Online Access Free Security-Operations-Engineer Exam Questions

You are working with your company's analyst team to automate the investigation of phishing alerts ingested directly into Google Security Operations (SecOps) SOAR from an email inbox.
The analyst team currently uses a SIEM query to search for related information. You need to design a solution to automatically include the query results in the Google SecOps case without writing any new code. What should you do?

• A.Add a widget to the Default Case View in Google SecOps SOAR that allows the analyst team to query directly from the widget.
• B.Modify the detection rule in the SIEM to include the query results as part of the detection.
• C.Add an action to the playbook that runs the SIEM query and returns the results.
• D.Create a custom action in Google SecOps IDE that runs the SIEM query from a playbook through an API call and returns the results.

You have identified and isolated a new malware sample installed by an advanced threat group that you believe was developed specifically for an attack against your organization. You want to quickly and efficiently analyze this malware to get IOCs without alerting the threat group. What should you do?

• A.Upload the malware to Google Threat Intelligence by using Private Scanning.
• B.Search for the threat group in Google Threat Intelligence.
• C.Calculate the file checksum for the malware, and search for the checksum in GoogleThreat Intelligence by using VirusTotal.
• D.Upload the malware to Google Threat Intelligence by using VirusTotal.

Your company uses Google Security Operations (SecOps) Enterprise and is ingesting various logs. You need to proactively identify potentially compromised user accounts. Specifically, you need to detect when a user account downloads an unusually large volume of data compared to the user's established baseline activity. You want to detect this anomalous data access behavior using the least amount of effort. What should you do?

• A.Inspect Security Command Center (SCC) default findings for data exfiltration in Google SecOps.
• B.Develop a custom YARA-L detection rule in Google SecOps that counts download bytes per user per hour and triggers an alert if a threshold is exceeded.
• C.Create a log-based metric in Cloud Monitoring, and configure an alert to trigger if the data downloaded per user exceeds a predefined limit. Identify users who exceed the predefined limit in Google SecOps.
• D.Enable curated detection rules for User and Endpoint Behavioral Analytics (UEBA), and use the Risk Analytics dashboard in Google SecOps to identify metrics associated with the anomalous activity.

Which Google Cloud log source is MOST critical for detecting unauthorized IAM role changes?

• A.Cloud Audit Logs - Admin Activity
• B.VPC Flow Logs
• C.Firewall Rules logs
• D.Cloud DNS logs

You are tasked with building a workflow in Google Security Operations (SecOps) SOAR. The documentation you are using requires a logical split that has eight different possible paths. You need to break the workflow into eight separate workflows using an automatic and efficient approach. What should you do?

• A.Create a playbook that uses a Multi-Choice Question flow and a second Multi-Choice Question for the additional answer choices. Add instructions describing which logic to use in the instruction or question fields. Have the analyst select the appropriate answer to move the flow into the right branch.
• B.Create a playbook that uses a flow condition. Add four more branches to have a total of five branches and an "Else" branch. On the "Else" branch, include another flow condition. Include the remaining three branches with the logic required.
• C.Create eight playbooks for each workflow. Configure the triggered playbook to end on an instruction action that tells the analyst to pick a workflow from the playbooks tab and attach that workflow to the alert.
• D.Create eight playbooks for each workflow. Create a job that identifies your recently opened cases, applies the needed logic to determine which of the eight workflows should be attached, and attaches that workflow to the alert.