Google Cloud Professional Security Operations Engineer — Question 23
You use Google Security Operations (SecOps) curated detections and YARA-L rules to detect suspicious activity on Windows endpoints. Your source telemetry uses EDR and Windows Events logs. Your rules match on the principal.user.userid UDM field. You need to ingest an additional log source for this field to match all possible log entries from your EDR and Windows Event logs. What should you do?
Answer options
- A. Ingest logs from Windows Sysmon.
- B. Ingest logs from Microsoft Entra ID.
- C. Ingest logs from Windows PowerShell.
- D. Ingest logs from Windows Procmon.
Correct answer: A
Explanation
The correct answer is A. Sysmon is a Windows endpoint log source whose events (for example Event ID 1 process creation and Event ID 3 network connection) record the account context in the User field, which Google SecOps normalizes into principal.user.userid. Ingesting it therefore adds host-level activity that is keyed on the same UDM field the existing EDR and Windows Event logs already populate, so the rules match it without modification. Option B, Microsoft Entra ID, is cloud identity and sign-in telemetry rather than Windows endpoint activity. Option C, Windows PowerShell logs, covers only PowerShell execution, a narrow subset of endpoint activity. Option D, Procmon, is an interactive troubleshooting tool that writes capture files on the analyst's machine; it is not a log source that is forwarded to a SIEM. Note that a YARA-L rule keyed on principal.user.userid only fires for events where the parser actually populated that field, so after onboarding a new source it is worth confirming the field is filled for that log type before trusting the detection coverage.
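As an added example, not part of the original question or of Google's own rule content, the following YARA-L 2.0 rule shows the pattern the question describes: a detection keyed on principal.user.userid that matches any endpoint source whose parser populates the field. The log type values WINEVTLOG and WINDOWS_SYSMON are the standard Google SecOps ingestion labels for Windows Event logs and Sysmon; the encoded-PowerShell regex, the one-hour match window and the rule name are illustrative assumptions chosen for this example.

```yaral
rule process_launch_by_user_encoded_powershell {
  meta:
    author = "added example, not from the original page"
    description = "Encoded PowerShell launches grouped per account; matches EDR, Windows Event (WINEVTLOG) and Sysmon (WINDOWS_SYSMON) events that carry principal.user.userid"
    severity = "Low"

  events:
    $launch.metadata.event_type = "PROCESS_LAUNCH"

    // The rule only sees events whose parser filled principal.user.userid.
    // Sysmon Event ID 1 (process creation) carries the User field that lands here,
    // which is why adding Sysmon extends coverage of this rule.
    $launch.principal.user.userid != ""
    $launch.principal.user.userid = $userid

    // Captured so the outcome shows which sources contributed to a match.
    $launch.metadata.log_type = $log_type

    // Illustrative suspicious pattern (assumption for this example):
    // powershell.exe launched with an encoded command.
    $launch.target.process.command_line = /-enc(odedcommand)?\s+[A-Za-z0-9+\/=]{20,}/ nocase

  match:
    // Group all matching launches by account over an hour.
    $userid over 1h

  outcome:
    $source_log_types = array_distinct($log_type)
    $launch_count = count($launch.metadata.id)

  condition:
    $launch
}
```

Before relying on a rule like this after onboarding Sysmon, run a UDM search restricted to metadata.log_type = "WINDOWS_SYSMON" and check that principal.user.userid is populated on process-launch events; an event the parser leaves without that field never satisfies the events section and is skipped without any error.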