Your organization requires the SOC director to be notified by email of escalated incidents and their results before a case is closed. You need to create a process that automatically sends the email when an escalated case is closed. You need to ensure the email is reliably sent for the appropriate cases. What process should you use?

D. Create a playbook block that includes a condition to identify cases that have been escalated. The two resulting branches either close the alert and email the notes to the director, or close the alert without sending an email.

A. Use the Close Case button in the UI to close the case. If the case is marked as an incident, export the case from the UI and email it to the director.

B. Write a job to check closed cases for incident escalation status, pull the case status details if a case has been escalated, and send an email to the director.

C. Navigate to the Alert Overview tab to close the Alert. Run a manual action to gather the case details. If the case was escalated, email the notes to the director Use the Close Case action in the UI to close the case.

You are a security analyst at an organization that uses Google Security Operations (SecOps). You have identified a new IP address that is known to be used by a malicious threat actor to launch network attacks. You need to search for this IP address in Google SecOps using all normalized logs to determine whether any malicious activity has occurred. You want to use the most effective approach. What should you do?

D. Write UDM searches using YARA-L 2.0 syntax to find events where the IP address appears.

A. Write a YARA-L 2.0 detection rule that searches for events with the IP address.

B. Run raw log searches using the IP address as a search term.

C. On the Alerts & IOCs page, review results and entries where the IP address appears.

You have been tasked with developing a new response process in a playbook to contain an endpoint. The new process should take the following actions: Send an email to users who do not have a Google Security Operations (SecOps) account to request approval for endpoint containment Automatically continue executing its logic after the user responds You plan to implement this process in the playbook by using the Gmail integration. You want to minimize the amount of effort required by the SOC analyst. What should you do?

D. Generate an approval link for the containment action and include the placeholder in the body of the 'Send Email' action. Configure additional playbook logic to manage approved or denied containment actions.

A. Set the containment action to 'Manual' and assign the action to the user to execute or skip the containment action.

B. Set the containment action to 'Manual' and assign the action to the appropriate tier. Contact the user by email to request approval. The analyst chooses to execute or skip the containment action.

C. Use the 'Send Email' action to send an email requesting approval to contain the endpoint, and use the 'Wait For Thread Reply' action to receive the result. The analyst manually contains the endpoint.

Your organization plans to ingest logs from an on-premises MySQL database as a new log source into its Google Security Operations (SecOps) instance. You need to create a solution that minimizes effort. What should you do?

C. Configure and deploy a Google SecOps forwarder.

A. Configure a third-party API feed in Google SecOps.

B. Configure direct ingestion from your Google Cloud organization.

D. Configure and deploy a Bindplane collection agent.

Your organization is a Google Security Operations (SecOps) customer. You use Google Threat Intelligence to identify cyber threats within your organization's threat profile. You believe your organization may have been targeted by a cyber crime group. You need to identify whether your organization has been the victim of an attack. What should you do?

B. In the Reports & Analysis feature, extract the IOCs from the recent reports, and implement detection rules and lists in Google SecOps to identify whether they are present in your organization's environment.

A. Implement monitors in the Digital Threat Monitoring feature to identify new compromised credentials, dark web mentions, or data leaks.

C. Review the Threat Landscape feature to identify threat groups that are active in your industry, research their known MITRE ATT&CK tactics, techniques, and procedures (TTPs) and implement detection rules in Google SecOps.

D. In the Vulnerability Intelligence feature, identify new high and critical vulnerabilities in products or technologies that your organization uses so they can be patched.

You are implementing Google Security Operations (SecOps) for your organization. Your organization has their own threat intelligence feed that has been ingested to Google SecOps by using a native integration with a Malware Information Sharing Platform (MISP). You are working on the following detection rule to leverage the command and control (C2) indicators that were ingested into the entity graph. What code should you add in the detection rule to filter for the domain IOCs?

A. $ioc.graph.metadata.entity_type = "DOMAIN_NAME" $ioc.graph.metadata.source_type = "ENTITY_CONTEXT"

B. $ioc.graph.metadata.entity_type = "DOMAIN_NAME" $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"

C. $ioc.graph.metadata.entity_type = "DOMAIN_NAME" $ioc.graph.metadata.source_type = "DERIVED_CONTEXT"

D. $ioc.graph.metadata.entity_type = "DOMAIN_NAME" $ioc.graph.metadata.source_type = "SOURCE_TYPE_UNSPECIFIED"

You are using Google Security Operations (SecOps) to identify and report a repetitive sequence of brute force SSH login attempts on a Compute Engine image that did not result in a successful login. You need to gain visibility into this activity while minimizing impact on your ingestion quota. Which log type should you ingest into Google SecOps?

