SOC 2 CC7.2 requires you to demonstrate that containment actions are both effective and traceable. Here's what worked for us during our Type II audit:
**1. Automated containment playbooks with immutable logs**
We use Runbook-as-Code (Python scripts in Git) for common containment actions: isolate network segment, revoke IAM credentials, quarantine container. Each playbook logs to a write-once S3 bucket with Object Lock. The auditor can see exactly which script ran, at what time, with what input parameters.
**2. Correlation between detection and containment timestamps**
The critical evidence is the delta between detection (SIEM alert) and first containment action. We track this in a dedicated dashboard. Our Type II auditor specifically asked: "Show me the median time from detection to containment for the last 6 months." Having that metric pre-computed saved us.
**3. Human approval gates with audit trail**
For actions that affect production (e.g., shutting down a customer-facing service), we require a Slack approval with timestamped confirmation. This satisfies the "human oversight" requirement that CC7.2 implies — automation executes, but humans authorize.
**What failed in our first audit attempt:**
We initially showed only the automated containment logs. The auditor pushed back: "I can see the script ran, but I can't see that the right script ran for this specific incident." We had to add incident-to-playbook mapping — each alert now carries an incident ID that threads through detection, containment, and resolution logs.
**Practical takeaway:** Build the incident ID as the primary key of your audit trail from day one. Retrofitting it later is painful.
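As an added illustration (not code from the original post), here is a minimal Runbook-as-Code skeleton in Python that threads one incident ID through the detection, approval and containment records and computes the detection-to-containment median the auditor asked for. The S3 Object Lock bucket is replaced by an in-memory write-once store, and the incident IDs, timestamps and playbook names are constructed sample values.

```python
import json
import statistics
from datetime import datetime

class WriteOnceLog:
    """Stand-in for the S3 Object Lock bucket (assumed, so this runs offline):
    each key is written once, so a replayed playbook cannot overwrite evidence."""
    def __init__(self):
        self._objects = {}
    def put(self, key, record):
        if key in self._objects:
            raise PermissionError(f"immutable object already exists: {key}")
        self._objects[key] = json.dumps(record, sort_keys=True)
    def records(self):
        return [json.loads(v) for v in self._objects.values()]

def log_event(log, incident_id, stage, ts, **detail):
    """Every record carries incident_id as its primary key; stage is detected/approved/contained."""
    key = f"{incident_id}/{stage}/{ts}"
    log.put(key, {"incident_id": incident_id, "stage": stage, "ts": ts, **detail})
    return key

def run_playbook(log, incident_id, playbook, params, ts, needs_approval):
    """Production-affecting playbooks need a prior approval record for this incident_id (real action omitted)."""
    if needs_approval and not any(r["incident_id"] == incident_id and r["stage"] == "approved"
                                  for r in log.records()):
        raise RuntimeError(f"{incident_id}: no approval record, refusing to run {playbook}")
    return log_event(log, incident_id, "contained", ts, playbook=playbook, params=params)

def median_detect_to_contain_minutes(log):
    """The metric the auditor asked for: first detection to first containment, per incident."""
    first = {}
    for r in log.records():
        if r["stage"] in ("detected", "contained"):
            t = datetime.fromisoformat(r["ts"])
            stamps = first.setdefault(r["incident_id"], {})
            stamps[r["stage"]] = min(t, stamps.get(r["stage"], t))
    deltas = [(s["contained"] - s["detected"]).total_seconds() / 60
              for s in first.values() if "detected" in s and "contained" in s]
    return statistics.median(deltas)

def demo():
    """Constructed sample incidents (not real data): one approval-gated, one not."""
    log = WriteOnceLog()
    log_event(log, "INC-1001", "detected", "2024-03-01T10:00:00+00:00", alert="siem-rule-42")
    log_event(log, "INC-1001", "approved", "2024-03-01T10:05:00+00:00", approver="oncall-a")
    run_playbook(log, "INC-1001", "isolate_segment", {"vlan": 120}, "2024-03-01T10:08:00+00:00", True)
    log_event(log, "INC-1002", "detected", "2024-03-02T14:00:00+00:00", alert="siem-rule-7")
    run_playbook(log, "INC-1002", "revoke_iam_credentials", {"user": "svc-build"}, "2024-03-02T14:20:00+00:00", False)
    return log
```

Because the object key is derived from incident ID, stage and timestamp, a re-run of the same playbook produces a second record rather than silently replacing the first, which is the property the write-once bucket gives the auditor.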