Phishing alerts are ingested directly into SecOps SOAR from an email inbox, and analysts currently use a SIEM query; you want the query results to be automatically included in the case without writing new code. What should you do?

Multiple Choice

Explanation:
The idea is to automate data enrichment by using a playbook action that fetches the SIEM results and feeds them directly into the case. In SecOps SOAR, a playbook can orchestrate interactions with external tools during or after an alert is ingested. By adding an action to the playbook that runs the SIEM query and returns the results, those results can be automatically appended to the case (as notes or artifacts) without writing new code. This matches the requirement of automatic inclusion and leverages existing integrations within the SOAR platform.

Using a custom action would require creating new code, which isn’t the goal here. Modifying a detection rule affects how alerts are generated, not how data is enriched in an already opened case. Adding a widget would enable manual querying, not automatic enrichment of the case content.
