最新的Google Security-Operations-Engineer免費考試真題

問題1

You are implementing Google Security Operations (SecOps) with multiple log sources. You want to closely monitor the health of the ingestion pipeline's forwarders and collection agents, and detect silent sources within five minutes. What should you do?

A. Create an ingestion notification for health metrics in Cloud Monitoring based on the total ingested log count for each collector_id.

B. Create a Looker dashboard that queries the BigQuery ingestion metrics schema for each log_type and collector_id.

C. Create a notification in Cloud Monitoring using a metric-absence condition based on sample policy for each collector_id.

D. Create a Google SecOps SIEM dashboard to show the ingestion metrics for each log_type and collector_id.

正確答案: C

說明：（僅 Fast2test 成員可見）

問題2

You are an incident response engineer at an organization that uses Google Security Operations (SecOps). You recently started monitoring IOCs in Applied Threat Intelligence using YARA-L rules. You have discovered that there are more false positive alerts than expected, which is causing noise for the SOC team. You need to reduce the number of false positive alerts. What should you do?

A. Create a playbook that automatically tunes the IOC source if its indicator confidence score (IC- Score) is between 60% and 80%.

B. Configure alert grouping for the most repetitive alerts.

C. Modify the YARA-L rules to use an indicator confidence score (IC-Score) of 60% and above.

D. Implement curated detections instead of custom YARA-L rules.

正確答案: C

說明：（僅 Fast2test 成員可見）

問題3

You are configuring a new integration in Google Security Operations (SecOps) to perform enrichment actions in playbooks. This enrichment technology is located in a private data center that does not allow inbound network connections. You need to connect your Google SecOps instance to the integration. What should you do?

A. Create a forwarder in the private data center. Configure an instance of the integration to run on the forwarder.

B. Create a remote agent in the private data center. Configure an instance of the integration to run on a remote agent in Google SecOps.

C. Create a network route in Google Cloud to the private data center.

D. Query the enrichment source in the private data center and upload the results to the case wall in Google SecOps.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題4

You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?

A. Configure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.

B. Configure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.

C. Create a Google SecOps SOAR dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.

D. Write a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題5

You have noticed that a Google Security Operations (SecOps) detection rule that detects excessive network connections is triggering too frequently and creating too many false positive alerts. You want to improve the rule to reduce the noise without reducing the effectiveness of the rule. What change to the detection rule should you implement?

A. Update the YARA-L events: section to exclude the most common IP addresses involved in the network connection alerts to reduce the number of alerts.

B. Add a threshold in the YARA-L condition: section to ensure that the rule only alerts after a certain number of connections.

C. Assign a risk score in the YARA-L outcome: section to prioritize alerts more effectively in the alert queue.

D. Include a 10 minute timeframe for the same source and destination of network connections in the YARA-L match: section to aggregate the alerts.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題6

You are receiving security alerts from multiple connectors in your Google Security Operations (SecOps) instance. You need to identify which IP address entities are internal to your network and label each entity with its specific network name. This network name will be used as the trigger for the playbook. What should you do?

A. Configure each network in the Google SecOps SOAR settings.

B. Create an outcome variable in the rule to assign the network name.

C. Modify the entity attribute in the alert overview.

D. Enrich the IP address entities as the initial step of the playbook.

正確答案: D

說明：（僅 Fast2test 成員可見）

問題7

You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?

A. Configure the rule to check whether the external IP address from the network connection event has a high confidence score across any enabled threat intelligence feed.

B. Configure the rule to detect outbound network connections to the external IP address. Create a Google SecOps SOAR playbook that queries the Fusion Feed to determine if the IP address has an APT41 relationship.

C. Configure the rule to establish a join between the live network connection event and Fusion Feed data for the common external IP address. Filter the joined Fusion Feed data for explicit associations with the APT41 threat group or related indicators.

D. Configure the rule to trigger when the external IP address from the network connection event matches an entry in a manually pre-curated reference list of all APT41-related IP addresses.

正確答案: C

說明：（僅 Fast2test 成員可見）

問題8

Your company uses Security Command Center (SCC) and Google Security Operations (SecOps). Last week, an attacker attempted to establish persistence by generating a key for an unused service account. You need to confirm that you are receiving alerts when keys are created for unused service accounts and that newly created keys are automatically deleted. You want to minimize the amount of manual effort required. What should you do?

A. Use the Initial Access: Dormant Service Account Key Created finding from SCC, and ingest this finding into Google SecOps. Create a custom action in Google SecOps SOAR that is triggered on this finding. Use the built-in IDE to build code to delete the service account key.

B. Use the Initial Access: Dormant Service Account Key Created finding from SCC, and write this finding to a Pub/Sub topic. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.

C. Configure a Cloud Logging sink to write logs to a Pub/Sub topic that filters for the methodName:
"google.iam.admin.v1.CreateServiceAccountKey" field. Create a Cloud Run function that subscribes to the Pub/Sub topic and deletes the service account key.

D. Generate a YARA-L rule in Google SecOps that detects when a service account key is created.
Using the built-in IDE, create a custom action in Google SecOps SOAR that deletes the service account key.

正確答案: A

說明：（僅 Fast2test 成員可見）

問題9

You are developing a playbook to respond to phishing reports from users at your company. You configured a UDM query action to identify all users who have connected to a malicious domain.
You need to extract the users from the UDM query and add them as entities in an alert so the playbook can reset the password for those users. You want to minimize the amount of effort required by the SOC analyst. What should you do?

A. Implement an Instruction action from the Flow integration that instructs the analyst to add the entities in the Google SecOps user interface.

B. Create a case for each identified user with the user designated as the entity.

C. Configure a manual Create Entity action from the Siemplify integration that instructs the analyst to input the Entities Identifier parameter based on the results of the action.

D. Use the Create Entity action from the Siemplify integration. Use the Expression Builder to create a placeholder with the usernames in the Entities Identifier parameter.

正確答案: D

說明：（僅 Fast2test 成員可見）

問題10

You recently joined a company that uses Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You have alert fatigue from a recent red team exercise, and you want to reduce the amount of time spent sifting through noise. You need to filter out IOCs that you suspect were generated due to the exercise. What should you do?

A. Ask Gemini to provide a list of IOCs from the red team exercise.

B. Filter IOCs with an ingestion time that matches the time period of the red team exercise.

C. Navigate to the IOC Matches page. Review IOCs with an Indicator Confidence Score (IC-Score) label >= 80%.

D. Navigate to the IOC Matches page. Identify and mute the IOCs from the red team exercise.

正確答案: D

說明：（僅 Fast2test 成員可見）

最新的Google Cloud Certified - Professional Security Operations Engineer (PSOE) - Security-Operations-Engineer免費考試真題

聯系我們

站內鏈接

最新更新