B. Security Command Center Premium (SCCP) findings

You are a SOC analyst working a case in Google Security Operations (SecOps). The case contains a file hash that your playbooks have automatically enriched with VirusTotal context and categorized as likely malicious. You need to quickly identify devices and users in your organization who have interacted with this file. What should you do?

A. Build a playbook to perform a UDM search matching on the file hash in Google SecOps SIEM.

B. Build a playbook to query your threat intelligence platform (TIP) for the presence of the file hash.

C. Use a manual action in Google SecOps SOAR to perform a UDM search matching on the file hash in Google SecOps SIEM.

D. Use a manual action in Google SecOps SOAR to query your threat intelligence platform (TIP) for the presence of the file hash.

You are responsible for monitoring the ingestion of critical Windows server logs to Google Security Operations (SecOps) by using the Bindplane agent. You want to receive an immediate notification when no logs have been ingested for over 30 minutes. You want to use the most efficient notification solution. What should you do?

C. Create a new alert policy in Cloud Monitoring that triggers a notification based on the absence of logs from the server's hostname.

A. Create a new YARA-L rule in Google SecOps SIEM to detect the absence of logs from the server within a 30-minute window.

B. Configure a Bindplane agent to send a heartbeat signal to Google SecOps every 15 minutes, and create an alert if two heartbeats are missed.

D. Configure the Windows server to send an email notification if there is an error in the Bindplane process.

You observe several distinct, low-severity suspicious activities associated with a single internal server. You determine that no single event is a high-confidence IOC. You need to create a solution that ensures ongoing and heightened scrutiny for this server. What should you do?

C. Add the server to a Google Security Operations (SecOps) watchlist, and monitor the watchlist closely for the next few weeks.

A. Schedule a daily Google Security Operations (SecOps) report detailing all activity on this server.

B. Develop a YARA-L detection rule specific to this server.

D. Create a case, isolate the server from the network, and escalate the case for forensic investigation.

Your organization recently adopted Google Security Operations (SecOps), and has configured ingestion, parsing and rules for their log sources. The security operations team is currently triaging alerts one at a time using several external product dashboards with alerts and enrichment data. You want to use the case management functionality in Google SecOps to reduce the amount of pivoting between products your SOC analysts are required to do. You want to minimize development effort. What should you do first?

D. Build a low-priority, catch-all playbook for enrichment of entities in a case using threat intelligence sources.

A. Build a playbook for each detection rule to enrich and remediate alerts relative to the particular threat each rule is designed to detect.

B. Build a playbook for each of the noisiest alert sources to gather additional context on the case from the source product.

C. Build a job to periodically iterate over recent cases, determine relevant context, and enrich alerts.

You were recently hired as a SOC manager at an organization with an existing Google Security Operations (SecOps) implementation. You need to understand the current performance by calculating the mean time to respond or remediate (MTTR) for your cases. What should you do?

B. Create a dashboard table widget that displays the average case handling times by analyst, case priority, and environment.

A. Create a multi-event detection rule to calculate the response metrics in the outcome section based on the entity graph. Create a dashboard based on these metrics.

C. Create a playbook block that can be re-used in all alert playbooks to write timestamps in the case wall after each change to the case. Write a job to calculate the case metrics.

D. Use the playbooks' case stages to capture metrics for each stage change. Create a dashboard based on these metrics.

You received an IOC from your threat intelligence feed that is identified as a suspicious domain used for command and control (C2). You want to use Google Security Operations (SecOps) to investigate whether this domain appeared in your environment. You want to search for this IOC using the most efficient approach. What should you do?

B. Configure a UDM search that queries the DNS section of the network noun.

A. Run a raw log search to search for the domain string.

C. Enable Group by Field in scan view to cluster events by hostname.

D. Enter the IOC into the IOC Search feature, and wait for detections with this domain to appear in the Case view.

You are a senior SOC analyst in your organization. You are receiving alerts of traffic to a command and control (C2) IP address. You want to use Google Security Operations (SecOps) to investigate the IP address associated with the C2 IP address. What should you do?

C. Conduct a Google SecOps SIEM Search that uses src.ip and target.ip to identify outbound and inbound traffic associated with the suspicious IP address.

A. Use Google SecOps SOAR Search to run a playbook designed to investigate the suspicious IP address and identify related outbound and inbound traffic.

