Incident response
Drill 20 practice questions focused entirely on Incident response for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
After containing a data exfiltration incident, your SOC lead asks you to lead the post-incident review. The incident timeline shows the alert fired at 02:14 but was not acknowledged in the Google SecOps case queue until 09:40, when the day-shift analyst began triage. Containment was completed within 20 minutes of triage starting. Leadership wants the post-incident activity to produce a corrective action that most directly reduces the risk of this delay recurring. Which finding should drive the primary corrective action?
A SecOps analyst is triaging the morning queue in Google SecOps. Three separate alerts have opened as distinct cases within a 15-minute window: (1) a suspicious PowerShell execution on host WIN-APP-04, (2) an outbound connection from WIN-APP-04 to a domain flagged by GTI as C2 infrastructure, and (3) a rare scheduled task creation on WIN-APP-04. The analyst confirms all three reference the same host entity, the same user principal, and overlapping timestamps consistent with a single intrusion chain. What is the MOST appropriate triage action before beginning containment?
Following a confirmed business email compromise incident, your SecOps team completed a blameless post-incident review. The review produced eight corrective actions, ranging from enabling phishing-resistant MFA to updating a SOAR playbook that lacked an approval gate. Two weeks later, leadership asks the SOC manager to demonstrate that the incident's lessons are actually reducing organizational risk. Which practice BEST ensures the post-incident review translates into measurable risk reduction?
After closing a phishing-driven credential-theft incident in Google SecOps, the post-incident review finds that the initial malicious OAuth token grant went undetected for 6 days because no rule existed to flag high-privilege third-party app authorizations. The SOC lead wants the review to produce the most durable improvement to prevent a repeat blind spot. Which post-incident action best closes the loop between the RCA finding and future detection coverage?
During post-incident activities for a resolved credential-phishing case in Google SecOps, your team confirmed the attacker used a specific set of newly registered domains and a phishing kit hash that were NOT detected proactively. Leadership wants to ensure the organization can immediately identify whether these same indicators appeared elsewhere in the environment during the incident window AND be alerted if they recur. Which combination of post-incident actions BEST satisfies both goals?
Following the containment and eradication of a compromised service account that was used for data staging in a GCP project, your SOC lead asks you to run the post-incident review. During the review, one engineer admits they ignored an earlier low-severity SecOps alert about anomalous service account activity because they were overloaded. The team wants to prevent recurrence. Which approach best aligns with effective root cause analysis and post-incident practices?
After containing a compromised GKE workload, your team must reconstruct the attacker's activity timeline for the post-incident report. During the incident, an analyst manually terminated the malicious pod before capturing forensic artifacts, and the SOAR playbook's evidence-collection step was skipped due to a connector timeout. You need to determine the earliest reliable point of initial access. Which approach provides the most defensible timeline reconstruction given the missing artifacts?
A SecOps analyst is designing a triage playbook in Google SecOps SOAR that fires for every endpoint malware alert. Analysts complain the playbook opens a case and pages the on-call engineer for every alert, including many that turn out to be benign quarantined files. The team wants to reduce paging noise without missing true positives. Which change to the playbook logic best addresses this while preserving investigative fidelity?
During an active incident, a Google SecOps SOAR playbook is triggered by a case involving a compromised Compute Engine VM showing signs of cryptomining and possible credential theft. Your IR team wants automation to contain the threat, but the incident may require legal follow-up and root cause analysis. Which sequencing of automated playbook actions best balances containment with the need for later forensic investigation?
During a shift, a SecOps analyst opens a Google SecOps case that was auto-created by a SOAR playbook. The case aggregates several alerts: one high-severity malware detection on a developer laptop, and three medium-severity failed-login alerts against a low-value test service account. The analyst must decide the triage order for investigation this hour, given limited time. Which factor should MOST influence prioritizing which alert to investigate first within the case?
