🔥 3-day streak
Professional Security Operations Engineer120 / 241
Question 120 of 241

A SOAR playbook in Google SecOps responds to a confirmed credential-phishing incident. It has already disabled the compromised user account, revoked active sessions, and forced a password reset. The lead responder wants the playbook to avoid prematurely closing the case and to ensure the threat is truly eradicated before the case is auto-resolved. Which playbook step should be added before the case-closure action to best support this goal?

Reviewed for accuracy · Report an issueNext question