SA0.12 Module Summary
What You Built in This Module
This module established the operational framework for security automation — the judgment that determines whether automation helps or causes damage. Before building a single playbook, you now have three frameworks that every subsequent module builds on.
The Three-Tier Automation Model. Every automation action maps to a tier. Tier 1 (enrichment) is always safe and should be automated for every alert type. Tier 2 (collection and notification) has low risk and requires basic validation — severity routing for notifications, chain-of-custody for evidence. Tier 3 (containment) has high risk and requires confidence thresholds, VIP watchlist checks, blast radius assessment, human approval gates for high-impact actions, rollback playbooks, and post-containment verification. The tier determines the safeguards. The safeguards determine whether the automation is safe for production.
The Confidence Threshold Methodology. Detection confidence is measured, not guessed. Deploy the detection rule, track true positive / false positive / benign true positive classifications for 30 days, calculate the confidence level, and map it to the appropriate automation tier. At 95%+ confidence, auto-contain. At 80-95%, auto-contain with human approval gate. At 60-80%, auto-enrich and notify. Below 60%, auto-enrich only. The confidence level changes over time as you tune the detection — promoting automation from lower tiers to higher tiers as accuracy improves.
The Blast Radius Assessment. Every containment action has operational impact. Low blast radius (one user, one workstation) — auto-contain with VIP check. Medium blast radius (team, service) — auto-contain with confirmation checks. High blast radius (department, production server) — human approval required. Critical blast radius (entire organisation) — manual execution only, coordinated by IR lead. The blast radius assessment is embedded in containment playbooks as dynamic runtime checks, not static documentation.
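The confidence threshold and blast radius checks above combine into one runtime decision in a containment playbook. The following is an added example, not code from the course, encoding both mappings as a single gate calculation; it assumes confidence is computed as TP / (TP + FP + BTP) over the tracking window (the module gives the thresholds, not this formula), and the scopes and VIP list are constructed samples.

```python
# Added example (not course material): confidence-to-tier and blast-radius-to-gate
# mappings from this module as one runtime check. Assumption: confidence is
# TP / (TP + FP + BTP) over the 30-day window. Scopes and VIP list are constructed.
from enum import IntEnum

class Gate(IntEnum):
    """Containment modes, ordered from least to most restrictive."""
    AUTO_CONTAIN = 0      # Tier 3 with no human in the loop
    CONFIRM_CHECKS = 1    # auto-contain after confirmation checks
    HUMAN_APPROVAL = 2    # approval gate before the action runs
    MANUAL_ONLY = 3       # IR lead executes by hand
    NO_CONTAIN = 4        # confidence too low: Tier 1/2 actions only

BLAST_RADIUS = {  # scope of the containment action -> gate the module requires
    "user": Gate.AUTO_CONTAIN, "workstation": Gate.AUTO_CONTAIN,
    "team": Gate.CONFIRM_CHECKS, "service": Gate.CONFIRM_CHECKS,
    "department": Gate.HUMAN_APPROVAL, "production_server": Gate.HUMAN_APPROVAL,
    "organisation": Gate.MANUAL_ONLY,
}
VIP_WATCHLIST = {"ceo@example.com", "cfo@example.com"}  # constructed sample

def detection_confidence(tp: int, fp: int, btp: int) -> float:
    """Fraction of classified alerts that actually warranted containment."""
    total = tp + fp + btp
    if total == 0:
        raise ValueError("no classified alerts yet: keep the rule at enrich-only")
    return tp / total

def confidence_gate(conf: float) -> Gate:
    """Map measured confidence to the automation tier the module allows."""
    if conf >= 0.95:
        return Gate.AUTO_CONTAIN
    if conf >= 0.80:
        return Gate.HUMAN_APPROVAL
    return Gate.NO_CONTAIN  # 60-80%: enrich and notify; below 60%: enrich only

def containment_gate(conf: float, scope: str, target: str) -> Gate:
    """Effective gate is the most restrictive of the three runtime checks."""
    if scope not in BLAST_RADIUS:
        raise ValueError(f"unknown scope {scope!r}: refusing to auto-contain")
    gates = [confidence_gate(conf), BLAST_RADIUS[scope]]
    if target in VIP_WATCHLIST:
        gates.append(Gate.HUMAN_APPROVAL)  # VIP hit always adds an approval gate
    return max(gates)
```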
What You Learned About Sentinel and Defender XDR
Sentinel provides three automation mechanisms: automation rules (lightweight, no code), playbooks (Logic Apps — powerful multi-step workflows), and analytic rule actions (fastest trigger, alert-level). Most automation uses playbooks triggered by automation rules on incident creation. The execution order matters: alert → analytic rule action → incident creation → automation rule → playbook.
Defender XDR provides three native capabilities: Auto Investigation and Response (AIR), attack disruption, and custom detection rules with auto-actions. These complement Sentinel automation — Defender handles fast, single-product responses while Sentinel handles cross-product orchestration and external integrations. Both platforms should be active and monitored.
What You Learned About Governance
Automation without governance degrades silently. The four pillars — version control (ARM templates in Git), testing (staging workspace with test incidents), monitoring (failed-run detection and health metrics), and documentation (runbooks answering six questions) — keep automation operational over months and years. Every playbook you build in this course will follow the governance checklist.
The Automation Maturity Model
You assessed NE’s SOC at Level 1 (ad hoc) across all 8 dimensions. The 90-day roadmap targets Level 2-3 through incremental deployment: enrichment in Month 1, collection and notification in Month 2, first containment playbook in Month 3. The maturity assessment is repeated at the end of the course to measure the quantified improvement.
What Comes Next
SA1 builds your first automation rule and your first playbook. You will configure a Sentinel automation rule that changes AiTM alert severity to High, then build a Logic App playbook that enriches incidents with user risk data and posts the results to Teams. By the end of SA1, you will have working automation deployed in your Sentinel workspace — the first step on the maturity ladder.
The frameworks from this module — the three-tier model, the confidence threshold methodology, the blast radius assessment, and the governance pillars — are referenced in every subsequent module. They are not theoretical constructs to memorise. They are operational tools to apply.