During post-incident review of a confirmed data-exfiltration case, the SOAR playbook auto-closed 40 related alerts as duplicates before an analyst could confirm they were truly identical. The IR lead wants to prevent premature closure of alerts that may contain distinct evidence while still reducing analyst workload from duplicate noise. Which change to the incident-response process best balances these goals?
A SecOps SOAR playbook is triggered for a high-severity alert indicating a compromised user account with confirmed credential theft. The playbook is designed to automatically disable the user in Google Workspace, revoke active OAuth tokens, and quarantine the user's Chrome-managed device. During a review, the incident response lead observes that the same playbook occasionally fires on false positives from a noisy detection rule, and an auto-disable of an executive account during business hours caused a significant operational disruption. The team wants to retain automated speed for clear-cut cases while preventing disruptive actions on ambiguous ones. What is the BEST playbook design change to achieve this?
During a live incident, a Google SecOps SOAR playbook automatically disabled a compromised service account and quarantined a Compute Engine VM. The on-call analyst determines that the VM quarantine is disrupting a critical payment-processing service and decides to reverse only the VM containment while keeping the service account disabled. The SOC manager later needs to reconstruct exactly who reversed which containment action and why, for a regulated post-incident review. Which approach best supports both the immediate operational need and the audit requirement?
A Google SecOps SOAR playbook for automated endpoint isolation includes a manual approval node requiring a Tier-2 analyst to confirm before the containment action executes. During an overnight incident, the on-call analyst does not respond, and the approval node times out after 30 minutes while a confirmed ransomware process continues encrypting files on the host. The incident response lead wants to redesign the playbook so that time-sensitive, high-confidence detections are not stalled by an unavailable approver, while preserving human oversight for lower-confidence cases. Which redesign best achieves this?
During an active incident, a Google SecOps SOAR playbook is triggered by a high-severity alert indicating credential misuse from a workstation. The playbook is designed to automatically isolate the source host via the EDR integration. However, the enrichment step reveals the source IP maps to a shared jump server used by dozens of administrators for legitimate remote access, and there is no maintenance window active. What is the MOST appropriate playbook design decision to handle this situation?
During an active incident, a Google SecOps SOAR playbook is triggered on a Compute Engine VM confirmed to be running a cryptominer with an established outbound C2 channel. The incident commander wants to both preserve forensic evidence and stop the ongoing resource abuse and data risk. The playbook currently jumps straight to terminating (deleting) the compromised instance. What is the BEST modification to the automated containment sequence?
During an active investigation of a compromised GCE instance, your SOAR playbook is about to execute a containment action that deletes the instance to stop attacker-controlled outbound traffic. The incident may later result in legal action, and your legal team has requested that all evidence be preserved with a defensible chain of custody. Which modification to the playbook best satisfies both the containment need and the legal preservation requirement?
During an active incident, a SecOps SOAR playbook detects that a service account is being used to enumerate storage buckets from an unusual region. The playbook is configured to automatically disable any credential flagged as compromised. However, this service account is also used by a production data-pipeline job that runs hourly and feeds a customer-facing dashboard. The analyst on call must decide how the containment step should proceed. Which approach best balances rapid containment with operational risk in the playbook design?
During triage in Google SecOps, an analyst confirms that a production database server is beaconing to a known C2 domain and has an active interactive session from an external IP. The SOAR playbook offers an automated action to immediately isolate the host from the network. However, the incident response lead is simultaneously trying to capture the attacker's tooling and lateral movement path for attribution. The host runs a revenue-critical service with no failover. What is the MOST appropriate immediate containment decision?
During an active ransomware incident, a SecOps SOAR playbook is executing on a case involving a compromised Windows workstation. One playbook step calls an external threat-intel enrichment API to confirm whether the observed C2 domain is malicious before triggering EDR-based host isolation. The enrichment API is timing out repeatedly due to a vendor outage, and telemetry shows the same C2 beacon now appearing on two additional hosts. What is the most appropriate way to design the playbook to handle this situation?
More PSOE practice
Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.
← Back to PSOE overview