Professional Security Operations Engineer v1.0

Page:    1 / 9   
Exam contains 131 questions

You are investigating an alert in Google Security Operations (SecOps). You want to view previous enrichment attributes and relevant historical cases for an entity using the fewest number of steps. What should you do?

  • A. Initiate a SIEM Search to query the entity.
  • B. Initiate a SOAR Search to query the entity.
  • C. Select View Details for the entity in the Entity Highlights widget.
  • D. Select the entity identifier in the Entity Highlights widget to open Entity Explorer.


Answer : D

During a proactive threat hunting exercise, you discover that a critical production project has an external identity with a highly privileged IAM role. You suspect that this is part of a larger intrusion, and it is unknown how long this identity has had access. All logs are enabled and routed to a centralized organization-level Cloud Logging bucket, and historical logs have been exported to BigQuery datasets. You need to determine whether any actions were taken by this external identity in your environment. What should you do?

  • A. Use Policy Analyzer to identify the resources that are accessible by the external identity. Examine the logs related to these resources in the centralized Cloud Logging bucket and the BigQuery dataset.
  • B. Analyze VPC Flow Logs exported to BigQuery, and correlate source IP addresses with potential login events for the external identity.
  • C. Analyze IAM recommender insights and Security Command Center (SCC) findings associated with the external identity.
  • D. Execute queries against the centralized Cloud Logging bucket and the BigQuery dataset to filter for logs where the principal email matches the external identity.


Answer : D

You are a security analyst at an organization that uses Google Security Operations (SecOps). You notice suspicious login attempts on several user accounts. You need to determine whether these attempts are part of a coordinated attack as quickly as possible. What action should you take first?

  • A. Enable default curated detections to automatically block suspicious IP addresses.
  • B. Use UDM Search to query historical logs for recent IOCs associated with the suspicious login attempts.
  • C. Remove user accounts that have repeated invalid login attempts.
  • D. Look for correlations across impacted users in the Risk Analytics dashboard.


Answer : D

Your Google Security Operations (SecOps) instance is generating a high volume of alerts related to an IP address that recently appeared in a threat intelligence feed. The IP address is flagged as a known command and control (C2) server by multiple vendors. The IP address appears in repeated DNS queries originating from a sandboxing system and test environment used by your malware analysis team. You want to avoid alert fatigue while preserving visibility in the event that the IOC reappears in real production telemetry. What should you do?

  • A. Temporarily disable the rule to avoid unnecessary alerts until the IOC expires in the threat feed.
  • B. Add the IP address to a Google SecOps reference list, and configure the rule to suppress alerts for that list.
  • C. Reduce the severity score in the rule configuration when the IOC match occurs in any internal IP address range.
  • D. Add an exception in the detection rule to exclude matches originating from specific asset groups.


Answer : D

You are threat hunting for an advanced threat group known for targeted, novel attacks by deploying campaign-specific infrastructure. You want to develop detections based on the threat group's behaviors so you can effectively detect whether the threat group has attacked your organization. What should you do?

  • A. Identify exposed technologies and products used by your organization, and develop detections to search for signs of exploitation.
  • B. Find intelligence reports in Google Threat Intelligence that relate to the threat actor, identify their behavior in previous campaigns, and use the past behavior to design detections in Google Security Operations (SecOps).
  • C. Search for the threat actor in Google Threat Intelligence, export the IOCs associated with the threat actor into a Google Security Operations (SecOps) list, and develop detections that reference this list.
  • D. Search for the threat actor in Google Threat Intelligence, review the threat actor's tactics, techniques, and procedures (TTPs), and design detections based on the TTPs in Google Security Operations (SecOps).


Answer : D

You work for a large international company that has several Compute Engine instances running in production. You need to configure monitoring and alerting for Compute Engine instances tagged with compliance=pci that have an external IP address assigned. What should you do?

  • A. Create a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance=pci tag is assigned an external IP address.
  • B. Deploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance=pci tag from creating Compute Engine instances with external IP addresses.
  • C. Create a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and search for the compliance=pci tag.
  • D. Use the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance=pci tag exists on the instances.


Answer : C

Your company's analyst team uses a playbook to make necessary changes to external systems that are integrated with the Google Security Operations (SecOps) platform. You need to automate the task to run once every day at a specific time. You want your solution to minimize maintenance overhead. What should you do?

  • A. Write a custom Google SecOps SOAR job in the IDE using the code from the existing playbook actions.
  • B. Create a Google SecOps SOAR request and a playbook trigger to match the request from the user to start the playbook with the relevant actions.
  • C. Create a Cron Scheduled Connector for this use case. Configure a playbook trigger to match the cases created by the connector that runs the playbook with the relevant actions.
  • D. Use a VM to host a script that runs a playbook via an API call.


