Module 15: Security Automation & AI-Assisted Operations
Automate the repetitive, augment with AI. Focus on what requires a human.
You'll automate the Shadow Broker response — alert enrichment, case creation, and IOC blocking.
Lessons & Labs
Security Automation & SOAR Fundamentals
SOAR concepts, automation vs orchestration, Shuffle architecture, what to automate vs keep manual
Lab 15.1 — Your First Shuffle Playbook
Set up Shuffle and create an alert-to-enrichment workflow: Wazuh alert → VirusTotal lookup → TheHive case.
Building Automated Playbooks
Playbook design principles, Shuffle workflow builder, phishing response playbook, error handling
Lab 15.2 — Phishing Response Playbook
Build an end-to-end phishing playbook: extract IOCs → enrich → check MISP → create case → notify.
Integration & Orchestration
Connecting Wazuh/TheHive/MISP/Velociraptor, API integrations, enrichment pipelines, automated containment
Lab 15.3 — Multi-Tool Orchestration
Full SOC pipeline: Wazuh alert → MISP enrichment → TheHive case → Velociraptor containment.
AI-Assisted Triage & Investigation
LLM applications in the SOC — alert summarization, prompt engineering for analysts, limitations, and the future of AI-assisted hunting
Lab 15.4 — AI-Assisted Alert Analysis
Browser-only: Write effective prompts for alert analysis, evaluate AI output for accuracy, identify hallucinations, write an AI triage SOP.
AI-Assisted SOC Operations
LLM-powered alert triage, prompt engineering for security analysis, AI-generated reports, human-in-the-loop validation
Lab 15.5 — AI-Powered SOC Operations
Browser-only: Use AI prompt templates to triage alerts, generate investigation summaries, and write an AI triage SOP.