🔥 3-day streak
Professional Security Operations Engineer99 / 241
Question 99 of 241
During a live incident, a Google SecOps SOAR playbook automatically disabled a compromised service account and quarantined a Compute Engine VM. The on-call analyst determines that the VM quarantine is disrupting a critical payment-processing service and decides to reverse only the VM containment while keeping the service account disabled. The SOC manager later needs to reconstruct exactly who reversed which containment action and why, for a regulated post-incident review. Which approach best supports both the immediate operational need and the audit requirement?
Reviewed for accuracy · Report an issueNext question