Security-Operations-Engineer 試験問題を無料オンラインアクセス

You are responsible for identifying suspicious activity and security events in your organization's environment.
You discover that some detection rules are generating false positives when the principal.ip field contains one or more IP addresses in the 192.168.2.0/24 subnet. You want to improve these detection rules using the principal.ip repeated field. What should you add to the YARA-L detection rules?

• A.not net.ip_in_range_cidr(any $e.principal.ip, "192.168.2.0/24")
• B.net.ip_in_range_cidr(all $e.principal.ip, "192.168.2.0/24")
• C.net.ip_in_range_cidr(any $e.principal.ip, "192.168.2.0/24")
• D.not net.ip_in_range_cidr(all $e.principal.ip, "192.168.2.0/24")

You are developing a security strategy for your organization. You are planning to use Google Security Operations (SecOps) and Google Threat Intelligence (GTI). You need to enhance the detection and response across multi-cloud and on-premises systems. How should you integrate these products?
Choose 2 answers

• A.Ingest on-premises and cloud security logs into Google SecOps SIEM as events.
• B.Use Google SecOps SOAR integrations with GTI for entity enrichment.
• C.Use Google SecOps SOAR integrations with GTI for event enrichment.
• D.Ingest on-premises and cloud security logs into Google SecOps SIEM as entities.
• E.Ingest GTI IOCs into Google SecOps as security events.

You have a close relationship with a vendor who reveals to you privately that they have discovered a vulnerability in their web application that can be exploited in an XSS attack. This application is running on servers in the cloud and on-premises. Before the CVE is released, you want to look for signs of the vulnerability being exploited in your environment. What should you do?

• A.Create a YARA-L 2.0 rule to detect a time-ordered series of events where an external inbound connection to a server was followed by a process on the server that spawned subprocesses previously not seen in the environment.
• B.Activate a new Web Security Scanner scan in Security Command Center (SCC), and look for findings related to XSS.
• C.Create a YARA-L 2.0 rule to detect high-prevalence binaries on your web server architecture communicating with known command and control (C2) nodes. Review inbound traffic from those C2 domains that have only started appearing recently.
• D.Ask the Gemini Agent in Google Security Operations (SecOps) to search for the latest vulnerabilities in the environment.

Your organization uses Google Security Operations (SecOps) for security analysis and investigation. Your organization has decided that all security cases related to Data Loss Prevention (DLP) events must be categorized with a defined root cause specific to one of five DLP event types when the case is closed in Google SecOps. How should you achieve this?

• A.Create case tags in Google SecOps SOAR where each tag contains a unique definition of each of the five DLP event types, and have analysts assign them to cases manually.
• B.Customize the Case Name format to include the DLP event type.
• C.Customize the Close Case dialog and add the five DLP event types as root cause options.
• D.Create a Google SecOps SOAR playbook that automatically assigns case tags where each tag contains the unique definition of one of the five DLP event types.

Your organization requires the SOC director to be notified by email of escalated incidents and their results before a case is closed. You need to create a process that automatically sends the email when an escalated case is closed. You need to ensure the email is reliably sent for the appropriate cases. What process should you use?

• A.Navigate to the Alert Overview tab to close the Alert. Run a manual action to gather the case details. If the case was escalated, email the notes to the director. Use the Close Case action in the UI to close the case.
• B.Write a job to check closed cases for incident escalation status, pull the case status details if a case has been escalated, and send an email to the director.
• C.Create a playbook block that includes a condition to identify cases that have been escalated. The two resulting branches either close the alert and email the notes to the director, or close the alert without sending an email.
• D.Use the Close Case button in the UI to close the case. If the case is marked as an incident, export the case from the UI and email it to the director.