Google Cloud Professional Security Operations Engineer — Question 25

You are planning log onboarding for a Google Security Operations (SecOps) SIEM deployment in a cloud-heavy enterprise environment. The detection engineering team is requesting log sources that support visibility into:

- User identity behavior
- Lateral movement
- Privilege escalation attempts

You need to determine which telemetry sources are ingested first. Which log source should you prioritize?

Answer options

Correct answer: B

Explanation

The correct answer is B, EDR logs, as they provide detailed information about endpoint activities, including user behavior and potential threats like lateral movement and privilege escalation. While IAM logs (C) are important for identity management, they do not capture endpoint activities as thoroughly as EDR logs. CASB logs (A) focus on cloud applications, and network firewall logs (D) primarily monitor traffic rather than user behavior.