
From Signals to Actions: Building SIEM+SOAR Playbooks with Safe, Measured SOC AI

live online
price $1,400
Adeel
Intermediate / Advanced
2 Days
Sun 22 Nov - Mon 23 Nov


Online, Available in English and Arabic

Topics:

  • SIEM foundations + detection quality
  • Telemetry mapping (ATT&CK-driven) + parsing/normalisation patterns
  • Lab 1: Ingest dataset, validate fields, build parsers
  • Detection engineering: Sigma logic, correlations, risk scoring
  • Lab 2: Write/tune detections; measure signal-to-noise
  • Lab 3: Correlate alerts → cases; triage workflow
  • SOAR + SOC AI + safety hardening
  • SOAR design: playbooks, approvals, least-privilege actions
  • Lab 4: Phishing-to-containment playbook (ticket + block + notify)
  • SOC AI: local LLM assistant for triage, queries, report drafting
  • Lab 5: Build RAG runbook assistant; measure hallucination & leakage


Overview

Modern SOCs rely on SIEM and SOAR, but telemetry is noisy and AI copilots can introduce new failure modes. This hands-on course teaches analysts and engineers to build a vendor-neutral SecOps pipeline: ingest and normalise logs, write and test detections, enrich alerts, and automate response playbooks.

On day two, students add a locally-run LLM assistant for triage and querying, then learn how to measure and harden it against prompt-injection and unsafe tool actions using practical guardrails. Every module includes labs and a capstone incident where teams reduce time-to-triage while maintaining safety and least privilege.


By the end of this course, the participant will be able to:

  • Ingest and normalize multi-source telemetry into a SIEM and validate parsing quality
  • Author, test and tune detection rules/correlations with measurable signal-to-noise targets
  • Build SOAR playbooks with least-privilege actions and approval checkpoints
  • Integrate an offline/local LLM assistant for triage and query generation
  • Run a repeatable safety test suite for prompt-injection/unsafe actions and apply guardrails to reduce failure rates