# Playbook of the Week: Cortex XSOAR Automated Identity Lifecycle Management

By [Yvonne Le](https://www.paloaltonetworks.com/blog/author/yvonne-le/?ts=markdown "Posts by Yvonne Le") Jun 03, 2022

## **Introduction**

Cortex XSOAR has been a game changer when it comes to helping SOC teams orchestrate and automate security operations.
But what if you could use your XSOAR platform for more than just standard security tasks and incident response? This week, we will veer slightly off the SOC beaten path to share how our ITOps team has used XSOAR to automate the daily provisioning of end users.

In this week's playbook highlight, we'll go into how you can use Cortex XSOAR's extensive pre-integrated connections to effectively manage user identity lifecycle and access provisioning, primarily for:

* New or future hires (onboarding)
* Updates (e.g., job changes, internal transfers)
* Terminations (offboarding)

![Figure 1: Cortex XSOAR uses for managing user identity lifecycle and access provisioning](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-10.png)

*Figure 1: Cortex XSOAR uses for managing user identity lifecycle and access provisioning*

## **Cortex XSOAR for Identity Lifecycle Management**

The process of provisioning users, whether it's onboarding or offboarding employees or granting access to various internal groups or apps, can be arduous and error prone. If updates to an employee's status and information are not always propagated from the HR system to the relevant IT and business applications, the result is out-of-date information that can pose a security risk or hurt employee productivity, and security teams are left without visibility into the employee lifecycle process.

The Cortex XSOAR Identity Lifecycle Management (ILM) content pack enables you to [provision and sync users](https://xsoar.pan.dev/docs/reference/articles/identity-lifecycle-management#group-sync) from HR applications and supported applications used by your organization. With this pack, you can assign users the necessary roles and grant them access to all of the applications they need for daily work.

The playbooks in the ILM pack help you automate the following tasks:

* **User provisioning**---provision users from an HR system (e.g. Workday) into all supported applications used by the organization, such as Active Directory and/or Okta, by performing management operations like creating, reading, updating, and deleting users.

  For instance, HR uses Workday to manage operations for employees in the organization. It is standard practice for HR to generate a report for these maintenance operations, such as running a weekly report that captures all new and terminated employees, or a daily report that captures updates to existing employee profiles (e.g., new mailing address or phone number). Cortex XSOAR uses the Workday integration to fetch report updates and create XSOAR incidents that correspond to the management operation(s) in the report.

  Based on the report from Workday, the integration determines what operation needs to be performed, such as:

  * Is this a new hire who needs to be added to the system?
  * Does a user's personal information need to be updated?
  * Has the user left the company, so that their account needs to be disabled in sensitive systems?

* **Group sync**---sync user memberships in groups to applications based on group creations in Okta.
* **Group membership update**---provides automated provisioning of user permissions derived from the Okta groups that the user is assigned to or unassigned from.
* **App sync**---sync users to applications based on app assignments in Okta. In the app-sync workflow, when users are assigned to or unassigned from applications in Okta, or added to or removed from Okta groups, the app-sync playbook will create, update, enable, or disable the user in the corresponding Cortex XSOAR instance.
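The decision step described under user provisioning (is a report row a new hire, an update, or a termination?) can be expressed as the following classifier. This is an added example, not code from the ILM content pack or the Workday integration; the row and directory field names, the `lead_days` window, and the extra `rehire`, `hold` and `review` outcomes are assumptions made for illustration.

```python
from datetime import date, timedelta

# Attributes copied from the HR record to downstream apps (assumed set).
SYNCED_FIELDS = ("email", "department", "phone")

def classify(row, directory, today, lead_days=3):
    """Map one HR report row to (operation, detail)."""
    account = directory.get(row["employee_id"])
    term = row.get("termination_date")

    # Terminations win over every other change in the same row.
    if term and date.fromisoformat(term) <= today:
        if account is None or not account["enabled"]:
            return ("noop", "already absent or disabled")
        return ("terminate", "disable account")

    if account is not None and account["enabled"]:
        changed = [f for f in SYNCED_FIELDS
                   if f in row and row[f] != account.get(f)]
        return ("update", ",".join(changed)) if changed else ("noop", "in sync")

    hire = date.fromisoformat(row["hire_date"])
    # A disabled account is re-enabled only when HR shows a hire date newer
    # than the disablement; otherwise it was disabled for another reason.
    if account is not None and hire <= date.fromisoformat(account["disabled_on"]):
        return ("review", "disabled account without a newer hire date")

    # Create or re-enable no earlier than lead_days before the hire date.
    start = hire - timedelta(days=lead_days)
    if today < start:
        return ("hold", "provision on " + start.isoformat())
    if account is None:
        return ("new_hire", "create account")
    return ("rehire", "re-enable existing account")

def plan(report, directory, today):
    """Classify every row; returns {employee_id: (operation, detail)}."""
    return {r["employee_id"]: classify(r, directory, today) for r in report}

# Constructed sample data (not real Workday output; field names hypothetical).
TODAY = date(2022, 6, 3)
DIRECTORY = {
    "E102": {"enabled": True, "disabled_on": None,
             "email": "e102@example.com", "department": "Sales"},
    "E103": {"enabled": True, "disabled_on": None,
             "email": "e103@example.com", "department": "IT"},
    "E104": {"enabled": False, "disabled_on": "2021-12-31",
             "email": "e104@example.com", "department": "Legal"},
    "E105": {"enabled": False, "disabled_on": "2022-05-20",
             "email": "e105@example.com", "department": "Finance"},
}
REPORT = [
    {"employee_id": "E100", "hire_date": "2022-06-06", "email": "e100@example.com"},
    {"employee_id": "E101", "hire_date": "2022-07-01", "email": "e101@example.com"},
    {"employee_id": "E102", "hire_date": "2020-01-15",
     "email": "e102@example.com", "department": "Marketing"},
    {"employee_id": "E103", "hire_date": "2018-09-01", "termination_date": "2022-06-01"},
    {"employee_id": "E104", "hire_date": "2022-06-01", "email": "e104@example.com"},
    {"employee_id": "E105", "hire_date": "2019-03-01", "email": "e105@example.com"},
]

if __name__ == "__main__":
    for emp, (op, detail) in plan(REPORT, DIRECTORY, TODAY).items():
        print(emp, op, detail)
```

The `review` outcome keeps an account that was disabled for a reason other than offboarding from being silently re-enabled by a routine report row.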
## **SOAR Beyond the SOC: How Palo Alto Networks Uses Cortex XSOAR for ILM**

Our [Palo Alto Networks IT and HR departments](https://symphony.paloaltonetworks.com/panwsymphonyvideomodal?videoid=6306029502112&sfdcid=a2h4T000000jNgZQAU&brightcoveid=6266360586001&playerid=KGdPSLcHJ) utilized a version of this content pack to automate user onboarding/offboarding management and the overall governance of tens of thousands of employees' user identity access. By using XSOAR, we saw a 20% reduction in operational tasks since automating previously manual operations, as well as a cost savings of 40% on third-party user identity license renewal costs, equaling over $300K in savings.

![Figure 2: Various uses for Cortex XSOAR for ILM and User Provisioning](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-11.png)

*Figure 2: Various uses for Cortex XSOAR for ILM and User Provisioning*

Using an array of out-of-the-box and customized playbooks within Cortex XSOAR, Palo Alto Networks' user provisioning process is automated and managed from beginning to end:

* **User Lifecycle Management**---The ILM framework connects to the Palo Alto Networks HR systems and pulls events that are classified into four key categories: new hires, updates, terminations, and rehires. This allows for a single source of truth for user identity, and the playbook-driven workflow takes care of keeping it in sync within all the systems.
* **Security and Compliance**---We have playbooks that take care of detecting inactive user accounts and suspending them, as well as an automated way to add IP allow-lists to critical applications and restrict access based on those IPs. This is used for our source code management (SCM) platform and some other critical apps.
* **Password Self-Service Bot**---We have a Slack bot that is integrated with XSOAR to make it easy for users to reset/change passwords in a secure manner within a given time period.
* **Audit Automation/Identity Governance**---The audit automation framework we have triggers a periodic review for the configured critical applications. This includes making sure that the application owners or administrators review the list of privileged users and provide evidence of necessary approval. There is also access certification automation for some applications, which eliminates the need for manually gathering evidence.

## **Conclusion**

With this pack, you can bring automation to more than just your security operations teams. With Cortex XSOAR, you can reduce the time your teams spend on HR and IT tasks and standardize the way you manage user provisioning by automating tasks to:

* Pull Workday reports and Okta application events with user updates.
* Create incidents for each user update in the system.
* Determine which action needs to be performed based on the information in the Workday report. Each action has its designated playbook to add, update, or remove users from the system.
* Allow the user to determine the account creation and activation dates relative to the hire date.
* Identify if a hire is an employee being rehired or a first-time hire.
* Communicate with the relevant stakeholders to inform them of any errors that arose in the process.
* Communicate with the relevant stakeholders to obtain necessary credentials.

The Identity Lifecycle Management pack is available via our [Cortex XSOAR Marketplace](https://www.paloaltonetworks.com/cortex/cortex-xsoar/marketplace) with a free one-month trial!

Want to learn more about this content pack? For more information, visit [ILM subscription on Cortex XSOAR Marketplace](https://xsoar.pan.dev/marketplace/details/IAM).

*For more in-depth Playbook information, visit the* [*Identity Lifecycle Management (ILM) Developer Article*](https://xsoar.pan.dev/docs/reference/articles/identity-lifecycle-management#group-sync)*.*

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**