Google Cloud Professional Security Operations Engineer — Question 11
Your organization recently implemented Google Security Operations (SecOps) with Applied Threat Intelligence enabled. You were notified by the networking team about potentially anomalous communications to external domains in the last 30 days. You plan to start your threat hunting by looking at communications to external domains. You are ingesting the following logs into Google SecOps:
- Firewall logs
- Proxy logs
- DNS logs
- DHCP logs
What should you do? (Choose two.)
Answer options
- A. Perform a UDM search across the logs for domains with geolocations that were first seen in the last 30 days.
- B. Perform a UDM search across the logs for domains with low prevalence that were first seen in the last 30 days.
- C. Perform a raw log search across the logs for domains with low prevalence that were first seen in the last 30 days.
- D. Identify the domains with the higher normalized risk in Risk Analytics. Drill down into those entities to determine their prevalence and if they were first seen in the last 30 days.
- E. Navigate to the IOC Matches page and filter based on domain type over the last 30 days. Look for the first seen and last seen timestamps for the reported domains. Investigate these domains using the IOC drilldown link.
Correct answer: B, E
Explanation
Options B and E are correct: both identify potentially malicious domains by their low prevalence and their first seen/last seen timestamps, which efficiently narrows the hunt to newly observed domains. Options A and C do not effectively narrow the search criteria, while option D, though useful, does not directly align with the low-prevalence focus needed for initial threat hunting.