🔥 3-day streak
Professional Security Operations Engineer102 / 241
Question 102 of 241
During an active incident, a Google SecOps SOAR playbook is triggered on a Compute Engine VM confirmed to be running a cryptominer with an established outbound C2 channel. The incident commander wants to both preserve forensic evidence and stop the ongoing resource abuse and data risk. The playbook currently jumps straight to terminating (deleting) the compromised instance. What is the BEST modification to the automated containment sequence?
Reviewed for accuracy · Report an issueNext question