Free GCP-PSOE Sample Questions — Google Cloud Platform - Professional Security Operations Engineer

Free GCP-PSOE sample questions for the Google Cloud Platform - Professional Security Operations Engineer exam. No account required: study at your own pace.


Question 1

You are responsible for managing threat intelligence and IOC lists in your organization. You have compiled a list of IOCs from recent incidents. You want to quickly and efficiently share the IOCs with other teams for collaboration and integration into their operational processes. What should you do?

  • A. Create a list in Google Security Operations (SecOps), and grant the required access to the other teams
  • B. Export the IOCs from Google Threat Intelligence in CSV or JSON format, and email the file to the other teams
  • C. Add the IOCs to a collection in Google Threat Intelligence, and share the collection with the other teams
  • D. Create a new threat graph in Google Threat Intelligence, and share the graph with the other teams
Correct Answer:
C. Add the IOCs to a collection in Google Threat Intelligence, and share the collection with the other teams

Question 2

You are an incident responder at your organization using Google Security Operations (SecOps) for monitoring and investigation. You discover that a critical production server, which handles financial transactions, shows signs of unauthorized file changes and network scanning from a suspicious IP address. You suspect that persistence mechanisms may have been installed. You need to use Google SecOps to immediately contain the threat while ensuring that forensic data remains available for investigation. What should you do first?

  • A. Use the firewall integration to submit the IP address to a network block list to inhibit internet access from that machine
  • B. Deploy emergency patches, and reboot the server to remove malicious persistence
  • C. Use the EDR integration to quarantine the compromised asset
  • D. Use VirusTotal to enrich the IP address and retrieve the domain. Add the domain to the proxy block list
Correct Answer:
C. Use the EDR integration to quarantine the compromised asset

Question 3

You are a SOC analyst at an organization that uses Google Security Operations (SecOps). You are investigating suspicious activity in your organization's environment. Alerts in Google SecOps indicate repeated PowerShell activity on a set of endpoints. Outbound connections are made to a domain that does not appear in your threat intelligence feeds. The activity occurs across multiple systems and user accounts. You need to search across impacted systems and user identities to identify the malicious user and understand the scope of the compromise. What should you do?

  • A. Perform a YARA-L 2.0 search to correlate activity across impacted systems and users
  • B. Perform a raw log search for the suspicious domain string, and manually pivot to related user activity
  • C. Use the User Sign-In Overview dashboard to monitor authentication trends and anomalies across all users
  • D. Use the Behavioral Analytics dashboard in Risk Analytics to identify abnormal IP-based activity and high-risk user behavior
Correct Answer:
D. Use the Behavioral Analytics dashboard in Risk Analytics to identify abnormal IP-based activity and high-risk user behavior

Question 4

You use Google Security Operations (SecOps) curated detections and YARA-L rules to detect suspicious activity on Windows endpoints. Your source telemetry uses EDR and Windows Event logs. Your rules match on the principal.user.userid UDM field. You need to ingest an additional log source for this field to match all possible log entries from your EDR and Windows Event logs. What should you do?

  • A. Ingest logs from Windows Sysmon
  • B. Ingest logs from Microsoft Entra ID
  • C. Ingest logs from Windows PowerShell
  • D. Ingest logs from Windows Procmon
Correct Answer:
B. Ingest logs from Microsoft Entra ID

Question 5

You are a SOC analyst working a case in Google Security Operations (SecOps). The case contains a file hash that your playbooks have automatically enriched with VirusTotal context and categorized as likely malicious. You need to quickly identify devices and users in your organization who have interacted with this file. What should you do?

  • A. Build a playbook to perform a UDM search matching on the file hash in Google SecOps SIEM
  • B. Build a playbook to query your threat intelligence platform (TIP) for the presence of the file hash
  • C. Use a manual action in Google SecOps SOAR to perform a UDM search matching on the file hash in Google SecOps SIEM
  • D. Use a manual action in Google SecOps SOAR to query your threat intelligence platform (TIP) for the presence of the file hash
Correct Answer:
C. Use a manual action in Google SecOps SOAR to perform a UDM search matching on the file hash in Google SecOps SIEM
