Google SecOps has functions within the SOAR components that allow you to group alerts via what mechanism?
- Time window
- Entity mapping
- Grouping Rules
- Case viewer
Questions
Events are modelled into Visual Families based on a hierarchy. What is the best representation of that hierarchy?
Events are modelled into Visual Families based on a hierarchy. What is the best representation of that hierarchy?
- Alert Type – Period – Data Source
- Alert Type – Product – Data Source
- Data Source – Product – Event Type
- Product – Subscriber Product – Data Source
When grouping alerts by entities it can be possible to group too many alerts because the entity occurs often within your logs. This can interfere with case triage and incident investigation by attaching irrelevant alerts. What feature can you use to prevent this from happening?
When grouping alerts by entities it can be possible to group too many alerts because the entity occurs often within your logs. This can interfere with case triage and incident investigation by attaching irrelevant alerts. What feature can you use to prevent this from happening?
- Exception list
- Playbooks
- Filter list
- Blocklist
In Google SecOps, UDM is a schema that applies structure to the data for faster search and enrichment among many other benefits. What does UDM stand for?
In Google SecOps, UDM is a schema that applies structure to the data for faster search and enrichment among many other benefits. What does UDM stand for?
- Universal Data Model
- Unified Data Management
- Unified Data Model
- Universal Data Management
UDM Grouped fields provide a shortcut for searching across multiple UDM fields of similar data type. Which of the following are 3 of the 9 grouped fields?
UDM Grouped fields provide a shortcut for searching across multiple UDM fields of similar data type. Which of the following are 3 of the 9 grouped fields?
- domain, source, time
- domain, email, file path
- namespace, file path, date
- time, destination, path
UDM and Data Parsing allow Google SecOps to provide rich contextual data to events. How can one tell when data isn enriched in the Google SecOps interface?
UDM and Data Parsing allow Google SecOps to provide rich contextual data to events. How can one tell when data isn enriched in the Google SecOps interface?
- Enriched fields are not displayed until they are present in a case.
- The enriched fields are the only fields displayed.
- The enriched fields are annotated with an ‘E’
- Enriched fields are created with the outcome section of an alert.