Day 05 Automation

Automation with SOAR and Python

Playbook automation with SOAR platforms, Python scripts for enrichment, and the API integrations that let a three-person SOC team respond at machine speed.

~1 hour · Intermediate · Hands-on · Precision AI Academy


01 SOC KPIs and Metrics

Key metrics: Mean Time to Detect (MTTD) — average time from attacker entry to alert; Mean Time to Respond (MTTR) — alert to containment; False Positive Rate — percentage of alerts that are not real attacks (industry average: 40-70%); Dwell Time — time attacker operates before detection (industry average: 21 days). These metrics drive analyst hiring, tool investment, and process improvement decisions.

02 Writing Detection Rules and Playbooks

A detection rule has: name, ATT&CK technique mapping, data source, query logic, tuning notes, and expected alert volume. A playbook has: trigger condition, triage steps, investigation steps, escalation criteria, and response actions. Both must be version-controlled (Git), reviewed quarterly, and tested annually against real or simulated attacks. SOC maturity correlates directly with documentation quality.

03 SOC Career Paths

Tier 1 Analyst → Tier 2 Analyst → Tier 3 Analyst/Threat Hunter → SOC Manager/CISO. Salary ranges (2025): T1 $55-75K, T2 $80-110K, T3 $100-140K, SOC Manager $120-160K. Key certifications: CompTIA Security+ (entry), Splunk Core Certified User (T1-T2), Blue Team Labs certifications, GCIH (GIAC Certified Incident Handler), GCIA (GIAC Certified Intrusion Analyst), CISSP (management). Federal SOC roles add 15-25% salary premium.

SOC DETECTION RULE DOCUMENTATION TEMPLATE

Rule Name: PowerShell Encoded Command Execution
ATT&CK Technique: T1059.001 (Command and Scripting Interpreter: PowerShell)
Data Source: Windows Security Event Log, Sysmon
Event IDs: 4104 (Script Block Logging), Sysmon 1 (Process Creation)

Query (Splunk):
  index=windows (EventCode=4104 OR (source=Sysmon EventCode=1))
  | regex CommandLine="(?i)(-enc|-encodedcommand)"
  | stats count by host, user, CommandLine

Tuning Notes:
  - Exclude hosts: [SCCM server, patching servers] — they use encoded PS legitimately
  - 4104 events carry the script text in ScriptBlockText rather than CommandLine; point the regex at the field each source actually populates
  - Alert threshold: any occurrence (0 expected in non-admin population)
  - Expected false positive rate: ~5% from legitimate admin scripts

Escalation Criteria:
  - P1: Encoded command plus an outbound network connection from the PowerShell process
  - P2: Encoded command from a non-admin account
  - P3: Encoded command from an admin account during business hours
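To show how the template's fields turn into running detection and escalation logic, here is an added Python example (not code from the course or from any SOAR vendor) that keeps the rule as data, applies its query logic and host exclusions to constructed sample events, and assigns the template's P1/P2/P3 tiers. The host names, the admin account, the business-hours definition and the "outbound connection" flag are assumptions; the template leaves them unspecified.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# The rule document as data, mirroring the template's fields so it can be
# version-controlled next to its playbook. Host names and the admin account
# are hypothetical stand-ins for the template's placeholders.
RULE = {
    "name": "PowerShell Encoded Command Execution",
    "attack_technique": "T1059.001",
    "event_ids": {4104, 1},                    # Script Block Logging, Sysmon process creation
    "pattern": re.compile(r"(?i)(-enc|-encodedcommand)"),
    "excluded_hosts": {"sccm01", "patch01"},   # tuning note: SCCM / patching servers (hypothetical names)
}
ADMIN_ACCOUNTS = {"CORP\\adm-jsmith"}          # hypothetical admin population


@dataclass
class Event:
    host: str
    user: str
    event_id: int
    command_line: str           # ScriptBlockText for 4104, CommandLine for Sysmon 1
    timestamp: datetime
    outbound_connection: bool   # constructed flag: the same process also made a network connection


def business_hours(ts: datetime) -> bool:
    """Mon-Fri, 08:00-17:59 local time (assumed definition; the template does not fix one)."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def classify(event: Event) -> str:
    """Map one matching event to the template's escalation tiers."""
    if event.outbound_connection:
        return "P1"
    if event.user not in ADMIN_ACCOUNTS:
        return "P2"
    if business_hours(event.timestamp):
        return "P3"
    # Admin account outside business hours is not covered by the template;
    # treated as P2 here (assumption), so nothing falls through silently.
    return "P2"


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Apply the query logic and tuning, then escalate. Returns (host, user, priority)."""
    hits = []
    for e in events:
        if e.event_id not in RULE["event_ids"]:
            continue
        if e.host in RULE["excluded_hosts"]:          # tuning: legitimate encoded PS
            continue
        if not RULE["pattern"].search(e.command_line):
            continue
        hits.append((e.host, e.user, classify(e)))
    return hits


# Constructed sample events (not real telemetry); "QQBBAEEA" is a dummy blob.
SAMPLE_EVENTS = [
    Event("ws-042", "CORP\\jdoe", 4104, "powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA",
          datetime(2025, 3, 4, 14, 0), True),            # non-admin + network: P1
    Event("ws-017", "CORP\\asmith", 1, "powershell.exe -enc QQBBAEEA",
          datetime(2025, 3, 4, 3, 0), False),            # non-admin: P2
    Event("ws-009", "CORP\\adm-jsmith", 4104, "powershell -EncodedCommand QQBBAEEA",
          datetime(2025, 3, 4, 10, 30), False),          # admin, Tuesday 10:30: P3
    Event("sccm01", "NT AUTHORITY\\SYSTEM", 1, "powershell.exe -enc QQBBAEEA",
          datetime(2025, 3, 4, 11, 0), False),           # excluded host: no alert
    Event("ws-011", "CORP\\bob", 4104, "powershell.exe Get-Process",
          datetime(2025, 3, 4, 12, 0), False),           # no encoded flag: no alert
    Event("ws-022", "CORP\\adm-jsmith", 4104, "powershell.exe -enc QQBBAEEA",
          datetime(2025, 3, 8, 2, 0), False),            # admin, Saturday 02:00: P2 (assumed)
]

if __name__ == "__main__":
    for host, user, priority in evaluate(SAMPLE_EVENTS):
        print(f"{priority} {host} {user}")
```

Because the exclusion list and escalation rules live in one structure, a change to either is a reviewable Git diff, which is the documentation discipline the section asks for.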
💡 Track your MTTD and MTTR weekly. If MTTD exceeds 24 hours, you have a detection coverage problem. If MTTR exceeds 4 hours for P1, you have a process problem. Both need fixing.
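The metrics from section 01 and the weekly thresholds in the tip above, worked through in an added Python example (not the course's own code) over five constructed incidents of the kind the Day 5 exercise asks you to measure. The incident timestamps are invented; the threshold values (24 h MTTD, 4 h P1 MTTR) are the ones the lesson states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    ident: str
    priority: str                  # "P1", "P2" or "P3"
    entry: Optional[datetime]      # attacker's first foothold; None for a false positive
    alert: datetime                # when the detection rule fired
    contained: Optional[datetime]  # when the threat was contained; None if never a real threat
    true_positive: bool


# Constructed sample data (not real incidents): five alerts from a lab week,
# four true positives and one false positive.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", "P1", datetime(2025, 3, 1, 0, 0), datetime(2025, 3, 1, 6, 0),
             datetime(2025, 3, 1, 8, 0), True),
    Incident("INC-2", "P1", datetime(2025, 3, 2, 0, 0), datetime(2025, 3, 3, 12, 0),
             datetime(2025, 3, 3, 20, 0), True),
    Incident("INC-3", "P2", datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 10, 0),
             datetime(2025, 3, 4, 14, 0), True),
    Incident("INC-4", "P3", None, datetime(2025, 3, 5, 11, 0), None, False),
    Incident("INC-5", "P2", datetime(2025, 3, 6, 8, 0), datetime(2025, 3, 6, 17, 0),
             datetime(2025, 3, 6, 20, 0), True),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttd_hours(incidents: List[Incident]) -> float:
    """Mean Time to Detect: attacker entry -> alert, averaged over true positives."""
    vals = [_hours(i.alert - i.entry) for i in incidents if i.true_positive and i.entry]
    return mean(vals) if vals else 0.0


def mttr_hours(incidents: List[Incident], priority: Optional[str] = None) -> float:
    """Mean Time to Respond: alert -> containment, optionally for one priority only."""
    vals = [_hours(i.contained - i.alert) for i in incidents
            if i.true_positive and i.contained
            and (priority is None or i.priority == priority)]
    return mean(vals) if vals else 0.0


def false_positive_rate(incidents: List[Incident]) -> float:
    """Percentage of alerts that were not real attacks."""
    if not incidents:
        return 0.0
    return 100.0 * sum(1 for i in incidents if not i.true_positive) / len(incidents)


def dwell_time_days(incidents: List[Incident]) -> Dict[str, float]:
    """Days the attacker operated before detection, as mean and worst case."""
    days = [_hours(i.alert - i.entry) / 24.0 for i in incidents if i.true_positive and i.entry]
    if not days:
        return {"mean": 0.0, "max": 0.0}
    return {"mean": mean(days), "max": max(days)}


def health_check(incidents: List[Incident]) -> Dict[str, bool]:
    """The lesson's two weekly thresholds: MTTD over 24 h, P1 MTTR over 4 h."""
    return {
        "detection_coverage_problem": mttd_hours(incidents) > 24.0,
        "process_problem": mttr_hours(incidents, "P1") > 4.0,
    }


if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(SAMPLE_INCIDENTS):.1f} h")
    print(f"MTTR (all): {mttr_hours(SAMPLE_INCIDENTS):.2f} h, P1: {mttr_hours(SAMPLE_INCIDENTS, 'P1'):.1f} h")
    print(f"False positive rate: {false_positive_rate(SAMPLE_INCIDENTS):.0f}%")
    print(f"Dwell: {dwell_time_days(SAMPLE_INCIDENTS)}")
    print(health_check(SAMPLE_INCIDENTS))
```

Note that false positives are excluded from MTTD and MTTR (they have no entry or containment time) but counted in the false-positive rate; mixing them into the time averages is a common way to make MTTR look better than it is.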
📝 Day 5 Exercise
Document Your SOC Playbooks
  1. Write a detection rule document for the PowerShell encoded command rule using the template above
  2. Create a Git repository for your SOC documentation: rules/, playbooks/, runbooks/
  3. Write a triage playbook for phishing email alerts (5 investigation steps, 3 escalation criteria)
  4. Calculate MTTD and MTTR for 5 incidents from your lab exercises
  5. Research Blue Team Labs Online (blueteamlabs.online) and complete one free SOC investigation challenge

Day 5 Summary

Challenge

Complete the 'The Report' or 'Infection Monkey' challenge on Blue Team Labs Online. Write a detailed analyst report documenting your investigation methodology, findings, and IOCs in a format suitable for a job interview portfolio.

Course Complete

Completing all five days gives you a solid working knowledge of SOC operations. The skills here translate directly to real projects. The next step is practice: pick a project and build something with what you have learned.

Day 5 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic build on the previous four days, given that this is the final lesson?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
