Lab 20 – Endpoint Response Automation & Playbooks

This lab focuses on automating endpoint‑response actions using your EDR and SIEM platforms. You’ll build workflows that isolate hosts, kill malicious processes, enrich alerts, and notify administrators automatically.

• Outcome 1: Automated response workflows created.
• Outcome 2: EDR actions integrated with SIEM automation.
• Outcome 3: Alerts enriched and escalated automatically.
• Outcome 4: Playbooks validated using simulated attacks.

• DL20.1: Automated malware‑response workflow.
• DL20.2: Automated suspicious‑process workflow.
• DL20.3: Automated compromised‑account workflow.
• DL20.4: EDR + SIEM integration validated.
• DL20.5: Documentation updated with workflow diagrams.

1. Create a workflow that triggers on:
   • High‑severity malware alerts
   • Suspicious process behavior
2. Automate actions:
   • Isolate host
   • Kill malicious process
   • Collect forensic logs
3. Send notification to admin.

1. Create a workflow that triggers on:
   • Encoded PowerShell commands
   • Unexpected parent/child process chains
2. Automate:
   • Process termination
   • Hash lookup via threat‑intel APIs
   • Alert enrichment

1. Create a workflow that triggers on:
   • Failed logon spikes
   • Password‑spray patterns
   • Unusual logon hours
2. Automate:
   • Disable account
   • Block source IP
   • Notify admin

1. Simulate:
   • Malware‑like process behavior
   • Suspicious PowerShell commands
   • Failed logon bursts
2. Verify:
   • Workflow triggers
   • Automated actions
   • Alert enrichment
   • Notifications
3. Document results and detection gaps.

• Automation: How automated workflows accelerate response.
• Integration: How EDR and SIEM combine to improve detection.
• Consistency: How playbooks reduce human error.

With this lab, you’ve completed Month 5 and built strong endpoint‑response capabilities. In Month 6, you’ll move into cloud security and identity‑focused detection.