🔥 3-day streak
Professional Security Operations Engineer110 / 241
Question 110 of 241

During an active data-exfiltration incident, your SOAR playbook automatically identifies a compromised GCS bucket that an attacker used to stage stolen files. The playbook is configured to delete the staged objects to stop further exfiltration. However, your legal team has just placed a litigation hold on the affected project because the incident may lead to regulatory action. As the SecOps engineer, what is the MOST appropriate way to modify the containment step to balance rapid response with legal obligations?

Reviewed for accuracy · Report an issueNext question