B. Use Google SecOps SOAR Search to identify the cases where the suspicious IP address exists.

D. Use Google SecOps SIEM Search to query against the grouped ip field, and use the enriched field from the suspicious events to identify related activity.

You are working with your company's analyst team to automate the investigation of phishing alerts ingested directly into Google Security Operations (SecOps) SOAR from an email inbox. The analyst team currently uses a SIEM query to search for related information. You need to design a solution to automatically include the query results in the Google SecOps case without writing any new code. What should you do?

D. Add an action to the playbook that runs the SIEM query and returns the results.

A. Create a custom action in Google SecOps IDE that runs the SIEM query from a playbook through an API call and returns the results.

B. Modify the detection rule in the SIEM to include the query results as part of the detection.

C. Add a widget to the Default Case View in Google SecOps SOAR that allows the analyst team to query directly from the widget.

Your Google Security Operations (SecOps) instance is generating alerts for unusual login times from multiple user accounts. Your SOC analysts are reporting a high number of the alerts are false positives involving service accounts used by scheduled automation tasks. You want to refine the detection logic using entity-level context available in Google SecOps. You want to use the most effective approach. What should you do?

B. Modify the rule to include the principal.user.type != "service_account" condition.

A. Use asset tags to group known automation systems, and exclude them from the alert logic.

C. Update the rule to only alert when the principal.user.email and principal.user.userid fields match in the same event.

D. Add a reference list of all service accounts, and suppress alerts for any matches on the principal.user.email field.

You are building a detection rule in Google Security Operations (SecOps) to alert on requests to potentially malicious domains. You are planning to use the logs from your network detection and response (NDR) solution but you need to reduce noise and narrow the scope of detections. You want to minimize cost and deploy the solution quickly. What should you do?

D. Ingest logs from your threat intelligence platform (TIP), and build a multi-event rule that correlates the domains found in your NDR logs with your threat intelligence data.

A. Ingest logs from a domain monitoring service, and build a multi-event rule that correlates the domains found in your NDR logs with your domain monitoring data.

B. Build a Google SecOps SOAR playbook that enriches domain entities in alerts with VirusTotal information and auto-closes cases when no domains are classified as malicious.

C. Build a multi-event rule that correlates the domains found in your NDR logs with WHOIS context in the entity graph and sets the risk score based on domain creation time.

You are helping a new Google Security Operations (SecOps) customer configure access for their SOC team. The Google SecOps administrators currently have access to the instance. The customer is reporting that new Google SecOps users are not getting authorized to access the instance, but they are able to authenticate to the third-party identity provider (IdP). How should you fix the issue? (Choose two.)

D. Grant the roles/chronicle.viewer role to the SOC team's IdP group in IAM.

E. Grant the Basic permission to the appropriate IdP groups in the Google SecOps SOAR Advanced Settings.

A. Link Google SecOps to a Google Cloud project with the Chronicle API.

B. Integrate Google SecOps with the third-party IdP using Workforce Identity Federation.

C. Grant the appropriate data access scope to the SOC team's IdP group in IAM.

You are a security analyst at an organization that uses Google Security Operations (SecOps). Google SecOps triggered a medium severity alert of Unusual Cloud Storage Access - High Volume Download for user1@securecloudservices.com from the internal-project-code-repository bucket. This user is a senior developer within your organization who has legitimate access, but their download volume is unusually high and occurs outside working hours. You need to investigate this alert. What should you do first?

D. Review user1's timeline in Google SecOps, focusing on network events and resource access immediately preceding the download anomaly.

A. Run a Google SecOps SOAR playbook to suspend user1's bucket access, and review their user timeline.

B. Enrich the bucket entity with sensitivity labels and access control list (ACL) data.

C. Create a default detection rule in Google SecOps to monitor future high-volume downloads from the bucket, and add user1 to a high-risk watchlist.

Your company uses Google-managed images on Compute Engine VM instances extensively and has deployed Security Command Center Enterprise (SCCE) at the organization level Due to a recent increase in vulnerability exploits, you want to improve visibility into operating system (OS) risks for all VMs in your organization. You want to use managed services to enhance security detection capabilities related to these vulnerabilities using minimal effort. What should you do?

A. Enable VM Manager across your projects, and allow VM Manager to write findings to SCCE.

B. Enable Virtual Machine Threat Detection in SCCE, and allow it to generate findings.

C. Set up Google Open Source Vulnerability (OSV)-Scanner to scan all Compute Engine VMs. Configure a Google Security Operations (SecOps) forwarder to write logs to your Google SecOps instance.

