WEEK_4 · DAY_27 · LAB

Lab 27 — Brute Force Playbook

Automate the analyst — Splunk SOAR (Phantom)


Lab Objectives

  • Understand SOAR concepts: playbook, asset, action, artifact
  • Author a brute-force response playbook
  • Add human approval gates for destructive actions
  • Measure analyst time saved

Lab Instructions

  1. Notable: N-2041 (Brute Force).
  2. Sketch a playbook: enrich src_ip (geo, threat) → check user exists → block at FW (approval) → notify.
  3. Decide which steps are auto vs approval-gated.
  4. Estimate time saved per incident (typically 15-30 min).
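As an added example (not code from this lab or from Splunk SOAR itself), a Python sketch of the playbook flow from steps 2 and 3: enrichment and the user check run automatically, while the firewall block is a destructive action routed through an approval callback. The notable fields, IP addresses, user directory and threat scores are constructed sample values, and the lookups are stand-ins for real SOAR actions.

```python
"""Constructed model of the Lab 27 brute-force playbook (added example;
the enrichment and approval calls stand in for Splunk SOAR actions)."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed notable event: sample values, not real data.
NOTABLE = {"id": "N-2041", "rule": "Brute Force",
           "src_ip": "203.0.113.45", "user": "jdoe"}

# Constructed directory used by the "check user exists" step.
DIRECTORY = {"jdoe", "asmith"}

# Only sources scoring at or above this are proposed for a firewall block.
BLOCK_THRESHOLD = 70


@dataclass
class Result:
    actions_run: list = field(default_factory=list)       # executed automatically
    pending_approval: list = field(default_factory=list)  # waiting on a human


def enrich(ip: str) -> dict:
    """Stand-in for geo/threat-intel enrichment (203.0.113.0/24 is TEST-NET-3)."""
    hostile = ip.startswith("203.0.113.")
    return {"geo": "TEST-NET", "threat_score": 85 if hostile else 10}


def run_playbook(notable: dict, approve: Callable[[str], bool]) -> Result:
    """Run the sketched flow; `approve` is the human gate for destructive steps."""
    res = Result()
    ctx = enrich(notable["src_ip"])
    res.actions_run.append("enrich src_ip")

    known = notable["user"] in DIRECTORY
    res.actions_run.append(f"check user exists: {'found' if known else 'unknown'}")

    # Blocking changes production state, so it never runs without approval.
    if ctx["threat_score"] >= BLOCK_THRESHOLD:
        action = f"block {notable['src_ip']} at FW"
        if approve(action):
            res.actions_run.append(action)
        else:
            res.pending_approval.append(action)

    res.actions_run.append("notify")  # non-destructive, always automatic
    return res
```

Running it with `approve=lambda a: False` shows the block parked in `pending_approval` while enrichment and notification still complete, which is the split step 3 asks you to decide on.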