Exam Security-Operations-Engineer Topic 4 Question 101 Discussion

Actual exam question for Google's Security-Operations-Engineer exam
Question #: 101
Topic #: 4
You have been tasked with developing a new response process in a playbook to contain an endpoint. The new process should take the following actions:
* Send an email to users who do not have a Google Security Operations (SecOps) account to request approval for endpoint containment.
* Automatically continue executing its logic after the user responds.
You plan to implement this process in the playbook by using the Gmail integration. You want to minimize the effort required by the SOC analyst. What should you do?

Suggested Answer: D Vote an answer

Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:
This scenario describes an automated external approval, which is a key feature of Google Security Operations (SecOps) SOAR. The solution that "minimizes the effort required by the SOC analyst" is one that is fully automated and does not require the analyst to wait for an email and then manually resume the playbook.
The correct method (Option D) is to use the platform's built-in capabilities (often part of the "Flow" or
"Siemplify" integration) to generate a unique approval link (or "Approve" / "Deny" links). These links are tokenized and tied to the specific playbook's execution. This link is then inserted as a placeholder into the email that is sent to the non-SecOps user via the "Send Email" (Gmail integration) action.
The playbook is then configured with conditional logic (e.g., a "Wait for Condition") to pause execution until one of the links is clicked. When the external user clicks the "Approve" or "Deny" link in their email, it sends a secure signal back to the SOAR platform. The playbook automatically detects this response and continues down the appropriate conditional path (e.g., "if approved, execute endpoint containment"). This process is fully automated and requires zero analyst intervention, perfectly meeting the requirements.
Options A, B, and C all require manual analyst action, which violates the core requirement of minimizing analyst effort.
(Reference: Google Cloud documentation, "Google SecOps SOAR Playbooks overview"; "Gmail integration documentation"; "Flow integration - Wait for Approval")

by Abner at Jan 26, 2026, 09:29 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10