Manage a Remote SOC: Playbooks for Monitoring Remote User Activity

Apr 27, 2020

If your SOC is remote, the rest of your organization likely is as well, which means you’re responsible for securing many remote end users as they connect to corporate or branch office networks. In this environment, the ability to monitor remote user activity is becoming more important than ever. 

Cortex XSOAR uses playbooks – also known as runbooks – to automate security workflows. In this installment of our Manage a Remote SOC series, we want to share some soon-to-be-released Cortex XSOAR playbooks leveraging our Prisma Access integration to help you monitor traffic and maintain connectivity uptime for all of your remote users. Prisma Access allows users, whether at branch offices or on the go, to safely access cloud and data center applications as well as the internet. 

These playbooks can:

  • Whitelist egress IPs in your cloud services automatically.

See and whitelist all the public IP addresses from which your remote users' traffic exits Prisma Access on its way to cloud services. The playbook can expose these addresses as a threat intel feed, which you can then use to periodically update third-party services with the current whitelist. Because the set of egress IPs changes over time, each update should also drop addresses that are no longer in use; otherwise stale entries stay whitelisted indefinitely.

  • Monitor and alert you on broken tunnels between branch offices.

A playbook can be scheduled to poll the connection status of each Prisma Access tunnel and, if a tunnel is down, send a Slack alert asking for remediation. A failed status query should be treated as a failure, not as silence, so that an unreachable API does not look like a healthy network.

  • Automatically remediate compromised user accounts.

This playbook can monitor active users and, when unauthorized activity is detected, take actions such as logging the user out and updating the user's tags on the firewall (so that tag-based policy can restrict the account), all from the Cortex XSOAR interface.

These automated playbooks take away the mundane and time consuming task of updating IP address lists and help you keep on top of any connectivity or user activity issues. The Prisma Access playbooks will be available in an upcoming biweekly Cortex XSOAR content release.
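The egress IP whitelisting step above amounts to reconciling two lists: what Prisma Access currently uses for egress and what was last pushed to the third-party service. The following is an added example of that reconciliation in Python, not code from the Cortex XSOAR playbook or the Prisma Access integration; the sample lists and the minimum-prefix policy are constructed assumptions for illustration.

```python
# Added example: reconcile Prisma Access egress IPs against the allowlist already
# pushed to a third-party service. Not code from the Cortex XSOAR playbook or the
# Prisma Access integration; the input lists and the prefix-length policy are
# constructed assumptions for illustration.
import ipaddress

# Assumed policy: never whitelist a prefix broader than this per address family.
# A typo such as 0.0.0.0/0 would otherwise open the third-party service to everyone.
MIN_PREFIX_LEN = {4: 24, 6: 64}


def normalise(entries):
    """Validate entries as IPv4/IPv6 addresses or networks.

    Returns (valid, rejected): valid is a set of canonical CIDR strings
    (single hosts become /32 or /128); rejected keeps the raw strings that
    failed to parse or are broader than MIN_PREFIX_LEN allows.
    """
    valid, rejected = set(), []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            rejected.append(raw)
            continue
        valid.add(str(net))
    return valid, rejected


def reconcile(current_egress, previously_pushed):
    """Compute the change set that makes the remote allowlist equal the current egress IPs.

    Returns (to_add, to_remove, rejected). Stale entries are removed so an
    egress IP that Prisma Access no longer uses does not stay whitelisted.
    """
    current, rejected = normalise(current_egress)
    previous, _ = normalise(previously_pushed)
    return sorted(current - previous), sorted(previous - current), rejected


def render_feed(entries):
    """Render one entry per line, the plain-text shape of an external dynamic list."""
    return "\n".join(sorted(entries)) + "\n"


# Constructed sample input: what a poll of the egress-IP API might return (CURRENT)
# and what was pushed to the cloud service on the previous run (PREVIOUS).
SAMPLE_CURRENT = ["198.51.100.7", "198.51.100.8 ", "203.0.113.0/24",
                  "2001:db8::1", "not-an-ip", "0.0.0.0/0"]
SAMPLE_PREVIOUS = ["198.51.100.7/32", "192.0.2.5"]


def run_sample():
    """Reconcile the constructed lists; returns (to_add, to_remove, rejected)."""
    return reconcile(SAMPLE_CURRENT, SAMPLE_PREVIOUS)


if __name__ == "__main__":
    to_add, to_remove, rejected = run_sample()
    print("add:", to_add)
    print("remove:", to_remove)
    print("rejected:", rejected)
    print(render_feed(normalise(SAMPLE_CURRENT)[0]))
```

The change set, not the full list, is what you hand to the third-party service's API; rejected entries should be logged and reviewed rather than silently dropped, since a rejected address means some egress traffic will be blocked until the list is corrected.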

[Figure: Prisma Access - Tunnel Health Check - Work Plan (tunnel health check playbook)]
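The decision logic behind a tunnel health check like the one pictured above is small but has two failure modes worth handling: a single flapping poll should not page anyone, and an unreachable status API must not read as "healthy". The following is an added example in Python, not code from the Cortex XSOAR playbook or the Prisma Access integration; the status record format, the consecutive-poll threshold and the message text are assumptions for illustration.

```python
# Added example of the tunnel health check logic: poll results in, Slack messages out.
# Not code from the Cortex XSOAR playbook or the Prisma Access integration; the
# status record format, the consecutive-poll threshold and the message text are
# assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class TunnelState:
    down_polls: int = 0      # consecutive polls in which the tunnel was not "up"
    alerted: bool = False    # an alert has been sent and not yet cleared


@dataclass
class TunnelMonitor:
    # Alert only after this many consecutive failed polls so one flapping
    # poll does not wake anyone (assumed threshold).
    threshold: int = 2
    states: dict = field(default_factory=dict)

    def process_poll(self, statuses):
        """Consume one poll of tunnel statuses; return the Slack messages to send.

        statuses: iterable of dicts with 'site' and 'status' keys (constructed format).
        Anything other than 'up' (e.g. 'down', 'unknown', a missing value) counts as
        not up, so a failing status query does not silently look healthy.
        Returns a list of (site, message) tuples: one DOWN alert when the threshold
        is reached, one RECOVERED notice when an alerted tunnel comes back up.
        """
        messages = []
        for record in statuses:
            site = record["site"]
            state = self.states.setdefault(site, TunnelState())
            if str(record.get("status", "")).lower() == "up":
                if state.alerted:
                    messages.append((site, f"RECOVERED: tunnel to {site} is up again"))
                self.states[site] = TunnelState()   # reset counters on any healthy poll
                continue
            state.down_polls += 1
            if state.down_polls >= self.threshold and not state.alerted:
                state.alerted = True
                messages.append((site, f"DOWN: tunnel to {site} failed {state.down_polls} "
                                       f"consecutive polls, remediation needed"))
        return messages


# Constructed sample: three scheduled polls of three branch tunnels. The third
# poll returns no status at all for branch-sfo, modelling a failed API call.
SAMPLE_POLLS = [
    [{"site": "branch-nyc", "status": "up"}, {"site": "branch-lon", "status": "down"},
     {"site": "branch-sfo", "status": "up"}],
    [{"site": "branch-nyc", "status": "up"}, {"site": "branch-lon", "status": "down"},
     {"site": "branch-sfo", "status": "unknown"}],
    [{"site": "branch-nyc", "status": "up"}, {"site": "branch-lon", "status": "up"},
     {"site": "branch-sfo"}],
]


def run_sample():
    """Feed the sample polls through one monitor; returns all messages in order."""
    monitor = TunnelMonitor(threshold=2)
    sent = []
    for poll in SAMPLE_POLLS:
        sent.extend(monitor.process_poll(poll))
    return sent


if __name__ == "__main__":
    for site, text in run_sample():
        print(f"[slack #netops] {text}")   # stand-in for the playbook's Slack send step
```

In the scheduled-playbook setting the monitor's state has to survive between runs (for instance in an XSOAR list or incident context); the in-memory dict above is enough to show the alert, debounce and recovery transitions.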

Rishi Bhargava, vice president of product strategy, has recorded a seven-minute video on the Cortex XSOAR and Prisma Access integration that gives a more complete walkthrough of these capabilities and how to use them to monitor remote user activity.

For more suggestions, check out our previous post on tips for better analyst shift management.

Turbocharge Your Remote SOC Operations 

If you are new to Cortex XSOAR, we encourage you to take it for a test drive, and feel free to kick the tires while you are at it. Sign up for the free Community Edition of Cortex XSOAR today.

We hope you enjoyed learning about monitoring remote user activity in Cortex XSOAR. Watch for more useful tips and hints in the next post in our series on the remote SOC.

The free Cortex XSOAR Community Edition is helping more than 4,000 users accelerate incident response.
