🔥 3-day streak
Professional Security Operations Engineer34 / 241
Question 34 of 241

After closing a phishing-driven credential-theft incident in Google SecOps, the post-incident review finds that the initial malicious OAuth token grant went undetected for 6 days because no rule existed to flag high-privilege third-party app authorizations. The SOC lead wants the review to produce the most durable improvement to prevent a repeat blind spot. Which post-incident action best closes the loop between the RCA finding and future detection coverage?

Reviewed for accuracy · Report an issueNext question