# SOC Automation & Security Operations
Automate security operations. Covers SIEM, SOAR, detection engineering, alert triage automation, threat intelligence integration, and building effective security operations centers.
Security Operation Centers (SOCs) drown in alerts. The average enterprise SOC receives 10,000+ alerts per day. Analysts manually investigate each one, resulting in burnout, missed threats, and hour-long response times. SOC automation uses SOAR (Security Orchestration, Automation, and Response) to automate the repetitive 80% — enrichment, triage, containment — so analysts focus on the complex 20% that requires human judgment.
## SOC Architecture
```text
 Threat Sources              Detection                 Response
 ┌──────────┐               ┌──────────┐              ┌──────────┐
 │ Endpoints├──┐            │          │              │  SOAR    │
 │ Network  ├──┤   Logs     │  SIEM    │   Alerts     │ Playbooks│
 │ Cloud    ├──┼───────────▶│ (Splunk/ │─────────────▶│ (auto-   │
 │ Identity ├──┤            │ Sentinel)│              │  enrich, │
 │ App Logs ├──┘            │          │              │  triage, │
 └──────────┘               └──────────┘              │  contain)│
                                                      └──────────┘
```
## Detection Engineering

### Detection-as-Code
```yaml
# Sigma rule: detect brute force login attempts
title: Brute Force Login Attempt
status: stable   # Sigma status values: stable, test, experimental, deprecated, unsupported
description: Detects multiple failed login attempts from a single source
author: Security Engineering
date: 2025/01/15
logsource:
  product: authentication
  service: login
detection:
  failed_logins:
    status: "failure"
  # timeframe is a sibling of condition, not part of a selection
  timeframe: 5m
  # aggregation: more than 10 failures from the same source_ip within the timeframe
  condition: failed_logins | count() by source_ip > 10
falsepositives:
  - Automated health checks with wrong credentials
  - Password rotation scripts
level: medium
tags:
  - attack.credential_access
  - attack.t1110.001
```
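The rule's aggregation, run as a sliding-window detector over constructed sample authentication events, as an added example that is not code from this page or from the Sigma project. The allowlist implements the rule's listed false positives (health-check and rotation sources); the `RULE` dictionary, `evaluate` function and every address in it are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (timestamp, source_ip, status); not real data.
SAMPLE_EVENTS = (
    [(f"2025-01-15T10:00:{i:02d}Z", "203.0.113.7", "failure") for i in range(12)]
    + [("2025-01-15T10:00:30Z", "198.51.100.4", "failure")] * 3   # below threshold
    + [("2025-01-15T10:01:00Z", "192.0.2.9", "failure")] * 11     # allowlisted monitor
    + [("2025-01-15T10:30:00Z", "203.0.113.7", "failure")] * 11   # new burst, new window
)

# The Sigma rule as parameters: timeframe 5m, count() by source_ip > 10.
RULE = {
    "timeframe": timedelta(minutes=5),
    "threshold": 10,
    # Covers the rule's listed false positives: health-check / rotation sources
    # that are expected to fail (constructed address for this example).
    "allowlist": {"192.0.2.9"},
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(events, rule=RULE):
    """Sliding-window evaluation of the aggregation condition.

    Returns one alert per burst as (source_ip, first_seen, last_seen, count),
    firing when a source crosses the threshold inside the timeframe.
    """
    windows = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    for ts_str, source_ip, status in sorted(events, key=lambda e: e[0]):
        if status != "failure" or source_ip in rule["allowlist"]:
            continue
        ts = parse_ts(ts_str)
        win = windows[source_ip]
        win.append(ts)
        while ts - win[0] > rule["timeframe"]:  # drop failures outside the window
            win.popleft()
        if len(win) == rule["threshold"] + 1:  # fire once, on the crossing
            alerts.append((source_ip, win[0], ts, len(win)))
    return alerts


if __name__ == "__main__":
    for source_ip, first, last, count in evaluate(SAMPLE_EVENTS):
        print(f"ALERT brute force from {source_ip}: {count} failures {first} .. {last}")
```

The second burst at 10:30 fires a separate alert because the earlier failures have aged out of the 5-minute window; the allowlisted monitor never fires despite exceeding the count.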
### SOAR Playbook: Phishing Response
```python
def phishing_response_playbook(alert):
    """Automated phishing alert response.

    The helpers called here (extract_email_headers, check_reputation,
    isolate_endpoint, ...) are SOAR platform integration actions; this
    function only orchestrates them.
    """
    # Step 1: Enrich (automated)
    email_metadata = extract_email_headers(alert.email)
    sender_reputation = check_reputation(email_metadata.sender)
    urls = extract_urls(alert.email_body)
    url_verdicts = [check_url_reputation(url) for url in urls]
    attachments = scan_attachments(alert.attachments)

    # Step 2: Auto-triage (automated)
    risk_score = calculate_risk(
        sender_reputation=sender_reputation,
        url_verdicts=url_verdicts,
        attachment_verdicts=attachments,
    )

    if risk_score > 90:  # Clearly malicious
        # Step 3a: Auto-contain (automated)
        block_sender(email_metadata.sender)
        quarantine_email(alert.email_id)
        disable_clicked_urls(urls)

        # Check if the user clicked any links
        clicked = check_proxy_logs(alert.user, urls)
        if clicked:
            isolate_endpoint(alert.user)
            reset_credentials(alert.user)

        create_incident(severity="HIGH", auto_contained=True)

    elif risk_score > 50:  # Suspicious
        # Step 3b: Analyst review (human)
        escalate_to_analyst(
            alert=alert,
            enrichment={
                "sender_reputation": sender_reputation,
                "url_verdicts": url_verdicts,
                "risk_score": risk_score,
            },
            recommended_action="Review and confirm containment",
        )

    else:  # Likely benign
        close_alert(alert, reason="Low risk score, likely legitimate")
```
## Key Metrics
| Metric | Target | Measures |
|---|---|---|
| MTTD (Mean Time to Detect) | < 1 hour | How fast you find threats |
| MTTR (Mean Time to Respond) | < 4 hours | How fast you contain threats |
| Automation Rate | > 80% of alerts | How much is automated vs manual |
| False Positive Rate | < 10% | Quality of detection rules |
| Analyst Workload | < 20 alerts/analyst/day | Is automation reducing burden? |
| Coverage | MITRE ATT&CK % | What techniques can you detect? |
## Anti-Patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| Alert on everything | 10,000 alerts/day, alert fatigue | Tune detections, reduce noise, tier alerts |
| Manual enrichment | Analysts manually check IPs, hashes, emails | SOAR auto-enrichment on every alert |
| No detection-as-code | Detections not version-controlled or tested | Git-managed Sigma/YARA rules with CI/CD |
| Buy tools, skip process | Tools deployed but no playbooks | Define response playbooks before buying tools |
| No metrics | Can’t prove SOC value or find improvements | Track MTTD, MTTR, automation rate |
## Checklist
- SIEM deployed with all critical log sources ingested
- Detection rules: version-controlled, tested, mapped to MITRE ATT&CK
- SOAR platform: automated enrichment and triage
- Playbooks: phishing, malware, credential compromise, insider threat
- Threat intelligence: feeds integrated into detection
- Alert tuning: false positive rate < 10%
- Metrics: MTTD, MTTR, automation rate tracked
- Incident response: plan tested quarterly with tabletop exercises
- 24/7 coverage: on-call rotation or MSSP for off-hours
:::note[Source]
This guide is derived from operational intelligence at Garnet Grid Consulting. For security operations consulting, visit garnetgrid.com.
:::