🔥 3-day streak
Professional Security Operations Engineer106 / 241
Question 106 of 241
During an active ransomware incident, a SecOps SOAR playbook is executing on a case involving a compromised Windows workstation. One playbook step calls an external threat-intel enrichment API to confirm whether the observed C2 domain is malicious before triggering EDR-based host isolation. The enrichment API is timing out repeatedly due to a vendor outage, and telemetry shows the same C2 beacon now appearing on two additional hosts. What is the most appropriate way to design the playbook to handle this situation?
Reviewed for accuracy · Report an issueNext question