PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Question #37: Real Exam Question with Answer & Explanation

Correct answer: A.

Question

Your organization recently conducted a penetration test on their environment. You have been tasked with identifying a successful attack chain. The required log sources have been ingested into Google Security Operations (SecOps). You discover anomalous outbound traffic to external domains. You suspect that the finding is a communication to a command and control (C2) infrastructure. You need to identify the least common network communications over the last 14 days. What should you do?

Options

  • A. Perform a Google SecOps SIEM UDM search that looks for NETWORK_CONNECTION or
  • B. Perform a Google SecOps SIEM UDM search that looks for NETWORK_CONNECTION or
  • C. Perform a Google SecOps SOAR search that looks for cases with low rolling prevalence of
  • D. Perform a Google SecOps SIEM raw log search that looks for low rolling prevalence domains with

Explanation

To identify rare network communications that could indicate C2 activity, you should run a Google SecOps SIEM UDM search for NETWORK_CONNECTION or NETWORK_HTTP events and filter for low rolling prevalence on target domains over the past 14 days. This approach highlights unusual outbound communications to external domains that are least common in your environment, aligning with C2 detection best practices.
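The explanation describes the search conceptually: restrict to network events, look back 14 days, and rank destination domains by how rarely the environment talks to them. The script below is an added example (not from nerdexam, Google, or any SecOps product) that reproduces that logic offline over a constructed set of UDM-shaped events. It assumes "prevalence" of a domain means the number of distinct principal hosts that connected to it within the trailing window; the event field names (`metadata.event_type`, `metadata.event_timestamp`, `principal.hostname`, `target.hostname`) and all host and domain values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event types the answer scopes the search to.
NETWORK_EVENT_TYPES = ("NETWORK_CONNECTION", "NETWORK_HTTP")

# Reference "now" for the constructed data so the 14-day window is deterministic.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)


def _ev(event_type, days_ago, host, domain):
    """Build one constructed UDM-shaped event (only the fields this example uses)."""
    ts = (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "metadata": {"event_type": event_type, "event_timestamp": ts},
        "principal": {"hostname": host},
        "target": {"hostname": domain},
    }


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Common destination: five hosts on several days -> high prevalence
    *[_ev("NETWORK_CONNECTION", d, f"ws-{i:02d}", "updates.example.com")
      for d in (1, 3, 7, 12) for i in range(1, 6)],
    # Rare destination: a single host, once, inside the window
    _ev("NETWORK_HTTP", 2, "ws-03", "beacon.example.net"),
    # Less rare destination: two distinct hosts
    _ev("NETWORK_CONNECTION", 5, "ws-01", "api.example.org"),
    _ev("NETWORK_CONNECTION", 9, "ws-04", "api.example.org"),
    # Older than 14 days: must be excluded by the window
    _ev("NETWORK_CONNECTION", 20, "ws-02", "old.example.org"),
    # Not a network event type: must be excluded by the type filter
    _ev("PROCESS_LAUNCH", 1, "ws-05", "ignored.example.com"),
]


def parse_ts(value):
    """Parse the RFC 3339-style UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rolling_prevalence(events, now=NOW, window_days=14, event_types=NETWORK_EVENT_TYPES):
    """Return {domain: number of distinct principal hosts} over the trailing window,
    counting only events of the given network event types."""
    start = now - timedelta(days=window_days)
    hosts_by_domain = defaultdict(set)
    for ev in events:
        meta = ev.get("metadata", {})
        if meta.get("event_type") not in event_types:
            continue
        ts = parse_ts(meta["event_timestamp"])
        if not (start <= ts <= now):
            continue
        domain = ev.get("target", {}).get("hostname")
        host = ev.get("principal", {}).get("hostname")
        if domain and host:
            hosts_by_domain[domain].add(host)
    return {domain: len(hosts) for domain, hosts in hosts_by_domain.items()}


def least_common_domains(events, max_hosts=1, **window_kwargs):
    """Domains contacted by at most `max_hosts` distinct hosts, rarest first.
    These are the candidates to triage for possible C2 beaconing."""
    prevalence = rolling_prevalence(events, **window_kwargs)
    rare = [(d, n) for d, n in prevalence.items() if n <= max_hosts]
    return sorted(rare, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    ranked = sorted(rolling_prevalence(SAMPLE_EVENTS).items(), key=lambda item: item[1])
    for domain, n in ranked:
        print(f"{n:3d} host(s)  {domain}")
    print("least common:", least_common_domains(SAMPLE_EVENTS))
```

The two filters in `rolling_prevalence` are the ones the answer calls out: the event-type check drops non-network telemetry (the `PROCESS_LAUNCH` row), and the window check drops anything older than 14 days (the `old.example.org` row), so the only domain with prevalence 1 is the single-host `beacon.example.net`. Raising `max_hosts` widens the candidate list, which is the usual trade-off between missing a low-volume beacon and drowning analysts in ordinary long-tail destinations.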
