Google Professional Security Operations Engineer Exam - Topic 3 Question 13 Discussion

Actual exam question for Google's Professional Security Operations Engineer exam

Question #: 13
Topic #: 3

[All Professional Security Operations Engineer Questions]

You are an incident responder at your organization using Google Security Operations (SecOps) for monitoring and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?

AUse the firewall integration to submit the IP address to a network block list to inhibit internet access from that machine.

BDeploy emergency patches, and reboot the server to remove malicious persistence.

CUse the EDR integration to quarantine the compromised asset.

DUse VirusTotal to enrich the IP address and retrieve the domain. Add the domain to the proxy block list.

Show Suggested Answer

Suggested Answer: C

Comprehensive and Detailed Explanation

The correct answer is Option C. The prompt specifies two critical, simultaneous requirements: immediate containment and preservation of forensic data.

Immediate Containment: The server is actively scanning the network, so it must be taken offline to prevent lateral movement and further compromise.

Forensic Preservation: The suspicion of persistence mechanisms means a full investigation is required. This investigation relies on volatile data (running processes, memory, active network connections) that must not be destroyed.

Option C is the only action that satisfies both requirements. Using a Google SecOps SOAR playbook to trigger the EDR integration's 'quarantine' action instructs the EDR agent on the server to block all its network connections. This immediately contains the threat. However, the server itself remains running, which preserves all volatile forensic data for the investigation.

Option B (reboot) is incorrect because it is an eradication step that would destroy all volatile forensic evidence. Options A and D are incomplete containment or investigation steps that do not fully isolate the compromised host.

Exact Extract from Google Security Operations Documents:

Incident Response and Containment: When a critical asset is compromised, the first priority is containment. Google SecOps SOAR playbooks integrate with Endpoint Detection and Response (EDR) tools to automate this step.

EDR Integration Actions: The most common containment action is 'Quarantine Host' or 'Isolate Asset.' This action instructs the EDR agent on the endpoint to block all network communications, effectively isolating it from the rest of the network. This step immediately stops the threat from spreading or communicating with a C2 server. A key benefit of this approach, as opposed to a shutdown or reboot, is that the host remains powered on, which preserves volatile memory and process data for forensic investigation.

Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Playbooks > Playbook Actions

Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations > (e.g., CrowdStrike, SentinelOne, Microsoft Defender)

by Jerlene at May 06, 2026, 03:55 PM

Limited Time Offer

25%

Off

Get Premium Professional Security Operations Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!