Hard PSOE practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 117 hard questions available — no sign-up, always free.
A security operations team currently runs SCC Premium, Cloud IDS on three VPCs, Google SecOps, and GTI Enterprise. Leadership asks the team to justify the continued spend on Cloud IDS, noting that SecOps already ingests VPC Flow Logs and firewall logs, and that SCC surfaces network-related findings. As the lead engineer, which justification most accurately defends retaining Cloud IDS as a distinct telemetry source rather than consolidating onto the existing tools?
As a Security Operations Engineer, you maintain a coverage dashboard that shows all 4,200 corporate endpoints reporting EDR telemetry into your SIEM. Alert volumes look healthy and log freshness is under 5 minutes fleet-wide. However, during a recent incident, a detection for credential dumping (LSASS access) never fired on the compromised host, even though the same rule fired reliably on other hosts. The host was actively sending process and network events at the time. What is the MOST likely observability gap to investigate first?
During a quarterly observability review, a SOC engineer notices that the endpoint detection rules covering a critical business unit's Windows fleet fire far less often than expected. The log source shows as 'onboarded' in the platform, ingestion volume graphs show steady EPS, and no forwarder health alerts are active. However, a MITRE ATT&CK coverage heatmap shows techniques for that fleet dropped from 'covered' to 'partial' over the last 30 days. What is the most likely root cause the engineer should investigate first?
A SOC lead is building a quarterly observability review for the security operations platform. They have a MITRE ATT&CK heatmap showing rule counts per technique, an alert-volume trend, and an EPS ingestion chart. Leadership asks a pointed question: 'Which ATT&CK tactics can we currently NOT detect at all, regardless of how many rules exist elsewhere?' Which additional analysis is MOST directly required to answer this specific question?
A SOC manager reviews the quarterly observability dashboard for the security operations platform. The 'endpoint process execution' log source shows healthy ingestion volume and low parser error rates, yet the MITRE ATT&CK coverage panel indicates that the Credential Access tactic has zero mapped active detections for endpoint telemetry. Meanwhile, the alert volume dashboard shows a steady stream of Credential Access alerts sourced only from the identity provider logs. Which conclusion is best supported by these observability signals?
A security operations engineer is building an observability dashboard to measure the health of telemetry feeding the SIEM. For a critical Windows endpoint log source that is confirmed onboarded and parsing successfully, several detection rules that depend on the UDM field 'principal.process.command_line' are firing far less often than expected. Ingestion volume and log freshness metrics both appear normal. Which metric should the engineer add to the dashboard to best diagnose whether this detection gap is caused by an underlying telemetry quality problem?
You manage observability for a SecOps platform that ingests logs from 40 log sources. Leadership wants an automated way to catch a log source that has stopped sending data OR has abnormally spiked, before it affects detection coverage. Some sources are batch-based (bursty every 6 hours) and some stream continuously. Which monitoring approach best balances early gap detection with minimizing false alarms across these mixed ingestion patterns?
A security operations team has integrated SCC, Google SecOps, GTI, and Cloud IDS. During a purple-team exercise, the red team exfiltrated data from a Compute Engine VM to an external attacker-controlled host over an encrypted channel on a non-standard port. SecOps received VPC Flow Log telemetry showing the connection, but no alert fired identifying the traffic as malicious, and Cloud IDS produced no signature match. Which conclusion best identifies the coverage gap and the most appropriate remediation?
A threat intelligence report from Google Threat Intelligence (GTI) attributes a recent campaign to a group that stages payloads on a rotating set of newly registered domains, all sharing a distinctive TLS certificate serial number. Your SecOps team wants to run a hypothesis-driven hunt to determine whether any endpoints in your environment have contacted infrastructure matching this campaign, even if the specific domains in the report are not yet observed in your logs. Which approach best supports this hunt in Google SecOps?
During a hypothesis-driven hunt, a SecOps threat hunter pulls a Google Threat Intelligence (GTI) collection containing roughly 4,000 suspected C2 IP addresses associated with a commodity loader campaign. A UDM search for network connections against this set returns 62 distinct internal hosts matching various IPs across the last 30 days. With limited time before an incident review, the hunter must decide which matches to investigate first. Which approach best prioritizes the matches while minimizing wasted effort on likely false positives?
A security operations engineer is evaluating tool effectiveness across the organization's Google Cloud environment. The current stack includes Security Command Center (SCC) for posture and misconfiguration findings, Cloud IDS for network-layer intrusion detection on VPC traffic, and Google SecOps ingesting audit and platform logs. During a tabletop exercise, the team notes that a compromised Cloud Run service executing malicious code was not detected until data exfiltration triggered a downstream alert. Which conclusion best identifies the coverage gap the engineer should address?
