Google Cloud Professional Security Operations Engineer — Question 8
You are conducting a proactive threat hunt in Google Security Operations (SecOps). You observe multiple login events with the same principal.user.userid field that originate from different countries within a short time window. You need to validate whether the account has been compromised. What should you do?
Answer options
- A. Use the entity graph to correlate the user's risk score with linked assets, and review any active alerts.
- B. Perform a YARA-L 2.0 search for login events and their associated principal.location.country field. Use an outcome field to aggregate the number of failed logins.
- C. Perform a UDM search for login events, and pivot to group results by user and country of origin.
- D. Run a YARA-L retrohunt rule that detects users who are logging in from multiple regions using multiple entity contexts.
Correct answer: A
Explanation
The correct answer is A because the entity graph lets you examine the user's risk score together with the assets linked to that user, and review any active alerts on them, which is what validating a suspected account compromise requires. Options B and C search and aggregate login events but do not provide a comprehensive risk assessment of the account. Option D, while useful for detecting the multi-region login pattern, does not by itself validate whether the account is compromised.