You are implementing Google Security Operations (SecOps) at your organization. You discover that the current detection rules are too noisy. Due to the high volume of alerts, some true positives might be missed. You want to ingest additional context sources to reduce false positives in your security detections and to improve the overall positive ratio of the alerts. What should you do?
AIngest high-value asset (HVA) data from your configuration management database (CMDB) system to increase the priority of the alerts based on the sensitivity of the assets found in the detection rules.
BIngest dark web forum handlers from your threat intelligence system to match dark web principals within the detection rules.
CIngest IOCs from your threat intelligence system to validate the IP addresses, domains and hashes with the detection rules.
DIngest tactics, techniques, and procedures (TTPs) from your threat intelligence system to validate the processes and tools with the detection rules.
You are responsible for identifying suspicious activity and security events at your organization. You have been asked to search in Google Security Operations (SecOps) for network traffic associated with an active HTTP backdoor that runs on TCP port 5555. You want to use the most effective approach to identify traffic originating from the server that is running the backdoor. What should you do?
ADetect on events where network.ApplicationProtocol is HTTP.
BDetect on events where target.port is 5555.
CDetect on events where principal.port is 5555.
DDetect on events where network.ip_protocol is TCP.
You are an incident responder at your organization using Google Security Operations (SecOps) for monitonng and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?
AUse the firewall integration to submit the IP address to a network block list to inhibit internet access from that machine.
BDeploy emergency patches, and reboot the server to remove malicious persistence.
CUse the EDR integration to quarantine the compromised asset.
DUse VirusTotal to enrich the IP address and retrieve the domain. Add the domain to the proxy block list.
Your organization's Google Security Operations (SecOps) tenant is ingesting a vendor's firewall logs in its default JSON format using the Google-provided parser for that log. The vendor recently released a patch that introduces a new field and renames an existing field in the logs. The parser does not recognize these two fields and they remain available only in the raw logs, while the rest of the log is parsed normally. You need to resolve this logging issue as soon as possible while minimizing the overall change management impact. What should you do?
AWrite a code snippet, and deploy it in a parser extension to map both fields to UDM.
BUse the web interface-based custom parser feature in Google SecOps to copy the parser, and modify it to map both fields to UDM.
CDeploy a third-party data pipeline management tool to ingest the logs, and transform the updated fields into fields supported by the default parser.
DUse the Extract Additional Fields tool in Google SecOps to convert the raw log entries to additional fields.
You work for a telecommunications company that wants to monitor their multi-region 5G network logs in Google Security Operations (SecOps). The logs are currently only available on-premises and are stored in a standalone network-attached storage (NAS) located in four different regions. You need to ingest the logs into Google SecOps and tag each NAS as a specific log source to avoid IP address aliasing. What should you do?
AConfigure feed management to pull data from each log's location, and configure a namespace for each log source.
BConfigure feed management to pull data from each log's location, and configure an ingestion label for each log source.
CConfigure a Bindplane agent that collects Syslog from each log's location, and configure a namespace for each log source.
DConfigure a Bindplane agent that collects Syslog from each log's location and configure an ingestion label for each log source.
Question 6
Incident response
0
Question 7
Platform operations
Question 8
Data management
Question 9
Threat hunting
Question 10
Data management
Question 11
Platform operations
Question 12
Threat hunting
Question 13
Observability
Question 14
Incident response
Question 15
Detection engineering
Question 16
Observability
Question 17
Incident response
Question 18
Incident response
Question 19
Platform operations
Question 20
Detection engineering
Question 21
Incident response
Question 22
Incident response
Question 23
Threat hunting
Question 24
Platform operations
Question 25
Detection engineering
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Your company uses Security Command Center (SCC) and Google Security Operations (SecOps). Last week, an attacker attempted to establish persistence by generating a key for an unused service account. You need to confirm that you are receiving alerts when keys are created for unused service accounts and that newly created keys are automatically deleted. You want to minimize the amount of manual effort required. What should you do?
