Google Cloud Professional Security Operations Engineer — Question 9
You are developing a new detection rule in Google Security Operations (SecOps). You are defining the YARA-L logic that includes complex event, match, and condition sections. You need to develop and test the rule to ensure that the detections are accurate before the rule is migrated to production. You want to minimize impact to production processes. What should you do?
Answer options
- A. Develop the rule logic in the UDM search, review the search output to inform changes to filters and logic, and copy the rule into the Rules Editor.
- B. Use Gemini in Google SecOps to develop the rule by providing a description of the parameters and conditions, and transfer the rule into the Rules Editor.
- C. Develop the rule in the Rules Editor, define the sections of the rule logic, and test the rule using the test rule feature.
- D. Develop the rule in the Rules Editor, define the sections of the rule logic, and test the rule by setting it to live but not alerting. Run a YARA-L retrohunt from the rules dashboard.
Correct answer: C
Explanation
The correct answer is C because developing the rule directly in the Rules Editor gives immediate access to the test rule feature, so the rule can be validated before it reaches production. Options A and B add steps that do not make direct use of the Rules Editor's testing capabilities, while option D risks impacting production processes by setting the rule live, even with alerting turned off.