🔥 3-day streak
Professional Security Operations Engineer98 / 241
Question 98 of 241

A SecOps SOAR playbook is triggered for a high-severity alert indicating a compromised user account with confirmed credential theft. The playbook is designed to automatically disable the user in Google Workspace, revoke active OAuth tokens, and quarantine the user's Chrome-managed device. During a review, the incident response lead observes that the same playbook occasionally fires on false positives from a noisy detection rule, and an auto-disable of an executive account during business hours caused a significant operational disruption. The team wants to retain automated speed for clear-cut cases while preventing disruptive actions on ambiguous ones. What is the BEST playbook design change to achieve this?

Reviewed for accuracy · Report an issueNext question