
PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER · Question #30


The correct answer is A.

Question

You are writing a detection rule in Google Security Operations (SecOps) SIEM that sends a risk score to the alert. You have access to Google Threat Intelligence (GTI) data through your Google SecOps subscription. You need to ensure that the threat score output in the detection logic informs the alert's risk score and is available for future detections. What should you do?

Options

  • A. Use the outcomes section of your detection logic to pull UDM enrichment fields from the event
  • B. Use the match section of your detection logic to filter out irrelevant entities. Store the remaining
  • C. Configure a feed in Google SecOps SIEM to ingest GTI data to automatically enrich the
  • D. Create a Google SecOps SOAR playbook to query GTI that uses the VirusTotal integration to

Explanation

The correct method is to compute the score in the outcome section of the YARA-L rule: apply logic to the UDM enrichment fields (including the GTI data that Google SecOps attaches to events and entity context), add up the components, and assign the total to $risk_score. YARA-L treats $risk_score as a reserved outcome variable, so the platform reads it as the detection's risk score, attaches it to the resulting alert, and keeps it available for correlation in future detections. Filtering in the match section (B), adding an ingestion feed (C) or querying GTI from a SOAR playbook (D) can enrich or narrow the data, but none of them sets the risk score that the detection engine attaches to the alert.
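The following rule is an added illustration of answer A, written for this page and not a rule taken from the exam or from Google's documentation. It joins a NETWORK_CONNECTION event to the GTI-fed global-context entity graph, computes the score components in the outcome section, and stores the total in $risk_score. The rule name, the outcome variable names $gti_confidence and $bytes_sent, the weights and thresholds, and the exact enrichment field path $ioc.graph.metadata.threat.confidence_score are assumptions; verify the field paths against the UDM reference in your own tenant before deploying.

```yaral
rule gti_enriched_risk_score {
  meta:
    author = "added illustration, not a rule from the page"
    description = "Scores outbound connections with GTI IoC enrichment and writes the total to $risk_score"
    severity = "MEDIUM"

  events:
    // Outbound connection from an asset to some destination IP.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.hostname = $host
    $e.target.ip = $ip

    // Join the destination IP against the global-context entity graph that
    // Google SecOps populates from Google Threat Intelligence IoCs.
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $ioc.graph.entity.ip = $ip

  match:
    $host, $ip over 1h

  outcome:
    // Intermediate outcomes keep the enrichment values on the alert for triage.
    // Field path of the GTI confidence value is an assumption for this example.
    $gti_confidence = max($ioc.graph.metadata.threat.confidence_score)
    $bytes_sent = sum($e.network.sent_bytes)

    // $risk_score is the reserved outcome variable: the detection engine reads
    // it as the detection's risk score and surfaces it on the alert.
    $risk_score = max(
      // Weight by GTI confidence (thresholds and weights chosen for this example).
      if($ioc.graph.metadata.threat.confidence_score >= 80, 60,
        if($ioc.graph.metadata.threat.confidence_score >= 50, 30, 10))
      // Volume bump: more than 10 MB sent to a destination GTI has flagged.
      + if($e.network.sent_bytes > 10000000, 20, 0)
    )

  condition:
    $e and $ioc
}
```

Two design points worth noting. The enrichment is consumed in the outcome section, not filtered away in the match section, so the confidence value and the byte count ride along on the alert as named outcomes even when the final score is low. And because $risk_score is the reserved outcome variable, nothing else is needed to attach the score to the alert; a separate outcome variable with another name would appear on the alert but would not be treated as its risk score.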
