You are implementing Google Security Operations (SecOps) at your organization. You discover that the current detection rules are too noisy. Due to the high volume of alerts, some true positives might be missed. You want to ingest additional context sources to reduce false positives in your security detections and to improve the overall positive ratio of the alerts. What should you do?
A. Ingest high-value asset (HVA) data from your configuration management database (CMDB) system to increase the priority of the alerts based on the sensitivity of the assets found in the detection rules.
B. Ingest dark web forum handlers from your threat intelligence system to match dark web principals within the detection rules.
C. Ingest IOCs from your threat intelligence system to validate the IP addresses, domains and hashes with the detection rules.
D. Ingest tactics, techniques, and procedures (TTPs) from your threat intelligence system to validate the processes and tools with the detection rules.

You are responsible for identifying suspicious activity and security events at your organization. You have been asked to search in Google Security Operations (SecOps) for network traffic associated with an active HTTP backdoor that runs on TCP port 5555. You want to use the most effective approach to identify traffic originating from the server that is running the backdoor. What should you do?
A. Detect on events where network.ApplicationProtocol is HTTP.
B. Detect on events where target.port is 5555.
C. Detect on events where principal.port is 5555.
D. Detect on events where network.ip_protocol is TCP.

You are an incident responder at your organization using Google Security Operations (SecOps) for monitoring and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?
A. Use the firewall integration to submit the IP address to a network block list to inhibit internet access from that machine.
B. Deploy emergency patches, and reboot the server to remove malicious persistence.
C. Use the EDR integration to quarantine the compromised asset.
D. Use VirusTotal to enrich the IP address and retrieve the domain. Add the domain to the proxy block list.

Your organization's Google Security Operations (SecOps) tenant is ingesting a vendor's firewall logs in its default JSON format using the Google-provided parser for that log. The vendor recently released a patch that introduces a new field and renames an existing field in the logs. The parser does not recognize these two fields, and they remain available only in the raw logs, while the rest of the log is parsed normally. You need to resolve this logging issue as soon as possible while minimizing the overall change management impact. What should you do?
A. Write a code snippet, and deploy it in a parser extension to map both fields to UDM.
B. Use the web interface-based custom parser feature in Google SecOps to copy the parser, and modify it to map both fields to UDM.
C. Deploy a third-party data pipeline management tool to ingest the logs, and transform the updated fields into fields supported by the default parser.
D. Use the Extract Additional Fields tool in Google SecOps to convert the raw log entries to additional fields.

You work for a telecommunications company that wants to monitor their multi-region 5G network logs in Google Security Operations (SecOps). The logs are currently only available on-premises and are stored in a standalone network-attached storage (NAS) located in four different regions. You need to ingest the logs into Google SecOps and tag each NAS as a specific log source to avoid IP address aliasing. What should you do?
A. Configure feed management to pull data from each log's location, and configure a namespace for each log source.
B. Configure feed management to pull data from each log's location, and configure an ingestion label for each log source.
C. Configure a Bindplane agent that collects Syslog from each log's location, and configure a namespace for each log source.
D. Configure a Bindplane agent that collects Syslog from each log's location, and configure an ingestion label for each log source.

Your company uses Security Command Center (SCC) and Google Security Operations (SecOps). Last week, an attacker attempted to establish persistence by generating a key for an unused service account. You need to confirm that you are receiving alerts when keys are created for unused service accounts and that newly created keys are automatically deleted. You want to minimize the amount of manual effort required. What should you do?
A. Generate a YARA-L rule in Google SecOps that detects when a service account key is created. Using the built-in IDE, create a custom action in Google SecOps SOAR that deletes the service account key.
B. Use the Initial Access: Dormant Service Account Key Created finding from SCC, and ingest this finding into Google SecOps. Create a custom action in Google SecOps SOAR that is triggered on this finding. Use the built-in IDE to build code to delete the service account key.
C. Configure a Cloud Logging sink to write logs to a Pub/Sub topic that filters for the methodName: "google.iam.admin.v1.CreateServiceAccountKey" field. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.
D. Use the Initial Access: Dormant Service Account Key Created finding from SCC, and write this finding to a Pub/Sub topic. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.

You work for an organization that uses Security Command Center (SCC) with Event Threat Detection (ETD) enabled. You need to enable ETD detections for data exfiltration attempts from designated sensitive Cloud Storage buckets and BigQuery datasets. You want to minimize Cloud Logging costs. What should you do?
A. Enable "data read" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.
B. Enable "data read" and "data write" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.
C. Enable "data read" and "data write" audit logs for all Cloud Storage buckets and BigQuery datasets throughout the organization.
D. Enable VPC Flow Logs for the VPC networks containing resources that access the sensitive Cloud Storage buckets and BigQuery datasets.

You are a security engineer at a managed security service provider (MSSP) that is onboarding to Google Security Operations (SecOps). You need to ensure that cases for each customer are logically separated. How should you configure this logical separation?
A. In Google SecOps SOAR settings, create a new environment for each customer.
B. In Google SecOps SOAR settings, create a role for each customer.
C. In Google SecOps SOAR settings, create a permissions group for each customer.
D. In Google SecOps Playbooks, create a playbook for each customer.

