In a SOAR playbook using VirusTotal v3 to set alert severity, which practice best informs severity?


Multiple Choice


Explanation:
The key idea is to base alert severity on concrete, countable evidence returned by VirusTotal rather than on a binary or indirect method. In VirusTotal v3, the JSON response includes analysis statistics that quantify how many scanners flagged the item and how many detections there are overall. By reading this count and applying thresholds in the SOAR playbook, you can map the evidence to a graded severity level (for example, more detections or a higher malicious count → higher severity). This makes severity consistent, data-driven, and scalable across different indicators.

Using a widget to translate JSON into a severity score adds an extra layer but doesn’t provide the direct, action-ready decision logic the playbook needs; it delays or obscures how severity is actually determined. Passing the response to a SIEM doesn’t assign or encode severity within the SOAR workflow. Treating the URL as simply suspicious or benign is too binary and ignores how strong the evidence is, which is exactly what the detections count captures. Therefore, using the number of detections from the JSON response in a conditional to set severity best leverages the available data to produce meaningful, consistent alert levels.

