🔥 3-day streak
Professional Security Operations Engineer113 / 241
Question 113 of 241

A SOAR playbook in Google SecOps automatically triages endpoint alerts. During execution, a case is enriched, an initial containment (host network isolation) succeeds, but the playbook detects that the malicious binary wrote to a domain controller's SYSVOL share — indicating scope beyond the endpoint team's remediation authority. Company policy requires that Active Directory / identity incidents be handled by the dedicated Identity Response team. What is the MOST appropriate playbook design to handle this handoff without losing investigation continuity?

Reviewed for accuracy · Report an issueNext question