Google Professional Security Operations Engineer Exam - Topic 1 Question 10 Discussion

Actual exam question for Google's Professional Security Operations Engineer exam

Question #: 10
Topic #: 1

[All Professional Security Operations Engineer Questions]

Your organization requires the SOC director to be notified by email of escalated incidents and their results before a case is closed. You need to create a process that automatically sends the email when an escalated case is closed. You need to ensure the email is reliably sent for the appropriate cases. What process should you use?

AWrite a job to check closed cases for incident escalation status, pull the case status details if a case has been escalated, and send an email to the director.

BCreate a playbook block that includes a condition to identify cases that have been escalated. The two resulting branches either close the alert and email the notes to the director, or close the alert without sending an email.

CNavigate to the Alert Overview tab to close the Alert. Run a manual action to gather the case details. If the case was escalated, email the notes to the director. Use the Close Case action in the UI to close the case.

DUse the Close Case button in the UI to close the case. If the case is marked as an incident, export the case from the UI and email it to the director.

Show Suggested Answer

Suggested Answer: B

Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:

The most reliable, automated, and low-maintenance solution is to use the native Google Security Operations (SecOps) SOAR capabilities. A playbook block is a reusable, automated workflow that can be attached to other playbooks, such as the standard case closure playbook.

This block would be configured with a conditional action. This action would check a case field (e.g., case.escalation_status == 'escalated'). If the condition is true, the playbook automatically proceeds down the 'Yes' branch, which would use an integration action (like 'Send Email' for Gmail or Outlook) to send the case details to the director. After the email action, it would proceed to the 'Close Case' action. If the condition is false (the case was not escalated), the playbook would proceed down the 'No' branch, which would skip the email step and immediately close the case.

This method ensures the process is 'reliably sent' and 'automatic,' as it's built directly into the case management logic. Options C and D are incorrect because they rely on manual analyst actions, which are not reliable and violate the 'automatic' requirement. Option A is a custom, external solution that adds unnecessary complexity and maintenance overhead compared to the native SOAR playbook functionality.

(Reference: Google Cloud documentation, 'Google SecOps SOAR Playbooks overview'; 'Playbook blocks'; 'Using conditional logic in playbooks')

by Yolando at Mar 08, 2026, 12:46 AM

Limited Time Offer

25%

1 month ago

I remember we discussed the importance of automation in incident response. Option A seems like it could work, but I'm not entirely sure if it would catch all escalated cases reliably.

upvoted 0 times

...