🔥 3-day streak
Professional Security Operations Engineer104 / 241
Question 104 of 241
During an active incident, a SecOps SOAR playbook detects that a service account is being used to enumerate storage buckets from an unusual region. The playbook is configured to automatically disable any credential flagged as compromised. However, this service account is also used by a production data-pipeline job that runs hourly and feeds a customer-facing dashboard. The analyst on call must decide how the containment step should proceed. Which approach best balances rapid containment with operational risk in the playbook design?
Reviewed for accuracy · Report an issueNext question