🔥 3-day streak
Professional Security Operations Engineer112 / 241
Question 112 of 241

During an incident, a Google SecOps SOAR playbook detects that a service account's credentials were exfiltrated and are now being used from an unusual ASN to enumerate Cloud Storage buckets. The IR lead wants the playbook to stop the ongoing abuse quickly while preserving the ability to investigate what the attacker already accessed. Which containment action should the playbook execute first?

Reviewed for accuracy · Report an issueNext question