AGenerate a YARA-L rule in Google SecOps that detects when a service account key is created. Using the built-in IDE, create a custom action in Google SecOps SOAR that deletes the service account key.
BUse the Initial Access: Dormant Service Account Key Created finding from SCC, and ingest this finding into Google SecOps. Create a custom action in Google SecOps SOAR that is triggered on this finding. Use the built-in IDE to build code to delete the service account key.
CConfigure a Cloud Logging sink to write logs to a Pub/Sub topic that filters for the methodName: "google.iam.admin.v1.CreateServiceAccountKey" field. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.
DUse the Initial Access: Dormant Service Account Key Created finding from SCC, and write this finding to a Pub/Sub topic. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.
You work for an organization that uses Security Command Center (SCC) with Event Threat Detection (ETD) enabled. You need to enable ETD detections for data exfiltration attempts from designated sensitive Cloud Storage buckets and BigQuery datasets. You want to minimize Cloud Logging costs. What should you do?
AEnable "data read" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.
BEnable "data read" and "data write" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.
CEnable "data read" and "data write" audit logs for all Cloud Storage buckets and BigQuery datasets throughout the organization.
DEnable VPC Flow Logs for the VPC networks containing resources that access the sensitive Cloud Storage buckets and BigQuery datasets.
You are a security engineer at a managed security service provider (MSSP) that is onboarding to Google Security Operations (SecOps). You need to ensure that cases for each customer are logically separated. How should you configure this logical separation?
AIn Google SecOps SOAR settings, create a new environment for each customer.
BIn Google SecOps SOAR settings, create a role for each customer.
CIn Google SecOps SOAR settings, create a permissions group for each customer.
DIn Google SecOps Playbooks, create a playbook for each customer.
Your organization has mission-critical production Compute Engine VMS that you monitor daily. While performing a UDM search in Google Security Operations (SecOps), you discover several outbound network connections from one of the production VMs to an unfamiliar external IP address occurring over the last 48 hours. You need to use Google SecOps to quickly gather more context and assess the reputation of the external IP address. What should you do?
AExamine the Google SecOps Asset view details for the production VM.
BCreate a new detection rule to alert on future traffic from the external IP address.
CSearch for the external IP address in the Alerts & IOCs page in Google SecOps.
DPerform a UDM search to identify the specific user account that was logged into the production VM when the connections occurred.
You are a platform engineer at an organization that is migrating from a third-party SIEM product to Google Security Operations (SecOps). You previously manually exported context data from Active Directory (AD) and imported the data into your previous SIEM as a watchlist when there were changes in AD's user/asset context data. You want to improve this process using Google SecOps. What should you do?
AConfigure a Google SecOps SOAR integration for AD to enrich user/asset information in your security alerts.
BCreate a reference list that contains the AD context data. Use the reference list in your YARA-L rule to find user/asset information for each security event.
CCreate a data table that contains AD context data. Use the data table in your YARA-L rule to find user/asset data that can be correlated within each security event.
DIngest AD organizational context data as user/asset context to enrich user/asset information in your security events.
Your organization is a Google Security Operations (SecOps) customer and monitors critical assets using a SIEM dashboard. You need to dynamically monitor the assets based on a specific asset tag. What should you do?
AAsk Cloud Customer Care to add a custom filter to the dashboard.
BAdd a custom filter to the dashboard.
CCopy an existing dashboard and add a custom filter.
DExport the dashboard configuration to a file, modify the file to add a custom filter, and import the file into Google SecOps.
You have discovered that a server that hosts an internal web application has been accidentally exposed to the internet for 48 hours. Logging is enabled on the server. You want to use Google Security Operations (SecOps) to run a UDM search against the server logs to identify whether there have been any successful exploitations against it. What event field search should you use?
APerform a search for antimalware or endpoint security events by using the product_event_type UDM field.
BPerform a search for sign-on activity for user accounts that are not expected on the server by using the principal.user.userid UDM field.
