During a security operations center (SOC) process-improvement workshop, the team catalogs routine activities to decide which should be included in the initial SOAR (security orchestration, automation, and response) playbooks. The list includes (1) daily enrichment of SIEM alerts with threat-intelligence data, (2) executive approval of high-risk firewall rule changes, (3) root-cause analysis meetings after major incidents, and (4) an annual review of incident-response policy. Which task is MOST appropriate to automate first?
Daily enrichment of SIEM alerts with threat-intelligence data
Annual review of incident-response policy
Root-cause analysis meetings after major incidents
Executive approval of high-risk firewall rule changes
Daily enrichment of SIEM alerts with threat-intelligence data follows the same steps every time and does not require subjective decision-making. Automating this repeatable, high-volume task accelerates alert triage and frees analysts for higher-value investigations. The other activities involve complex judgment, high business risk, or occur too infrequently for automation to yield efficiency gains, so they should retain human oversight or remain manual until the SOAR program is more mature.