Google Cloud Professional Security Operations Engineer — Question 29
You are a SOC analyst working a case in Google Security Operations (SecOps). The case contains a file hash that your playbooks have automatically enriched with VirusTotal context and categorized as likely malicious. You need to quickly identify devices and users in your organization who have interacted with this file. What should you do?
Answer options
- A. Build a playbook to perform a UDM search matching on the file hash in Google SecOps SIEM.
- B. Build a playbook to query your threat intelligence platform (TIP) for the presence of the file hash.
- C. Use a manual action in Google SecOps SOAR to perform a UDM search matching on the file hash in Google SecOps SIEM.
- D. Use a manual action in Google SecOps SOAR to query your threat intelligence platform (TIP) for the presence of the file hash.
Correct answer: C
Explanation
The correct answer is C: a manual action in Google SecOps SOAR lets the analyst run a targeted UDM search on the file hash in the Google SecOps SIEM, which is what quickly identifies the affected devices and users. Options A and B suggest building playbooks, which may not provide the immediate response needed, while option D queries the TIP, which does not directly address the immediate need to identify which devices and users interacted with the file.