CPerform a search for network traffic where the principal is rarely seen by using the principal.ip UDM field.
DPerform a search for process launches and commands that are rarely seen by using the metadata.event_type UDM field.
You are the SOC manager at a large enterprise that uses Google Security Operations (SecOps). You need to create a report that shows the Return on Investment (ROI) attributed to analyst activities in Google SecOps SOAR for the previous month. The report should include the time saved and efficiency gains from using SOAR's features. You need to generate this report using the most efficient and accurate approach while providing the required level of detail. What should you do?
ACreate a custom Google SecOps SOAR search query that filters for all cases handled by specific analysts in the last month. Export the results to a spreadsheet for analysis and ROI calculation.
BUse the ROI - Analysts Benchmark report in SOAR Reports. Configure the report to display data for the desired time period, and filter by individual analysts.
CUse the filters and visualizations in the Management - SOC Status report in SOAR Reports to extract case-specific performance data.
DDevelop a Google SecOps SOAR playbook that automatically aggregates analyst performance metrics, incorporates custom weighted factors for different case types, calculates ROI based on predefined formulas, and generates a PDF report on a monthly schedule.
Your organization has recently onboarded to Google Cloud with Security Command Center Enterprise (SCCE) and is now integrating it with your organization's SOC. You want to automate the response process and integrate with the existing SOW ticketing system. How should you implement this functionality?
AEvaluate each event within the SCC console. Create a ticket for each finding in the ticketing system, and include the remediation steps.
BUse the SCC notifications feed to send alerts to Pub/Sub. Ingest these feeds using the relevant SIEM connector.
CConfigure the SCC notifications feed to use Pub/Sub for alerts. Create a Cloud Run function to trigger when an event arrives in the topic and generate a ticket by calling the API endpoint in the SOC ticketing system.
DDisable the generic posture finding playbook in Google Security Operations (SecOps) SOAR and enable the playbook for the ticketing system. Add a step in your Google SecOps SOAR playbook to generate a ticket based on the event type.
Your organization recently acquired a Google Security Operations (SecOps) Enterprise Plus license. Your organization is already ingesting Cloud Audit Logs, firewall logs, proxy logs and endpoint logs, but there are no threat intelligence feeds being ingested into your Google SecOps environment. You need to design and deploy a solution that alerts your team quickly if an IOC of an active breach is observed in your environment. What should you do?
AWrite, enable, and configure alerting on a custom multi-event rule.
BWrite, enable, and configure alerting on a custom single-event rule.
CEnable and configure alerting for relevant curated detection rule sets.
DCreate and schedule a dashboard to send periodic summaries of the active breach IOCs and their associated events.
You work for a large international company that has several Compute Engine instances running in production. You need to configure monitoring and alerting for Compute Engine instances tagged with compliance=pci that have an external IP address assigned. What should you do?
ACreate a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance=pci tag is assigned an external IP address.
BDeploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance=pci tag from creating Compute Engine instances with external IP addresses.
CCreate a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and Search for the compliance=pci tag.
DUse the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance=pci tag exists on the instances.
You are reviewing the security analyst team's playbook action process. Currently, security analysts navigate to the Playbooks tab in Google Security Operations (SecOps) for each alert and manually run steps assigned to a user. You need to present all actions from alerts awaiting user input in one location for the analyst to execute. What should you do?
AEnable approval links in the manual action and display them as clickable links to the user in a HTML widget in the Default Case View tab.
BAdd a general insight in your playbook to display manual action details to the user.
CUse the Pending Actions widget in the Default Case View in settings.
DCreate an Alert View with the playbook that incorporates the Pending Actions widget.
Your organization uses Google Security Operations (SecOps) for security analysis and investigation. Your organization has decided that all security cases related to Data Loss Prevention (DLP) events must be categorized with a defined root cause specific to one of five DLP event types when the case is closed in Google SecOps. How should you achieve this?
ACustomize the Close Case dialog and add the five DLP event types as root cause options.
