Which strategy automatically remediates dormant service account keys when a finding is ingested into SecOps?

Multiple Choice

Which strategy automatically remediates dormant service account keys when a finding is ingested into SecOps?

Explanation:
Remediation should be driven by the finding as soon as it’s ingested, using an event-driven workflow that automatically carries the action through without manual steps. Security Command Center can emit a finding about a dormant service account key, and that finding should flow into a message bus (Pub/Sub). A Cloud Run service subscribed to that topic can receive the finding payload and perform the deletion of the specific dormant key via the appropriate Cloud IAM API, with logging for auditing. This end-to-end automation is scalable, auditable, and tightly coupled to the ingestion event, ensuring immediate remediation as soon as the finding appears in SecOps.

The other approaches don’t provide the same seamless, event-driven linkage. A YARA-L based rule plus SOAR action isn’t a native, streamlined path from SecOps findings to automated cloud remediation and adds extra tooling and potential delays. Triggering a SOAR action directly from ingestion can work, but it relies on another system’s integration and timing, which may not be as reliable or scalable. Using only a Cloud Logging sink and a Cloud Run function lacks the direct, event-driven connection from the SecOps finding to remediation, making it harder to guarantee automatic execution right when the finding is ingested.
