Google Cloud Professional Security Operations Engineer — Question 27

You are a SOC analyst at an organization that uses Google Security Operations (SecOps). You are investigating suspicious activity in your organization's environment. Alerts in Google SecOps indicate repeated PowerShell activity on a set of endpoints. Outbound connections are made to a domain that does not appear in your threat intelligence feeds. The activity occurs across multiple systems and user accounts. You need to search across impacted systems and user identities to identify the malicious user and understand the scope of the compromise. What should you do?

Answer options

• A. Perform a YARA-L 2.0 search to correlate activity across impacted systems and users.
• B. Perform a raw log search for the suspicious domain string, and manually pivot to related user activity.
• C. Use the User Sign-In Overview dashboard to monitor authentication trends and anomalies across all users.
• D. Use the Behavioral Analytics dashboard in Risk Analytics to identify abnormal IP-based activity and high-risk user behavior.

Correct answer: D

Explanation

The correct answer is D because the Behavioral Analytics dashboard provides insights into abnormal IP activity and identifies high-risk user behavior, which is crucial for understanding the compromise's scope. Option A is incorrect as a YARA-L search is more suited for file analysis rather than user activity. Option B may help but lacks the broader context needed for comprehensive analysis, while option C focuses on authentication trends, which may not directly address the ongoing PowerShell activity.