Google Cloud SecOps Technical Credential Assessment Answers

Google Cloud SecOps Technical Credential Assessment Answers

This assessment will test your knowledge of the SecOps (Chronical and Mandiant) products. You must achieve a score of 80% or higher to receive the technical credential.

50 questions

 

 

 

 

Questions:

 

When considering ingest options for transporting data into Google SecOps, which of the following is the best choice?

• Cloud Storage object
• Direct to Ingestion API
• Third party (3P) data feeds
• Syslog over TLS

 

Google SecOps supports ingestion through HTTP(s) streaming services. What are examples of data sources that can be sent to the HTTP(s) streaming services?

• Syslog over TLS
• Log4j
• PCAP raw
• Amazon Firehose

 

When configuring Bindplane to send Windows Logs to Google SecOps, in addition to the log channels which of these configurations are required?

• Disk Queue
• IAP Proxy
• Bindplane Gateway
• Raw Logs

 

Google SecOps has provided a forwarder docker image for several years. The Chronicle forwarder is being replaced by what Otel based forwarder?

• SyslogNG
• Bindplane
• Prometheus
• NXLog

 

When data is ingested into Google SecOps, when is the raw data discarded?

• Raw data is never retained in Google SecOps, only data successfully parsed into the UDM schema.
• If the data is ingested, the raw data is always retained even if parsing fails.
• If parsing fails then the raw data will also be discarded.
• If the parser for the data type indicates that the log should be dropped, it will be discarded.

 

What is the name of the Bindplane processor that will properly format and tag logs for Google SecOps?

• Google SecOps Standardization Processor
• Otel Schema Formatted Processor
• Google SecOps Output Processor
• Bindplane Standardization Processor

 

Which of the following data sources can be configured as a Direct ingestion data source?

• SCC Findings
• Any log source relayed by Bindplane
• AWS GuardDuty
• Azure Entra ID

 

When a scope has been defined and assigned to a user, what is the best way to verify which scopes were assigned?

• Navigate to Settings -> SIEM Settings -> Profile and look for assigned Data Access scopes.
• Use the Customer Management API to pull a list of users and their scopes.
• Run a search across all data using Regex and listing the LogTypes provided.
• Refer to the configuration in Workforce Identity Federation or Cloud Identity to see the roles assigned.

 

The Data RBAC feature allows you to create scoped or global data access policies that apply to what kinds of data in Google SecOps

• SIEM Search, Detection Rules, Reference Lists, Native Dashboards
• Ontology, Detection Rules. Reference Lists, Native Dashboards
• Entity Graph, Ontology, Detection Rules
• SIEM Search, Ontology, Cases, Detection Rules

 

Role-based Access Control (RBAC) in Google SecOps provides the ability to administer what two aspects of Google SecOps?

• Features and Data
• Threat Intelligence and AI
• People and Entities
• Rules and DataTables

 

Chronicle SIEM had a Legacy RBAC system that was replaced with what GCP technology?

• Google Cloud Identity
• Google Workforce Identity Federation
• Cloud IAM
• GMail Access Controls

 

In Google SecOps, assigning the Admins role to a user gives them access to how many SOAR Env's by default?

• All
• 1
• 2
• 3

 

When using the SOAR interface in Google SecOps which view is applied to all cases automatically?

• Default Case View
• Case Summary View
• Alert Case View
• Env Case View

 

What is the name for the component of Google SecOps SOAR that acts as a central hub for monitoring and managing the lifecycle of a security incident?

• Connectors
• Case
• Alert
• Artifacts

 

Google SecOps supports delivering connectors, actions and API connectivity to 3rd party products in a bundle. What is this bundle called?

• Integration
• Marketplace Tool
• App
• Connector

 

Simulating a case in Google SecOps is a powerful way to develop and test various objects SOAR, most notably Playbooks. Which of the following actions CANNOT be taken by the analyst using a simulation?

• All of these actions are possible.
• Ingest a simulated case as a Test case
• Assign a simulated case
• Choose the environment in which the simulation takes place

 

The rule language in Google SecOps was designed for what purpose?

