Security Operations Engineer (Beta) (GCP-SOE-B) Free Practice Test

Question 1

Your company uses Google Security Operations (SecOps) Enterprise and is ingesting various logs. You need to proactively identify potentially compromised user accounts. Specifically, you need to detect when a user account downloads an unusually large volume of data compared to the user's established baseline activity. You want to detect this anomalous data access behavior using the least amount of effort. What should you do?

A. Enable curated detection rules for User and Endpoint Behavioral Analytics (UEBA), and use the Risk Analytics dashboard in Google SecOps to identify metrics associated with the anomalous activity.

B. Develop a custom YARA-L detection rule in Google SecOps that counts download bytes per user per hour and triggers an alert if a threshold is exceeded.

C. Create a log-based metric in Cloud Monitoring, and configure an alert to trigger if the data downloaded per user exceeds a predefined limit. Identify users who exceed the predefined limit in Google SecOps.

D. Inspect Security Command Center (SCC) default findings for data exfiltration in Google SecOps.

Correct Answer: A

Question 2

You are investigating an alert in Google Security Operations (SecOps). You want to view previous enrichment attributes and relevant historical cases for an entity using the fewest number of steps. What should you do?

A. Initiate a SIEM Search to query the entity.

B. Initiate a SOAR Search to query the entity.

C. Select View Details for the entity in the Entity Highlights widget.

D. Select the entity identifier in the Entity Highlights widget to open Entity Explorer.

Correct Answer: D

Question 3

You are building a detection rule in Google Security Operations (SecOps) to alert on requests to potentially malicious domains. You are planning to use the logs from your network detection and response (NDR) solution but you need to reduce noise and narrow the scope of detections. You want to minimize cost and deploy the solution quickly. What should you do?

A. Ingest logs from your threat intelligence platform (TIP), and build a multi-event rule that correlates the domains found in your NDR logs with your threat intelligence data.

B. Build a Google SecOps SOAR playbook that enriches domain entities in alerts with VirusTotal information and auto-closes cases when no domains are classified as malicious.

C. Ingest logs from a domain monitoring service, and build a multi-event rule that correlates the domains found in your NDR logs with your domain monitoring data.

D. Build a multi-event rule that correlates the domains found in your NDR logs with WHOIS context in the entity graph and sets the risk score based on domain creation time.

Correct Answer: A

Question 4

You are working with your company's analyst team to automate the investigation of phishing alerts ingested directly into Google Security Operations (SecOps) SOAR from an email inbox.
The analyst team currently uses a SIEM query to search for related information. You need to design a solution to automatically include the query results in the Google SecOps case without writing any new code. What should you do?

A. Add an action to the playbook that runs the SIEM query and returns the results.

B. Create a custom action in Google SecOps IDE that runs the SIEM query from a playbook through an API call and returns the results.

C. Modify the detection rule in the SIEM to include the query results as part of the detection.

D. Add a widget to the Default Case View in Google SecOps SOAR that allows the analyst team to query directly from the widget.

Correct Answer: A

Question 5

You are a security operations engineer in an enterprise that uses Google Security Operations (SecOps). Your organization recently faced a cybersecurity breach. You need to increase the threat analytics as quickly as possible. What should you do?

A. Ingest data from a threat intelligence platform (TIP) into Google SecOps.

B. Develop YARA-L detection rules that focus on threat intelligence.

C. Enable curated detections to identify threats.

D. Design YARA-L detection rules based on Google SecOps Marketplace use cases.

Correct Answer: C

Question 6

Your organization has a standard set of Google Security Operations (SecOps) playbooks that are applied to alerts in different circumstances. One playbook uses an "All" trigger that should always be applied if no other more specific playbooks have triggered. You need to ensure that the more specific playbook is attached and not the generic "All" playbook when multiple triggers match.
What should you do?

A. Create a tagging rule in the Google SecOps SOAR settings, and use a tag trigger to trigger the specific playbook.

B. Change the "All" trigger to be more precise so that it doesn't trigger when the other playbook is needed.

C. Set the priority of the "All" playbook to a higher value than the priority of the specific playbook to ensure the "All" trigger is evaluated after the previous priorities.

D. In the Outcomes section of the detection rule that is firing your alert, add a specific field to search for the specific playbook to base the trigger on.

Correct Answer: C

Question 7

You are conducting a proactive threat hunt in Google Security Operations (SecOps). You observe multiple login events with the same principal.user.userid field that originate from different countries within a short time window. You need to validate whether the account has been compromised. What should you do?

A. Perform a UDM search for login events, and pivot to group results by user and country of origin.

B. Use the entity graph to correlate the user's risk score with linked assets, and review any active alerts.

C. Run a YARA-L retrohunt rule that detects users who are logging in from multiple regions using multiple entity contexts.

D. Perform a YARA-L 2.0 search for login events and their associated principal.location.country field. Use an outcome field to aggregate the number of failed logins.

Correct Answer: A

Question 8

Your organization plans to ingest logs from an on-premises MySQL database as a new log source into its Google Security Operations (SecOps) instance. You need to create a solution that minimizes effort. What should you do?

A. Configure a third-party API feed in Google SecOps.

B. Configure direct ingestion from your Google Cloud organization.

C. Configure and deploy a Google SecOps forwarder.

D. Configure and deploy a Bindplane collection agent.

Correct Answer: C

Question 9

You work for an organization that uses Security Command Center (SCC) with Event Threat Detection (ETD) enabled. You need to enable ETD detections for data exfiltration attempts from designated sensitive Cloud Storage buckets and BigQuery datasets. You want to minimize Cloud Logging costs. What should you do?

A. Enable "data read" and "data write" audit logs for all Cloud Storage buckets and BigQuery datasets throughout the organization.

B. Enable "data read" and "data write" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.

C. Enable "data read" audit logs only for the designated sensitive Cloud Storage buckets and BigQuery datasets.

D. Enable VPC Flow Logs for the VPC networks containing resources that access the sensitive Cloud Storage buckets and BigQuery datasets.

Correct Answer: C

Welcome to TestSimulate

Google Security Operations Engineer (Beta) (GCP-SOE-B) Free Practice Test