Exam Security-Operations-Engineer Topic 3 Question 31 Discussion
Actual exam question for Google's Security-Operations-Engineer exam
Question #: 31
Topic #: 3
Question #: 31
Topic #: 3
You were recently hired as a SOC manager at an organization with an existing Google Security Operations (SecOps) implementation. You need to understand the current performance by calculating the mean time to respond or remediate (MTTR) for your cases. What should you do?
Suggested Answer: B Vote an answer
Google Security Operations (SecOps) SOAR is designed to natively measure and report on key SOC performance metrics, including MTTR. This calculation is automatically derived from playbook case stages.
As a case is ingested and processed by a SOAR playbook, it moves through distinct, customizable stages (e.g.,
"Triage," "Investigation," "Remediation," "Closed"). The SOAR platform automatically records a timestamp for each of these stage transitions. The time deltas between these stages (e.g., the time from when a case entered "Triage" to when it entered "Remediation") are the raw data used to calculate MTTR and other KPIs.
This data is then aggregated and visualized in the built-in SecOps SOAR reporting and dashboarding features.
This is the standard, out-of-the-box method for capturing these metrics. Option C describes a manual, redundant process of what case stages do automatically. Option D describes where the data might be viewed (Looker), but Option B describes the underlying mechanism for how the MTTR data is captured in the first place, which is the core of the question.
(Reference: Google Cloud documentation, "Google SecOps SOAR overview"; "Manage playbooks"; "Get insights from dashboards and reports")
As a case is ingested and processed by a SOAR playbook, it moves through distinct, customizable stages (e.g.,
"Triage," "Investigation," "Remediation," "Closed"). The SOAR platform automatically records a timestamp for each of these stage transitions. The time deltas between these stages (e.g., the time from when a case entered "Triage" to when it entered "Remediation") are the raw data used to calculate MTTR and other KPIs.
This data is then aggregated and visualized in the built-in SecOps SOAR reporting and dashboarding features.
This is the standard, out-of-the-box method for capturing these metrics. Option C describes a manual, redundant process of what case stages do automatically. Option D describes where the data might be viewed (Looker), but Option B describes the underlying mechanism for how the MTTR data is captured in the first place, which is the core of the question.
(Reference: Google Cloud documentation, "Google SecOps SOAR overview"; "Manage playbooks"; "Get insights from dashboards and reports")
by Herman at Dec 29, 2025, 07:04 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).