Your organization has mission-critical production Compute Engine VMs that you monitor daily. While performing a UDM search in Google Security Operations (SecOps), you discover several outbound network connections from one of the production VMs to an unfamiliar external IP address occurring over the last 48 hours. You need to use Google SecOps to quickly gather more context and assess the reputation of the external IP address. What should you do?
A. Examine the Google SecOps Asset view details for the production VM.
B. Create a new detection rule to alert on future traffic from the external IP address.
C. Search for the external IP address in the Alerts & IOCs page in Google SecOps.
D. Perform a UDM search to identify the specific user account that was logged into the production VM when the connections occurred.

You are a platform engineer at an organization that is migrating from a third-party SIEM product to Google Security Operations (SecOps). You previously manually exported context data from Active Directory (AD) and imported the data into your previous SIEM as a watchlist when there were changes in AD's user/asset context data. You want to improve this process using Google SecOps. What should you do?
A. Configure a Google SecOps SOAR integration for AD to enrich user/asset information in your security alerts.
B. Create a reference list that contains the AD context data. Use the reference list in your YARA-L rule to find user/asset information for each security event.
C. Create a data table that contains AD context data. Use the data table in your YARA-L rule to find user/asset data that can be correlated within each security event.
D. Ingest AD organizational context data as user/asset context to enrich user/asset information in your security events.

Your organization is a Google Security Operations (SecOps) customer and monitors critical assets using a SIEM dashboard. You need to dynamically monitor the assets based on a specific asset tag. What should you do?
A. Ask Cloud Customer Care to add a custom filter to the dashboard.
B. Add a custom filter to the dashboard.
C. Copy an existing dashboard and add a custom filter.
D. Export the dashboard configuration to a file, modify the file to add a custom filter, and import the file into Google SecOps.

You have discovered that a server that hosts an internal web application has been accidentally exposed to the internet for 48 hours. Logging is enabled on the server. You want to use Google Security Operations (SecOps) to run a UDM search against the server logs to identify whether there have been any successful exploitations against it. What event field search should you use?
A. Perform a search for antimalware or endpoint security events by using the product_event_type UDM field.
B. Perform a search for sign-on activity for user accounts that are not expected on the server by using the principal.user.userid UDM field.
C. Perform a search for network traffic where the principal is rarely seen by using the principal.ip UDM field.
D. Perform a search for process launches and commands that are rarely seen by using the metadata.event_type UDM field.

You are the SOC manager at a large enterprise that uses Google Security Operations (SecOps). You need to create a report that shows the Return on Investment (ROI) attributed to analyst activities in Google SecOps SOAR for the previous month. The report should include the time saved and efficiency gains from using SOAR's features. You need to generate this report using the most efficient and accurate approach while providing the required level of detail. What should you do?
A. Create a custom Google SecOps SOAR search query that filters for all cases handled by specific analysts in the last month. Export the results to a spreadsheet for analysis and ROI calculation.
B. Use the ROI - Analysts Benchmark report in SOAR Reports. Configure the report to display data for the desired time period, and filter by individual analysts.
C. Use the filters and visualizations in the Management - SOC Status report in SOAR Reports to extract case-specific performance data.
D. Develop a Google SecOps SOAR playbook that automatically aggregates analyst performance metrics, incorporates custom weighted factors for different case types, calculates ROI based on predefined formulas, and generates a PDF report on a monthly schedule.

Your organization has recently onboarded to Google Cloud with Security Command Center Enterprise (SCCE) and is now integrating it with your organization's SOC. You want to automate the response process and integrate with the existing SOC ticketing system. How should you implement this functionality?
A. Evaluate each event within the SCC console. Create a ticket for each finding in the ticketing system, and include the remediation steps.
B. Use the SCC notifications feed to send alerts to Pub/Sub. Ingest these feeds using the relevant SIEM connector.
C. Configure the SCC notifications feed to use Pub/Sub for alerts. Create a Cloud Run function to trigger when an event arrives in the topic and generate a ticket by calling the API endpoint in the SOC ticketing system.
D. Disable the generic posture finding playbook in Google Security Operations (SecOps) SOAR and enable the playbook for the ticketing system. Add a step in your Google SecOps SOAR playbook to generate a ticket based on the event type.

Your organization recently acquired a Google Security Operations (SecOps) Enterprise Plus license. Your organization is already ingesting Cloud Audit Logs, firewall logs, proxy logs and endpoint logs, but there are no threat intelligence feeds being ingested into your Google SecOps environment. You need to design and deploy a solution that alerts your team quickly if an IOC of an active breach is observed in your environment. What should you do?
A. Write, enable, and configure alerting on a custom multi-event rule.
B. Write, enable, and configure alerting on a custom single-event rule.
C. Enable and configure alerting for relevant curated detection rule sets.
D. Create and schedule a dashboard to send periodic summaries of the active breach IOCs and their associated events.

