A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase (alert triage), and which give the analyst the clearest next triage step?
Trap 1: Disable the reporting user's account immediately
The reporter may not be compromised; disabling the account could be unnecessary.
Trap 2: Close all similar alerts as duplicates
Similarity does not prove benign status or complete containment.
Trap 3: Automatically delete all messages from the sender across all…
Deletion can be appropriate after validation, but automatic destructive action is risky at the first phase.
- A
Disable the reporting user's account immediately
Why wrong: The reporter may not be compromised; disabling the account could be unnecessary.
- B
Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
Why right: Early automation should gather context and evidence (URL reputation, sandbox verdicts, a count of how many mailboxes received the message) so the analyst can decide quickly, while disruptive actions such as deletion or account changes stay behind analyst confirmation.
- C
Close all similar alerts as duplicates
Why wrong: Similarity does not prove benign status or complete containment.
- D
Automatically delete all messages from the sender across all mailboxes
Why wrong: Deletion can be appropriate after validation, but automatic destructive action in the first phase is risky, and "all messages from the sender" is far broader than the message that was actually reported.
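The two-phase structure behind answer B, written out as an added example (not code from any SOAR product or from the original question). Phase 1 only enriches: it extracts and defangs URLs, hashes and "detonates" attachments, and counts matching mailboxes. Phase 2 deletes, but only for the reported Message-ID and only when a scoped analyst approval is present. The reported message, the mailbox store, the reputation table and the sandbox verdicts are all constructed stand-ins for the real mail platform, URL reputation service and sandbox.

```python
"""Two-phase phishing playbook: non-destructive enrichment first, scoped
destructive containment only behind an explicit analyst approval.
All data below is constructed for the example; none of it is real."""
import hashlib
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed: the user-reported message handed to the playbook.
REPORTED = {
    "message_id": "<c0ffee@mail.example>",
    "sender": "billing@invoice-portal.example",
    "subject": "Invoice 4471 overdue",
    "reporter": "alice@corp.example",
    "body": "Pay now at https://invoice-portal.example/pay?id=4471 or http://cdn.example/x",
    "attachments": [("invoice.pdf", b"%PDF-1.4 fake invoice body")],
}

# Constructed: a tiny mailbox index standing in for the mail platform's search API.
MAILBOX_STORE = [
    {"mailbox": "alice@corp.example", "sender": "billing@invoice-portal.example",
     "subject": "Invoice 4471 overdue", "message_id": "<c0ffee@mail.example>"},
    {"mailbox": "bob@corp.example", "sender": "billing@invoice-portal.example",
     "subject": "Invoice 4471 overdue", "message_id": "<c0ffee@mail.example>"},
    {"mailbox": "carol@corp.example", "sender": "billing@invoice-portal.example",
     "subject": "Re: lunch", "message_id": "<lunch@mail.example>"},
    {"mailbox": "dave@corp.example", "sender": "hr@corp.example",
     "subject": "Invoice 4471 overdue", "message_id": "<other@mail.example>"},
]

# Assumed verdict sources: a URL reputation lookup and a sandbox keyed by SHA-256.
URL_REPUTATION = {"invoice-portal.example": "malicious", "cdn.example": "unknown"}
SANDBOX_VERDICTS = {hashlib.sha256(b"%PDF-1.4 fake invoice body").hexdigest(): "benign"}


def defang(url):
    """Render a URL non-clickable for the analyst-facing summary."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def enrich_urls(body):
    """Phase 1: extract every URL, look up its host, never fetch it."""
    results = []
    for url in URL_RE.findall(body):
        host = url.split("/")[2].lower()
        results.append({"url": defang(url), "host": host,
                        "verdict": URL_REPUTATION.get(host, "unknown")})
    return results


def detonate_attachments(attachments):
    """Phase 1: hash each attachment and ask the (stub) sandbox for a verdict."""
    out = []
    for name, data in attachments:
        digest = hashlib.sha256(data).hexdigest()
        out.append({"name": name, "sha256": digest,
                    "verdict": SANDBOX_VERDICTS.get(digest, "pending")})
    return out


def mailbox_hit_count(store, sender, subject):
    """Phase 1: count only. Scoped to sender AND subject so the number reflects
    this campaign, not every mail the sender ever sent."""
    return sum(1 for m in store if m["sender"] == sender and m["subject"] == subject)


def triage(alert, store):
    """Phase 1 entry point: collect evidence and propose, but never take, a
    destructive action. The reporter's account is deliberately untouched."""
    urls = enrich_urls(alert["body"])
    atts = detonate_attachments(alert["attachments"])
    hits = mailbox_hit_count(store, alert["sender"], alert["subject"])
    malicious = [u for u in urls if u["verdict"] == "malicious"] + \
                [a for a in atts if a["verdict"] == "malicious"]
    if malicious:
        next_step = f"Confirm and approve scoped purge: {hits} mailbox(es) hold sender+subject match"
    elif any(a["verdict"] == "pending" for a in atts):
        next_step = "Await sandbox verdict before deciding"
    else:
        next_step = "No malicious indicator found; close as benign after review"
    return {"urls": urls, "attachments": atts, "mailbox_hits": hits,
            "next_step": next_step, "destructive_actions_taken": 0}


class ApprovalRequired(Exception):
    """Raised when phase 2 is invoked without a matching analyst approval."""


def contain(alert, approval, store):
    """Phase 2: remove only copies of the reported Message-ID, and only with an
    approval that names an analyst and that exact Message-ID. Returns the
    remaining store and the mailboxes cleaned; the input store is not mutated."""
    if (not approval or not approval.get("analyst")
            or approval.get("message_id") != alert["message_id"]):
        raise ApprovalRequired("scoped approval for this Message-ID required before deletion")
    removed = [m["mailbox"] for m in store if m["message_id"] == alert["message_id"]]
    remaining = [m for m in store if m["message_id"] != alert["message_id"]]
    return remaining, removed


if __name__ == "__main__":
    summary = triage(REPORTED, MAILBOX_STORE)
    print(summary["next_step"])
    left, cleaned = contain(REPORTED, {"analyst": "sec-oncall",
                                       "message_id": REPORTED["message_id"]}, MAILBOX_STORE)
    print("purged from:", cleaned)
```

The point of the split is that `triage` can run unattended on every report because nothing in it can harm a user or a mailbox, while `contain` refuses to run at all unless the approval is tied to the specific Message-ID, which is what keeps option D's "all messages from the sender" out of reach even after confirmation.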