• Metric Visualization
• Threat Detection
• Data Analytics
• Business Intelligence

 

In the SecOps Technical Overview & Architecture what programming interface allows you to connect to the APIs without constructing your own tooling?

• SecOps Template System (SOTS)
• SecOps CLI
• Google SecOps Swagger Interface
• SecOps Notebook

 

What three components make up the Google SecOps Entity Context Graph (ECG).

• Entity Context, Derived Context, Global Context
• Entity Context, Asset Context, Time Domain Context
• Host Context, Process Context, Time Domain Context
• Entity Context, Global Context, Local Context

 

Which Google SecOps capability reduces operator toil and MTTR?

• Telemetry Collection
• Analytics & Detection
• Alert Triage & Automated Response
• Applied Threat Intel & ML

 

According to the SecOps Technical Overview & Architecture what API can be used to provision the SIEM component of a SecOps deployment?

• Customer Management API
• Chronicle Provisioning API v1
• Backstory Deployment API
• SecOps Management API

 

What API must be enabled with a project to allow it to bind to Google SecOps?

• Google SecOps API
• Ingestion API
• Chronicle API
• Backstory Deployment API

 

What authentication methods are currently supported for a Google SecOps tenant?

• Google Cloud Identity, Google Workforce Identity Federation, Federated Auth with SAML
• Google Cloud Identity, Google Workforce Identity Federation, Local Authentication Accounts
• Local Authentication Accounts, Google Cloud Identity, OpenIdentity Federation
• Google Cloud Identity, Local Authentication Accounts, Federated Auth with SAML

 

The deployment of Google SecOps follows a similar provisioning flow for single or multiple tenant architectures. Which answer best represents that flow?

• Configure GCP Environment, Deploy Tenant, Enable Authentication
• Configure GCP Environment, Define Authentication, Deploy Tenant
• Install agent on endpoints, Configure GCP Environment, Define Authentication
• Define Authentication, Configure GCP Environment, Install agent on endpoints

 

How many regions can an MSSP tenant support?

• MSSP tenants can support customer tenants in multiple sub-regions.
• MSSP tenants can support customer tenants deployed anywhere in the world.
• MSSP tenants can support customer tenants in multiple regions.
• MSSP tenants can only support customer tenants in a single region

 

What Google provided authentication source can be used in lieu of Google Workforce Identity Federation?

• Google Cloud Identity
• One Time Passwords from Android Phones
• GMail Accounts
• Google Project IAM

 

How many Google SecOps tenants can be bound to a single GCP project?

• 3
• 1
• 4
• 2

 

The Unified Data Model provides a means to organize the data in logs into common fields so that data can but compared, enriched, and filtered more reliably. What are the two primary data models contained within UDM?

• Event, Case
• Event, IOC
• Event, Entity
• Entity, Alert

 

Properly parsing data into Google SecOps is fundamental to the function of the SIEM, SOAR and Threat Detection content. How many days, by default, does Google wait before auto applying parser updates?

• 30 days
• 5 days
• Never, the operator must opt-in
• 15 days

 

What parser related feature best fits the following description: A standalone filter that operates independently of the underlying parser logic that enables a customer to extract addtional data while accepting standard parser updates.

• Parser Extension
• Custom Parser
• CBN Extension
• Metaparser

 

Google SecOps parsers leverage a widely used and open source tool used to collect, process, and transform data. The syntax of Google SecOps parsers is based on this tool. What is it?

• Graylog
• sawmill
• Logstash
• Beats

 

Data Labels or LogTypes are metadata that associate a particular log stream with the parser that will fit the data to the UDM schema. What API and API endpoint allow you to pull the names of ALL supported Log Types?

• Collector API, Data Labels
• Feed Management API, Logtypes
• Parsing API, Data Labels
• Ingestion API, Logtypes

 

What parser function can be used to display the current state of the data being processing by the parser?

