🔥 3-day streak
Professional Security Operations Engineer129 / 241
Question 129 of 241

During an active investigation, a Google SecOps SOAR playbook is triaging a high-severity endpoint alert. The playbook is configured to enrich the host artifact with asset criticality from the CMDB, the user's recent authentication history, and a GTI reputation lookup on an outbound IP before deciding whether to auto-isolate the host. Mid-execution, the CMDB integration returns an error and the GTI lookup times out, but the authentication enrichment succeeds and shows the account performed an impossible-travel login moments before the alert fired. The playbook's containment gate requires a computed risk score. What is the MOST appropriate playbook design decision for handling this partial-enrichment situation?

Reviewed for accuracy · Report an issueNext question