D. Create a custom Security Health Analytics (SHA) scanner to check the sourceImage of the compute disk. Check for matches in a vulnerability database.

You work at a financial services company. You need to detect in near real-time when a Cloud Run functions service agent modifies the IAM policy of an Artifact Registry repository. You plan to use Security Command Center (SCC). You want to follow the Google-recommended approach. What should you do?

C. Use Event Threat Detection in SCC with a custom unexpected Cloud API call rule that detects when a specified principal calls a method against a resource.

A. Create a custom Security Health Analytics (SHA) detector that scans Artifact Registry repositories for IAM policy changes. When a change is detected identify the principal that made the change.

B. Configure a Cloud Logging log sink to export all IAM policy changes to BigQuery, and create a custom dashboard in SCC to visualize the data.

D. Implement a Cloud Run function that is triggered by IAM policy changes within the project and sends an alert to SCC using the Security Command Center API.

Your Google Security Operations (SecOps) case queue contains a case with IP address entities. You need to determine whether the entities are internal or external assets and ensure that internal IP address entities are marked accordingly upon ingestion into Google SecOps SOAR. What should you do?

A. Indicate your organization's known internal CIDR ranges in the Environment Networks list in the settings.

B. Modify the connector logic to perform a secondary lookup against your CMDB and flag incoming entities as internal or external.

C. Configure a feed to ingest enrichment data about the networks, and include these fields into your detection outcome.

D. Create a custom action to ping the IP address entity from your Remote Agent. If successful, the custom action designates the IP address entity as internal.

Your organization has a standard set of Google Security Operations (SecOps) playbooks that are applied to alerts in different circumstances. One playbook uses an "All" trigger that should always be applied if no other more specific playbooks have triggered. You need to ensure that the more specific playbook is attached and not the generic "All" playbook when multiple triggers match. What should you do?

A. Set the priority of the "All" playbook to a higher value than the priority of the specific playbook to ensure the "All" trigger is evaluated after the previous priorities.

B. Change the "All" trigger to be more precise so that it doesn't trigger when the other playbook is needed.

C. In the Outcomes section of the detection rule that is firing your alert, add a specific field to search for the specific playbook to base the trigger on.

D. Create a tagging rule in the Google SecOps SOAR settings, and use a tag trigger to trigger the specific playbook.

You work for a telecommunications company that wants to monitor their multi-region 5G network logs in Google Security Operations (SecOps). The logs are currently only available on-premises and are stored in a standalone network-attached storage (NAS) located in four different regions. You need to ingest the logs into Google SecOps and tag each NAS as a specific log source to avoid IP address aliasing. What should you do?

B. Configure feed management to pull data from each log's location, and configure an ingestion label for each log source.

A. Configure feed management to pull data from each log's location, and configure a namespace for each log source.

C. Configure a Bindplane agent that collects Syslog from each log's location, and configure a namespace for each log source.

D. Configure a Bindplane agent that collects Syslog from each log's location and configure an ingestion label for each log source.

Professional Security Operations Engineer (101-131)

Authored by Mauricio Ardon

Information Technology (IT)

Professional Development

Used 32+ times

Professional Security Operations Engineer (101-131)

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

31 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are planning log onboarding for a Google Security Operations (SecOps) SIEM deployment in a cloud-heavy enterprise environment. The detection engineering team is requesting log sources that support visibility into:

User identity behavior -

Lateral movement -

Privilege escalation attempts -
You need to determine which telemetry sources are ingested first. Which log source should you prioritize?

A. Cloud access security broker (CASB) logs

B. EDR logs

C. IAM logs

D. Network firewall logs

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are responsible for selecting and prioritizing potential sources of data to integrate with Google Security Operations (SecOps). Your company has recently started using several Google Cloud services to increase security in its Google Cloud organization. You need to determine which logs should be ingested into Google SecOps to reduce the effort required to write detections. What should you do?

A. Ingest Google Cloud Armor logs by using Cloud Logging.

B. Deploy a Bindplane agent to ingest event logs from Compute Engine VMs that provide endpoint visibility.

C. Integrate Security Command Center (SCC) into Google SecOps to ingest logs originating from the Google Cloud services.

D. Use Google Threat Intelligence to gain insight about threat group behavior and support threat hunting activities.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

You are developing a security strategy for your organization. You are planning to use Google Security Operations (SecOps) and Google Threat Intelligence (GTI). You need to enhance the detection and response across multi-cloud and on-premises systems. How should you integrate these products? (Choose two.)