BCustomize the Case Name format to include the DLP event type.
CCreate a Google SecOps SOAR playbook that automatically assigns case tags where each tag contains the unique definition of one of the five DLP event types.
DCreate case tags in Google SecOps SOAR where each tag contains a unique definition of each of the five DLP event types, and have analysts assign them to cases manually.
You are creating a playbook for the SOC. The SOC requires that each Google Security Operations (SecOps) role sees different information for the alert that the playbook runs on. You need to ensure that the playbook presents the relevant information for each Google SecOps role. What should you do?
AAdd a view to the playbook for each Google SecOps role.
BAdd the Case Comment action to the playbook for each Google SecOps role.
CAdd the Create Siemplify Task action to the playbook to assign a task to each Google SecOps role.
DAdd the Add General insight action to the playbook for each Google SecOps role.
You are writing a detection rule in Google Security Operations (SecOps) SIEM that sends a risk score to the alert. You have access to Google Threat Intelligence (GTI) data through your Google SecOps subscription. You need to ensure that the threat score output in the detection logic informs the alert's risk score and is available for future detections. What should you do?
AUse the outcomes section of your detection logic to pull UDM enrichment fields from the event data. Apply logic to determine the total risk outcome, and store the risk score as the risk_score variable
BUse the match section of your detection logic to filter out irrelevant entities. Store the remaining entities as the risk_score variable.
CConfigure a feed in Google SecOps SIEM to ingest GTI data to automatically enrich the appropriate entities.
DCreate a Google SecOps SOAR playbook to query GTI that uses the VirusTotal integration to enrich the alert. Modify the risk_score context value to match.
You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?
AConfigure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.
BWrite a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.
CConfigure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.
DCreate a Google SecOps SOAR dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.
Your organization is conducting a penetration test. The CISO has asked you to implement a real-time method to track cases that originate from the penetration test, and clearly differentiate these cases from other security incidents. You need to recommend the most effective and efficient approach to achieve this goal in Google Security Operations (SecOps). What should you do?
AImplement case tagging within Google SecOps and apply a unique tag (e.g., PenTest) to all cases related to the penetration test entities. Use this tag for filtering and monitoring.
BCreate a dashboard that is connected to the Google SecOps data lake. Use pre-built templates to visualize case status based on the penetration testing IP address range.
CCreate a custom Google SecOps SOAR playbook that automatically extracts case metadata, including key findings and risk scores, and sends an email summary to the CISO.
DConfigure a custom alert rule that triggers a high-severity alert for all activity originating from the penetration testing team's source IP addresses and sends a notification for potential critical vulnerabilities. Verify that these alerts are immediately visible in the alert queue.
You are conducting a proactive threat hunt in Google Security Operations (SecOps). You observe multiple login events with the same principal.user.userid field that originate from different countries within a short time window. You need to validate whether the account has been compromised. What should you do?
AUse the entity graph to correlate the user's risk score with linked assets, and review any active alerts.
BPerform a YARA-L 2.0 search for login events and their associated principal.location.country field. Use an outcome field to aggregate the number of failed logins.
CPerform a UDM search for login events, and pivot to group results by user and country of origin.
DRun a YARA-L retrohunt rule that detects users who are logging in from multiple regions using multiple entity contexts.
Your company has deployed two on-premises firewalls. You need to configure the firewalls to send logs to Google Security Operations (SecOps) using Syslog. What should you do?
APull the firewall logs by using a Google SecOps feed integration.
BSet the Google SecOps URL instance as the Syslog destination.
CDeploy a third-party agent (e.g Bindplane, NXLog) on your on-premises environment, and set the agent as the Syslog destination.
DDeploy a Google Ops Agent on your on-premises environment, and set the agent as the Syslog destination.
You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?
AConfigure the rule to detect outbound network connections to the external IP address. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.
BConfigure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP address. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.
CConfigure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.
DConfigure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated reference list of all APT41-related IP addresses.
