
Automate Global Secure Access with Prisma Access and Cortex XSOAR

Benefits
• Coordinate remote access and incident monitoring actions via automated playbooks
• Improve security administrator productivity by eliminating repetitive, manual tasks
• Scale to support thousands of remote users efficiently and quickly

Compatibility
Prisma Access, Cortex XSOAR 5.5

Thousands of users connect to organizations' networks from different geographic locations and from many types of endpoints, all of them accessing different types of applications. The net result is too many logs and alerts for security operations centers (SOCs) and network administrators to deal with. Security teams are not adequately resourced to ramp up quickly to triage these alerts, and they don't have enough context on these alerts to ensure they take the right action. In addition, remediation actions are mostly manual, resulting in delayed action—or no action at all—and putting the organization at risk.

Palo Alto Networks | Automate Global Secure Access with Prisma Access and Cortex XSOAR | Brief 1
Integration Features

As organizations newly depend on largely remote workforces, Prisma™ Access provides cloud-delivered security and access for employees anywhere in the world. It rapidly enables remote workers without the need for additional hardware or infrastructure deployment, and it automatically scales as the workforce grows. At Palo Alto Networks, our own global workforce of more than 7,000 employees across 39 office locations is now entirely remote, leveraging our own solutions. Moreover, we've successfully transitioned our internal SOC to a fully operational remote model, which continues to monitor for threats, protecting our user population with Prisma Access and Cortex™ XSOAR.

Cortex XSOAR consumes feeds from Prisma Access and Cortex Data Lake. These feeds can include alerts (e.g., egress IP notifications) or indicators of compromise (e.g., malicious or anomalous user behavior) that are relevant to a SOC analyst or network administrator. Upon receiving these triggers, Cortex XSOAR can automatically correlate data from other sources, enrich the data, and take the right actions, such as whitelisting egress IPs, logging out a user, or disabling a user account. All these actions are performed by way of automated playbooks for quick and consistent incident response.

Cortex XSOAR enables organizations to:
• Automate triage of remote connectivity and user activity alerts.
• Manage indicator blocklists (add, access, delete) automatically in real time.
• Leverage hundreds of third-party product integrations to coordinate response across security functions based on insights from Prisma Access and Cortex Data Lake.
• Run hundreds of commands (including for Prisma Access) interactively via a ChatOps interface while collaborating with other analysts and the Cortex XSOAR chatbot.

Figure 1: Prisma Access and Cortex XSOAR integration (diagram nodes: Panorama, Prisma Access, Cortex Data Lake, Cortex XSOAR, other enforcement points, WildFire, AutoFocus and other sources; edges labelled Manage, Logs, Alerts, Indicators of compromise, Automated response, Enriched data)

Automate Source IP-Based Whitelisting

Challenge
When you deploy workloads in a public cloud, it is a security best practice to enforce source IP-based restrictions by setting up appropriate security groups or firewall rules—for instance, a rule to only allow SSH access to a cloud instance from a specific set of IP addresses. To allow your users to access this instance via Prisma Access, you need to whitelist the Prisma Access egress IPs.

Prisma Access can auto-scale in response to a surge in remote workers. Whenever there is an auto-scale event, or when new Prisma Access locations are provisioned, the new egress IPs need to be whitelisted to ensure continuous user connectivity to those workloads. With legacy tooling, administrators have to manually update all their security groups and firewall rules when such events happen, making it hard to scale quickly or respond in real time to any changes.

Solution
With Prisma Access and Cortex XSOAR, when an auto-scaling or new provisioning event comes in, the related Cortex XSOAR playbook immediately picks up the new list of Prisma Access egress IPs and automatically updates the relevant security groups or firewall rules on the cloud platform. This ensures business continuity with no loss or interruption for your users who need access to these workloads or software-as-a-service (SaaS) applications.


Figure 2: Playbook automating IP whitelisting
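The reconciliation step at the heart of the whitelisting playbook above, as an added example (this is not Palo Alto Networks code and does not use the real Prisma Access or cloud-provider APIs). It assumes a constructed egress feed of {"address", "status"} entries and a constructed security-group rule model of {"cidr", "port", "tag"}; the tag name is hypothetical. Two details matter in practice and are handled here: retired egress IPs are removed, not just new ones added, because an allow-list entry that outlives its Prisma Access assignment grants access to whoever the cloud provider hands that address to next; and an empty or failed feed is refused rather than treated as "remove everything". The same computation applies when the target is the IAM trusted-IP list in the MFA section of this brief, where a stale entry becomes an MFA bypass.

```python
"""Reconciliation step of an egress-IP whitelisting playbook (added example).

Not Palo Alto Networks code. The egress feed shape and the security-group rule
schema below are constructed for this example; the real Prisma Access API
response and cloud provider rule formats differ.
"""
import ipaddress

SSH_PORT = 22
# Hypothetical marker: the playbook only adds or removes rules it created, so
# an administrator's hand-written rules (bastion hosts, vendors) survive.
MANAGED_TAG = "managed-by:xsoar-prisma-egress"


def to_cidr(addr: str) -> str:
    """Canonicalise '203.0.113.10' -> '203.0.113.10/32' (IPv6 likewise)."""
    return str(ipaddress.ip_network(addr.strip(), strict=False))


def active_egress_cidrs(feed: list) -> set:
    """Only entries the feed marks active count; retired IPs drop out."""
    return {to_cidr(e["address"]) for e in feed if e.get("status") == "active"}


def plan_changes(current_rules: list, feed: list) -> dict:
    """Return {'add': set, 'remove': set} for the managed SSH rules.

    Refuses to act on an empty feed: a failed or truncated poll must not strip
    every managed rule and lock users out of the workload.
    """
    desired = active_egress_cidrs(feed)
    if not desired:
        raise ValueError("egress feed returned no active IPs; refusing to reconcile")
    managed = {
        to_cidr(r["cidr"])
        for r in current_rules
        if r.get("tag") == MANAGED_TAG and r.get("port") == SSH_PORT
    }
    return {"add": desired - managed, "remove": managed - desired}


def apply_plan(current_rules: list, plan: dict) -> list:
    """Pure stand-in for the cloud API call: returns the new rule list."""
    kept = [
        r for r in current_rules
        if not (r.get("tag") == MANAGED_TAG and to_cidr(r["cidr"]) in plan["remove"])
    ]
    added = [{"cidr": c, "port": SSH_PORT, "tag": MANAGED_TAG} for c in sorted(plan["add"])]
    return kept + added


# Constructed sample data: one egress IP retired after scale-in, one new one
# after scale-out, and one administrator rule that must be left alone.
SAMPLE_RULES = [
    {"cidr": "203.0.113.10/32", "port": 22, "tag": MANAGED_TAG},
    {"cidr": "203.0.113.11/32", "port": 22, "tag": MANAGED_TAG},
    {"cidr": "198.51.100.0/24", "port": 22, "tag": "bastion"},
]
SAMPLE_FEED = [
    {"address": "203.0.113.10", "status": "active"},
    {"address": "203.0.113.11", "status": "inactive"},
    {"address": "203.0.113.12", "status": "active"},
]


def reconcile(rules=SAMPLE_RULES, feed=SAMPLE_FEED) -> list:
    """One playbook run: compute the plan and apply it."""
    return apply_plan(rules, plan_changes(rules, feed))


if __name__ == "__main__":
    plan = plan_changes(SAMPLE_RULES, SAMPLE_FEED)
    print("add:", sorted(plan["add"]), "remove:", sorted(plan["remove"]))
    for rule in reconcile():
        print(rule)
```

Running `reconcile` a second time against its own output yields an empty plan, which is what makes the playbook safe to re-trigger on every scale event.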

Automate Multi-Factor Authentication Enforcement

Challenge
Your remote access policy probably includes multi-factor authentication (MFA) for users connecting from untrusted or unknown IPs. This is configured in your identity and access management (IAM) solution, such as Okta, where you define trusted IPs. For example, when a user connects from headquarters, from a branch office, or through Prisma Access—all considered trusted networks—MFA is not required. However, when that same user connects from a public Wi-Fi hotspot, MFA is required.

With auto-scaling or provisioning of new locations, the list of Prisma Access IPs assigned to your organization will change. Whitelisting these new egress IPs is done manually (and thus often slowly), so a user connected to one of these new Prisma Access instances may still be required to do MFA even when accessing their SaaS applications via a trusted network. This results in poor user experience and less-than-seamless connectivity.

Solution
A Cortex XSOAR playbook triggered by an incoming auto-scaling or new provisioning event immediately picks up the new list of Prisma Access egress IPs and automatically updates your IAM. So, when users connected to these new Prisma Access instances access SaaS applications, the IAM correctly identifies them as users connecting from a trusted network and does not force them to perform MFA. There is no longer lag time due to manual intervention.

Figure 3: Automated enforcement of MFA (Cortex XSOAR pushes the Prisma Access egress IPs IP1, IP2, IP3 into the IAM trusted-IP list; users at HQ/branch and Prisma Access users working from home reach SaaS with no MFA required from trusted IPs)

Automate Malicious User Activity Response

Challenge
Many modern organizations allow users to connect from corporate-managed devices as well as their personal devices. When the security posture of an endpoint cannot be trusted, or when your users visit phishing sites or malicious domains, you want to track those endpoints and users so that you can take corrective actions. Manually tracking user logins and triaging malicious logins is repetitive and time-consuming, and high volumes of threat logs and alerts are difficult to parse and address in a timely manner, presenting attackers with a window of opportunity.

Solution
Alerts such as threat logs or compromised endpoints talking to command-and-control servers can trigger Cortex XSOAR playbooks to automatically pull user details from a directory such as Active Directory, log the user out, and enforce MFA and/or disable the user's account. This playbook can monitor active users and take actions—such as logging users out if there is unauthorized activity, or updating user tags on the firewall—all from the Cortex XSOAR interface.

Figure 4: Automated triage of malicious user activity (Panorama, Prisma Access and Cortex Data Lake feed logs to Cortex XSOAR, which (1) identifies malicious user activity, (2) logs out the user and enforces MFA, and (3) disables the user account in the directory server)
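The decision logic behind the malicious-user-activity playbook, as an added example (not Palo Alto Networks code). The threat events, the directory records and the action names are constructed for this example; a real playbook would read threat logs from Cortex Data Lake and call the directory and firewall integrations' commands where this code returns a plan. Two practitioner points are built in: a user with several alerts gets the strongest response any of them earns rather than one ticket per log line, and accounts the directory marks as break-glass are never disabled automatically, only escalated, so the playbook cannot be turned into a self-inflicted lockout by a spoofed alert.

```python
"""Triage logic for a malicious-user-activity playbook (added example).

Not Palo Alto Networks code. Events, directory records and action names are
constructed stand-ins for the Cortex Data Lake, directory and firewall
integrations a real playbook would call.
"""
from collections import defaultdict

# Escalation ladder: a user keeps the strongest action any of their alerts earns.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACTIONS_BY_RANK = {
    1: {"tag_user_on_firewall"},
    2: {"tag_user_on_firewall", "logout_user", "enforce_mfa"},
    3: {"tag_user_on_firewall", "logout_user", "enforce_mfa", "disable_account"},
    4: {"tag_user_on_firewall", "logout_user", "enforce_mfa", "disable_account"},
}
# Categories implying an already-compromised host are treated as at least
# high, whatever severity the log line carried.
COMPROMISE_CATEGORIES = {"command-and-control", "spyware"}


def event_rank(event: dict) -> int:
    """Map one threat event to a rung on the escalation ladder."""
    rank = SEVERITY_RANK.get(str(event.get("severity", "low")).lower(), 1)
    if event.get("category") in COMPROMISE_CATEGORIES:
        rank = max(rank, SEVERITY_RANK["high"])
    return rank


def triage(events: list, directory: dict) -> dict:
    """Group events per user, enrich from the directory, decide actions.

    Returns {user: {"rank": int, "actions": set, "note": str or None}}.
    """
    worst = defaultdict(int)
    for ev in events:
        user = ev.get("user")
        if not user:
            continue  # nothing but a source IP to go on; no user-level action
        worst[user] = max(worst[user], event_rank(ev))

    decisions = {}
    for user, rank in worst.items():
        record = directory.get(user)
        if record is None:
            decisions[user] = {"rank": rank, "actions": set(),
                               "note": "user not in directory; manual review"}
            continue
        actions = set(ACTIONS_BY_RANK[rank])
        note = None
        if record.get("break_glass") and "disable_account" in actions:
            actions.discard("disable_account")
            note = "break-glass account; escalate to analyst instead of disabling"
        decisions[user] = {"rank": rank, "actions": actions, "note": note}
    return decisions


# Constructed sample input.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "10.1.2.3", "category": "phishing", "severity": "medium"},
    {"user": "bob", "src_ip": "10.1.2.9", "category": "command-and-control", "severity": "low"},
    {"user": "bob", "src_ip": "10.1.2.9", "category": "malware", "severity": "medium"},
    {"user": "root-admin", "src_ip": "10.9.9.9", "category": "command-and-control", "severity": "critical"},
    {"user": "ghost", "src_ip": "10.0.0.1", "category": "phishing", "severity": "high"},
    {"user": None, "src_ip": "10.0.0.2", "category": "malware", "severity": "high"},
]
SAMPLE_DIRECTORY = {
    "alice": {"dn": "CN=alice,OU=Staff", "break_glass": False},
    "bob": {"dn": "CN=bob,OU=Staff", "break_glass": False},
    "root-admin": {"dn": "CN=root-admin,OU=Admins", "break_glass": True},
}


def run_sample() -> dict:
    """One playbook run over the constructed events."""
    return triage(SAMPLE_EVENTS, SAMPLE_DIRECTORY)


if __name__ == "__main__":
    for user, d in run_sample().items():
        print(user, d["rank"], sorted(d["actions"]), d["note"] or "")
```

Note that "bob" is escalated to account disablement on the strength of a low-severity command-and-control log line: the category, not the severity field, is what indicates the endpoint is already compromised.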

Monitor and Alert on Broken Tunnels Between Branches

Challenge
In a security team's busy day, there is no time to proactively monitor for potential connectivity downtime, as staff are usually busy firefighting and triaging critical incidents. Among other things, this makes it difficult to keep track of the health status of all VPN tunnels to ensure 100% uptime for users.

Solution
Enter Jobs, a Cortex XSOAR feature that runs playbooks on a schedule and helps SOCs automate proactive security operations. An automated VPN tunnel monitoring playbook can be scheduled to poll Prisma Access connection statuses on a regular basis and send a Slack® alert for remediation if a tunnel is down.

Figure 5: Tunnel health check playbook
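The state-tracking core of a scheduled tunnel health check, as an added example (not Palo Alto Networks code). The poll results are constructed; in a real Job, `observe` would be fed the output of the Prisma Access tunnel-status command and the returned messages would be posted through the Slack integration. The point the brief leaves implicit is that a job that fires every few minutes must alert on transitions, not on every poll: a tunnel that stays down should page the channel once, a single missed poll should not page at all, and a tunnel that silently disappears from the status list deserves the same attention as one reported down.

```python
"""State-tracking tunnel health check for a scheduled Job (added example).

Not Palo Alto Networks code. Poll snapshots are constructed; the status
command and the Slack posting call are assumed, not quoted from the page.
"""
from dataclasses import dataclass, field


@dataclass
class TunnelMonitor:
    # Consecutive "down" polls required before alerting (flap damping).
    down_polls_required: int = 2
    _down_streak: dict = field(default_factory=dict)
    _alerted: set = field(default_factory=set)
    _seen: set = field(default_factory=set)

    def observe(self, statuses: dict) -> list:
        """Feed one poll ({tunnel: "up" | "down"}); return messages to send."""
        messages = []
        for name, status in statuses.items():
            self._seen.add(name)
            if str(status).lower() == "up":
                self._down_streak[name] = 0
                if name in self._alerted:  # recovery: only if we paged before
                    self._alerted.discard(name)
                    messages.append(f":white_check_mark: tunnel {name} is back up")
            else:
                self._down_streak[name] = self._down_streak.get(name, 0) + 1
                if (self._down_streak[name] >= self.down_polls_required
                        and name not in self._alerted):
                    self._alerted.add(name)
                    messages.append(
                        f":rotating_light: tunnel {name} down for "
                        f"{self._down_streak[name]} consecutive polls; investigate")
        # A tunnel that vanished from the poll is as suspicious as a down one.
        for name in self._seen - set(statuses):
            if name not in self._alerted:
                self._alerted.add(name)
                messages.append(f":warning: tunnel {name} missing from status poll")
        return messages


# Constructed poll sequence: London blips once, then really fails, recovers,
# and finally disappears from the status list altogether.
SAMPLE_POLLS = [
    {"branch-nyc": "up", "branch-lon": "down"},
    {"branch-nyc": "up", "branch-lon": "up"},
    {"branch-nyc": "up", "branch-lon": "down"},
    {"branch-nyc": "up", "branch-lon": "down"},
    {"branch-nyc": "up", "branch-lon": "down"},
    {"branch-nyc": "up", "branch-lon": "up"},
    {"branch-nyc": "up"},
]


def run_job(polls=SAMPLE_POLLS, down_polls_required: int = 2) -> list:
    """Replay the polls through one monitor; returns every message in order."""
    monitor = TunnelMonitor(down_polls_required=down_polls_required)
    out = []
    for snapshot in polls:
        out.extend(monitor.observe(snapshot))
    return out


if __name__ == "__main__":
    for msg in run_job():
        print(msg)
```

With damping at two polls the seven snapshots produce three messages (down, back up, missing); with damping disabled the single blip in the first two polls would add a down/recovery pair of its own.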

About Prisma Access

Prisma Access is a secure access service edge (SASE) that helps organizations embrace cloud and mobility by providing networking and network security services from the cloud. With growing numbers of users, branch offices, and services—and massive amounts of data—located outside the protection of traditional network security appliances, organizations need a cloud-based infrastructure that converges these capabilities. Prisma Access provides consistent security services and access to cloud applications (including public clouds, private clouds, and software as a service), delivered through a common framework for a seamless user experience. Prisma Access is delivered as a cloud service from more than 100 locations in 76 countries, enabling connectivity and security for mobile users, branch offices, and retail locations.

About Cortex XSOAR

Cortex XSOAR unifies case management, automation, real-time collaboration, and Threat Intel Management in the industry's first extended security orchestration, automation, and response offering. SOC teams can supercharge their efficiency with the world's most comprehensive operating platform for enterprise security, enabling them to manage alerts across all sources, standardize processes with playbooks, take action on threat intelligence, and automate response for any security use case, resulting in 90% faster response times and a 95% reduction in alerts requiring human intervention.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. automate-global-secure-access-with-prisma-access-and-cortex-xsoar-b-060820

www.paloaltonetworks.com