A. Ingest GTI IOCs into Google SecOps as security events.

B. Ingest on-premises and cloud security logs into Google SecOps SIEM as events.

C. Ingest on-premises and cloud security logs into Google SecOps SIEM as entities.

D. Use Google SecOps SOAR integrations with GTI for event enrichment.

E. Use Google SecOps SOAR integrations with GTI for entity enrichment.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your organization is a Google Security Operations (SecOps) customer. The compliance team requires a weekly export of case resolutions and SLA metrics of high and critical severity cases over the past week. The compliance team's post-processing scripts require this data to be formatted as tabular data in CSV files, zipped, and delivered to their email each Monday morning. What should you do?

A. Generate a report in SOAR Reports, and schedule delivery of the report.

B. Use statistics in search, and configure a Google SecOps SOAR job to format and send the report.

C. Build an Advanced Report in SOAR Reports, and schedule delivery of the report.

D. Build a detection rule with outcomes, and configure a Google SecOps SOAR job to format and send the report.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are reviewing the results of a UDM search in Google Security Operations (SecOps). The UDM fields shown in the default view are not relevant to your search. You want to be able to quickly view the relevant data for your analysis. What should you do?

A. Download the search results as a CSV file, and manipulate the data to display relevant data in a spreadsheet.

B. Create a Google SecOps SIEM dashboard based on the search you have run, and visualize the data in an appropriate table or graphical format.

C. Select the events of interest, and choose the relevant UDM fields from the event view using the checkboxes. Copy, extract, and analyze the UDM fields, and refine the search query.

D. Use the columns feature to select or remove columns that are relevant to your analysis.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your organization uses the curated detection rule set in Google Security Operations (SecOps) for high priority network indicators. You are finding a vast number of false positives coming from your on-premises proxy servers. You need to reduce the number of alerts. What should you do?

A. Configure a rule exclusion for the network.asset.ip field.

B. Configure a rule exclusion for the principal.ip field.

C. Configure a rule exclusion for the target.domain field.

D. Configure a rule exclusion for the target.ip field.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your third-party application data is published in a Pub/Sub topic located in a separate Google Cloud project from your Google Security Operations (SecOps) instance. Your attempts to push data from the Pub/Sub topic to Google SecOps have failed. You need to send this data into Google SecOps in a low-latency, robust way. What should you do?

A. Push the data to Cloud Logging, and modify the export filter in direct ingestion.

B. Enable the Chronicle API in the project that owns the Pub/Sub topic to push the subscription to Google SecOps.

C. Create a Cloud Run function that is subscribed to the Pub/Sub topic and uses a Google SecOps Ingestion API key to push the data into Google SecOps.

D. Send Pub/Sub messages to a Cloud Storage bucket. Create an ingestion feed in Google SecOps to read from the bucket. Grant Storage Admin IAM access to the service account.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Microsoft

or continue with

Facebook

Apple

Others

Already have an account?

Similar Resources on Wayground

27 questions

Examen Acumulativo - AZ-900

Quiz

•

Professional Development

29 questions

Xfinity Voice and Home Services Quiz

Quiz

•

Professional Development

30 questions

Information Security Awareness Training Quiz

Quiz

•

Professional Development

30 questions

Mada - PM Quizz 3 Agile

Quiz

•

Professional Development

31 questions

SMR 1

Quiz

•

Professional Development

35 questions

Computer Science Quiz

Quiz

•

Professional Development

30 questions

EDIT

Quiz

•

Professional Development

35 questions

IT Systems and Tools Quiz

Quiz

•

Professional Development

Popular Resources on Wayground

28 questions

US History Regents Review

Quiz

•

11th Grade

36 questions

Biology Regents Review

Quiz

•

9th - 10th Grade

20 questions

Math Review

Quiz

•

3rd Grade

38 questions

Regents Life Science General Review

Quiz

•

9th Grade

20 questions

Math Review

Quiz

•

6th Grade

21 questions

EOY Grade 6 Benchmark Assessment - Content Skills

Quiz

•

6th Grade

20 questions

Inferences

Quiz

•

4th Grade

20 questions

Figurative Language Review

Quiz

•

6th Grade

Discover more resources for Information Technology (IT)

10 questions

June Standards Quiz

Quiz

•

Professional Development

23 questions

super heros

Quiz

•

KG - Professional Dev...