Security Operations Engineer Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for Security Operations Engineer
Your organization uses Google SecOps for security monitoring. A new team wants to onboard 30 Google Cloud projects and ensure detections are consistent across all of them. You also need to minimize false positives by standardizing asset context (project, VPC, labels) and user identity context. What is the best approach?
A security team needs to ensure that only approved security administrators can change Google SecOps detection rules and playbooks, while analysts can investigate alerts but not modify detection logic. They also need an audit trail of changes. What should you do?
Your SOC receives alerts from Google Security Command Center (SCC) and wants to reduce alert fatigue. Many findings are duplicates across projects because they reference the same underlying resource issue. You want Google SecOps to group related alerts into a single incident for triage. What configuration is most appropriate?
An analyst suspects data exfiltration from a Compute Engine VM. You have VPC Flow Logs enabled and Cloud Audit Logs ingested into Google SecOps. What is the best next step to validate the suspicion with the available telemetry?
You detect repeated failed logins to Google Workspace accounts followed by a successful login from an unfamiliar country. You want to enrich the alert in Google SecOps with user risk context and prioritize cases that involve privileged accounts. Which approach best meets the requirement?
A detection rule alerts on possible service account key misuse: a service account is used from an IP range not previously seen. You want to quickly determine whether the service account has recently been granted new permissions or had keys created. Which data sources should you pivot to first?
Your SOC needs to investigate lateral movement attempts inside a VPC. You ingest VPC Flow Logs and endpoint telemetry. You want a detection that flags a host that suddenly begins connecting to many internal destinations on administrative ports. What detection strategy is most appropriate?
A high-severity alert indicates a compromised user account in Google Workspace. The incident commander wants a repeatable workflow that ensures evidence is collected, the account is contained, and stakeholder notifications are tracked. What should you implement in Google SecOps?
During an active incident, you need to preserve relevant logs for legal hold while still allowing analysts to continue normal investigations. The organization uses Google Cloud logging sources ingested into Google SecOps. What is the best approach?
You want to automatically enrich alerts in Google SecOps with threat intelligence and then trigger a containment action in Google Cloud only when confidence is high. Specifically, if an external IP in an alert matches a high-confidence TI feed and the affected asset is tagged as "production," you want to add the IP to a Cloud Armor deny rule and create a tracked action in the case. What is the best solution?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
Security Operations Engineer Intermediate Practice Exam FAQs
Security Operations Engineer is a professional certification from Google Cloud that validates expertise in security operations technologies and concepts. The official exam code is GCP-14.
The Security Operations Engineer intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the Security Operations Engineer intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The Security Operations Engineer intermediate practice exam includes scenario-based questions and multi-concept problems similar to the GCP-14 exam, helping you apply knowledge in practical situations.