Online Access Free Security-Operations-Engineer Exam Questions

Your organization recently adopted Google Security Operations (SecOps), and has configured ingestion, parsing and rules for their log sources. The security operations team is currently triaging alerts one at a time using several external product dashboards with alerts and enrichment data. You want to use the case management functionality in Google SecOps to reduce the amount of pivoting between products your SOC analysts are required to do. You want to minimize development effort. What should you do first?

• A.Build a playbook for each of the noisiest alert sources to gather additional context on the case from the source product.
• B.Build a job to periodically iterate over recent cases, determine relevant context, and enrich alerts.
• C.Build a playbook for each detection rule to enrich and remediate alerts relative to the particular threat each rule is designed to detect.
• D.Build a low-priority, catch-all playbook for enrichment of entities in a case using threat intelligence sources.

Your company is taking a more proactive approach to security. You want to generate an alert when a binary hash first appears in your environment. What should you do?

• A.Enable the Applied Threat Intelligence - Curated Prioritization rule set in curated detections.
• B.Write a rule to examine file-related events that join with derived context for hashes in the entity graph. Compare the timestamp of the hash with the first_seen_time field.
• C.Create a table by using the Google Security Operations (SecOps) statistics in search to examine file-related events for the current day. Verify that the first_seen_time value predates the current day.
• D.Navigate to the Alerts & IOCs page in Google Security Operations (SecOps). Create a filter that targets hashes and specifies a first_seen_time value excluding the current date.

You have discovered that a server that hosts an internal web application has been accidentally exposed to the internet for 48 hours. Logging is enabled on the server. You want to use Google Security Operations (SecOps) to run a UDM search against the server logs to identify whether there have been any successful exploitations against it. What event field search should you use?

• A.Perform a search for sign-on activity for user accounts that are not expected on the server by using the principal.user.userid UDM field.
• B.Perform a search for network traffic where the principal is rarely seen by using the principal.ip UDM field.
• C.Perform a search for antimalware or endpoint security events by using the product_event_type UDM field.
• D.Perform a search for process launches and commands that are rarely seen by using the metadata.event_type UDM field.

Your organization uses the curated detection rule set in Google Security Operations (SecOps) for high priority network indicators. You are finding a vast number of false positives coming from your on-premises proxy servers. You need to reduce the number of alerts. What should you do?

• A.Configure a rule exclusion for the target.ip field.
• B.Configure a rule exclusion for the principal.ip field.
• C.Configure a rule exclusion for the target.domain field.
• D.Configure a rule exclusion for the network.asset.ip field.

You use Google Security Operations (SecOps) curated detections and YARA-L rules to detect suspicious activity on Windows endpoints. Your source telemetry uses EDR and Windows Events logs. Your rules match on the principal.user.userid UDM field. You need to ingest an additional log source for this field to match all possible log entries from your EDR and Windows Event logs.
What should you do?

• A.Ingest logs from Microsoft Entra ID.
• B.Ingest logs from Windows Sysmon.
• C.Ingest logs from Windows Procmon.
• D.Ingest logs from Windows PowerShell.