• printf()
• statedump
• dump
• line_24_print

 

There are two methods that can be used to manage Google SecOps parsers (CBNs), what are they?

• Parser Management UI, CLI Tool
• Parser Extension UI, gcloud parser terminal
• CBN Parser API Extension, logstash graph interface
• Parser Management UI, grok TUI

 

When creating a Playbook in Google SecOps, it is important to understand how playbooks will be triggered. How is a playbook triggered?

• Manual Intervention
• Cases
• Rules
• Alerts

 

A commonly used set of actions can be saved as a block. In addition to saving the operator time and reproducibility, which of the following is a benefit of using blocks?

• A block can merge playbooks
• Custom python code must be contained in a block
• Additional functions are accessible in a block
• Updating a block, updates it everywhere.

 

Playbook Views in Google SecOps can do several things, but which of the following are NOT one a feature of Playbook Views?

• Run a playbook
• Display HTML widgets
• Display highlighted entities
• Customizable by user role

 

UDM has two major types of data, one is Event data and the other is Entity data. What are the 3 types of Entity Sources?

• Time Context, Device Context, Domain Context
• Entity Context, Derived Context, Global Context
• Name Context, IP Context, Hash Context
• Local Context, Inferred Context, Universal Context

 

When writing regular expressions in Google SecOps it is best to combine multiple regex statements into one, when possible and to use built-in functions instead of building your own patterns. Which of the following is a built-in function to YARA-L?

• net.ip_range_in_cidr
• uint.cc_number
• text.hash_id
• number.postal_code

 

The Google SecOps search interface provides two methods to search data. What are they?

• Raw and Event
• Event and Entity
• Raw and Alerts
• Raw and UDM

 

What is the name of the API that enables users to create and manage rules?

• Detection Engine API
• Ingestion API
• Threat Rule API
• Alert API

 

Google SecOps can accept and reference data that describes objects such as devices, users, machines, and file hashes. How can that dat a be used in YARA-L based Threat Detection?

• Using the entity graph syntax
• preprending 'e' to the field name
• referencing functions that use Google Threat Intel
• Using a join from an external database

 

UDM and Data Parsing allow Google SecOps to provide rich contextual data to events. How can one tell when data isn enriched in the Google SecOps interface?

• Enriched fields are not displayed until they are present in a case.
• The enriched fields are the only fields displayed.
• The enriched fields are annotated with an 'E'
• Enriched fields are created with the outcome section of an alert.

 

UDM Grouped fields provide a shortcut for searching across multiple UDM fields of similar data type. Which of the following are 3 of the 9 grouped fields?

• domain, source, time
• domain, email, file path
• namespace, file path, date
• time, destination, path

 

In Google SecOps, UDM is a schema that applies structure to the data for faster search and enrichment among many other benefits. What does UDM stand for?

• Universal Data Model
• Unified Data Management
• Unified Data Model
• Universal Data Management

 

When grouping alerts by entities it can be possible to group too many alerts because the entity occurs often within your logs. This can interfere with case triage and incident investigation by attaching irrelevant alerts. What feature can you use to prevent this from happening?

• Exception list
• Playbooks
• Filter list
• Blocklist

 

Events are modelled into Visual Families based on a hierarchy. What is the best representation of that hierarchy?

• Alert Type - Period - Data Source
• Alert Type - Product - Data Source
• Data Source - Product - Event Type
• Product - Subscriber Product - Data Source

 

Google SecOps has functions within the SOAR components that allow you to group alerts via what mechanism?

• Time window
• Entity mapping
• Grouping Rules
• Case viewer

 

A core function of Google SecOps is to collect information and present it in a way that it is actionable by humans or automation. What is the logical order of SOAR elements and their grouping?

• Events -> Alerts -> Rule
• Alerts -> Groups -> Rule
• Events -> Alerts -> Case
• Alerts -> Events -> Case

 

When selecting Integration packages in the Google SecOps Marketplace, which of the following will NOT be contained in any package?

• Webhooks
• Actions
• Mapping rules
• Connectors