Answer : C

You have discovered that a server that hosts an internal web application has been accidentally exposed to the internet for 48 hours. Logging is enabled on the server. You want to use Google Security Operations (SecOps) to run a UDM search against the server logs to identify whether there have been any successful exploitations against it. What event field search should you use?

  • A. Perform a search for antimalware or endpoint security events by using the product_event_type UDM field.
  • B. Perform a search for sign-on activity for user accounts that are not expected on the server by using the principal.user.userid UDM field.
  • C. Perform a search for network traffic where the principal is rarely seen by using the principal.ip UDM field.
  • D. Perform a search for process launches and commands that are rarely seen by using the metadata.event_type UDM field.


Answer : D

You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?

  • A. Configure the rule to detect outbound network connections to the external IP address. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.
  • B. Configure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP address. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.
  • C. Configure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.
  • D. Configure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated reference list of all APT41-related IP addresses.


Answer : B

You are writing a detection rule in Google Security Operations (SecOps) SIEM that sends a risk score to the alert. You have access to Google Threat Intelligence (GTI) data through your Google SecOps subscription. You need to ensure that the threat score output in the detection logic informs the alert's risk score and is available for future detections. What should you do?

  • A. Use the outcomes section of your detection logic to pull UDM enrichment fields from the event data. Apply logic to determine the total risk outcome, and store the risk score as the risk_score variable.
  • B. Use the match section of your detection logic to filter out irrelevant entities. Store the remaining entities as the risk_score variable.
  • C. Configure a feed in Google SecOps SIEM to ingest GTI data to automatically enrich the appropriate entities.
  • D. Create a Google SecOps SOAR playbook to query GTI that uses the VirusTotal integration to enrich the alert. Modify the risk_score context value to match.


Answer : A

You are a SOC manager, and your company recently migrated to Google Security Operations (SecOps). As the team grows, you want to monitor all audit logs related to data feeds in Google SecOps. What should you do?

  • A. Enable Data Access and Admin Activity audit logs in Cloud Logging, and ingest those logs into Google SecOps SIEM.
  • B. Ingest the Google SecOps audit logs into Google SecOps SIEM for monitoring.
  • C. Monitor Google SecOps SOAR user activity logs for administrative activity.
  • D. Configure the Cloud Logging filter to ingest audit logs related to data feeds into Google SecOps for monitoring.


Answer : B

Your company is taking a more proactive approach to security. You want to generate an alert when a binary hash first appears in your environment. What should you do?

  • A. Enable the Applied Threat Intelligence - Curated Prioritization rule set in curated detections.
  • B. Navigate to the Alerts & IOCs page in Google Security Operations (SecOps). Create a filter that targets hashes and specifies a first_seen_time value excluding the current date.
  • C. Write a rule to examine file-related events that join with derived context for hashes in the entity graph. Compare the timestamp of the hash with the first_seen_time field.
  • D. Create a table by using the Google Security Operations (SecOps) statistics in search to examine file-related events for the current day. Verify that the first_seen_time value predates the current day.


Answer : C

You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?

  • A. Configure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.
  • B. Write a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.
  • C. Configure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.
  • D. Create a Google SecOps SOAR dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.


Answer : C

Your organization recently implemented Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You were notified by the networking team about potentially anomalous communications to external domains in the last 30 days. You plan to start your threat hunting by looking at communications to external domains. You are ingesting the following logs into Google SecOps:

  • Firewall logs
  • Proxy logs
  • DNS logs
  • DHCP logs

What should you do? (Choose two.)

  • A. Perform a UDM search across the logs for domains with geolocations that were first seen in the last 30 days.
  • B. Perform a UDM search across the logs for domains with low prevalence that were first seen in the last 30 days.
  • C. Perform a raw log search across the logs for domains with low prevalence that were first seen in the last 30 days.
  • D. Identify the domains with the higher normalized risk in Risk Analytics. Drill down into those entities to determine their prevalence and if they were first seen in the last 30 days.
  • E. Navigate to the IOC Matches page and filter based on domain type over the last 30 days. Look for the first seen and last seen timestamps for the reported domains. Investigate these domains using the IOC drilldown link.


Answer : BD

Your company recently started pulling JSON logs from a third-party system into Google Security Operations (SecOps). You noticed that some fields are missing, and you want to parse them into UDM fields as quickly as possible. What should you do?

  • A. Configure auto extraction to add the additional fields.
  • B. Create parser extensions using the no-code approach.
  • C. Create parser extensions using the code snippet approach.
  • D. Submit a parser improvement request to Cloud Customer Care.


Answer : B
