0.11 Guided Walkthrough: Automation Assessment
Scenario
Rachel Okafor has approved the automation program. She wants a one-page roadmap: where NE is now, what gets built in each month, and how the team measures progress. You produce the roadmap by working through the assessment, identifying the highest-value candidates, mapping the blast radius classifications, and sequencing the 90-day build plan. This walkthrough is the process. The roadmap is the deliverable.
Part 1: maturity assessment
Apply the eight-dimension scoring from Section 0.10 to NE's current state from Section 0.6. For each dimension, reference the specific evidence from the audit.
Enrichment. NE has zero enrichment playbooks. All enrichment is manual: five queries per alert, two minutes each, consuming 24 analyst-hours per day. Score: 1. The 90-day target is Level 3 (full enrichment pipeline covering all incident types with five or more data sources). The gap is absolute: NE needs to go from zero enrichment playbooks to a complete pipeline in Month 1.
Evidence collection. NE has zero auto-collection. Volatile evidence (session tokens, running processes, network connections) expires before analysts reach the incident. Average triage delay is 45 minutes. Azure AD access tokens expire in one hour. Score: 1. The 90-day target is Level 3 (auto-collection for the top three incident types: AiTM identity evidence, endpoint volatile state, and email header data).
Notification. The SOC notifies stakeholders by manually composing emails during active incidents. No Teams integration, no ticket creation, no escalation routing, no after-hours mechanism. Score: 1. The 90-day target is Level 3 (Teams adaptive cards plus ServiceNow tickets plus severity routing).
Containment. Platform-only automation from Defender attack disruption. Zero Sentinel-initiated containment. All manual identity and endpoint containment taking 15 to 25 minutes per incident. Score: 1. The 90-day target is Level 2 (false positive auto-close plus one containment playbook with safeguards for the highest-confidence detection type).
Governance. No version control, no monitoring, no runbooks, no review cadence. Four automation rules with no documentation. One dead playbook undetected for six months. Score: 1. The 90-day target is Level 2 (monitoring configured for all playbooks, ARM templates in a shared repository).
Platform coordination. The SOC is unaware of Defender XDR's automated actions. 847 actions in 90 days with zero review. No coordination between Sentinel playbooks and Defender responses. Score: 1. The 90-day target is Level 2 (weekly Action Center review, awareness of both platforms).
Metrics. No automation metrics tracked. No MTTA or MTTR measurement. No dashboard. Score: 1. The 90-day target is Level 2 (basic counts: playbook executions, success/fail rates).
Continuous improvement. No improvement process. The dead playbook demonstrates that failures go undetected indefinitely. Score: 1. The 90-day target is Level 2 (reactive improvement with monitoring alerts configured).
Overall score: 8/8 = Level 1.0. 90-day target: 19/8 = Level 2.4.
The gap between 1.0 and 2.4 is the work this course teaches. Level 1.0 means the SOC has no operational automation — everything depends on manual execution by analysts who are already at capacity. Level 2.4 represents a SOC where enrichment runs automatically for every incident, evidence is preserved for critical alert types, notification routing is consistent, and the first containment playbook is operational with proper governance. It is not the end state. The remaining course modules (SA8 through SA13) push the maturity toward Level 3 and eventually Level 4, but Level 2.4 is the milestone that transforms daily operations: analysts open pre-enriched incidents instead of raw alerts, evidence is captured at alert time instead of investigation time, and the first containment workflow executes in seconds instead of minutes. The measurable change is in MTTA (from minutes to seconds for enriched incidents) and evidence availability (from partial to complete for critical alert types).
Figure 0.11a: The 90-day roadmap follows the left-to-right maturity progression. Each month targets one tier: enrichment (zero risk), collection and notification (low risk), then containment (governed risk). The maturity score advances from Level 1.0 to Level 3.0.
Part 2: automation candidate identification
NE's top five alert types by weekly volume determine the automation priority sequence. Each alert type maps to specific automation across the three tiers.
The priority sequencing follows the maturity model. Month 1 builds enrichment playbooks for all five alert types, starting with the enrichment sources that apply to multiple types (IP reputation, user risk, device compliance). Month 2 adds evidence collection for AiTM (highest impact) and endpoint (highest volume). Month 3 deploys the first containment playbook for AiTM session revocation, which has the highest confidence scoring and the clearest blast radius boundary.
Part 3: blast radius classification
NE's critical systems map to the blast radius categories from Section 0.5. The classification determines which containment actions can be automated and which require human approval.
Domain controllers (SRV-NGE-DC01, SRV-NGE-DC02) are critical infrastructure. Automatic containment is never appropriate for domain controllers. Any containment action on a DC requires IR lead approval, regardless of confidence score. The blast radius of isolating a DC is total authentication failure for all 810 users.
Database server (SRV-NGE-DB01) is a business-critical system. Automatic isolation requires 98%+ confidence and approval gate routing. The blast radius includes all applications dependent on the database, which at NE includes the ERP system used by the manufacturing floor.
File server (SRV-NGE-FS01) is a standard server with moderate blast radius. Automatic isolation is permitted at 98%+ confidence for ransomware indicators. The blast radius is file access disruption, which is recoverable from backup, making isolation a lower-cost containment action than database or DC isolation.
Standard workstations (DESKTOP-NGE-*) are low blast radius. Automatic isolation is permitted at 95%+ confidence for confirmed malware or ransomware indicators. The user loses access to the device until the SOC releases the isolation. Impact is one user, one device.
Standard user accounts have moderate blast radius. Session revocation is permitted at 95%+ confidence. Account disablement requires 97%+ confidence. VIP accounts (defined in the Sentinel VIP watchlist) always route to human approval regardless of confidence score. NE's VIP list includes 14 accounts: the CEO, CFO, CTO, CISO, the four board members with M365 access, the manufacturing operations director, the HR director, the legal counsel, and three service desk administrators with Global Admin privileges. These accounts are protected not because their security is less important, but because the business impact of a false-positive containment action on any of them justifies the 30-second delay of human approval over the risk of automated action.
Service accounts (svc_sql, svc_backup, svc_exchange_hybrid) are never automatically disabled. Service account containment requires dependency analysis that automation cannot perform reliably. The blast radius of disabling svc_sql is a cascading failure across every application that authenticates through that account — at NE, that includes the ERP system, the manufacturing floor reporting dashboard, and the customer portal. Service account alerts route to human triage with enrichment data (dependency map, recent authentication activity, risk score) pre-populated by the enrichment playbook. The enrichment ensures the analyst has the information needed to make a rapid decision, even though the decision itself requires human judgment about application dependencies.
Anti-Pattern
Scoring the maturity assessment based on what you plan to build
The assessment measures current state, not target state. A team that plans to deploy enrichment playbooks next month scores Enrichment at Level 1 today. A team that has Defender AIR enabled but unmonitored scores Containment at Level 1, because platform-default automation the SOC does not control or review is not SOC automation. Score based on what is deployed, monitored, and governed right now. The gap between the current score and the target score is the work the course teaches you to do.
Part 4: the 90-day roadmap
The roadmap sequences the module build order based on the maturity progression, the candidate prioritization, and the blast radius classifications.
Month 1 deploys six enrichment playbooks (SA1 and SA2): IP reputation from threat intelligence feeds, user risk from Entra ID Protection, device compliance from Intune, alert correlation history from Sentinel, geographic anomaly analysis from SigninLogs, and mailbox rule audit from Exchange Online. Governance: ARM templates committed, monitoring configured, runbooks published. Success metric: 100% of incidents enriched within 30 seconds of creation.
Month 2 deploys three evidence collection playbooks (SA3) and the notification pipeline (SA4): AiTM identity evidence (session tokens, MFA state, sign-in context), endpoint volatile state (process list, network connections, scheduled tasks), and email transport data (headers, attachment hashes, recipient list). Notification channels: Teams adaptive card for all incidents, email to CISO for Critical severity, ServiceNow ticket for tracking. Success metric: volatile evidence captured for 100% of High and Critical incidents.
Month 3 deploys the first containment playbook (SA5): AiTM session revocation with MFA method reset, gated by the composite confidence threshold (97% minimum) and blast radius assessment (VIP watchlist check, account classification). The playbook runs in approval mode for the first two weeks — it calculates the confidence score, performs the blast radius check, and routes an approval request to the SOC Teams channel with the enrichment summary and recommended action. Analysts approve or reject each recommendation, and the approval/rejection data feeds back into the confidence calibration. After two weeks with a 95%+ approval rate and zero false-action incidents, the playbook promotes to fully automated execution for non-VIP standard user accounts. VIP accounts remain in approval mode permanently.
Rollback playbook verified in staging before containment goes live. SOC team briefed on the automation behavior, approval flow, and escalation path for false-action incidents. Deploy gate from SA0.9 passed with documented test results. Success metric: MTTC for AiTM incidents reduced from 25 minutes (manual) to under 60 seconds (automated for standard accounts) or under 3 minutes (approval flow for VIP accounts).
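The blast radius rules from Part 3 and the Month 3 approval-mode gate, written out as an added Python example (not NE's playbook or the course's own code). The VIP watchlist entries, the outcome labels and the handling of below-threshold scores are assumptions made here.

```python
"""Containment gate encoding the blast radius classifications from Part 3 and
the Month 3 approval-mode rollout. Added example, not NE's playbook or course
code. Host/account naming follows the page; VIP_WATCHLIST entries and the
outcome labels ("auto", "approval", "manual") are constructed assumptions."""
from dataclasses import dataclass
import fnmatch

# Constructed stand-in for the Sentinel VIP watchlist (page: 14 accounts).
VIP_WATCHLIST = {"ceo@ne.example", "cfo@ne.example", "ciso@ne.example"}

# (name glob, action, min confidence %, outcome at/above threshold).
# A None threshold means the outcome applies regardless of confidence.
HOST_POLICY = [
    ("SRV-NGE-DC*", "isolate", None, "approval"),  # DCs: IR lead approval, always
    ("SRV-NGE-DB*", "isolate", 98, "approval"),    # business-critical: 98%+ AND approval gate
    ("SRV-NGE-FS*", "isolate", 98, "auto"),        # standard server: auto at 98%+
    ("DESKTOP-NGE-*", "isolate", 95, "auto"),      # workstation: auto at 95%+
]
ACCOUNT_POLICY = [
    ("svc_*", "disable", None, "manual"),          # service accounts: never automated
    ("svc_*", "revoke_session", None, "manual"),
    ("*", "revoke_session", 95, "auto"),           # standard user: auto at 95%+
    ("*", "disable", 97, "auto"),                  # standard user: auto at 97%+
]

@dataclass
class Decision:
    outcome: str  # "auto" | "approval" | "manual"
    reason: str

def gate(kind: str, target: str, action: str, confidence: int,
         approval_mode: bool = False) -> Decision:
    """kind is "host" or "account"; approval_mode models the first two weeks of
    Month 3, when every auto-eligible action is routed to Teams for approval."""
    if kind == "account" and target.lower() in VIP_WATCHLIST:
        return Decision("approval", "VIP watchlist: human approval regardless of score")
    policy = ACCOUNT_POLICY if kind == "account" else HOST_POLICY
    for pattern, pol_action, threshold, outcome in policy:
        if pol_action != action or not fnmatch.fnmatchcase(target, pattern):
            continue
        if threshold is None:
            return Decision(outcome, f"{pattern}: {outcome} regardless of score")
        if confidence < threshold:
            # Assumption: below threshold the alert goes to human triage, no action recommended.
            return Decision("manual", f"{confidence}% < {threshold}% for {pattern}")
        if outcome == "auto" and approval_mode:
            return Decision("approval", "approval mode: recommendation routed to SOC channel")
        return Decision(outcome, f"{confidence}% >= {threshold}% for {pattern}")
    return Decision("manual", "no policy entry: default to human triage")
```

Policy rows are matched in order, so the service-account rows must stay above the catch-all `*` rows; promoting the AiTM playbook out of approval mode is a matter of flipping `approval_mode` for non-VIP accounts only.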
Automation Principle
The assessment process is the deliverable. The maturity score, the candidate map, the blast radius classifications, and the roadmap are not theoretical artifacts. They are the planning documents that the remaining modules execute against. When you apply this same process to your own environment, the output is your automation program's roadmap, sequenced by the same logic: enrichment first, evidence and notification second, containment third, with governance at every step.