Google Cloud Professional Security Operations Engineer — Question 3
You are an incident responder at your organization using Google Security Operations (SecOps) for monitoring and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?
Answer options
- A. Use the firewall integration to submit the IP address to a network block list to inhibit internet access from that machine.
- B. Deploy emergency patches, and reboot the server to remove malicious persistence.
- C. Use the EDR integration to quarantine the compromised asset.
- D. Use VirusTotal to enrich the IP address and retrieve the domain. Add the domain to the proxy block list.
Correct answer: C
Explanation
The correct answer is C: quarantining the compromised asset through the EDR integration contains the immediate threat while leaving the host's forensic data intact for investigation. Options A and D could inhibit network access but do not isolate the threat effectively, and option B may disrupt critical services and potentially destroy valuable forensic evidence.