Your team is responsible for cybersecurity for a large multinational corporation. You have been tasked with identifying unknown command and control nodes (C2s) that are potentially active in your organization's environment. You need to generate a list of potential matches within the next 24 hours. What should you do?
Answer(s): A
The fastest and most effective way to identify unknown C2 nodes within 24 hours is to write a detection rule in Google SecOps that compares historic outbound connections against ingested threat intelligence, then run it as a retrohunt across the full tenant. Retrohunt enables rapid scanning of past telemetry at scale to surface potential matches without waiting for new events to occur.
You received an alert from Container Threat Detection that an added binary has been executed in a business critical workload. You need to investigate and respond to this incident. What should you do? (Choose two.)
Answer(s): A,B
The correct response involves both notifying the workload owner and following the response playbook to ensure coordinated incident handling, and reviewing the finding while investigating the pod and related resources to understand the attack and determine the appropriate remediation. This approach ensures proper communication, structured incident response, and thorough technical investigation without prematurely deleting or silencing critical evidence.
You are reviewing the security analyst team's playbook action process. Currently, security analysts navigate to the Playbooks tab in Google Security Operations (SecOps) for each alert and manually run steps assigned to a user. You need to present all actions from alerts awaiting user input in one location for the analyst to execute.What should you do?
Answer(s): C
The correct approach is to use the Pending Actions widget in the Default Case View. This widget consolidates all manual playbook actions that require analyst input, allowing them to be executed from a single location. This streamlines the workflow, reduces manual navigation, and ensures analysts don't miss pending steps across multiple alerts.
You are managing a Google Security Operations (SecOps) implementation for a regional customer. Your customer informs you that logs are appearing in the platform after a consistent six-hour delay. After some research, you determine that there is a log time zone issue. You want to fix this problem. What should you do?
Answer(s): B
The correct fix is to create a parser extension to correct the time zone. Parser extensions let you adjust specific fields, such as timestamps, without modifying the default parser. This resolves ingestion delays caused by time zone mismatches while maintaining the integrity and upgrade compatibility of the default parser.
Your organization uses Google Security Operations (SecOps). You need to identify the most commonly occurring processes and applications across your organization's large number of servers so you can implement baselines and exclusion lists on a regular basis. You want to use the most efficient approach. What should you do?
The most efficient method is to run a UDM search and use aggregations on process-related UDM fields. This allows you to quickly identify the most common processes and applications across all servers, providing accurate data to establish baselines and exclusion lists without relying only on alerts or dashboards.
You work for an organization that uses Security Command Center (SCC) with Event Threat Detection (ETD) enabled. You need to enable ETD detections for data exfiltration attempts from designated sensitive Cloud Storage buckets and BigQuery datasets. You want to minimize Cloud Logging costs. What should you do?
To detect data exfiltration attempts from sensitive Cloud Storage buckets and BigQuery datasets using ETD, you only need "data read" audit logs. These logs capture access and read events (which indicate potential exfiltration). Enabling them only for the designated sensitive resources minimizes Cloud Logging costs while still providing the necessary visibility for detections.
Your company uses Security Command Center (SCC) and Google Security Operations (SecOps). Last week, an attacker attempted to establish persistence by generating a key for an unused service account. You need to confirm that you are receiving alerts when keys are created for unused service accounts and that newly created keys are automatically deleted. You want to minimize the amount of manual effort required. What should you do?
The most efficient solution is to use the built-in SCC detection "Initial Access: Dormant Service Account Key Created", ingest the finding into Google SecOps, and automate the response with a custom SOAR action that deletes the key. This leverages existing SCC findings for accurate detection, integrates directly with Google SecOps for centralized alerting, and minimizes manual effort by automating remediation.
Your company recently adopted Security Command Center (SCC) but is not using Google Security Operations (SecOps). Your organization has thousands of active projects. You need to detect anomalous behavior in your Google Cloud environment by windowing and aggregating data over a given time period, based on specific log events or advanced calculations. You also need to provide an interface for analysts to triage the alerts. How should you build this capability?
The correct approach is to sink logs to BigQuery, where you can perform windowing and advanced aggregations over time. Then, use Cloud Run functions to periodically query BigQuery and generate normalized alerts published to a Pub/Sub topic. From there, alerts can be written back into SCC as findings via the SCC API, giving analysts a central interface for triage. This architecture supports large-scale environments, advanced calculations, and efficient integration with SCC.
Share your comments for Google Security-Operations-Engineer exam with other users:
i purchased this exam dumps from another website with way more questions but they were all invalid and outdate. this exam dumps was right to the point and all from recent exam. it was a hard pass.
it was a good experience and i got 90% in the 200-901 exam.
hi please upload this
please upload it
really need this dump. can you please help.
really good and covers many areas explaining the answer.
yes, can you please upload the exam?
how many questions are there in these dumps?
hi team, please upload this , i need it.
question 14 - run terraform import: this is the recommended best practice for bringing manually created or destroyed resources under terraform management. you use terraform import to associate an existing resource with a terraform resource configuration. this ensures that terraform is aware of the resource, and you can subsequently manage it with terraform.
please upload dump. thanks in advance.
great great
answer 16 should be b your organizational policies require you to use virtual machines directly
the question are kind of tricky of you didnt get the hnag on it.
can anyone tell me if this is for rhel8 or rhel9?
good content
pdb and cdb are critical to the database
till 104 questions are free, lets see how it helps me in my exam today.
question # 56, answer is true not false.
i would be requiring dumps to prepare for certification exam
very helpful
control file is the heart of rman backup
hi could you please upload the ibm c2090-543 dumps
appriciate if you could upload this again
please upload the dump
i found some questions answers mismatch with explanation answers. please properly update
nothing to mention
knowable questions
very helpfull
good questions
its helpful
i just took my oracle exam and let me tell you, this exam dumps was a lifesaver! without them, iam not sure i would have passed. the questions were tricky and the answers were obscure, but the exam dumps had everything i needed. i would recommend to anyone looking to pass their oracle exams with flying colors (and a little bit of cheating) lol.
22. if you need to make sure that one computer in your hot-spot network can access the internet without hot-spot authentication, which menu allows you to do this? answer is ip binding and not wall garden. wall garden allows specified websites to be accessed with users authentication to the hotspot
is question 1 correct?