Module Summary

5 hours · Module 0 · Free

What you learned in this module

Section 0.1: Why Most SOCs Don't Automate. The five barriers that prevent SOC teams from building automation programs: blast radius fear, no confidence measurement, tooling complexity, organizational inertia, and perpetual deferral. You learned why IBM's 2025 data shows $1.9 million in savings from automation, why Mandiant's M-Trends 2026 documents 22-second initial access handoffs that outpace manual response, and why most teams never capture that value.

Section 0.2: The Automation Spectrum. The five automation levels from L0 (fully manual) through L4 (autonomous response), with the left-to-right dependency chain that prevents skipping levels. You learned the action classification framework and why every automation action must be placed on the spectrum before deployment.

Section 0.3: The Three Automation Tiers. The tier classification by blast radius: Tier 1 (enrichment, zero blast radius, always safe), Tier 2 (collection and notification, low blast radius, basic validation), and Tier 3 (containment, high blast radius, requires confidence thresholds, VIP checks, and rollback playbooks). You learned the managed identity permission model for each tier and the governance requirements that scale with blast radius.

Section 0.4: The Confidence Threshold Problem. The distinction between alert severity and detection confidence, and why severity alone cannot gate containment decisions. You learned the composite additive scoring model, signal weight calibration, and the threshold-by-action-type framework: 95% for session revocation, 97% for account disablement, 98% for device isolation.

Section 0.5: The Blast Radius Assessment. The four blast radius categories (standard user, VIP/executive, server/infrastructure, service account) and how dynamic assessment via Sentinel watchlists provides real-time entity classification. You learned the combined confidence-plus-blast-radius gate that prevents high-impact containment on critical assets.
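The combined gate from Sections 0.4 and 0.5, written out as an added example (not course material): the additive confidence score is compared against the per-action thresholds from Section 0.4, and containment is refused for VIP, server and service-account entities regardless of score. The signal names, their weights and the watchlist entries are assumptions constructed for the example; the thresholds and blast radius categories are the ones stated above.

```python
"""Confidence-plus-blast-radius containment gate (added example)."""
from dataclasses import dataclass

# Composite additive scoring: each observed signal adds its weight and the
# sum is capped at 100, read as a confidence percentage. Signal names and
# weights are assumptions for this example; calibrate from your own data.
SIGNAL_WEIGHTS = {
    "impossible_travel": 35,
    "mfa_fatigue_pattern": 30,
    "new_device_enrollment": 20,
    "inbox_rule_creation": 25,
    "threat_intel_ip_match": 30,
}

# Thresholds by action type, as stated in Section 0.4.
ACTION_THRESHOLDS = {
    "revoke_session": 95,
    "disable_account": 97,
    "isolate_device": 98,
}

# Blast radius categories from Section 0.5. In production this lookup is a
# Sentinel watchlist; a constructed dict stands in for it here.
HIGH_IMPACT = {"vip", "server", "service_account"}
WATCHLIST = {
    "jdoe@example.com": "standard_user",
    "ceo@example.com": "vip",
    "svc-backup@example.com": "service_account",
    "SQL01": "server",
}


def composite_confidence(signals):
    """Additive score of the observed signals, capped at 100."""
    return min(100, sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals))


def blast_radius(entity):
    """Entities missing from the watchlist are treated as standard users."""
    return WATCHLIST.get(entity, "standard_user")


@dataclass
class GateDecision:
    allowed: bool
    confidence: int
    blast_radius: str
    reason: str


def containment_gate(entity, signals, action):
    """Allow auto-containment only if confidence meets the action's threshold
    AND the entity is not in a high-impact blast radius category."""
    conf, radius, threshold = composite_confidence(signals), blast_radius(entity), ACTION_THRESHOLDS[action]
    if conf < threshold:
        return GateDecision(False, conf, radius, f"confidence {conf} below {threshold} for {action}")
    if radius in HIGH_IMPACT:
        return GateDecision(False, conf, radius, f"{radius} entity: route to analyst")
    return GateDecision(True, conf, radius, "auto-contain")
```

A blocked decision still carries the score and category, so the playbook can attach the reason to the incident for the analyst instead of dropping it silently.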

Section 0.6: NE's Automation Landscape. The current-state audit of NE's environment: 847 unreviewed Defender actions, four automation rules (one valuable, one redundant, one harmful, one fragile), one dead VirusTotal playbook, and zero enrichment, collection, notification, or containment playbooks. You established the 90-day target architecture.

Section 0.7: Sentinel Automation Architecture. The two-layer model: automation rules as the orchestration layer (conditions, actions, execution order) and playbooks as Logic Apps for execution (API calls, conditional logic, entity extraction). You learned the service account permission model, the Enhanced Alert Trigger, and the decision framework for choosing rules-only vs playbook-backed automation.

Section 0.8: Defender XDR Automation Architecture. Attack disruption's three-stage containment model (signal correlation, action selection, auto-execute in three minutes), AIR's four automation levels per device group, custom detection rules with auto-actions and NRT capability, and the coordination framework that prevents conflicts between Sentinel and Defender XDR automation.

Section 0.9: The Automation Governance Framework. The four governance pillars: version control (ARM templates in Git), testing (staging workspace with test incidents), monitoring (SentinelHealth plus AzureDiagnostics), and documentation (six-question runbooks with ownership). You learned the deploy gate, the monthly review cycle, the tiered change management process, and the retirement procedure.

Section 0.10: The Automation Maturity Model. The five maturity levels and eight assessment dimensions. You scored NE at Level 1.0 across all dimensions and set the 90-day target at Level 2.4. You learned the progression path that maps each level transition to specific course modules.

Section 0.11: Guided Walkthrough. You applied every framework to NE's environment: scored the maturity assessment, identified automation candidates for the top five alert types, classified blast radius for critical systems, and produced the 90-day roadmap with monthly milestones and success metrics.

What's next

Module 1 starts building. The frameworks from this module become the decision criteria for every playbook you deploy. SA1 constructs the first enrichment playbooks, applies the deploy gate from Section 0.9, configures monitoring from day one, and delivers the first measurable improvement: analysts opening investigation-ready incidents instead of raw alerts. The 90-day clock starts.
