Google Security Operations Engineer (Beta) Sample Questions:
1. Your organization recently implemented Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You were notified by the networking team about potentially anomalous communications to external domains in the last 30 days. You plan to start your threat hunting by looking at communications to external domains. You are ingesting the following logs into Google SecOps:
- Firewall logs
- Proxy logs
- DNS logs
- DHCP logs
What should you do? (Choose two.)
A) Identify the domains with the higher normalized risk in Risk Analytics. Drill down into those entities to determine their prevalence and if they were first seen in the last 30 days.
B) Perform a UDM search across the logs for domains with geolocations that were first seen in the last 30 days.
C) Perform a UDM search across the logs for domains with low prevalence that were first seen in the last 30 days.
D) Perform a raw log search across the logs for domains with low prevalence that were first seen in the last 30 days.
E) Navigate to the IOC Matches page and filter based on domain type over the last 30 days. Look for the first seen and last seen timestamps for the reported domains. Investigate these domains using the IOC drilldown link.
2. You work for a large international company that has several Compute Engine instances running in production. You need to configure monitoring and alerting for Compute Engine instances tagged with compliance-pci that have an external IP address assigned. What should you do?
A) Deploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance-pci tag from creating Compute Engine instances with external IP addresses.
B) Create a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance-pci tag is assigned an external IP address.
C) Create a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and search for the compliance-pci tag.
D) Use the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance-pci tag exists on the instances.
3. You work for a telecommunications company that wants to monitor their multi-region 5G network logs in Google Security Operations (SecOps). The logs are currently only available on-premises and are stored in a standalone network-attached storage (NAS) located in four different regions.
You need to ingest the logs into Google SecOps and tag each NAS as a specific log source to avoid IP address aliasing. What should you do?
A) Configure feed management to pull data from each log's location, and configure a namespace for each log source.
B) Configure a Bindplane agent that collects Syslog from each log's location, and configure a namespace for each log source.
C) Configure feed management to pull data from each log's location, and configure an ingestion label for each log source.
D) Configure a Bindplane agent that collects Syslog from each log's location and configure an ingestion label for each log source.
4. You are a senior SOC analyst in your organization. You are receiving alerts of traffic to a command and control (C2) IP address. You want to use Google Security Operations (SecOps) to investigate the IP address associated with the C2 IP address. What should you do?
A) Use Google SecOps SIEM Search to query against the grouped ip field, and use the enriched field from the suspicious events to identify related activity.
B) Use Google SecOps SOAR Search to run a playbook designed to investigate the suspicious IP address and identify related outbound and inbound traffic.
C) Use Google SecOps SOAR Search to identify the cases where the suspicious IP address exists.
D) Conduct a Google SecOps SIEM Search that uses src.ip and target.ip to identify outbound and inbound traffic associated with the suspicious IP address.
5. You are ingesting and parsing logs from an SSO provider and an on-premises appliance using Google Security Operations (SecOps). Users are tagged as "restricted" by an internal process. Restrictions last five days from the most recent flagging time. You need to create a rule to detect when restricted users log into the appliance. Your solution must be quickly implemented and easily maintained. What should you do?
A) Store the flagged users in a data table column with their corresponding time to live values in a second column. Use row-based comparisons in your detection rule.
B) Store the identifiers of the flagged users in the detection rule logic. Actively monitor for newly flagged users, and add them to the detection rule logic.
C) Use a Google SecOps SOAR global context value to store a list of flagged users with their corresponding time to live values. Use a SOAR job to dynamically build and deploy a new version of the detection rule with the updated list of flagged users.
D) Ingest the user flags as custom enrichment data using a feed. Use a multi-event detection rule to find logins from users flagged in the entity graph.
Solutions:
Question 1: A, C
Question 2: D
Question 3: C
Question 4: D
Question 5: D