SA0.11 Interactive Lab: Automation Assessment
Lab: Assess NE’s Automation Maturity and Design the Roadmap
In this lab, you apply the frameworks from SA0.1-SA0.10 to Northgate Engineering’s SOC. You assess the current automation maturity, identify the highest-value automation candidates, score the blast radius for critical systems, and produce the first draft of the 90-day automation roadmap.
Part 1: Maturity Assessment
Score Northgate Engineering’s SOC across all 8 dimensions using the information from SA0.6 (NE’s Automation Landscape).
Reminder — NE’s current state:
- 500 alerts/day, 3 analysts, MTTA 45 min, MTTR 4+ hours
- Defender AIR enabled but unmonitored (12 actions in 90 days, 3 on VIP accounts)
- 4 Sentinel automation rules (2 useful, 1 problematic, 1 fragile)
- 1 dead VirusTotal playbook (failed 6 months ago)
- Zero enrichment, collection, notification, or containment playbooks
- No version control, no monitoring, no runbooks
- BlueVoyant coordination: manual email only
Score each dimension 1-5 and calculate the overall level.
Part 2: Automation Candidate Identification
NE’s top 5 alert types by volume:
- Suspicious process creation (200/week)
- Impossible travel (120/week)
- AiTM credential phishing (35/week)
- Failed sign-in attempts (50/week)
- Suspicious inbox rule creation (20/week)
For each alert type, determine:
- What enrichment automation would help? (Tier 1)
- What evidence should be auto-collected? (Tier 2)
- Can containment be automated? If so, at what confidence level? (Tier 3)
- What is the estimated time saving per alert?
- What is the priority rank for the 90-day roadmap?
Part 3: Blast Radius Assessment
For each of NE’s critical systems (from SA0.5), confirm:
- SRV-NGE-DC01/DC02: blast radius category and containment rule
- SRV-NGE-DB01: blast radius category and containment rule
- SRV-NGE-FS01: blast radius category and containment rule
- DESKTOP-NGE* workstations: blast radius category and containment rule
- Standard user accounts: containment rule and VIP check requirement
- Service accounts (svc_sql, svc_backup): containment rule and dependency check
Part 4: 90-Day Roadmap Draft
Using your answers from Parts 1-3, draft the 90-day automation roadmap:
Month 1 — Enrichment:
- Which enrichment playbooks will you build first? (Hint: start with the enrichment that applies to the most alert types)
- What is the deployment sequence?
- How will you measure success?
Month 2 — Collection and Notification:
- Which evidence collection playbooks? (Hint: AiTM and endpoint are highest value)
- What notification pipeline? (Teams for SOC, email for CISO, tickets for tracking)
- How will you handle BlueVoyant coordination?
Month 3 — First Containment:
- Which containment playbook is safest to deploy first? (Hint: AiTM session revocation — highest confidence detection, lowest blast radius containment)
- What safeguards will you implement? (VIP check, confidence threshold, rollback playbook)
- What governance must be in place before containment goes live?
Self-Assessment
After completing the lab, check your work against these criteria:
- Maturity assessment uses all 8 dimensions with justified scores
- Each alert type has enrichment, collection, and containment mapped to the correct tier
- Blast radius categories are consistent with the SA0.5 framework
- The 90-day roadmap follows left-to-right progression (enrichment → collection → containment)
- Month 3 containment has safeguards identified (confidence threshold, VIP check, rollback)
- The roadmap is realistic for a 3-analyst team dedicating 25% of one analyst’s time
You're reading the free modules of this course
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.