Comprehensive and Detailed Explanation
The correct answer is Option C. The prompt specifies two critical, simultaneous requirements: immediate containment and preservation of forensic data.
Immediate Containment: The server is actively scanning the network, so it must be taken offline to prevent lateral movement and further compromise.
Forensic Preservation: The suspicion of persistence mechanisms means a full investigation is required. This investigation relies on volatile data (running processes, memory, active network connections) that must not be destroyed.
Option C is the only action that satisfies both requirements. Using a Google SecOps SOAR playbook to trigger the EDR integration's "quarantine" action instructs the EDR agent on the server to block all its network connections. This immediately contains the threat. However, the server itself remains running, which preserves all volatile forensic data for the investigation.
Option B (reboot) is incorrect because it is an eradication step that would destroy all volatile forensic evidence. Options A and D are incomplete containment or investigation steps that do not fully isolate the compromised host.
Exact Extract from Google Security Operations Documents:
Incident Response and Containment: When a critical asset is compromised, the first priority is containment. Google SecOps SOAR playbooks integrate with Endpoint Detection and Response (EDR) tools to automate this step.
EDR Integration Actions: The most common containment action is "Quarantine Host" or "Isolate Asset." This action instructs the EDR agent on the endpoint to block all network communications, effectively isolating it from the rest of the network. This step immediately stops the threat from spreading or communicating with a C2 server. A key benefit of this approach, as opposed to a shutdown or reboot, is that the host remains powered on, which preserves volatile memory and process data for forensic investigation.
References:
- Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Playbooks > Playbook Actions
- Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations (e.g., CrowdStrike, SentinelOne, Microsoft Defender)