You are responsible for identifying suspicious activity and security events at your organization. You have been asked to search in Google Security Operations (SecOps) for network traffic associated with an active HTTP backdoor that runs on TCP port 5555. You want to use the most effective approach to identify traffic originating from the server that is running the backdoor. What should you do?
Answer(s): C
The backdoor listens on TCP port 5555 on the compromised server, so on the server's side of any session with that host the port in use is 5555. In the Unified Data Model (UDM) used by Google Security Operations (SecOps), principal is the entity that initiates the action and target is the entity acted upon; for network events, principal.port is the source port and target.port is the destination port. To isolate traffic originating from the server that runs the backdoor, filter on principal.port = 5555 (answer C). Searching target.port = 5555 instead would return the client side of the same sessions, that is, connections made to the backdoor rather than from it.
You are an incident responder at your organization using Google Security Operations (SecOps) for monitoring and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?
The most effective first step that contains the threat while preserving forensic data is to use the EDR integration to quarantine the compromised asset. Quarantine isolates the server from the network, which stops further malicious activity and lateral movement, but it does not wipe, reimage, or reboot the system, so evidence such as persistence mechanisms, unauthorized file changes, and other indicators of compromise remains intact on the host for investigation. Actions that alter the host (reimaging, reverting to a snapshot, or powering it off) would destroy volatile and on-disk evidence and should wait until acquisition is complete.
Your organization uses Google Security Operations (SecOps). You discover frequent file downloads from a shared workspace within a short time window. You need to configure a rule in Google SecOps that identifies these suspicious events and assigns higher risk scores to repeated anomalies. What should you do?
Answer(s): B
The correct approach is to create a frequency-based YARA-L detection rule in Google SecOps (answer B). A multi-event rule groups events with a match window (for example, all downloads by one user over 10 minutes), counts them in the outcome section, and fires only when the count passes a threshold, so isolated single downloads are not flagged. Because the outcome section can also set the risk score, repeated anomalies can be assigned a higher score than borderline ones, which lets triage prioritize the noisiest users first.
You are implementing Google Security Operations (SecOps) at your organization. You discover that the current detection rules are too noisy. Due to the high volume of alerts, some true positives might be missed. You want to ingest additional context sources to reduce false positives in your security detections and to improve the overall positive ratio of the alerts. What should you do?
Answer(s): A
Ingesting high-value asset (HVA) data from the CMDB (answer A) gives Google SecOps asset context that the detection engine and analysts can use to weigh alerts by the sensitivity and criticality of the affected systems. Context-enriched rules can raise the risk score for detections on critical assets and lower it elsewhere, which reduces noise, improves the true-positive ratio, and makes it less likely that a real incident on an important system is buried in low-value alerts.
You are developing a new detection rule in Google Security Operations (SecOps). You are defining the YARA-L logic that includes complex event, match, and condition sections. You need to develop and test the rule to ensure that the detections are accurate before the rule is migrated to production. You want to minimize impact to production processes. What should you do?
The safest way to minimize production impact is to develop and refine the rule logic in UDM search first. Running the filters as searches over historical data lets you iteratively tune the event conditions, confirm which UDM fields the relevant log source actually populates, and check the hit volume before any rule exists. Once the query returns the expected events, copy it into the Rules Editor as the events section of the rule, add the match, outcome, and condition sections, and test the rule against historical data (retrohunt) before enabling it live. This validates accuracy without generating false-positive alerts or extra detection-engine load in production.
Your organization has recently acquired Company A, which has its own SOC and security tooling. You have already configured ingestion of Company A's security telemetry and migrated their detection rules to Google Security Operations (SecOps). You now need to enable Company A's analysts to work their cases in Google SecOps. You need to ensure that Company A's analysts:
- do not have access to any case data originating from outside of Company A.
- are able to re-purpose playbooks previously developed by your organization's employees.
You need to minimize effort to implement your solution. What is the first step you should take?
The correct first step is to define a new SOC role for Company A within Google SecOps. With role-based access control in the SOAR component, Company A's analysts are restricted to cases originating from their own environment (their ingested telemetry) while the shared playbooks built by your organization remain available for them to reuse. Defining the role in the existing instance takes far less effort than standing up a separate environment or tenant for Company A and then duplicating playbooks into it.
You have identified and isolated a new malware sample installed by an advanced threat group that you believe was developed specifically for an attack against your organization. You want to quickly and efficiently analyze this malware to get IOCs without alerting the threat group. What should you do?
The correct action is to upload the malware to Google Threat Intelligence using Private Scanning. Private Scanning analyzes the sample (static analysis and sandbox detonation) and extracts IOCs such as hashes, contacted domains, and IP addresses, but keeps the sample and its results private to your organization instead of publishing them to the shared corpus. A public submission of a bespoke sample could be seen by the threat group, who often monitor for their own hashes, and would tip them off that the implant has been discovered.
Your organization uses Cloud Identity as their identity provider (IdP) and is a Google Security Operations (SecOps) customer. You need to grant a group of users access to the Google SecOps instance with read-only access to all resources, including detection engine rules. How should this be configured?
To grant read-only access to all Google SecOps resources, including detection engine rules, assign the Chronicle API Viewer IAM role (roles/chronicle.viewer). Create a Google Group in Cloud Identity, add the required users to it, and bind the role to the group on the Google Cloud project associated with your Google SecOps instance. Binding to the group rather than to individual users keeps access management consistent and least-privilege: membership changes in Cloud Identity take effect without further IAM edits, and no user receives more than the viewer permissions.
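The rule below is an added example written for this page, not a rule from the exam or from Google, and it ties together two of the questions above: the frequency-based YARA-L rule that assigns a higher risk score to repeated file downloads, and the practice of developing the event filters in UDM search before moving them into the Rules Editor. The event filters (the `events` section) are exactly what you would first run as a UDM search, minus the `$download.` variable prefixes, to confirm the fields are populated and to gauge hit volume. Everything that depends on the log source is an assumption and is marked as such in the comments: the `USER_RESOURCE_ACCESS` event type, the `download` product event type, the `/shared/workspace/` path prefix, the 10-minute window, and the thresholds of 10 and 25 files. Referencing `$download_count` inside the `$risk_score` expression is also an assumption to confirm when you test the rule; if your tenant rejects it, a second rule with a higher threshold and a fixed score achieves the same tiering.

```yara-l
rule frequent_shared_workspace_downloads {
  meta:
    author = "added example, not from the exam page"
    description = "One user downloads many distinct files from the shared workspace in a short window; risk score rises with volume"
    severity = "MEDIUM"

  events:
    // ASSUMPTION: the workspace product's parser normalises a download as
    // USER_RESOURCE_ACCESS with product_event_type "download" and records the
    // file path in target.file.full_path. Validate these three filters in
    // UDM search before creating the rule.
    $download.metadata.event_type = "USER_RESOURCE_ACCESS"
    $download.metadata.product_event_type = "download"
    re.regex($download.target.file.full_path, `^/shared/workspace/`)
    // Placeholder that the match section groups on.
    $download.principal.user.userid = $user

  match:
    // ASSUMPTION: 10 minutes is the "short time window" for this workspace.
    $user over 10m

  outcome:
    // Distinct files rather than raw events, so a retried download of one
    // file does not inflate the count.
    $download_count = count_distinct($download.target.file.full_path)
    $files = array_distinct($download.target.file.full_path)
    // Repeated anomalies score higher: 40 at the base threshold, 80 past 25
    // distinct files. ASSUMPTION: an outcome variable may be referenced here.
    $risk_score = max(if($download_count > 25, 80, 40))

  condition:
    // Fire only when the window holds at least 10 distinct downloads;
    // single or occasional downloads never produce a detection.
    $download and $download_count >= 10
}
```

When testing, run the rule against a historical range first so you can see how many detections each tier would have produced; if the 40-point tier still dominates the queue, raise the base threshold rather than lowering the score, since the score is what downstream triage sorts on.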
Share your comments for the Google Security-Operations-Engineer exam with other users:
This looks accurate.
Question 46: the answer should be data "virtualization" (not visualization).
It's useful.
Passed this exam 3 days ago. The PDF version and the Xengine App are quite useful.
Informative for me.
Question 134's answer should be "DLP".
In 72, the answer must be the [sys_user_has_role] table.
I appreciated the mix of multiple-choice and short-answer questions. I passed my exam this morning.
Great to find this website, thanks.
Examination questions seem to be relevant.
Planning to take the PSM test.
Please allow download.
Please provide dumps.
Is the answer to question 15 correct? I feel like the answer should be B.
It's getting more technical.
I think these questions are what I need.
Helpful assessment.
I am confused about the answers to the questions. Do you know if the answers are correct?
Hi, please make the dumps available for my upcoming examination.
Good practice.
So far it is really informative.
Hi, I want it, please, please upload it.
I am preparing for the exam, just nice questions.
Please upload the C_TADM_23 exam.
Can we get the TDVAN4 Vantage Data Engineering PDF?
Want to clear the exam.
Could you please upload the dumps for SAP C_SAC_2302?
ASM management configuration is about storage.
Cool, thumbs up.
Just passed the AZ-500 exam this last Friday. Most of the questions in these exam dumps are in the exam. I bought the full version and noticed that some of the questions which were answered wrong in the free version are all corrected in the full version. This site is good, but I wish they had it in an interactive version like a test-engine simulator.
I can practice for the exam.
Please, I need this exam.
I need the dump.
I want it badly; even if CS6 may be retired, I want to learn CS6.