Google Cloud Professional Security Operations Engineer — Question 2
You are responsible for identifying suspicious activity and security events at your organization. You have been asked to search in Google Security Operations (SecOps) for network traffic associated with an active HTTP backdoor that runs on TCP port 5555. You want to use the most effective approach to identify traffic originating from the server that is running the backdoor. What should you do?
Answer options
- A. Detect on events where network.ApplicationProtocol is HTTP.
- B. Detect on events where target.port is 5555.
- C. Detect on events where principal.port is 5555.
- D. Detect on events where network.ip_protocol is TCP.
Correct answer: C
Explanation
The correct answer is C. In the Google SecOps Unified Data Model (UDM), `principal` is the entity that originates the activity and `target` is the entity that receives it, so `principal.port` is the source port and `target.port` is the destination port of a network event. A backdoor listening on TCP 5555 sends its traffic from port 5555, so filtering on `principal.port = 5555` selects exactly the events where the backdoor host is the originating side. Option B (`target.port = 5555`) matches the opposite direction: clients connecting in to the backdoor, not traffic leaving the server. Option A (`network.application_protocol = HTTP`) matches all HTTP traffic in the environment and says nothing about the port, and option D (`network.ip_protocol = TCP`) matches every TCP connection; both are far too broad to isolate the backdoor. In practice you would combine the port filter with the known host, for example `principal.ip` of the compromised server, and check how your network sensors populate direction: many firewall and flow sources log only the connection initiator, in which case the backdoor host may appear as `target` with `target.port = 5555` and the server-side traffic is visible only through that inbound record.
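The following YARA-L 2.0 rule is an added illustration of the detection described above; it is not part of the exam question or of Google's documentation. It assumes the backdoor host has been identified as `10.20.30.40` (a constructed address) and that the relevant network events are normalized with `metadata.event_type = "NETWORK_CONNECTION"`; adjust the IP and the window to your environment.

```yaral
rule http_backdoor_tcp_5555_server_originated {
  meta:
    author = "added example, not from the original page"
    description = "TCP traffic originating from the known backdoor host with source port 5555 (principal side)"
    severity = "HIGH"

  events:
    // Network events only; exclude process, auth and other event types.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    // The backdoor runs over TCP; drop UDP/ICMP noise up front.
    $conn.network.ip_protocol = "TCP"
    // principal = originating side, so this is the SOURCE port of the event.
    // This is the option the question is after; target.port = 5555 would
    // instead catch clients connecting in to the backdoor.
    $conn.principal.port = 5555
    // Pin the rule to the compromised server (assumed address, constructed for this example).
    $conn.principal.ip = "10.20.30.40"
    // Capture the peer so each match is keyed on who the backdoor talked to.
    $conn.target.ip = $peer_ip

  match:
    // Group events per remote peer over a one-hour window.
    $peer_ip over 1h

  outcome:
    $event_count = count($conn.metadata.id)
    $dest_ports = array_distinct($conn.target.port)

  condition:
    $conn
}
```

The equivalent ad-hoc UDM search, before turning it into a rule, is `principal.port = 5555 AND network.ip_protocol = "TCP" AND principal.ip = "10.20.30.40"`. If your sensors record only the initiating side of each connection, run a second search with `target.ip = "10.20.30.40" AND target.port = 5555` and compare the two result sets before concluding that the server-originated traffic is absent.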