SOAR · XSOAR 6.5+ · 2026 PLAYBOOK

Foreign-Travel SOAR Playbook.

End-to-end automation that hardens devices for international travel: identity resolution, parallel control rollouts, vulnerability scan, and rollback on return.

Cortex XSOAR 6.5+ · Azure AD / Intune · Rapid7 InsightVM · ThreatLocker · Cisco XDR Live Terminal · Cisco Umbrella

Problem

When an employee travels internationally, their endpoint’s risk profile changes overnight: the device needs a stricter application allowlist, a fresh vulnerability-scan baseline, a regional DNS policy, and a hardened endpoint posture that holds for the duration of the trip and is rolled back on return. Doing this by hand is slow and error-prone.

Approach

A Cortex XSOAR 6.5+ playbook (playbook-ForeignTravel.yml) triggered by a webhook. The flow:

  1. Parse the travel request payload
  2. Resolve Azure AD + Intune identifiers from the user
  3. Fan out in parallel:
    • Rapid7 InsightVM: ad-hoc scan
    • Intune: ThreatLocker Win32 app assignment + sync gate
    • Cisco XDR Live Terminal: Umbrella MSI update
  4. Reconvene + report

The playbook ships with a README so SOC analysts and IT can pick it up and tweak per-tenant.
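The fan-out / reconvene step above, as an added example that is not the playbook's own code: the three integrations are stood in for by constructed test doubles, the sync gate polls a confirmation callback against a deadline so a hung Intune sync cannot stall the run, a failed branch is reported rather than aborting the others, and a rollback manifest records which reversible controls actually landed so the return-trip rollback is exact. The names `fan_out`, `sync_gate`, `run_control` and `ControlResult` are hypothetical.

```python
"""Fan-out / reconvene with a sync gate and rollback manifest (added example, constructed doubles)."""
import time
from collections import namedtuple
from concurrent.futures import ThreadPoolExecutor

# applied: a change reached the device (even if unconfirmed); reversible: undo on return
ControlResult = namedtuple("ControlResult", "name ok detail applied reversible")

def sync_gate(poll, timeout_s, interval_s=0.01):
    """Poll until the device reports the expected state or the deadline passes."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if poll():
            return True
        time.sleep(interval_s)
    return False

def run_control(name, apply, confirm, reversible, timeout_s):
    """One parallel branch: push the change, then optionally wait for confirmation."""
    try:
        detail = apply()
    except Exception as exc:  # a failing branch must not abort the other branches
        return ControlResult(name, False, f"apply failed: {exc}", False, reversible)
    if confirm is not None and not sync_gate(confirm, timeout_s):
        return ControlResult(name, False, "sync gate timed out", True, reversible)  # pushed, unconfirmed
    return ControlResult(name, True, detail, True, reversible)

def fan_out(controls, timeout_s=5.0):
    """controls: {name: (apply, confirm_or_None, reversible)}. Returns (report, rollback_manifest)."""
    with ThreadPoolExecutor(max_workers=max(1, len(controls))) as pool:
        futs = [pool.submit(run_control, n, a, c, r, timeout_s) for n, (a, c, r) in controls.items()]
    results = [f.result() for f in futs]  # all branches have reconvened here
    report = {r.name: f"{'ok' if r.ok else 'FAILED'}: {r.detail}" for r in results}
    rollback = sorted(r.name for r in results if r.applied and r.reversible)
    return report, rollback

def demo():
    """Constructed doubles: Intune confirms on the third poll, the Umbrella MSI push fails."""
    polls = {"n": 0}
    def intune_confirm():
        polls["n"] += 1
        return polls["n"] >= 3
    def umbrella_apply():
        raise RuntimeError("Live Terminal session unavailable")
    controls = {
        "insightvm_scan": (lambda: "ad-hoc scan queued", None, False),
        "intune_threatlocker": (lambda: "Win32 app assigned", intune_confirm, True),
        "umbrella_msi": (umbrella_apply, None, True),
    }
    return fan_out(controls, timeout_s=1.0)
```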

What I shipped

  • playbook-ForeignTravel.yml (XSOAR v6.5+ format)
  • README documenting trigger payload, integrations, and operator runbook
  • Identity-resolution sub-flow reusable across other travel-/access-related playbooks
Highlights
  • Webhook-triggered: parse → resolve identities → parallel control changes
  • Intune ThreatLocker Win32 app assignment + sync gate
  • Live Terminal MSI update for endpoint posture
  • Documented playbook + README for handoff