Google Professional Security Operations Engineer Exam Questions

Question 6 of 131

Your organization has recently acquired Company A, which has its own SOC and security tooling. You have already configured ingestion of Company A's security telemetry and migrated their detection rules to Google Security Operations (SecOps). You now need to enable Company A's analysts to work their cases in Google SecOps. You need to ensure that Company A's analysts: do not have access to any case data originating from outside of Company A. are able to re-purpose playbooks previously developed by your organization's employees.
You need to minimize effort to implement your solution. What is the first step you should take?

Acquire a second Google SecOps SOAR tenant for Company A.

Provision a new service account for Company A.

Define a new SOC role for Company A.

Create a Google SecOps SOAR environment for Company A.

Correct Answer: C

Question 7 of 131

You have identified and isolated a new malware sample installed by an advanced threat group that you believe was developed specifically for an attack against your organization. You want to quickly and efficiently analyze this malware to get IOCs without alerting the threat group. What should you do?

Search for the threat group in Google Threat Intelligence.

Upload the malware to Google Threat Intelligence by using VirusTotal.

Upload the malware to Google Threat Intelligence by using Private Scanning.

Calculate the file checksum for the malware, and search for the checksum in GoogleThreat Intelligence by using VirusTotal.

Correct Answer: C

Question 8 of 131

Your organization uses Cloud Identity as their identity provider (IdP) and is a Google Security Operations (SecOps) customer You need to grant a group of users access to the Google SecOps instance with read-only access to all resources, including detection engine rules. How should this be configured?

Create a Google Group and add the required users. Grant the roles/chronicle.Viewer IAM role to the group on the project associated with your Google SecOps Instance.

Create a Google Group and add the required users. Grant the roles/chronicle.limitedViewer IAM role to the group on the project associated with your Google SecOps instance.

Create a workforce identity pool at the organization level. Grant the roles/chronicle.editor IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID principal set on the project associated with your Google SecOps instance.

Create a workforce identity pool at the organization level Grant the roles/chronicle.limitedViewer IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID principal set on the project associated with your Google SecOps Instance.

Correct Answer: A

Question 9 of 131

Your team is responsible for cybersecurity for a large multinational corporation. You have been tasked with identifying unknown command and control nodes (C2s) that are potentially active in your organization's environment. You need to generate a list of potential matches within the next 24 hours. What should you do?

Write a rule in Google Security Operations (SecOps) that scans historic network outbound connections against ingested threat intelligence Run the rule in a retrohunt against the full tenant.

Load network records into BigQuery to identify endpoints that are communicating with domains outside three standard deviations of normal.

Review Security Health Analytics (SHA) findings in Security Command Center (SCC).

Write a YARA-L rule in Google Security Operations (SecOps) that compares network traffic of endpoints to low prevalence domains against recent WHOIS registrations.

Correct Answer: A

Question 10 of 131

You received an alert from Container Threat Detection that an added binary has been executed in a business critical workload. You need to investigate and respond to this incident. What should you do? (Choose two.)

Notify the workload owner. Follow the response playbook, and ask the threat hunting team to identify the root cause of the incident.

Review the finding, investigate the pod and related resources, and research the related attack and response methods.

Review the finding, quarantine the cluster containing the running pod, and delete the running pod to prevent further compromise.

Silence the alert in the Security Command Center (SCC) console, as the alert is a low severity finding.

Keep the cluster and pod running, and investigate the behavior to determine whether the activity is malicious.

Correct Answer: A, B