Exam Security-Operations-Engineer Topic 5 Question 30 Discussion
Actual exam question for Google's Security-Operations-Engineer exam
Question #: 30
Topic #: 5
Question #: 30
Topic #: 5
Your company's SOC recently responded to a ransomware incident that began with the execution of a malicious document. EDR tools contained the initial infection. However, multiple privileged service accounts continued to exhibit anomalous behavior, including credential dumping and scheduled task creation. You need to design an automated playbook in Google Security Operations (SecOps) SOAR to minimize dwell time and accelerate containment for future similar attacks. Which action should you take in your Google SecOps SOAR playbook to support containment and escalation?
Suggested Answer: C Vote an answer
Comprehensive and Detailed Explanation
The correct answer is Option C. The incident description makes it clear that endpoint containment (by EDR) was insufficient, as the attacker successfully pivoted to privileged service accounts and began post- compromise activities (credential dumping, scheduled tasks).
The goal is to automate containment and minimize dwell time.
* Option A is an enrichment/investigation action, not a containment action.
* Option B is the opposite of automation; adding a manual approval step increases dwell time and response time.
* Option D is a detection engineering task (creating a YARA-L rule), not a SOAR playbook (response) action.
Option C is the only true automated containment action that directly addresses the new threat. The anomalous behavior of the privileged accounts would raise their Entity Risk Score within Google SecOps. A modern SOAR playbook can be configured to automatically trigger on this high-risk score and execute an identity- based containment action. Revoking tokens and suspending sessions for the compromised high-privilege accounts is the most effective way to immediately stop the attacker's lateral movement and malicious activity, thereby accelerating containment and minimizing dwell time.
Exact Extract from Google Security Operations Documents:
SOAR Playbooks and Automation: Google Security Operations (SecOps) SOAR enables the orchestration and automation of security responses. Playbooks are designed to execute a series of automated steps to respond to an alert.
Identity and Access Management Integrations: SOAR playbooks can integrate directly with Identity Providers (IdPs) like Google Workspace, Okta, and Microsoft Entra ID. A critical automated containment action for compromised accounts is to revoke active OAuth tokens, suspend user sessions, or disable the account entirely. This action immediately logs the attacker out of all active sessions and prevents them from re-authenticating.
Entity Risk: Detections and anomalous activities contribute to an entity's (e.g., a user or asset) risk score.
Playbooks can be configured to use this risk score as a trigger. For example, if a high-privilege account's risk score crosses a critical threshold, the playbook can automatically execute identity containment actions.
References:
Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Playbooks > Playbook Actions Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations > (e.g., Okta, Google Workspace) Google Cloud Documentation: Google Security Operations > Documentation > Investigate > View entity risk scores
The correct answer is Option C. The incident description makes it clear that endpoint containment (by EDR) was insufficient, as the attacker successfully pivoted to privileged service accounts and began post- compromise activities (credential dumping, scheduled tasks).
The goal is to automate containment and minimize dwell time.
* Option A is an enrichment/investigation action, not a containment action.
* Option B is the opposite of automation; adding a manual approval step increases dwell time and response time.
* Option D is a detection engineering task (creating a YARA-L rule), not a SOAR playbook (response) action.
Option C is the only true automated containment action that directly addresses the new threat. The anomalous behavior of the privileged accounts would raise their Entity Risk Score within Google SecOps. A modern SOAR playbook can be configured to automatically trigger on this high-risk score and execute an identity- based containment action. Revoking tokens and suspending sessions for the compromised high-privilege accounts is the most effective way to immediately stop the attacker's lateral movement and malicious activity, thereby accelerating containment and minimizing dwell time.
Exact Extract from Google Security Operations Documents:
SOAR Playbooks and Automation: Google Security Operations (SecOps) SOAR enables the orchestration and automation of security responses. Playbooks are designed to execute a series of automated steps to respond to an alert.
Identity and Access Management Integrations: SOAR playbooks can integrate directly with Identity Providers (IdPs) like Google Workspace, Okta, and Microsoft Entra ID. A critical automated containment action for compromised accounts is to revoke active OAuth tokens, suspend user sessions, or disable the account entirely. This action immediately logs the attacker out of all active sessions and prevents them from re-authenticating.
Entity Risk: Detections and anomalous activities contribute to an entity's (e.g., a user or asset) risk score.
Playbooks can be configured to use this risk score as a trigger. For example, if a high-privilege account's risk score crosses a critical threshold, the playbook can automatically execute identity containment actions.
References:
Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Playbooks > Playbook Actions Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations > (e.g., Okta, Google Workspace) Google Cloud Documentation: Google Security Operations > Documentation > Investigate > View entity risk scores
by Belle at Dec 27, 2025, 05:37 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).