🔥 3-day streak
Professional Security Operations Engineer128 / 241
Question 128 of 241
During a Google SecOps SOAR playbook run, an incoming alert about a suspicious OAuth token grant is automatically enriched. The playbook queries an internal IdP for the affected user's recent sign-in risk. The IdP returns a HTTP 200 with a body indicating the risk lookup is 'pending' rather than a final risk score. The playbook has a conditional branch that escalates the case severity to Critical only when risk is 'high', and otherwise closes the case as benign. As the SOAR engineer reviewing this design during a post-incident review, what is the BEST correction to the playbook logic?
Reviewed for accuracy · Report an issueNext question