Automating Incident Response: How AI Can Help Your SOC
Security teams are overwhelmed with alerts. Learn how AI and automation can help triage incidents, reduce response times, and let analysts focus on real threats.
The Alert Fatigue Problem
Here's a typical day for a SOC analyst: 500 alerts, 8 hours, 2 actual incidents buried somewhere in the noise. The rest? False positives, low-priority events, and alerts that could have been auto-resolved.
This isn't sustainable. Analysts burn out, real threats get missed, and security suffers.
Automation isn't about replacing analysts. It's about handling the tedious stuff so humans can focus on what requires human judgment.
What Can (and Should) Be Automated
Tier 1: Full Automation
These should happen without human involvement:
- Known false positives
- Automatic enrichment (adding context to alerts)
- Standard responses (password resets after phishing, blocking known-bad IPs)
- Compliance logging
Tier 2: Automation with Verification
Automation does the work, human confirms before execution:
- Account lockouts
- Quarantining endpoints
- Blocking domains/IPs
Tier 3: Human-Led, AI-Assisted
Complex incidents where AI provides analysis:
- Advanced malware investigation
- Insider threat cases
- Incident scoping
Building Your Automation Stack
SOAR Platforms
Popular options: Microsoft Sentinel + Logic Apps, Splunk SOAR, Palo Alto XSOAR, Tines.
Basic Automation Playbook: Phishing Response
- Extract indicators (sender, URLs, attachment hashes)
- Enrich (check threat intel, scan URLs, analyze attachments)
- Auto-classify based on findings
- Execute response actions
- Document everything
AI-Enhanced Triage
AI can help prioritize alerts by analyzing context, recent activity, threat intelligence, and asset criticality.
Measuring Success
| Metric | Before | Target |
|---|---|---|
| Mean Time to Acknowledge | 45 min | 5 min |
| Mean Time to Respond | 4 hours | 1 hour |
| Alerts per Analyst per Day | 150 | 30 (meaningful ones) |
| False Positive Rate | 85% | 40% |
Common Pitfalls
1. Automating Too Much Too Fast
Start small. Pick one alert type, automate it well, measure results, then expand.
2. No Human Override
Always have a way to disable automation.
3. Poor Documentation
Every automated action should be logged.
4. Set and Forget
Automation needs maintenance. Threats evolve.
Practical Guide: PowerShell & CLI Commands for Incident Response
These are real commands you can use during incident response. Copy, adapt, and automate them.
Initial Triage Commands
Get system information:
# Windows - Basic system info
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsArchitecture, LastBootUpTime
# Linux - System overview
hostnamectl && uptime && whoCheck running processes:
# Windows - Find suspicious processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Name, Id, CPU, Path
# Windows - Processes with network connections
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'} |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
@{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
# Linux - Active connections with processes
ss -tunapl | grep ESTABCheck scheduled tasks and persistence:
# Windows - Scheduled tasks (common persistence mechanism)
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} |
Select-Object TaskName, TaskPath, State
# Windows - Startup programs
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
# Linux - Cron jobs for all users
for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null; doneLog Collection Commands
Windows Event Logs:
# Failed login attempts (last 24 hours)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625;StartTime=(Get-Date).AddHours(-24)} |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}},
@{N='Source IP';E={$_.Properties[19].Value}}
# Successful logins from new sources
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624;StartTime=(Get-Date).AddHours(-24)} |
Where-Object {$_.Properties[8].Value -notin @(2,7)} |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}},
@{N='LogonType';E={$_.Properties[8].Value}}
# PowerShell execution logs
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents 100 |
Where-Object {$_.Id -eq 4104} | Select-Object TimeCreated, MessageLinux Logs:
# Authentication failures
grep -i 'failed\|failure' /var/log/auth.log | tail -50
# SSH access
grep 'sshd' /var/log/auth.log | grep -E 'Accepted|Failed' | tail -50
# Sudo usage
grep 'sudo' /var/log/auth.log | tail -50Containment Actions
Isolate a compromised machine:
# Windows - Block all outbound except management
New-NetFirewallRule -DisplayName 'IR-Block-Outbound' -Direction Outbound -Action Block
New-NetFirewallRule -DisplayName 'IR-Allow-Management' -Direction Outbound -Action Allow -RemotePort 22,3389 -Protocol TCP
# Linux - Block all outbound (iptables)
iptables -I OUTPUT -p tcp --dport 1:65535 -j DROP
iptables -I OUTPUT -p tcp --dport 22 -j ACCEPT # Keep SSHDisable compromised account:
# Windows - Disable AD account
Disable-ADAccount -Identity 'compromised_user'
# Windows - Force logout
query user /server:COMPUTERNAME
logoff SESSION_ID /server:COMPUTERNAME
# Linux - Lock account
passwd -l compromised_user
pkill -u compromised_userKill malicious process:
# Windows - Kill by name
Stop-Process -Name 'malware' -Force
# Windows - Kill by PID
Stop-Process -Id 1234 -Force
# Linux
kill -9 1234Evidence Preservation
Hash suspicious files:
# Windows
Get-FileHash -Path 'C:\suspicious\file.exe' -Algorithm SHA256
# Linux
sha256sum /path/to/suspicious/fileCopy evidence with metadata:
# Windows - Copy preserving timestamps
robocopy 'C:\Users\victim\' 'E:\Evidence\' /COPY:DAT /E /LOG:evidence.log
# Linux - Copy with metadata
cp -a --preserve=all /home/victim /evidence/Automation Script Template
Here's a basic PowerShell script to automate initial triage:
# IR-Triage.ps1 - Run on suspected compromised machine
$OutputPath = 'C:\IR-Evidence'
New-Item -ItemType Directory -Path $OutputPath -Force
# System Info
Get-ComputerInfo | Out-File "$OutputPath\system-info.txt"
# Network Connections
Get-NetTCPConnection | Export-Csv "$OutputPath\connections.csv"
# Running Processes
Get-Process | Select-Object Name, Id, Path, CPU | Export-Csv "$OutputPath\processes.csv"
# Recent Security Events
Get-WinEvent -FilterHashtable @{LogName='Security';StartTime=(Get-Date).AddHours(-24)} |
Export-Csv "$OutputPath\security-events.csv"
# Create archive
Compress-Archive -Path $OutputPath -DestinationPath 'C:\IR-Evidence.zip'Getting Started This Week
Day 1-2: Pick one high-volume, low-complexity alert type
Day 3-4: Build enrichment automation
Day 5: Add auto-classification
Week 2: Add response actions for clear-cut cases
Week 3+: Expand to other alert types
Automation is a force multiplier, not a replacement. The goal is a team of 5 operating like a team of 20, not a team of 0.
Get weekly security insights
Cloud security, zero trust, and identity guides — straight to your inbox.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
Questions & Answers
Related Articles
Azure AI Foundry Private Link Setup: Secure Azure OpenAI, AI Search, and Storage End-to-End
18 min read
MCP Server Security: How to Protect AI Agents from Prompt Injection and Tool Abuse (2026)
18 min read
Non-Human Identities (NHI): The Hidden Security Crisis Powering AI Agent Attacks in 2026
16 min read
Need Help with Your Security?
Our team of security experts can help you implement the strategies discussed in this article.
Contact Us