP addresses change, instead of by hand.<\/span><\/p>\n<ul>\n<li><b>Monitor and alert you on broken tunnels between branch offices.<\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">A playbook can be scheduled to poll the status of Prisma Access connections and, if a tunnel is down, send a Slack alert so that remediation can start.\u00a0<\/span><\/p>\n<ul>\n<li><b>Automatically remediate compromised user accounts.<\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This playbook can monitor active users and, when unauthorized activity is observed, take actions such as logging the user out and updating the user\u2019s tags on the firewall, all from the Cortex XSOAR interface.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These automated playbooks take away the mundane, time-consuming task of updating IP address lists and help you keep on top of connectivity and user-activity issues. 
The Prisma Access playbooks will be available in an upcoming biweekly Cortex XSOAR content release.<\/span><\/p>\n<figure id=\"attachment_110363\" aria-describedby=\"caption-attachment-110363\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:55.11%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110363 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/taskdetails.png\" alt=\"Prisma Access - Tunnel Health Check - Work Plan\" width=\"900\" height=\"496\" \/><\/span><\/div><figcaption id=\"caption-attachment-110363\" class=\"wp-caption-text\">Tunnel health check playbook<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">Rishi Bhargava, vice president, product strategy, has created a seven-minute video on Cortex XSOAR and Prisma Access integration to give a more complete walkthrough of these capabilities and how to use them to monitor remote user activity.\u00a0<\/span><\/p>\n<p><div class=\"styleIt\" style=\"width:560px;height:315px;\"><lite-youtube videoid=\"uueKBhuwfD4\" ><\/lite-youtube><\/div><\/p>\n<p><span style=\"font-weight: 400;\">For more suggestions, check out our previous post on <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/04\/cortex-shift-management\/\"><span style=\"font-weight: 400;\">tips for better analyst shift management<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4><b>Turbocharge Your Remote SOC Operations\u00a0<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">If you are new to Cortex XSOAR, we encourage you to take it for a test drive, and feel free to kick the tires while you are at it.\u00a0 Sign up for the free <\/span><a href=\"https:\/\/start.paloaltonetworks.com\/sign-up-for-community-edition.html\"><span style=\"font-weight: 400;\">Community Edition of Cortex XSOAR<\/span><\/a><span style=\"font-weight: 
400;\"> today.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">We hope you enjoyed learning about monitoring remote user activity in Cortex XSOAR. Watch for more useful tips and hints in the next post in our series on the <\/span><\/i><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/remote-soc\/\"><i><span style=\"font-weight: 400;\">remote SOC<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:30.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-111016 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/XSOARoffer.png\" alt=\"The free Cortex XSOAR Community Edition is helping more than 4,000 users accelerate incident response.\" width=\"900\" height=\"273\" \/><\/span><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The ability to monitor remote user activity is becoming more important than ever as many SOCs work to secure remote end 
users.<\/p>\n","protected":false},"author":663,"featured_media":109650,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[7025,7223,7073],"coauthors":[7026],"class_list":["post-110362","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-cortex-xsoar","tag-playbooks","tag-remote-soc","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/pan_generic-gtm-social_cortex-350x300-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/110362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=110362"}],"version-history":[{"count":7,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/110362\/revisions"}],"predecessor-version":[{"id":111029,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/110362\/revisions\/111029"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/109650"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=110362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=110362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blo
g\/wp-json\/wp\/v2\/tags?post=110362"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=110362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
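The tunnel health check and the egress-IP allowlist feed described in the post, as an added Python example. This is not code from the original post and not Cortex XSOAR or Prisma Access code: the status record shape (name, status, last_seen), the sample poll result, the downstream allowlist and the deny-list policy are all constructed here, and RFC 5737 documentation addresses stand in for real egress IPs. It shows what the one-sentence descriptions leave out: a stale "up" status is treated as unhealthy, a repeated poll does not re-alert the same outage, recovered tunnels are reported so alerts can be cleared, and feed entries that are malformed or not plausibly public are rejected before they can reach a downstream allowlist.

```python
"""Illustrative playbook logic (added example, not XSOAR/Prisma Access code):
a scheduled tunnel health check that alerts once per outage, and
reconciliation of an egress-IP feed against a downstream service's allowlist.
Record shapes, sample data and the deny-list policy are constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample poll result; the field names are an assumption.
SAMPLE_STATUSES = [
    {"name": "branch-nyc", "status": "up",   "last_seen": "2020-04-27T22:00:00Z"},
    {"name": "branch-lon", "status": "down", "last_seen": "2020-04-27T21:40:00Z"},
    {"name": "branch-syd", "status": "up",   "last_seen": "2020-04-27T20:00:00Z"},  # stale
]
NOW = datetime(2020, 4, 27, 22, 1, tzinfo=timezone.utc)

# Constructed policy: ranges that can never be a public egress address.
# RFC 5737 documentation ranges are deliberately NOT listed so the sample
# data below passes; a real deployment would tighten this to its own needs.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_tunnels(statuses, now, already_alerted, max_age=timedelta(minutes=30)):
    """Classify tunnels and decide which ones need a fresh alert.

    A tunnel is unhealthy if its status is not "up" OR its last update is
    older than max_age (a stale "up" cannot be trusted). Names already in
    already_alerted are not re-alerted on every poll; names that are healthy
    again are returned as recovered so the caller can clear their alerts.
    Returns a dict with the unhealthy set, the new alerts with reasons, the
    recovered set, and a Slack-ready message text (None if nothing is new).
    """
    unhealthy = {}
    for rec in statuses:
        age = now - _parse_ts(rec["last_seen"])
        if rec["status"] != "up":
            unhealthy[rec["name"]] = f"status {rec['status']}"
        elif age > max_age:
            unhealthy[rec["name"]] = f"no status update for {int(age.total_seconds() // 60)} min"
    new_alerts = {n: r for n, r in unhealthy.items() if n not in already_alerted}
    recovered = set(already_alerted) - set(unhealthy)
    message = None
    if new_alerts:
        lines = [f"- {name}: {reason}" for name, reason in sorted(new_alerts.items())]
        message = "Prisma Access tunnel health check: action needed\n" + "\n".join(lines)
    return {"unhealthy": set(unhealthy), "new_alerts": new_alerts,
            "recovered": recovered, "message": message}


def reconcile_allowlist(feed_ips, downstream_ips):
    """Compute the additions and removals that make a downstream service's
    allowlist match the egress-IP feed.

    Feed entries that do not parse, or that fall in DENIED_NETWORKS, are
    returned under "rejected" instead of being pushed downstream, so a bad
    feed entry cannot open a private range in someone else's allowlist.
    The downstream list is our own data, so a malformed entry there raises.
    """
    valid, rejected = set(), []
    for entry in feed_ips:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            rejected.append(entry)
            continue
        if any(ip in net for net in DENIED_NETWORKS):
            rejected.append(entry)
            continue
        valid.add(str(ip))  # normalised textual form for set comparison
    downstream = {str(ipaddress.ip_address(x.strip())) for x in downstream_ips}
    return {"add": sorted(valid - downstream),
            "remove": sorted(downstream - valid),
            "rejected": rejected}


if __name__ == "__main__":
    result = check_tunnels(SAMPLE_STATUSES, NOW, {"branch-lon"})
    print(result["message"] or "nothing new to alert on")
    # Constructed feed and downstream list; 10.0.0.5 and "not-an-ip" must be rejected.
    print(reconcile_allowlist(["203.0.113.10", "198.51.100.7", "10.0.0.5", "not-an-ip"],
                              ["203.0.113.10", "192.0.2.44"]))
```

In a real playbook the status records would come from the Prisma Access integration, the set of already-alerted tunnels would be persisted between scheduled runs (for example in an incident's context), and the add/remove lists would drive the API calls that update each downstream service.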