🔥 3-day streak
Professional Security Operations Engineer108 / 241
Question 108 of 241

During an active incident, a SecOps analyst confirms that a compromised employee laptop is actively exfiltrating data over an established C2 channel, and the same user's OAuth refresh tokens have been observed authenticating from a foreign ASN within the last 10 minutes. The SOAR playbook offers automated containment actions for both the endpoint (network isolation via EDR) and the identity (revoke sessions and reset credentials). The team wants to stop ongoing damage while preserving the ability to complete root cause analysis. Which containment sequencing decision best meets these goals?

Reviewed for accuracy · Report an issueNext question