csoc-operations--playbook-automation

# CSOC Operations & Playbook Automation ## Purpose Enable Claude to assist Cyber Security Operations Center (CSOC) teams with structured alert triage, automated playbook creation, escalation workflow design, shift handover reporting, and SOC metrics analysis. Claude produces operational artifacts that analysts can execute directly or adapt to their SOAR platforms. --- ## Activation Triggers This skill activates when the user asks about: - Triaging SIEM alerts or security events - Creating incident response playbooks for SOC analysts - Designing escalation workflows and notification chains - Generating SOC shift handover reports - Calculating SOC metrics (MTTD, MTTR, FPR) - Automating repetitive SOC tasks - Playbook conversion to Splunk SOAR, Palo Alto XSOAR, or ServiceNow - SOC analyst decision support and runbooks - Alert fatigue reduction strategies - Alert correlation and deduplication --- ## Prerequisites ```bash pip install pyyaml jinja2 requests python-dateutil ``` **Platform integrations:** - `Splunk SOAR` — Playbook automation - `Palo Alto XSOAR` — SOAR platform - `TheHive` — Open-source IR platform - `ServiceNow` — ITSM ticketing - `PagerDuty / OpsGenie` — Alerting and on-call --- ## Core Capabilities ### 1. Alert Triage Automation **When the user provides SIEM alerts and asks to triage:** **Triage Decision Framework:** ``` Step 1: Parse alert data - Source: SIEM, EDR, WAF, IDS, email security, cloud audit logs - Extract: timestamp, source IP, dest...