ClaudeWave

CSOC Operations & Playbook Automation

SOC alert triage, incident playbook automation, escalation workflows, shift reporting, and SOC KPI tracking

Install in Claude Code
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/csoc-operations-playbook-automation && cp -r /tmp/csoc-operations-playbook-automation/skills/11-csoc-automation ~/.claude/skills/csoc-operations-playbook-automation
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# CSOC Operations & Playbook Automation

## Purpose

Enable Claude to assist Cyber Security Operations Center (CSOC) teams with structured alert triage, automated playbook creation, escalation workflow design, shift handover reporting, and SOC metrics analysis. Claude produces operational artifacts that analysts can execute directly or adapt to their SOAR platforms.

---

## Activation Triggers

This skill activates when the user asks about:
- Triaging SIEM alerts or security events
- Creating incident response playbooks for SOC analysts
- Designing escalation workflows and notification chains
- Generating SOC shift handover reports
- Calculating SOC metrics (MTTD, MTTR, FPR)
- Automating repetitive SOC tasks
- Playbook conversion to Splunk SOAR, Palo Alto XSOAR, or ServiceNow
- SOC analyst decision support and runbooks
- Alert fatigue reduction strategies
- Alert correlation and deduplication

---

## Prerequisites

```bash
pip install pyyaml jinja2 requests python-dateutil
```

**Platform integrations:**
- `Splunk SOAR` — Playbook automation
- `Palo Alto XSOAR` — SOAR platform
- `TheHive` — Open-source IR platform
- `ServiceNow` — ITSM ticketing
- `PagerDuty / OpsGenie` — Alerting and on-call

---

## Core Capabilities

### 1. Alert Triage Automation

**When the user provides SIEM alerts and asks to triage:**

**Triage Decision Framework:**

```
Step 1: Parse alert data
  - Source: SIEM, EDR, WAF, IDS, email security, cloud audit logs
  - Extract: timestamp, source IP, destination, user, process, alert type

Step 2: Asset criticality lookup
  - Is the asset business-critical? (production DB, domain controller, payment system)
  - Is the user privileged? (admin, developer, finance)
  - What is the asset's network exposure?

Step 3: Threat context enrichment
  - IP reputation: Check against reputation feeds (AbuseIPDB, VirusTotal) and exposure data (Shodan)
  - Hash reputation: VirusTotal lookup for file hashes
  - Domain reputation: Phishtank, URLhaus, MX Toolbox
  - User risk score: Recent activity anomalies, recent password resets

Step 4: Apply triage matrix
```

**Alert Triage Matrix:**

| Alert Confidence | Asset Criticality | Recommended Action | SLA |
|----------------|-------------------|--------------------|-----|
| High | Critical | Immediate escalation to Tier 2/3 — declare incident | 15 min |
| High | High | Tier 1 priority investigation | 30 min |
| High | Medium | Tier 1 standard investigation | 1 hour |
| High | Low | Tier 1 standard queue | 4 hours |
| Medium | Critical | Tier 1 priority investigation | 30 min |
| Medium | High | Tier 1 standard investigation | 2 hours |
| Medium | Low | Standard queue, investigate if pattern emerges | 8 hours |
| Low | Any | Auto-close with documentation and note | 24 hours |
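The four steps and the matrix above, worked through in Python as an added example (this is not the skill's own `scripts/alert_triager.py`). The asset inventory, privileged-user list and IP blocklist are inline stubs standing in for CMDB, IAM and AbuseIPDB lookups, and the sample alerts are constructed. Two choices a practitioner should notice: the table has no Medium/Medium cell, so the lookup fails closed by taking the next higher criticality row and recording that in the notes, and a host missing from inventory is assumed medium and flagged rather than treated as low. The P1-P4 mapping from matrix action to priority is an assumption, since the page does not define it.

```python
"""Triage matrix worked example: added here, not the skill's alert_triager.py.
Runs Steps 1-4 over constructed sample alerts. ASSET_INVENTORY, PRIVILEGED_USERS
and IP_BLOCKLIST are hypothetical stubs for the CMDB / IAM / AbuseIPDB lookups.
"""
import json
from datetime import datetime, timedelta, timezone

# Step 4 matrix, transcribed from the table: (confidence, criticality) -> (action, SLA minutes)
TRIAGE_MATRIX = {
    ("high", "critical"):   ("Immediate escalation to Tier 2/3 - declare incident", 15),
    ("high", "high"):       ("Tier 1 priority investigation", 30),
    ("high", "medium"):     ("Tier 1 standard investigation", 60),
    ("high", "low"):        ("Tier 1 standard queue", 240),
    ("medium", "critical"): ("Tier 1 priority investigation", 30),
    ("medium", "high"):     ("Tier 1 standard investigation", 120),
    ("medium", "low"):      ("Standard queue, investigate if pattern emerges", 480),
}
LOW_CONFIDENCE = ("Auto-close with documentation and note", 1440)   # the "Low | Any" row
CRITICALITY = ["low", "medium", "high", "critical"]

# Step 2 stubs (hypothetical inventory data).
ASSET_INVENTORY = {"db-prod-01": "critical", "fin-ws-17": "medium", "kiosk-03": "low"}
PRIVILEGED_USERS = {"admin.jsmith", "svc_backup"}
# Step 3 stub (hypothetical): a real deployment queries AbuseIPDB / VirusTotal here.
IP_BLOCKLIST = {"198.51.100.23"}

def raise_criticality(level):
    """One step up the criticality scale, capped at critical."""
    return CRITICALITY[min(CRITICALITY.index(level) + 1, len(CRITICALITY) - 1)]

def lookup_matrix(confidence, criticality):
    """Return (action, sla_minutes, key_used). Fails closed on a missing cell."""
    if confidence == "low":
        return LOW_CONFIDENCE + (("low", "any"),)
    key = (confidence, criticality)
    while key not in TRIAGE_MATRIX:
        # No Medium/Medium cell in the table: use the next higher criticality
        # row instead of silently dropping the alert into a slower queue.
        key = (confidence, raise_criticality(key[1]))
    return TRIAGE_MATRIX[key] + (key,)

def priority_for(action):
    """Map the matrix action onto the P1-P4 scale of the summary (assumed mapping)."""
    if "declare incident" in action:
        return "P1 Critical"
    if "priority investigation" in action:
        return "P2 High"
    if action.startswith("Auto-close"):
        return "P4 Low"
    return "P3 Medium"

def triage(alert):
    """Steps 1-4 for one parsed alert dict; returns a triage record."""
    notes = []
    # Step 1: parse the fields the framework lists.
    ts = datetime.fromisoformat(alert["timestamp"]).astimezone(timezone.utc)
    host, user, src_ip = alert["host"], alert.get("user", ""), alert.get("src_ip", "")
    confidence = alert["confidence"].lower()
    # Step 2: asset criticality; unknown hosts are assumed medium and flagged.
    criticality = ASSET_INVENTORY.get(host)
    if criticality is None:
        criticality = "medium"
        notes.append(f"{host} not in asset inventory; criticality assumed medium")
    if user in PRIVILEGED_USERS:
        criticality = raise_criticality(criticality)
        notes.append(f"privileged user {user}; criticality raised to {criticality}")
    # Step 3: enrichment; a blocklisted source raises confidence to high.
    ip_rep = "malicious" if src_ip in IP_BLOCKLIST else "unknown"
    if ip_rep == "malicious" and confidence != "high":
        notes.append(f"{src_ip} on blocklist; confidence raised from {confidence} to high")
        confidence = "high"
    # Step 4: matrix lookup and SLA deadline.
    action, sla_min, key_used = lookup_matrix(confidence, criticality)
    if confidence != "low" and key_used != (confidence, criticality):
        notes.append(f"no matrix cell for {confidence}/{criticality}; used {key_used[0]}/{key_used[1]}")
    return {
        "alert_id": alert["id"], "alert_type": alert["type"], "time_utc": ts.isoformat(),
        "asset": host, "criticality": criticality, "confidence": confidence,
        "src_ip_reputation": ip_rep, "action": action, "priority": priority_for(action),
        "sla_minutes": sla_min, "due_utc": (ts + timedelta(minutes=sla_min)).isoformat(),
        "notes": notes,
    }

def triage_all(alerts):
    """Triage a batch and order it as a work queue: earliest SLA deadline first."""
    return sorted((triage(a) for a in alerts), key=lambda r: r["due_utc"])

# Constructed sample input (not real SIEM data).
SAMPLE_ALERTS = [
    {"id": "A-1001", "type": "Brute Force Login", "timestamp": "2025-05-28T09:14:00+00:00",
     "host": "db-prod-01", "user": "dbadmin", "src_ip": "198.51.100.23", "confidence": "medium"},
    {"id": "A-1002", "type": "Suspicious PowerShell", "timestamp": "2025-05-28T09:20:00+00:00",
     "host": "fin-ws-17", "user": "admin.jsmith", "src_ip": "10.0.4.12", "confidence": "medium"},
    {"id": "A-1003", "type": "Port Scan", "timestamp": "2025-05-28T09:25:00+00:00",
     "host": "kiosk-03", "src_ip": "203.0.113.9", "confidence": "low"},
    {"id": "A-1004", "type": "Malware Alert", "timestamp": "2025-05-28T09:30:00+00:00",
     "host": "hr-laptop-44", "user": "pjones", "confidence": "medium"},
]

if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_ALERTS), indent=2))
```

Run it and the queue comes back ordered by SLA deadline: A-1001 lands in the P1 row because the blocklisted source lifted its confidence to high on a critical asset, A-1002 is raised to high criticality by the privileged user, A-1004 shows the fail-closed fallback for the missing Medium/Medium cell, and the low-confidence port scan is auto-closed last with its 24-hour note. The records, including the notes list, are what you would feed into the Triage Analysis Output Format that follows.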

**Triage Analysis Output Format:**
```markdown
## Alert Triage Summary

**Alert ID:** [ID]
**Alert Type:** [Type — e.g., Brute Force Login]
**Source:** [Source IP/User/Host]
**Time:** [UTC timestamp]
**SIEM Rule:** [Rule name that triggered]

**Asset Assessment:**
- Asset: [Hostname/IP]
- Criticality: [Critical / High / Medium / Low]
- Role: [e.g., Production Database Server]

**Threat Context:**
- Source IP Reputation: [Malicious / Suspicious / Clean / Unknown]
- Source IP Location: [Country, ASN]
- Known threat actor: [Yes/No — if yes, attribution]
- Related IOCs found: [Yes/No]

**Verdict:** [True Positive / False Positive / Undetermined]
**Triage Action:** [Escalate to Tier 2 / Investigate / Close / Watch]
**Recommended Playbook:** [Playbook name]
**Priority:** [P1 Critical / P2 High / P3 Medium / P4 Low]

**Analyst Notes:**
[Notes from triage]
```

```bash
# Automated triage with script
python scripts/alert_triager.py --alerts alerts.json --output triage_results.json
python scripts/alert_triager.py --alerts siem_export.csv --playbook default --auto-assign
```

### 2. Incident Playbook Creation

**When the user asks to create a SOC playbook:**

**Playbook YAML Template (SOAR-compatible):**

```yaml
# CSOC Playbook: Phishing Email Response
# Compatible with: Splunk SOAR, XSOAR, TheHive
# Last updated: 2025-05-28

name: phishing_email_response
version: "2.0"
trigger:
  alert_types:
    - "Email Security - Phishing Detected"
    - "User Reported Phishing"
  severity: [medium, high, critical]

variables:
  - name: sender_email
    type: string
  - name: recipient_email
    type: string
  - name: email_subject
    type: string
  - name: attachment_hash
    type: string
    required: false

tasks:
  - id: "1-extract-artifacts"
    name: "Extract Email Artifacts"
    type: automated
    actions:
      - Extract sender, recipients, subject, body, attachments
      - Defang all URLs and IPs found in email body
      - Calculate SHA256 of all attachments
      - Extract email headers (SPF, DKIM, DMARC results)
    output:
      - sender_ip
      - sender_domain
      - urls_in_body
      - attachment_hashes

  - id: "2-enrich-indicators"
    name: "Enrich IOCs with Threat Intelligence"
    type: automated
    depends_on: ["1-extract-artifacts"]
    actions:
      - VirusTotal lookup: sender_ip, attachment_hashes, urls_in_body
      - URLhaus lookup: all URLs
      - AbuseIPDB lookup: sender_ip
      - Check internal blocklists
    output:
      - vt_results
      - url_classification
      - ip_reputation

  - id: "3-assess-impact"
    name: "Assess Who Clicked / Opened Attachment"
    type: manual
    depends_on: ["2-enrich-indicators"]
    analyst_actions:
      - "Check email security gateway: did anyone click the link?"
      - "Check proxy logs: any traffic to phishing domain?"
      - "Check EDR: any process execution from attachment?"
    decision_point:
      - condition: "User clicked link OR opened attachment"
        action: escalate_to_incident
      - condition: "No user interaction confirmed"
        action: continue_to_containment

  - id: "4-contain"
    name: "Email and Infrastructure Containment"
    type: hybrid
    actions:
      - Block sender domain in email gateway