🔥 3-day streak
Professional Security Operations Engineer100 / 241
Question 100 of 241

A Google SecOps SOAR playbook for automated endpoint isolation includes a manual approval node requiring a Tier-2 analyst to confirm before the containment action executes. During an overnight incident, the on-call analyst does not respond, and the approval node times out after 30 minutes while a confirmed ransomware process continues encrypting files on the host. The incident response lead wants to redesign the playbook so that time-sensitive, high-confidence detections are not stalled by an unavailable approver, while preserving human oversight for lower-confidence cases. Which redesign best achieves this?

Reviewed for accuracy · Report an issueNext question