🔥 3-day streak
Professional Security Operations Engineer116 / 241
Question 116 of 241

A SOAR playbook responds to a confirmed leaked GCP service account key incident. The playbook automatically disables the exposed key, then creates a new key and updates the affected workload's secret. During post-incident review, the SOC lead notes that although the leaked key was disabled, an attacker session using a short-lived OAuth access token derived from that key continued to make API calls for nearly an hour after key disablement. Which change to the eradication step best closes this gap?

Reviewed for accuracy · Report an issueNext question