A. Use the UDM lookup feature to identify relevant process-related UDM fields and values.

B. Generate a Google SecOps SIEM dashboard based on relevant UDM fields, such as processes, that provides the counts for process names and files.

C. Review the Google SecOps SIEM Rules & Detections, and identify the most common processes appearing in alerts that are marked as false positives.

D. Run a UDM search, and review aggregations for relevant process-related UDM fields.

A. Use the playbook creation feature in Gemini, and enter details about the intended objectives. Add the necessary customizations for your environment, and test the generated playbook against a simulated remote shell alert.

B. Add instruction actions to the existing incident response playbook that include updated procedures with steps that should be completed. Have a senior analyst build out the playbook to include those new procedures.

C. Create a new custom playbook based on industry best practices, and work with an offensive security team to test the playbook against a simulated remote shell alert.

D. Use Gemini to generate a playbook based on a template from a standard incident response plan and implement automated scripts to filter network traffic based on known malicious IP addresses.

A. Assign the cases to a user in the Tier 3 role.

B. Instruct analysts in Tier 1 and Tier 2 to create a case queue filter to exclude cases assigned to the Tier 3 role.

C. Revoke additional role access from Tier 1 and Tier 2 analysts.

D. Configure the Cross Environment Policy to allow users to move cases between environments.
Move Tier 3 cases to an environment that only Tier 3 analysts can access.

A. Configure notifications in Cloud Monitoring when ingestion sources become silent in Bindplane.
Monitor and visualize Google SecOps data ingestion metrics using Bindplane Observability Pipeline (OP).

B. Configure automated scheduled delivery of an ingestion health report in the Data Ingestion and Health dashboard. Monitor and visualize data ingestion metrics in this dashboard.

C. Configure silent source notifications for Google SecOps collection agents in Cloud Monitoring.
Create a Cloud Monitoring dashboard to visualize data ingestion metrics.

D. Configure silent source alerts based on rule detections for anomalous data ingestion activity in Risk Analytics. Monitor and visualize the alert metrics in the Risk Analytics dashboard.

A. Reduce the severity score in the rule configuration when the IOC match occurs in any internal IP address range.

B. Add an exception in the detection rule to exclude matches originating from specific asset groups.

C. Add the IP address to a Google SecOps reference list, and configure the rule to suppress alerts for that list.

D. Temporarily disable the rule to avoid unnecessary alerts until the IOC expires in the threat feed.

A. Convert the rule into a multi-event rule that looks for repeated API calls across multiple buckets.

B. Add principal.user.email != "[email protected]" to the rule condition to exclude the automation account.

C. Replace api.operation with api.service_name = "storage.googleapis.com" to narrow the detection scope.

D. Adjust the rule severity to LOWto deprioritize alerts from automation tools.

A. Use the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance=pci tag exists on the instances.

B. Create a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance=pci tag is assigned an external IP address.

C. Deploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance=pci tag from creating Compute Engine instances with external IP addresses.

D. Create a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and Search for the compliance=pci tag.