Module 3 Overview
Module 3 of 3
SOC Investigation
Respond, Triage, and Automate Incident Handling
Confirm Tenant Switch
You should now be logged into the Enterprise Tenant (Tenant 1). If you are still in the Lab Tenant, log out and log in using the Enterprise Tenant credentials provided by your facilitator.
Alex built the controls. Kevin tested them. Now Priya, Dataparity's SOC analyst, picks up the incident queue and closes the loop. This module covers the full incident response lifecycle using the Zscaler Workflow Automation (ZWA) portal: from reviewing incident details and evidence, to modifying status, notifying users, escalating for approval, and configuring automated workflow templates.
Module Objectives
| Question | Capability |
|---|---|
| How does Priya find and review incidents? | ZWA Incident Dashboard |
| How does she assess evidence and trigger data? | Incident Details & Violation Content |
| How does she update status and priority? | Incident Metadata & State Changes |
| How does she notify and coach the violating user? | User Notification via Email / Slack / Teams |
| How does she escalate for manager approval? | Escalation Workflow |
| How can routine responses be automated? | Workflow Templates & Mapping |