Google Cloud Professional Security Operations Engineer — Question 16
Your organization uses Google Security Operations (SecOps). You discover frequent file downloads from a shared workspace within a short time window. You need to configure a rule in Google SecOps that identifies these suspicious events and assigns higher risk scores to repeated anomalies. What should you do?
Answer options
- A. Configure a rule that flags file download events with the highest risk score, regardless of time frame.
- B. Create a frequency-based YARA-L detection rule that assigns a risk outcome score and is triggered when multiple suspicious downloads occur within a defined time frame.
- C. Configure a single-event YARA-L detection rule that assigns a risk outcome score and is triggered when a user downloads a large number of files in 24 hours.
- D. Enable default curated detections, and use automatic alerting for single file download events.
Correct answer: B
Explanation
The correct answer is B because a frequency-based YARA-L rule detects multiple suspicious downloads within a defined time window and assigns a higher risk outcome score to that repeated activity. Option A ignores the time window, which is what distinguishes an anomalous burst of downloads from normal use. Option C is a single-event rule that only counts download volume over a day, not repeated anomalies in a short window. Option D alerts on individual download events and provides no specific detection of repeated suspicious activity.