Google Security Operations Engineer (Beta) Sample Questions:

1. You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?

A) Configure the rule to detect outbound network connections to the external IP address. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.
B) Configure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.
C) Configure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated reference list of all APT41-related IP addresses.
D) Configure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP address. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.

2. You received an alert from Container Threat Detection that an added binary has been executed in a business critical workload. You need to investigate and respond to this incident. What should you do? (Choose two.)

A) Notify the workload owner. Follow the response playbook, and ask the threat hunting team to identify the root cause of the incident.
B) Silence the alert in the Security Command Center (SCC) console, as the alert is a low severity finding.
C) Review the finding, quarantine the cluster containing the running pod, and delete the running pod to prevent further compromise.
D) Keep the cluster and pod running, and investigate the behavior to determine whether the activity is malicious.
E) Review the finding, investigate the pod and related resources, and research the related attack and response methods.

3. You work at a financial services company. You need to detect in near real-time when a Cloud Run functions service agent modifies the IAM policy of an Artifact Registry repository. You plan to use Security Command Center (SCC). You want to follow the Google-recommended approach.
What should you do?

A) Configure a Cloud Logging log sink to export all IAM policy changes to BigQuery, and create a custom dashboard in SCC to visualize the data.
B) Implement a Cloud Run function that is triggered by IAM policy changes within the project and sends an alert to SCC using the Security Command Center API.
C) Use Event Threat Detection in SCC with a custom unexpected Cloud API call rule that detects when a specified principal calls a method against a resource.
D) Create a custom Security Health Analytics (SHA) detector that scans Artifact Registry repositories for IAM policy changes. When a change is detected identify the principal that made the change.

4. You are investigating whether an advanced persistent threat (APT) actor has operated in your organization's environment undetected. You have received threat intelligence that includes:
- A SHA256 hash for a malicious DLL
- A known command and control (C2) domain
- A behavior pattern where rundll32.exe spawns powershell.exe with obfuscated arguments Your Google Security Operations (SecOps) instance includes logs from EDR, DNS, and Windows Sysmon. However, you have recently discovered that process hashes are not reliably captured across all endpoints due to an inconsistent Sysmon configuration. You need to use Google SecOps to develop a detection mechanism that identifies the associated activities. What should you do?

A) Create a single-event YARA-L detection rule based on the file hash, and run the rule against historical and incoming telemetry to detect the DLL execution.
B) Write a multi-event YARA-L detection rule that correlates the process relationship and hash, and run a retrohunt based on this rule.
C) Use Google SecOps search to identify recent uses of rundll32.exe, and tag affected assets for watchlisting.
D) Build a reference list that contains the hash and domain, and link the list to a high-frequency rule for near real-time alerting.

5. Your team has onboarded a new log source from a third-party DNS filtering solution. After ingestion, you observe that key UDM fields such as network.dns.questions.name and metadata.product_event_type are missing from the parsed events in Google Security Operations (SecOps). You suspect that the default parser does not fully align with the source format. You need to ensure these fields are available for downstream detection rules that rely on DNS query telemetry and event categorization. What should you do?

A) Use a custom parser that outputs all fields as raw JSON for detection.
B) Modify the ingestion source definition to remap raw fields directly to UDM by using the UDM sample output.
C) Create a parser extension that maps the missing source fields to the correct UDM fields and attach it to the existing parser.
D) Enable asset enrichment for the log source to infer missing fields based on correlated host activity.

Solutions: