🔥 3-day streak
Professional Security Operations Engineer22 / 241
Question 22 of 241
A SecOps analyst is triaging the morning queue in Google SecOps. Three separate alerts have opened as distinct cases within a 15-minute window: (1) a suspicious PowerShell execution on host WIN-APP-04, (2) an outbound connection from WIN-APP-04 to a domain flagged by GTI as C2 infrastructure, and (3) a rare scheduled task creation on WIN-APP-04. The analyst confirms all three reference the same host entity, the same user principal, and overlapping timestamps consistent with a single intrusion chain. What is the MOST appropriate triage action before beginning containment?
Reviewed for accuracy · Report an issueNext question