Google Professional Security Operations Engineer Exam - Topic 4 Question 12 Discussion

Actual exam question for Google's Professional Security Operations Engineer exam

Question #: 12
Topic #: 4

[All Professional Security Operations Engineer Questions]

Your organization has recently onboarded to Google Cloud with Security Command Center Enterprise (SCCE) and is now integrating it with your organization's SOC. You want to automate the response process within SCCE and integrate with the existing SOC ticketing system. You want to use the most efficient solution. How should you implement this functionality?

AUse the SCC notifications feed to send alerts to Pub/Sub. Ingest these feeds using the relevant SIEM connector.

BEvaluate each event within the SCC console. Create a ticket for each finding in the ticketing system, and include the remediation steps.

CDisable the generic posture finding playbook in Google Security Operations (SecOps) SOAR and enable the playbook for the ticketing system. Add a step in your Google SecOps SOAR playbook to generate a ticket based on the event type.

DConfigure the SCC notifications feed to send alerts to a Cloud Storage bucket. Create a Dataflow job to read the new files, extract the relevant information, and send the information to the SOC ticketing system.

Show Suggested Answer

Suggested Answer: C

Comprehensive and Detailed Explanation

The correct answer is Option C. The prompt asks for the most efficient and automated solution for handling SCCE findings and integrating with a ticketing system. This is the primary use case for Google Security Operations SOAR.

The native workflow is as follows:

SCCE detects a finding.

The finding is automatically ingested into Google SecOps SIEM, which creates an alert.

The alert is automatically sent to SecOps SOAR, which creates a case.

The SOAR case automatically triggers a playbook.

Option C describes this process perfectly. An administrator would disable the default playbook and enable a specific playbook that uses a pre-built integration (from the Marketplace) for the organization's ticketing system (e.g., ServiceNow, Jira). This playbook would contain an automated step to generate a ticket, thus fulfilling the requirement efficiently.

Option B is a manual process. Options A and D describe complex, custom-built data engineering pipelines, which are far less efficient than using the built-in SOAR capabilities.

Exact Extract from Google Security Operations Documents:

SOAR Playbooks and Integrations: Google SecOps SOAR is designed to automate and orchestrate responses to alerts. When an alert from a source like Security Command Center (SCC) is ingested and creates a case, it can be configured to automatically trigger a playbook.

Ticketing Integration: A common playbook use case is integration with an external ticketing system. Using a pre-built integration from the SOAR Marketplace, an administrator can add a step to the playbook (e.g., Create Ticket). This action will automatically generate a ticket in the external system and populate it with details from the alert, such as the finding, the affected resources, and the recommended remediation steps. This provides a seamless, automated workflow from detection to ticketing.

Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Use cases > Case Management

Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations

by Josephine at Apr 08, 2026, 07:39 AM

Limited Time Offer

25%

Off

Get Premium Professional Security Operations Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Jonelle

3 days ago

I remember we discussed using Pub/Sub for alerting in one of our practice sessions. It seems like option A could be the most efficient way to automate responses.

upvoted 0 times

...