nerdexam
Google

PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER · Question #19

PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Question #19: Real Exam Question with Answer & Explanation

The correct answer is A. Configure a step that revokes OAuth tokens and suspends sessions for high-privilege accounts. To minimize dwell time and contain privileged account abuse in ransomware incidents, the SOAR playbook should revoke OAuth tokens and suspend sessions for high-privilege accounts based on entity risk. This action directly disrupts attacker persistence and lateral movement while a

Question

Your company's SOC recently responded to a ransomware incident that began with the execution of a malicious document. EDR tools contained the initial infection. However, multiple privileged service accounts continued to exhibit anomalous behavior, including credential dumping and scheduled task creation. You need to design an automated playbook in Google Security Operations (SecOps) SOAR to minimize dwell time and accelerate containment for future similar attacks. Which action should you take in your Google SecOps SOAR playbook to support containment and escalation?

Options

  • AConfigure a step that revokes OAuth tokens and suspends sessions for high-privilege accounts
  • BAdd an approval step that requires an analyst to validate the alert before executing a containment
  • CCreate an external API call to VirusTotal to submit hashes from forensic artifacts.
  • DAdd a YARA-L rule that sends an alert when a document is executed using a scripting engine

Explanation

To minimize dwell time and contain privileged account abuse in ransomware incidents, the SOAR playbook should revoke OAuth tokens and suspend sessions for high-privilege accounts based on entity risk. This action directly disrupts attacker persistence and lateral movement while automated escalation ensures timely response, reducing reliance on manual intervention.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Practice