Free Google Security-Operations-Engineer Exam Dumps Questions & Answers

Your company's SOC recently responded to a ransomware incident that began with the execution of a malicious document. EDR tools contained the initial infection. However, multiple privileged service accounts continued to exhibit anomalous behavior, including credential dumping and scheduled task creation. You need to design an automated playbook in Google Security Operations (SecOps) SOAR to minimize dwell time and accelerate containment for future similar attacks. Which action should you take in your Google SecOps SOAR playbook to support containment and escalation?

• A.  Add a YARA-L rule that sends an alert when a document is executed using a scripting engine such as wscript.exe.
• B.  Configure a step that revokes OAuth tokens and suspends sessions for high-privilege accounts based on entity risk.
• C.  Create an external API call to VirusTotal to submit hashes from forensic artifacts.
• D.  Add an approval step that requires an analyst to validate the alert before executing a containment action.

You have identified a common malware variant on a potentially infected computer. You need to find reliable IoCs and malware behaviors as quickly as possible to confirm whether the computer is infected and search for signs of infection on other computers. What should you do?

• A.  Create a Compute Engine VM, and perform dynamic and static malware analysis.
• B.  Search for the malware hash in Google Threat Intelligence, and review the results.
• C.  Perform a UDM search for the file checksum in Google Security Operations (SecOps). Review activities that are associated with, or attributed to, the malware.
• D.  Run a Google Web Search for the malware hash, and review the results.

You are developing a new detection rule in Google Security Operations (SecOps). You are defining the YARA-L logic that includes complex event, match, and condition sections. You need to develop and test the rule to ensure that the detections are accurate before the rule is migrated to production. You want to minimize impact to production processes. What should you do?

• A.  Use Gemini in Google SecOps to develop the rule by providing a description of the parameters and conditions, and transfer the rule into the Rules Editor.
• B.  Develop the rule in the Rules Editor, define the sections of the rule logic, and test the rule by setting it to live but not alerting. Run a YARA-L retrohunt from the rules dashboard.
• C.  Develop the rule in the Rules Editor, define the sections of the rule logic, and test the rule using the test rule feature.
• D.  Develop the rule logic in the UDM search, review the search output to inform changes to filters and logic, and copy the rule into the Rules Editor.

Your organization uses Cloud Identity as their identity provider (IdP) and is a Google Security Operations (SecOps) customer. You need to grant a group of users access to the Google SecOps instance with read-only access to all resources, including detection engine rules. How should this be configured?

• A.  Create a workforce identity pool at the organization level. Grant the roles/chronicle.editor IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID principal set on the project associated with your Google SecOps instance.
• B.  Create a workforce identity pool at the organization level. Grant the roles/chronicle.limitedViewer IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group
  /GROUP_ID principal set on the project associated with your Google SecOps instance.
• C.  Create a Google Group and add the required users. Grant the roles/chronicle.viewer IAM role to the group on the project associated with your Google SecOps instance.
• D.  Create a Google Group and add the required users. Grant the roles/chronicle.limitedViewer IAM role to the group on the project associated with your Google SecOps instance.

You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?

• A.  Write a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.
• B.  Create a Google SecOps dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.
• C.  Configure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.
• D.  Configure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.