Your organization uses Google Security Operations (SecOps) for security analysis and investigation. Your organization has decided that all security cases related to Data Loss Prevention (DLP) events must be categorized with a defined root cause specific to one of five DLP event types when the case is closed in Google SecOps.
How should you achieve this?

1. A. Customize the Case Name format to include the DLP event type.
2. B. Create a Google SecOps SOAR playbook that automatically assigns case tags where each tag contains the unique definition of one of the five DLP event types.
3. C. Create case tags in Google SecOps SOAR where each tag contains a unique definition of each of the five DLP event types, and have analysts assign them to cases manually.
4. D. Customize the Close Case dialog and add the five DLP event types as root cause options.

Correct Answer: D

You are part of a cybersecurity team at a large multinational corporation that uses Google Security Operations (SecOps). You have been tasked with identifying unknown command and control nodes (C2s) that are potentially active in your organization's environment. You need to generate a list of potential matches for the unknown C2s within the next 24 hours. What should you do?

1. A. Review Security Health Analytics (SHA) findings in Security Command Center (SCC).
2. B. Load network records into BigQuery to identify endpoints that are communicating with domains outside three standard deviations of normal.
3. C. Write a YARA-L rule in Google SecOps that scans historic network outbound connections against ingested threat intelligenc
4. D. Run the rule in a retrohunt against the full tenant.
5. E. Write a YARA-L rule in Google SecOps that compares network traffic from endpoints to recent WHOIS registration
6. F. Run the rule in a retrohunt against the full tenant.

Correct Answer: D

You have been tasked with developing a new response process in a playbook to contain an endpoint. The new process should take the following actions:
✑ Send an email to users who do not have a Google Security Operations (SecOps) account to request approval for endpoint containment.
✑ Automatically continue executing its logic after the user responds.
You plan to implement this process in the playbook by using the Gmail integration. You want to minimize the effort required by the SOC analyst. What should you do?

1. A. Set the containment action to 'Manual' and assign the action to the user to execute or skip the containment action.
2. B. Set the containment action to 'Manual' and assign the action to the appropriate tie
3. C. Contact the user by email to request approva
4. D. The analyst chooses to execute or skip the containment action.
5. E. Use the 'Send Email' action to send an email requesting approval to contain the endpoint, and use the 'Wait For Thread Reply' action to receive the resul
6. F. The analyst manually contains the endpoint.
7. G. Generate an approval link for the containment action and include the placeholder in the body of the 'Send Email' actio
8. H. Configure additional playbook logic to manage approved or denied containment actions.

Correct Answer: D

Your company requires PCI DSS v4.0 compliance for its cardholder data environment (CDE) in Google Cloud. You use a Security Command Center (SCC) security posture deployment based on the PCI DSS v4.0 template to monitor for configuration drift.1 This posture generates a finding indicating that a Compute Engine VM within the CDE scope has been configured with an external IP address. You need to take an immediate action to remediate the compliance drift identified by this specific SCC posture finding. What should you do?

1. A. Enable and enforce the constraints/compute.vmExternalIpAccess organization policy constraint at the project level for the project where the VM resides.
2. B. Remove the CDE-specific tag from the VM to exclude the tag from this particular PCI DSS posture evaluation scan.
3. C. Reconfigure the network interface settings for the VM to explicitly remove the assigned external IP address.
4. D. Navigate to the underlying Security Health Analytics (SHA) finding for public_ip_address on the V
5. E. and mark this finding as fixed.

Correct Answer: C

You recently joined a company that uses Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You have alert fatigue from a recent red team exercise, and you want to reduce the amount of time spent sifting through noise. You need to filter out IoCs that you suspect were generated due to the exercise. What should you do?

1. A. Ask Gemini to provide a list of IoCs from the red team exercise.
2. B. Filter IoCs with an ingestion time that matches the time period of the red team exercise.
3. C. Navigate to the IOC Matches pag
4. D. Identify and mute the IoCs from the red team exercise.
5. E. Navigate to the IOC Matches pag
6. F. Review IoCs with an Indicator Confidence Score (IC-Score) label >= 80%.

Correct Answer: C