
Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.
CyberDudeBivash • SOC Engineering
SOC Automation with Python – CYBERDUDEBIVASH EDITION
By Cyberdudebivash • Updated 2025-12-19
cyberdudebivash.com | cyberbivash.blogspot.com
TL;DR
- SOC automation is about reducing analyst fatigue, not replacing analysts.
- Python is ideal for SOC automation due to speed, ecosystem, and readability.
- This guide shows how to build real-world, production-safe SOC automations.
- Focus: detection enrichment, alert triage, response orchestration, and auditability.
Table of Contents
- Why SOC Automation Matters
- Why Python for SOC Automation
- SOC Automation Architecture
- High-Impact Automation Use Cases
- Python Automation Example
- Safe Automated Response
- Hardening Automation Pipelines
- 30-60-90 Day SOC Automation Plan
- FAQ
1) Why SOC Automation Matters
Modern Security Operations Centers face a brutal reality: alerts grow exponentially while analyst headcount does not. Manual triage leads to missed incidents, burnout, and slow response.
SOC automation solves this by handling repeatable, deterministic tasks such as enrichment, correlation, suppression, and initial response—freeing analysts to focus on real investigations.
The goal is not “auto-blocking everything.” The goal is consistency, speed, and safety.
2) Why Python for SOC Automation
- Massive ecosystem: requests, pandas, psutil, elasticsearch, splunk-sdk
- Fast development and readability
- Easy API integration with SIEM, EDR, SOAR, Threat Intel
- Excellent for glue-code and orchestration
Python excels at connecting systems together—exactly what SOC automation requires.
3) SOC Automation Architecture
- Ingest: Alerts from SIEM, EDR, IDS, Cloud logs
- Enrich: IP, hash, domain, user, asset context
- Decide: Risk scoring + policy engine
- Respond: Ticket, isolate, block, notify
- Audit: Immutable logs + metrics
Automation must be modular. Never mix detection logic with destructive actions.
4) High-Impact SOC Automation Use Cases
- IOC enrichment (VirusTotal, MalwareBazaar, AbuseIPDB)
- Alert deduplication and suppression
- User risk scoring (impossible travel, brute force)
- Automated phishing triage
- Firewall / EDR block orchestration (policy-gated)
5) Python Example: Alert Enrichment + Decision
import os
import requests

ABUSEIPDB_URL = "https://api.abuseipdb.com/api/v2/check"

def enrich_ip(ip):
    # Read the key from the environment instead of hardcoding it in the script
    r = requests.get(
        ABUSEIPDB_URL,
        params={"ipAddress": ip},
        headers={"Key": os.environ["ABUSEIPDB_API_KEY"], "Accept": "application/json"},
        timeout=10
    )
    r.raise_for_status()  # fail loudly on HTTP errors instead of scoring an empty body as 0
    data = r.json().get("data", {})
    score = data.get("abuseConfidenceScore", 0)
    decision = "ALLOW"
    if score >= 80:
        decision = "BLOCK"
    elif score >= 40:
        decision = "REVIEW"
    return {
        "ip": ip,
        "score": score,
        "decision": decision
    }

if __name__ == "__main__":
    alert = enrich_ip("8.8.8.8")
    print(alert)
This pattern—signal → enrich → score → decide—is the foundation of all SOC automation.
6) Safe Automated Response
Automated response must be reversible and explainable.
- Alert-only (default)
- Create ticket + notify analyst
- Temporary block with expiry
- Host isolation only after multi-signal confirmation
7) Hardening SOC Automation Pipelines
- Least privilege API keys
- Policy versioning
- Audit logs for every decision
- Kill-switch for automation
- OWASP-style input validation
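The response ladder in section 6 and the hardening items in section 7 (policy versioning, audit logs, kill-switch) can be combined in one small decision engine. This is an added example, not code from the original post; the thresholds, the POLICY_VERSION tag, the KILL_SWITCH flag and the sample alert are constructed assumptions.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import List, Optional

POLICY_VERSION = "2025.12-v1"      # constructed version tag; bump it whenever thresholds change
KILL_SWITCH = {"enabled": False}   # set to True to force every decision back to alert-only

@dataclass
class Decision:
    action: str                    # "ALERT", "TICKET", "TEMP_BLOCK" or "ISOLATE"
    expires_at: Optional[float]    # epoch seconds when a TEMP_BLOCK must be lifted, else None
    reasons: List[str] = field(default_factory=list)
    policy_version: str = POLICY_VERSION

def decide(alert: dict, now: Optional[float] = None, block_ttl_s: int = 3600) -> Decision:
    """Map an enriched alert to the least destructive action the policy allows."""
    now = time.time() if now is None else now
    score = int(alert.get("score", 0))
    signals = set(alert.get("signals", []))   # e.g. {"ti_match", "edr_detection"}
    if KILL_SWITCH["enabled"]:
        return Decision("ALERT", None, ["kill switch engaged; automation paused"])
    if score >= 80 and len(signals) >= 2:     # isolation needs independent corroboration
        return Decision("ISOLATE", None, [f"score={score}", f"signals={sorted(signals)}"])
    if score >= 80:                           # one signal: reversible block with an expiry
        return Decision("TEMP_BLOCK", now + block_ttl_s, [f"score={score}", "single signal"])
    if score >= 40:
        return Decision("TICKET", None, [f"score={score}", "analyst review"])
    return Decision("ALERT", None, [f"score={score}"])

def audit_record(alert: dict, d: Decision) -> dict:
    """Append-only audit entry carrying the inputs, the outcome, the policy version and a hash."""
    body = {"ts": time.time(), "alert": alert, "decision": d.__dict__.copy()}
    raw = json.dumps(body, sort_keys=True).encode()
    body["sha256"] = hashlib.sha256(raw).hexdigest()   # lets a reviewer detect edited entries
    return body

if __name__ == "__main__":
    sample = {"ip": "203.0.113.9", "score": 85, "signals": ["ti_match"]}  # constructed alert
    d = decide(sample)
    print(json.dumps(audit_record(sample, d), indent=2))
```

Every TEMP_BLOCK carries its own expiry, so the same engine can later lift blocks whose `expires_at` has passed, and every decision is traceable to a policy version.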
8) 30-60-90 Day SOC Automation Plan
- 0-30: Alert enrichment + dashboards
- 31-60: Suppression + ticket automation
- 61-90: Controlled response actions
1) Splunk: Practical SPL queries (ready for SOC)
A) High-signal “suspicious PowerShell” (Windows EventCode 4688)
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688
| eval cmd=lower(CommandLine)
| where like(cmd,"%powershell%") AND (like(cmd,"% -enc %") OR like(cmd,"% -encodedcommand %") OR like(cmd,"%downloadstring%") OR like(cmd,"%iex%"))
| stats earliest(_time) as firstSeen latest(_time) as lastSeen values(ComputerName) as hosts values(ParentProcessName) as parent values(NewProcessName) as proc values(CommandLine) as cmdline count by AccountName
| sort - count
B) Office spawning shell (common initial access chain)
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688
| eval parent=lower(ParentProcessName), proc=lower(NewProcessName)
| where parent IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe") AND proc IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe")
| stats earliest(_time) as firstSeen latest(_time) as lastSeen values(ComputerName) as hosts values(CommandLine) as cmdline count by AccountName parent proc
| sort - count
C) Brute force / password spray (4625 failures)
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| stats count as failures dc(TargetUserName) as distinctUsers values(TargetUserName) as users by IpAddress, ComputerName
| where failures >= 20 OR distinctUsers >= 8
| sort - failures
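Query C is easy to reproduce in Python when you need the same thresholds outside Splunk (for example in a unit test for the rule, or over exported events). This is an added example, not from the original post; the 4625 events are constructed sample data, and the extra "spray" versus "brute_force" label is an assumption that goes one step beyond the SPL: many distinct users from one source is the spray signature, many failures against few users is classic brute force.

```python
from collections import defaultdict

# Constructed sample 4625 events (not real logs): one spraying source, one brute-forcing
# source, and one workstation with a handful of ordinary failed logons.
SAMPLE_4625 = (
    [{"IpAddress": "203.0.113.7", "ComputerName": "DC01", "TargetUserName": f"user{i:02d}"}
     for i in range(10)]
    + [{"IpAddress": "198.51.100.5", "ComputerName": "DC01", "TargetUserName": "svc_backup"}
       for _ in range(25)]
    + [{"IpAddress": "10.0.0.12", "ComputerName": "WS07", "TargetUserName": "alice"}
       for _ in range(3)]
)

def brute_force_candidates(events, min_failures=20, min_distinct_users=8):
    """Mirror the SPL: count and dc(TargetUserName) by IpAddress, ComputerName, then threshold."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e.get("EventCode", 4625) != 4625:   # guard in case mixed events are passed in
            continue
        key = (e["IpAddress"], e["ComputerName"])
        failures[key] += 1
        users[key].add(e["TargetUserName"])
    rows = []
    for key, n in failures.items():
        du = len(users[key])
        if n >= min_failures or du >= min_distinct_users:
            rows.append({
                "IpAddress": key[0], "ComputerName": key[1],
                "failures": n, "distinctUsers": du, "users": sorted(users[key]),
                "pattern": "spray" if du >= min_distinct_users else "brute_force",
            })
    return sorted(rows, key=lambda r: r["failures"], reverse=True)   # same as "sort - failures"

if __name__ == "__main__":
    for row in brute_force_candidates(SAMPLE_4625):
        print(row["pattern"], row["IpAddress"], row["ComputerName"], row["failures"], row["distinctUsers"])
```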
2) Splunk: Python automation (Splunk SDK) — run search + parse results
Install
pip install splunk-sdk
Python script: run SPL, return JSON results
import os
import json
import splunklib.client as client
import splunklib.results as results

SPLUNK_HOST = os.getenv("SPLUNK_HOST", "localhost")
SPLUNK_PORT = int(os.getenv("SPLUNK_PORT", "8089"))
SPLUNK_USER = os.getenv("SPLUNK_USER")
SPLUNK_PASS = os.getenv("SPLUNK_PASS")
SPLUNK_APP = os.getenv("SPLUNK_APP", "search")

QUERY = r'''
search index=wineventlog sourcetype=WinEventLog:Security EventCode=4688
| eval cmd=lower(CommandLine)
| where like(cmd,"%powershell%") AND (like(cmd,"% -enc %") OR like(cmd,"% -encodedcommand %"))
| stats count by AccountName, ComputerName, NewProcessName, CommandLine
| sort - count
| head 50
'''

def run_spl(query: str):
    service = client.connect(
        host=SPLUNK_HOST,
        port=SPLUNK_PORT,
        username=SPLUNK_USER,
        password=SPLUNK_PASS,
        app=SPLUNK_APP
    )
    # exec_mode="blocking" returns only once the search has finished
    job = service.jobs.create(query, exec_mode="blocking")
    # JSONResultsReader matches output_mode="json"; the older ResultsReader parses XML
    rr = results.JSONResultsReader(job.results(count=0, output_mode="json"))
    out = []
    for item in rr:
        if isinstance(item, dict):  # skip splunklib Message objects (search info/warnings)
            out.append(item)
    return out

if __name__ == "__main__":
    data = run_spl(QUERY)
    print(json.dumps({"count": len(data), "results": data}, indent=2))
3) Splunk: Create a “Notable” (ES) / send event back into Splunk (HEC)
If you don’t want to mess with ES notable APIs yet, the cleanest universal method is: send a structured alert event to Splunk via HEC.
Python: send detection to Splunk HEC
import os
import json
import time
import requests

HEC_URL = os.getenv("SPLUNK_HEC_URL")  # e.g. https://splunk.company:8088/services/collector
HEC_TOKEN = os.getenv("SPLUNK_HEC_TOKEN")
VERIFY_TLS = os.getenv("HEC_VERIFY_TLS", "true").lower() == "true"

def hec_send(event: dict, sourcetype="cyberdudebivash:shield", index="main", host=None):
    payload = {
        "time": int(time.time()),
        "host": host or event.get("host") or "CYBERDUDEBIVASH-Shield",
        "sourcetype": sourcetype,
        "index": index,
        "event": event
    }
    r = requests.post(
        HEC_URL,
        headers={"Authorization": f"Splunk {HEC_TOKEN}"},
        data=json.dumps(payload),
        timeout=10,
        verify=VERIFY_TLS
    )
    r.raise_for_status()
    return r.text

if __name__ == "__main__":
    alert = {
        "vendor": "CyberDudeBivash",
        "product": "CYBERDUDEBIVASH-Shield",
        "severity": "high",
        "rule": "Suspicious PowerShell EncodedCommand",
        "account": "example_user",
        "host": "WIN-01",
        "ioc": {"type": "process", "value": "powershell.exe"},
        "rationale": "encodedcommand flags detected",
    }
    print(hec_send(alert))
4) Elastic SIEM: Real KQL queries (Elastic Security)
A) Suspicious PowerShell encoded command (Windows)
event.code : "4688" and process.name : ("powershell.exe","pwsh.exe") and process.command_line : ("* -enc *" or "* -encodedcommand *" or "*FromBase64String*" or "*DownloadString*")
B) Office spawning script engines
event.code : "4688" and process.parent.name : ("WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","OUTLOOK.EXE") and process.name : ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe")
C) Brute force (auth failure)
(Exact fields vary by data source; common ECS fields:)
event.category : "authentication" and event.outcome : "failure" and source.ip : *
5) Elastic: Python automation (search via Elasticsearch API)
Install
pip install elasticsearch
Python: run ECS query and return top hits
import os
import json
from elasticsearch import Elasticsearch

ES_URL = os.getenv("ES_URL")  # e.g. https://elastic.company:9200
ES_USER = os.getenv("ES_USER")
ES_PASS = os.getenv("ES_PASS")
ES_INDEX = os.getenv("ES_INDEX", "logs-*")  # adjust to your index pattern

def es_client():
    return Elasticsearch(
        ES_URL,
        basic_auth=(ES_USER, ES_PASS),
        verify_certs=True,
        request_timeout=30
    )

def search_suspicious_powershell():
    query = {
        "bool": {
            "filter": [
                {"term": {"event.code": "4688"}},
                {"terms": {"process.name": ["powershell.exe", "pwsh.exe"]}},
                {"query_string": {
                    "query": 'process.command_line:("* -enc *" OR "* -encodedcommand *" OR "*FromBase64String*" OR "*DownloadString*")'
                }}
            ]
        }
    }
    fields = ["@timestamp", "host.name", "user.name", "process.name",
              "process.command_line", "process.parent.name", "event.code"]
    es = es_client()
    # elasticsearch-py 8.x takes query, size and _source as keyword arguments (body= is deprecated)
    resp = es.search(index=ES_INDEX, query=query, size=50, source=fields)
    hits = [h["_source"] for h in resp["hits"]["hits"]]
    return hits

if __name__ == "__main__":
    print(json.dumps({"results": search_suspicious_powershell()}, indent=2))
6) Elastic: Push IOCs into an Indicator Index (simple IOC feed approach)
You can maintain your own IOC index (e.g., cyberdudebivash-iocs) and match logs against it with rules.
Python: index an IP IOC document
import os
import time
from elasticsearch import Elasticsearch

ES_URL = os.getenv("ES_URL")
ES_USER = os.getenv("ES_USER")
ES_PASS = os.getenv("ES_PASS")
IOC_INDEX = os.getenv("IOC_INDEX", "cyberdudebivash-iocs")

es = Elasticsearch(ES_URL, basic_auth=(ES_USER, ES_PASS), verify_certs=True)

def add_ip_ioc(ip: str, confidence: int = 80, source="CyberDudeBivash"):
    doc = {
        "@timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "indicator": {"type": "ipv4-addr", "ip": ip},
        "confidence": confidence,
        "source": source,
        "tags": ["block", "threat-intel"]
    }
    return es.index(index=IOC_INDEX, document=doc)

if __name__ == "__main__":
    print(add_ip_ioc("1.2.3.4"))
FAQ
Is SOC automation risky?
Only if done without policy and audit.
Can Python replace SOAR?
No, but it can complement or bootstrap one.
Should juniors automate?
Yes—under supervision and alert-only first.