Ali-Al

Infosec, baking, lockpicking, Pathfinding, pranking mom

2023-04-27

@ktneely Automating on "garbage" introduces a ton of risk - you have to assume you're getting all the data and have perfect visibility before talking automation and 99% of orgs don't have that. They think they do, but they don't.

If you're automating alert responses, tune the alerts. If nobody's looking at it, why generate an alert? If you're automating information gathering, ask why your tools aren't giving you a whole picture and fix it. Automation *could* work in a static environment, but what org is ever static? If people have to constantly revise the automations, why not just do the work to begin with?

IR is not the place for automation bc you're 100% guaranteed to eventually miss something that will get you popped. Nobody wants to be on the hook for that but really, will insurance pay out on a breach that happened because automation obfuscated the attack before a human caught it? How many times will they do that before they start refusing?

This terrifies me because it's indicative that people are forging ahead with "automate ALL THE THINGS" without considering the risk generated by it, and implying that it frees up their humans for more interesting things when in reality it creates a new layer of labor around maintaining the automations. Worse yet, it creates a false sense of complete protection thinking automation catches more than humans do, which is pure vendor-speak and not true at all.

TL;DR - automation on bad datasets is a recipe for disaster, just fix your s**t and you don't need it.

2023-04-26

@ktneely These responses are terrifying to me.

2023-03-29

If corporations are people, does that mean they're generally the product of same-sex relationships?

2023-01-06

@varx @SwiftOnSecurity Really if we could just get a frame that's big enough to fit all the boxes in it, that would cover the daily roller coaster (in my world anyway lol)

2023-01-05

@SwiftOnSecurity Don't most SIEMs have a built-in system for dropping raw logs that are similar enough to an initial one? Just keep the timestamps if the content never changes so you know how many came in and when, problem solved?

2022-12-07

#InfosecJobAffirmations - I have a ton of these and will post them randomly

2022-11-14

@C0redump Hai! :ablobspin:

2022-11-14

I'm excited that my first post on here is about #HackerSecretSanta2022 <3 I can't wait for this year's victim - err, recipient!!
