Google Cloud Professional Security Operations Engineer — Question 26
During a high-priority phishing incident at your company, Google Security Operations (SecOps) created and assigned the case to a Tier 1 analyst. The analyst added email headers and attached the malicious file as evidence but failed to escalate the case, violating an internal SLA of 30 minutes for a phishing response. The delay led to multiple users opening the file before containment actions were initiated. You want to optimize the case management workflow for future high-priority incidents. What should you do?
Answer options
- A. Build a playbook that automatically ingests reported phishing emails, enriches entities with threat intelligence, determines the impact and assigns the case for review.
- B. Change the default case assignment logic to route all phishing alerts to the Tier 2 team.
- C. Configure a SOAR notification loop that sends escalating email alerts to the Tier 1 analysts, the Tier 2 analysts, and the SOC manager every five minutes until the case is manually reassigned.
- D. Update the playbook to automatically close phishing cases after 60 minutes if no manual response has occurred.
Correct answer: A
Explanation
The correct answer is A because a comprehensive playbook automates the handling of phishing incidents from ingestion through enrichment, impact assessment and assignment, ensuring timely escalation and reducing the risk of delays like the one described. Options B and C do not address the root cause of the issue, which is the lack of an automated response process: B only changes who receives the case, and C only adds notifications. Option D could lead to the premature closure of cases without proper resolution.