Your organization plans to ingest logs from an on-premises MySQL database as a new log source into its Google Security Operations (SecOps) instance. You need to create a solution that minimizes effort. What should you do?

1. A. Configure and deploy a Bindplane collection agent
2. B. Configure a third-party API feed in Google SecOps.
3. C. Configure direct ingestion from your Google Cloud organization.
4. D. Configure and deploy a Google SecOps forwarder.

Correct Answer: D

You are developing a playbook to respond to phishing reports from users at your company. You configured a UDM query action to identify all users who have connected to a malicious domain. You need to extract the users from the UDM query and add them as entities in an alert so the playbook can reset the password for those users. You want to minimize the effort required by the SOC analyst. What should you do?

1. A. Implement an Instruction action from the Flow integration that instructs the analyst to add the entities in the Google SecOps user interface.
2. B. Use the Create Entity action from the Siemplify integratio
3. C. Use the Expression Builder to create a placeholder with the usernames in the Entities Identifier parameter.
4. D. Configure a manual Create Entity action from the Siemplify integration that instructs the analyst to input the Entities Identifier parameter based on the results of the action.
5. E. Create a case for each identified user with the user designated as the entity.

Correct Answer: B

You use Google Security Operations (SecOps) curated detections and YARA-L rules to detect suspicious activity on Windows endpoints. Your source telemetry uses EDR and Windows Events logs. Your rules match on the principal.user.userid UDM field. You need to ingest an additional log source for this field to match all possible log entries from your EDR and Windows Event logs. What should you do?

1. A. Ingest logs from Microsoft Entra ID.
2. B. Ingest logs from Windows Procmon.
3. C. Ingest logs from Windows PowerShell.
4. D. Ingest logs from Windows Sysmon.

Correct Answer: A

A Google Security Operations (SecOps) detection rule is generating frequent false positive alerts. The rule was designed to detect suspicious Cloud Storage enumeration by triggering an alert whenever the storage.objects.list API operation is called using the api.operation UDM field. However, a legitimate backup automation tool that uses the same API, causing the rule to fire unnecessarily. You need to reduce these false positives from this trusted backup tool while still detecting potentially malicious usage. How should you modify the rule to improve its accuracy?

1. A. Adjust the rule severity to low to deprioritize alerts from automation tools.
2. B. Convert the rule into a multi-event rule that looks for repeated API calls across multiple buckets.
3. C. Replace api.operation with api.service_name = "storage.googleapis.com" to narrow the detection scope.
4. D. Add principal.user.email != "backup-bot@fcobaa.com" to the rule condition to exclude the automation account.

Correct Answer: D

Your company uses Google Security Operations (SecOps) Enterprise and is ingesting various logs. You need to proactively identify potentially compromised user accounts. Specifically, you need to detect when a user account downloads an unusually large volume of data compared to the user's established baseline activity. You want to detect this anomalous data access behavior using minimal effort. What should you do?

1. A. Develop a custom YARA-L detection rule in Google SecOps that counts download bytes per user per hour and triggers an alert if a threshold is exceeded.
2. B. Create a log-based metric in Cloud Monitoring, and configure an alert to trigger if the data downloaded per user exceeds a predefined limi
3. C. Identify users who exceed the predefined limit in Google SecOps.
4. D. Inspect Security Command Center (SCC) default findings for data exfiltration in Google SecOps.
5. E. Enable curated detection rules for User and Endpoint Behavioral Analytics (UEBA), and use the Risk Analytics dashboard in Google SecOps to identify metrics associated with the anomalous activity.

Correct Answer: D