Security-Operations-Engineer Google Exam Questions and Free Practice Test

Question 7

You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?

A. Configure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated data table of all APT41-related IP addresses.

B. Configure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP addres

C. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.

D. Configure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.

E. Configure the rule to detect outbound network connections to the external IP addres

F. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.

Correct Answer:B

Question 8

You have been tasked with developing a new response process in a playbook to contain an endpoint. The new process should take the following actions:
✑ Send an email to users who do not have a Google Security Operations (SecOps) account to request approval for endpoint containment.
✑ Automatically continue executing its logic after the user responds.
You plan to implement this process in the playbook by using the Gmail integration. You want to minimize the effort required by the SOC analyst. What should you do?

A. Set the containment action to 'Manual' and assign the action to the user to execute or skip the containment action.

B. Set the containment action to 'Manual' and assign the action to the appropriate tie

C. Contact the user by email to request approva

D. The analyst chooses to execute or skip the containment action.

E. Use the 'Send Email' action to send an email requesting approval to contain the endpoint, and use the 'Wait For Thread Reply' action to receive the resul

F. The analyst manually contains the endpoint.

G. Generate an approval link for the containment action and include the placeholder in the body of the 'Send Email' actio

H. Configure additional playbook logic to manage approved or denied containment actions.

Correct Answer:D

Question 9

You use Google Security Operations (SecOps) curated detections and YARA-L rules to detect suspicious activity on Windows endpoints. Your source telemetry uses EDR and Windows Events logs. Your rules match on the principal.user.userid UDM field. You need to ingest an additional log source for this field to match all possible log entries from your EDR and Windows Event logs. What should you do?

A. Ingest logs from Microsoft Entra ID.

B. Ingest logs from Windows Procmon.

C. Ingest logs from Windows PowerShell.

D. Ingest logs from Windows Sysmon.

Correct Answer:A

Question 10

Your company uses Google Security Operations (SecOps) Enterprise and is ingesting various logs. You need to proactively identify potentially compromised user accounts. Specifically, you need to detect when a user account downloads an unusually large volume of data compared to the user's established baseline activity. You want to detect this anomalous data access behavior using minimal effort. What should you do?

A. Develop a custom YARA-L detection rule in Google SecOps that counts download bytes per user per hour and triggers an alert if a threshold is exceeded.

B. Create a log-based metric in Cloud Monitoring, and configure an alert to trigger if the data downloaded per user exceeds a predefined limi

C. Identify users who exceed the predefined limit in Google SecOps.

D. Inspect Security Command Center (SCC) default findings for data exfiltration in Google SecOps.

E. Enable curated detection rules for User and Endpoint Behavioral Analytics (UEBA), and use the Risk Analytics dashboard in Google SecOps to identify metrics associated with the anomalous activity.

Correct Answer:D

Question 12

You are receiving security alerts from multiple connectors in your Google Security Operations (SecOps) instance. You need to identify which IP address entities are internal to your network and label each entity with its specific network name. This network name will be used as the trigger for the playbook.

A. Configure each network in the Google SecOps SOAR settings.

B. Modify the entity attribute in the alert overview.

C. Create an outcome variable in the rule to assign the network name.

D. Enrich the IP address entities as the initial step of the playbook.