🔥 3-day streak
Professional Security Operations Engineer124 / 241
Question 124 of 241
A SOAR playbook in Google SecOps automatically triages phishing alerts: it enriches the sender domain with GTI, extracts URLs, and detonates attachments in a sandbox. The security team wants the playbook to fully quarantine the user's mailbox and disable their account ONLY after a senior analyst reviews the enrichment results, because past false positives locked out executives during business-critical periods. However, the team also insists that time-sensitive containment must not stall indefinitely if no analyst responds. How should the playbook be designed to satisfy both requirements?
Reviewed for accuracy · Report an issueNext question