You work for a large international company that has several Compute Engine instances running in production. You need to configure monitoring and alerting for Compute Engine instances tagged with compliance=pci that have an external IP address assigned. What should you do?
A. Create a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance=pci tag is assigned an external IP address.
B. Deploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance=pci tag from creating Compute Engine instances with external IP addresses.
C. Create a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and search for the compliance=pci tag.
D. Use the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance=pci tag exists on the instances.

You are reviewing the security analyst team's playbook action process. Currently, security analysts navigate to the Playbooks tab in Google Security Operations (SecOps) for each alert and manually run steps assigned to a user. You need to present all actions from alerts awaiting user input in one location for the analyst to execute. What should you do?
A. Enable approval links in the manual action and display them as clickable links to the user in an HTML widget in the Default Case View tab.
B. Add a general insight in your playbook to display manual action details to the user.
C. Use the Pending Actions widget in the Default Case View in settings.
D. Create an Alert View with the playbook that incorporates the Pending Actions widget.

Your organization uses Google Security Operations (SecOps) for security analysis and investigation. Your organization has decided that all security cases related to Data Loss Prevention (DLP) events must be categorized with a defined root cause specific to one of five DLP event types when the case is closed in Google SecOps. How should you achieve this?
A. Customize the Close Case dialog and add the five DLP event types as root cause options.
B. Customize the Case Name format to include the DLP event type.
C. Create a Google SecOps SOAR playbook that automatically assigns case tags where each tag contains the unique definition of one of the five DLP event types.
D. Create case tags in Google SecOps SOAR where each tag contains a unique definition of each of the five DLP event types, and have analysts assign them to cases manually.

You are creating a playbook for the SOC. The SOC requires that each Google Security Operations (SecOps) role sees different information for the alert that the playbook runs on. You need to ensure that the playbook presents the relevant information for each Google SecOps role. What should you do?
A. Add a view to the playbook for each Google SecOps role.
B. Add the Case Comment action to the playbook for each Google SecOps role.
C. Add the Create Siemplify Task action to the playbook to assign a task to each Google SecOps role.
D. Add the Add General Insight action to the playbook for each Google SecOps role.

You are writing a detection rule in Google Security Operations (SecOps) SIEM that sends a risk score to the alert. You have access to Google Threat Intelligence (GTI) data through your Google SecOps subscription. You need to ensure that the threat score output in the detection logic informs the alert's risk score and is available for future detections. What should you do?
A. Use the outcomes section of your detection logic to pull UDM enrichment fields from the event data. Apply logic to determine the total risk outcome, and store the risk score as the risk_score variable.
B. Use the match section of your detection logic to filter out irrelevant entities. Store the remaining entities as the risk_score variable.
C. Configure a feed in Google SecOps SIEM to ingest GTI data to automatically enrich the appropriate entities.
D. Create a Google SecOps SOAR playbook to query GTI that uses the VirusTotal integration to enrich the alert. Modify the risk_score context value to match.

You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?
A. Configure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.
B. Write a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.
C. Configure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.
D. Create a Google SecOps SOAR dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.

Your organization is conducting a penetration test. The CISO has asked you to implement a real-time method to track cases that originate from the penetration test, and clearly differentiate these cases from other security incidents. You need to recommend the most effective and efficient approach to achieve this goal in Google Security Operations (SecOps). What should you do?
A. Implement case tagging within Google SecOps and apply a unique tag (e.g., PenTest) to all cases related to the penetration test entities. Use this tag for filtering and monitoring.
B. Create a dashboard that is connected to the Google SecOps data lake. Use pre-built templates to visualize case status based on the penetration testing IP address range.
C. Create a custom Google SecOps SOAR playbook that automatically extracts case metadata, including key findings and risk scores, and sends an email summary to the CISO.
D. Configure a custom alert rule that triggers a high-severity alert for all activity originating from the penetration testing team's source IP addresses and sends a notification for potential critical vulnerabilities. Verify that these alerts are immediately visible in the alert queue.

You are conducting a proactive threat hunt in Google Security Operations (SecOps). You observe multiple login events with the same principal.user.userid field that originate from different countries within a short time window. You need to validate whether the account has been compromised. What should you do?
A. Use the entity graph to correlate the user's risk score with linked assets, and review any active alerts.
B. Perform a YARA-L 2.0 search for login events and their associated principal.location.country field. Use an outcome field to aggregate the number of failed logins.
C. Perform a UDM search for login events, and pivot to group results by user and country of origin.
D. Run a YARA-L retrohunt rule that detects users who are logging in from multiple regions using multiple entity contexts.

Your company has deployed two on-premises firewalls. You need to configure the firewalls to send logs to Google Security Operations (SecOps) using Syslog. What should you do?
A. Pull the firewall logs by using a Google SecOps feed integration.
B. Set the Google SecOps URL instance as the Syslog destination.
C. Deploy a third-party agent (e.g., Bindplane, NXLog) on your on-premises environment, and set the agent as the Syslog destination.
D. Deploy a Google Ops Agent on your on-premises environment, and set the agent as the Syslog destination.

You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?
A. Configure the rule to detect outbound network connections to the external IP address. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.
B. Configure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP address. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.
C. Configure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.
D. Configure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated reference list of all APT41-related IP addresses.