Free Security-Operations-Engineer Questions for Google Security-Operations-Engineer Exam

Question #1

You received an IOC from your threat intelligence feed that is identified as a suspicious domain used for command and control (C2). You want to use Google Security Operations (SecOps) to investigate whether this domain appeared in your environment. You want to search for this IOC using the most efficient approach. What should you do?

A. Enable Group by Field in scan view to cluster events by hostname.

B. Enter the IOC into the IOC Search feature, and wait for detections with this domain to appear in the Case view.

C. Run a raw log search to search for the domain string.

D. Configure a UDM search that queries the DNS section of the network noun.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #2

You are the SOC manager at a large enterprise that uses Google Security Operations (SecOps).
You need to create a report that shows the Return on Investment (ROI) attributed to analyst activities in Google SecOps SOAR for the previous month. The report should include the time saved and efficiency gains from using SOAR's features. You need to generate this report using the most efficient and accurate approach while providing the required level of detail. What should you do?

A. Create a custom Google SecOps SOAR search query that filters for all cases handled by specific analysts in the last month. Export the results to a spreadsheet for analysis and ROI calculation.

B. Use the filters and visualizations in the Management - SOC Status report in SOAR Reports to extract case-specific performance data.

C. Develop a Google SecOps SOAR playbook that automatically aggregates analyst performance metrics, incorporates custom weighted factors for different case types, calculates ROI based on predefined formulas, and generates a PDF report on a monthly schedule.

D. Use the ROI - Analysts Benchmark report in SOAR Reports. Configure the report to display data for the desired time period, and filter by individual analysts.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #3

You are a member of the incident response team working in a global enterprise. You need to identify all potential Google Threat Intelligence IOCs within your organization's data using Google Security Operations (SecOps). What should you do?

A. Use the Alerts & IOCs page in Google SecOps.

B. Create YARA-L rules to detect and alert when Google Threat Intelligence identifies potential threats.

C. Use the Cases page in Google SecOps.

D. Use Gemini to perform a search for potential cybersecurity threats against your organization's data.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #4

You recently joined a company that uses Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You have alert fatigue from a recent red team exercise, and you want to reduce the amount of time spent sifting through noise. You need to filter out IOCs that you suspect were generated due to the exercise. What should you do?

A. Ask Gemini to provide a list of IOCs from the red team exercise.

B. Navigate to the IOC Matches page. Identify and mute the IOCs from the red team exercise.

C. Navigate to the IOC Matches page. Review IOCs with an Indicator Confidence Score (IC-Score) label >= 80%.

D. Filter IOCs with an ingestion time that matches the time period of the red team exercise.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #5

You work at a financial services company. You need to detect in near real-time when a Cloud Run functions service agent modifies the IAM policy of an Artifact Registry repository. You plan to use Security Command Center (SCC). You want to follow the Google-recommended approach.
What should you do?

A. Create a custom Security Health Analytics (SHA) detector that scans Artifact Registry repositories for IAM policy changes. When a change is detected identify the principal that made the change.

B. Implement a Cloud Run function that is triggered by IAM policy changes within the project and sends an alert to SCC using the Security Command Center API.

C. Use Event Threat Detection in SCC with a custom unexpected Cloud API call rule that detects when a specified principal calls a method against a resource.

D. Configure a Cloud Logging log sink to export all IAM policy changes to BigQuery, and create a custom dashboard in SCC to visualize the data.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #6

Your company is taking a more proactive approach to security. You want to generate an alert when a binary hash first appears in your environment. What should you do?

A. Enable the Applied Threat Intelligence - Curated Prioritization rule set in curated detections.

B. Create a table by using the Google Security Operations (SecOps) statistics in search to examine file-related events for the current day. Verify that the first_seen_time value predates the current day.

C. Navigate to the Alerts & IOCs page in Google Security Operations (SecOps). Create a filter that targets hashes and specifies a first_seen_time value excluding the current date.

D. Write a rule to examine file-related events that join with derived context for hashes in the entity graph. Compare the timestamp of the hash with the first_seen_time field.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #7

Your company requires PCI DSS v4.0 compliance for its cardholder data environment (CDE) in Google Cloud. You use a Security Command Center (SCC) security posture deployment based on the PCI DSS v4.0 template to monitor for configuration drift. This posture generates a finding indicating that a Compute Engine VM within the CDE scope has been configured with an external IP address. You need to take an immediate action to remediate the compliance drift identified by this specific SCC posture finding. What should you do?

A. Enable and enforce the constraints/compute.vmExternalIpAccess organization policy constraint at the project level for the project where the VM resides.

B. Reconfigure the network interface settings for the VM to explicitly remove the assigned external IP address.

C. Remove the CDE-specific tag from the VM to exclude the tag from this particular PCI DSS posture evaluation scan.

D. Navigate to the underlying Security Health Analytics (SHA) finding for PUBLIC_IP_ADDRESSon the VM, and mark this finding as fixed.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #8

An organization detects a successful login to a Google Cloud IAM user from an unfamiliar country, followed by the creation of multiple new service account keys within minutes. No malware alerts are triggered. What is the MOST appropriate immediate action?

A. Disable the service accounts and continue monitorin

B. Wait for evidence of data access

C. Rotate only the affected user's password

D. Revoke active credentials, disable the compromised identity, and initiate an incident response

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #9

You are a senior SOC analyst in your organization. You are receiving alerts of traffic to a command and control (C2) IP address. You want to use Google Security Operations (SecOps) to investigate the IP address associated with the C2 IP address. What should you do?

A. Use Google SecOps SOAR Search to identify the cases where the suspicious IP address exists.

B. Conduct a Google SecOps SIEM Search that uses src.ip and target.ip to identify outbound and inbound traffic associated with the suspicious IP address.

C. Use Google SecOps SIEM Search to query against the grouped ip field, and use the enriched field from the suspicious events to identify related activity.

D. Use Google SecOps SOAR Search to run a playbook designed to investigate the suspicious IP address and identify related outbound and inbound traffic.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Question #10

Your company's Google Security Operations (SecOps) instance has three roles: Tier 1, Tier 2, and Tier 3. Currently, analysts in all tiers can access all cases in Google SecOps. Your company's SOC has a new requirement to restrict access to cases assigned to the Tier 3 role from the other tiers. You need to ensure cases that are assigned to the Tier 3 role can only be accessed by Tier 3 analysts. What should you do?

A. Revoke additional role access from Tier 1 and Tier 2 analysts.

B. Assign the cases to a user in the Tier 3 role.

C. Configure the Cross Environment Policy to allow users to move cases between environments.
Move Tier 3 cases to an environment that only Tier 3 analysts can access.

D. Instruct analysts in Tier 1 and Tier 2 to create a case queue filter to exclude cases assigned to the Tier 3 role.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).

Free Security-Operations-Engineer Questions for Google Cloud Certified - Professional Security Operations Engineer (PSOE) Security-Operations-Engineer Exam as PDF & Practice Test Engine

Download Free Google Security-Operations-Engineer Demo