Which strategy automatically remediates dormant service account keys when a finding is ingested into SecOps?

Multiple Choice

Which strategy automatically remediates dormant service account keys when a finding is ingested into SecOps?

Explanation:
Remediation should be driven by the finding as soon as it’s ingested, using an event-driven workflow that automatically carries the action through without manual steps. Security Command Center can emit a finding about a dormant service account key, and that finding should flow into a message bus (Pub/Sub). A Cloud Run service subscribed to that topic can receive the finding payload and perform the deletion of the specific dormant key via the appropriate Cloud IAM API, with logging for auditing. This end-to-end automation is scalable, auditable, and tightly coupled to the ingestion event, ensuring immediate remediation as soon as the finding appears in SecOps.

The other approaches don’t provide the same seamless, event-driven linkage. A YARA-L-based rule plus a SOAR action isn’t a native, streamlined path from SecOps findings to automated cloud remediation, and it adds extra tooling and potential delays. Triggering a SOAR action directly from ingestion can work, but it relies on another system’s integration and timing, which may not be as reliable or scalable. Using only a Cloud Logging sink and a Cloud Run function lacks the direct, event-driven connection from the SecOps finding to remediation, making it harder to guarantee automatic execution right when the finding is ingested.
