5.7.1. Use Cases for Automation and Scripting
💡 First Principle: Automation is most valuable for tasks that are repetitive, time-sensitive, and rule-based. Not every task should be automated: tasks requiring judgment, context, or exception handling should remain with humans. The goal is to automate the predictable so humans can focus on the unpredictable.
User provisioning/deprovisioning - automatically creating accounts with role-based permissions when an employee joins, and revoking all access when they leave. This eliminates delays and forgotten accounts. Automated deprovisioning is especially critical: orphaned accounts belonging to former employees are a common attack vector, because no current user is watching them and nobody notices when they are abused.
Guard rails - automated policies that prevent misconfigurations: cloud guardrails that block public S3 buckets, IaC validation that catches hardcoded secrets, network rules that reject overly broad firewall exceptions. Guard rails run at the point of change (a CI check, an admission controller, a cloud policy) and prevent mistakes before they happen rather than detecting them after the fact.
Security groups - automated management of network security groups based on resource tags, roles, or compliance requirements. When a new server is tagged "production-web", automation applies the standard web server security group rules. Because the tag now drives network access, permission to set tags must be restricted as tightly as permission to edit the rules themselves.
Ticket creation - automatically generating incident tickets when alerts meet defined criteria, with enrichment data (affected assets, threat intelligence, related alerts) attached. This ensures nothing falls through the cracks and that analysts have context before they start investigating.
Escalation - automatic escalation of tickets that aren't addressed within defined SLAs. For example, a critical alert unacknowledged for 15 minutes automatically escalates to the team lead; still unaddressed after an hour, it escalates to the CISO.
Enabling/disabling integrations and services - automatically disabling compromised service accounts, rotating API keys, or activating additional security controls during detected incidents.
Interaction with SOAR - Security Orchestration, Automation, and Response platforms connect security tools and automate multi-step response workflows (playbooks). SOAR turns manual runbooks into automated workflows that execute across firewalls, SIEMs, EDR, and ticketing systems in a coordinated sequence, with human approval gates wherever a step needs judgment.
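The guard rail and security group items above are easiest to understand as a pre-deploy check. The following is an added example, not code from the original page or from any vendor tool: a small IaC validator that blocks public S3 ACLs, hardcoded secrets (including the fixed AKIA... shape of an AWS access key ID), and security group ingress that opens an administrative port to the whole internet. The template is a constructed, CloudFormation-style JSON document; the resource names, the list of "admin" ports and the secret-property regex are assumptions chosen for the demonstration.

```python
import json
import re

# Constructed sample: a minimal CloudFormation-style JSON template (hypothetical; not
# taken from any real deployment). It contains one of each misconfiguration plus
# resources that are fine, so the guardrail has both hits and misses to judge.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "PublicLogs": {"Type": "AWS::S3::Bucket",
                       "Properties": {"AccessControl": "PublicRead"}},
        "PrivateData": {"Type": "AWS::S3::Bucket",
                        "Properties": {"AccessControl": "Private"}},
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"MasterUserPassword": "Sup3rS3cret!"}},
        "WebSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"SecurityGroupIngress": [
                      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    }
})

# Canned ACLs that expose bucket contents beyond the owning account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# Property names that must never carry a literal value in source control (assumed list).
SECRET_KEY = re.compile(r"password|secret|token|api_?key", re.IGNORECASE)
# AWS access key IDs have a fixed, easily matched shape; a generic entropy check is out of scope here.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Ports where an ingress rule open to the whole internet is almost always a mistake (assumed list).
ADMIN_PORTS = {22, 3389, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}


def check_template(template_text):
    """Return sorted (resource, rule, detail) findings for a JSON template string."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})

        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((name, "public-s3-bucket", props["AccessControl"]))

        for key, value in props.items():
            # A dict here is an intrinsic such as {"Ref": ...} resolved at deploy time,
            # i.e. the secret comes from a parameter or secret store, which is what we want.
            if SECRET_KEY.search(key) and isinstance(value, str):
                findings.append((name, "hardcoded-secret", key))
            if isinstance(value, str) and AWS_KEY_ID.search(value):
                findings.append((name, "hardcoded-aws-key-id", key))

        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
                    lo = int(rule.get("FromPort", 0))
                    hi = int(rule.get("ToPort", 65535))
                    # 443 open to the world is normal for a web tier; 22 is not.
                    if any(lo <= p <= hi for p in ADMIN_PORTS):
                        findings.append((name, "world-open-admin-port", f"{lo}-{hi}"))
    return sorted(findings)


def gate(template_text):
    """Guardrail entry point for a CI step: True lets the change proceed, False blocks it."""
    return not check_template(template_text)


if __name__ == "__main__":
    for resource, rule, detail in check_template(SAMPLE_TEMPLATE):
        print(f"BLOCK {resource}: {rule} ({detail})")
    print("deploy allowed:", gate(SAMPLE_TEMPLATE))
```

The point of the `gate` function is where it sits: wired into the pipeline before `apply`, it refuses the change outright, which is what distinguishes a guard rail from a scanner that files a finding after the bucket is already public. Note that a password supplied via an intrinsic reference passes, so the check pushes teams toward a secret store rather than simply failing them.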
⚠️ Exam Trap: SOAR orchestrates multi-tool workflows. SIEM correlates and alerts. They're different tools that work together: SIEM detects, SOAR responds. If a question asks about automating the response to a detected threat, SOAR is the answer.
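The ticket creation, escalation and SOAR items above describe one playbook: qualify the alert, open an enriched ticket, decide which tools to drive, and escalate along the SLA ladder if nobody acknowledges it. The following is an added example, not code from the original page or from any SOAR product, showing that playbook as plain functions. The asset inventory, threat-intel entries, recent alerts and the "high" severity SLA rung are constructed assumptions; the critical rungs (15 minutes to team lead, one hour to CISO) follow the text above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-ins for the systems a SOAR playbook would query (a CMDB,
# a threat-intel feed, the SIEM's recent alerts). Hypothetical data, not real.
ASSET_DB = {
    "10.0.1.15": {"hostname": "web-prod-03", "owner": "web-team", "tier": "production"},
    "10.0.9.40": {"hostname": "dev-box-07", "owner": "dev-team", "tier": "development"},
}
THREAT_INTEL = {"203.0.113.77": "constructed sample entry: listed as C2 infrastructure"}
RECENT_ALERTS = [
    {"id": "A-100", "asset": "10.0.1.15", "rule": "outbound-to-rare-ip", "severity": "medium"},
]
# Escalation ladder per severity, kept as data so the SOC can tune it without code changes.
# Critical rungs mirror the text above; the "high" rung is an assumed placeholder.
SLA_LADDER = {
    "critical": [(timedelta(minutes=15), "team-lead"), (timedelta(hours=1), "ciso")],
    "high": [(timedelta(hours=4), "team-lead")],
}
T0 = datetime(2024, 1, 1, 12, 0)  # constructed "now" so the demo is deterministic


def at(minutes):
    """Clock helper for the demo: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Ticket:
    alert_id: str
    severity: str
    opened_at: datetime
    assignee: str = "soc-queue"
    acknowledged: bool = False
    enrichment: dict = field(default_factory=dict)
    escalations: list = field(default_factory=list)


def should_ticket(alert):
    """Ticketing criteria (assumed): high/critical always; medium only on a threat-intel hit."""
    if alert["severity"] in ("critical", "high"):
        return True
    return alert["severity"] == "medium" and alert.get("remote_ip") in THREAT_INTEL


def enrich(alert):
    """Attach the context an analyst would otherwise have to look up by hand."""
    unknown = {"hostname": "unknown", "owner": "unknown", "tier": "unknown"}
    return {
        "asset": ASSET_DB.get(alert["asset"], unknown),
        "remote_ip": alert.get("remote_ip"),
        "intel": THREAT_INTEL.get(alert.get("remote_ip")),
        "related_alerts": [a["id"] for a in RECENT_ALERTS
                           if a["asset"] == alert["asset"] and a["id"] != alert["id"]],
    }


def create_ticket(alert, now):
    """Step 1: open an enriched ticket, or return None if the alert does not qualify."""
    if not should_ticket(alert):
        return None
    return Ticket(alert["id"], alert["severity"], now, enrichment=enrich(alert))


def plan_actions(ticket):
    """Step 2: decide which tools to drive. Returns (tool, action, target, automatic);
    automatic=False marks a step that waits for analyst approval before it runs."""
    actions = []
    asset = ticket.enrichment["asset"]
    if ticket.enrichment["intel"] and ticket.enrichment["remote_ip"]:
        actions.append(("firewall", "block-ip", ticket.enrichment["remote_ip"], True))
    if ticket.severity == "critical":
        # Isolating a production host is a judgment call (see the first principle above),
        # so it is queued for approval instead of executed outright.
        actions.append(("edr", "isolate-host", asset["hostname"], asset["tier"] != "production"))
    actions.append(("chat", "notify-owner", asset["owner"], True))
    return actions


def escalate(ticket, now):
    """Step 3: walk the SLA ladder for an unacknowledged ticket; each rung fires once."""
    if ticket.acknowledged:
        return ticket.escalations
    age = now - ticket.opened_at
    for threshold, target in SLA_LADDER.get(ticket.severity, []):
        if age >= threshold and target not in ticket.escalations:
            ticket.escalations.append(target)
            ticket.assignee = target
    return ticket.escalations


if __name__ == "__main__":
    alert = {"id": "A-101", "asset": "10.0.1.15", "rule": "outbound-to-rare-ip",
             "severity": "critical", "remote_ip": "203.0.113.77"}
    ticket = create_ticket(alert, at(0))
    print(ticket.enrichment)
    print(plan_actions(ticket))
    print(escalate(ticket, at(20)))   # ['team-lead']
    print(escalate(ticket, at(70)))   # ['team-lead', 'ciso']
```

Two design points matter more than the plumbing. Escalation is idempotent (a rung fires once, so a scheduler can call `escalate` every minute), and the actions list separates what runs automatically from what waits for a human, which is how the first principle above turns into code: blocking a known-bad IP is rule-based, quarantining a production web server is not.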
