If phishing alerts feed into SecOps SOAR and you want to automatically include the SIEM query results in the case without writing code, which action should you implement?


Multiple Choice


Explanation:
In SecOps SOAR, you automate incident enrichment by wiring data fetches into the incident workflow. To automatically include SIEM query results in the case without writing code, you add an action to the playbook that runs the SIEM query and returns the results directly into the case. This leverages the existing SIEM integration within the playbook, so as phishing alerts come in, the query runs, relevant logs or indicators are gathered, and the results are attached to the case automatically. Analysts then have the SIEM context immediately, without manual steps or custom development.

Using a custom action in the IDE would involve creating or configuring new code, which contradicts the no-code requirement. Changing the detection rule affects how alerts are generated, not how data gets embedded in the case. Adding a widget for analysts to query directly offers manual access rather than automatic enrichment, so it doesn't meet the goal of automatic inclusion.