A SecOps engineer at a healthcare firm has deployed Cloud IDS to inspect north-south and east-west traffic in a VPC hosting patient-facing web applications. During a coverage review, the engineer notices that Cloud IDS is generating very few detections for a set of microservices that communicate over mutually authenticated TLS (mTLS). Leadership asks the engineer to evaluate whether Cloud IDS is providing effective detection coverage for these services and to recommend how to close any gap. What should the engineer conclude and recommend?
Your SOC has deployed 40 YARA-L detection rules in Google SecOps over the past quarter. Leadership asks you to evaluate which rules are effective versus which are creating noise before the next tuning cycle. You pull metrics showing, per rule: alert volume, analyst dispositions (true positive / false positive / benign), and mean time to triage. Rule 'susp-oauth-grant' generated 900 alerts with a 2% true-positive rate, while rule 'admin-priv-escalation' generated 12 alerts with a 92% true-positive rate. Which approach best evaluates tool/rule effectiveness and identifies where coverage or tuning effort should go?
Your SOC relies on roughly 400 active YARA-L detection rules in Google SecOps. Over the past quarter, an internal audit found that one high-value rule had silently stopped producing detections for six weeks because an upstream schema change caused the referenced UDM field to always be empty — no errors were raised. Leadership asks you to design an observability control that would surface this class of failure going forward. Which approach most directly detects rules that have silently gone dormant?
After closing a phishing-driven credential-theft incident in Google SecOps, the post-incident review finds that the initial malicious OAuth token grant went undetected for 6 days because no rule existed to flag high-privilege third-party app authorizations. The SOC lead wants the review to produce the most durable improvement to prevent a repeat blind spot. Which post-incident action best closes the loop between the RCA finding and future detection coverage?
After containing a compromised GKE workload, your team must reconstruct the attacker's activity timeline for the post-incident report. During the incident, an analyst manually terminated the malicious pod before capturing forensic artifacts, and the SOAR playbook's evidence-collection step was skipped due to a connector timeout. You need to determine the earliest reliable point of initial access. Which approach provides the most defensible timeline reconstruction given the missing artifacts?
Your SOC uses Security Command Center (SCC), Google SecOps (SIEM/SOAR), Google Threat Intelligence (GTI), and Cloud IDS. Analysts report that east-west (VM-to-VM) traffic containing exploit attempts against internal services is going undetected until well after compromise. Leadership asks you to justify which telemetry source should be prioritized to close this specific detection gap, and how it fits the architecture. Which recommendation best addresses the gap?
A security operations engineer is evaluating tool coverage across a large Google Cloud organization. During a review, they discover that several development teams have spun up projects outside the standard folder hierarchy, and misconfigurations in those projects are not appearing in dashboards. Security Command Center Premium is enabled at the organization level, and findings are forwarded to Google SecOps. The engineer confirms SCC is scanning known projects correctly. What is the MOST likely reason the shadow projects' misconfigurations are missing, and how should coverage be validated?
A security operations team ingests SCC findings, Cloud IDS alerts, and endpoint telemetry into Google SecOps. Analysts report severe alert fatigue: Cloud IDS generates thousands of low-severity signature matches daily, and most never correlate with any confirmed incident. Leadership wants to keep Cloud IDS in the architecture for its packet-level visibility but reduce noise reaching analysts, without permanently losing the raw data. Which approach best balances coverage retention with reducing analyst burden?
A security engineer is integrating a third-party CSPM vendor into Security Command Center so that the vendor's findings appear alongside native SCC findings in the central dashboard. The vendor uses a dedicated service account to push findings via the SCC API. Following least-privilege principles, which IAM role should be granted to the vendor's service account so it can create and update its own findings without gaining broad visibility into all organizational findings or the ability to modify Google-native findings?
Your security operations team runs Google SecOps as the central SIEM and has recently activated SCC Premium across the organization. During a review, the SecOps lead notes that analysts are overwhelmed by thousands of individual misconfiguration and vulnerability findings forwarded from SCC, and they cannot tell which findings actually expose crown-jewel assets to external threats. The team wants to reduce noise while ensuring the most business-critical exposures are escalated first. Which approach best leverages the existing tool architecture to achieve this?
A security operations team ingests findings from both Security Command Center (SCC) Premium and Google SecOps into a single case management workflow. Analysts complain that the same GCP VM compromise generates one SCC finding (from a built-in detector) and one SecOps detection (from a YARA-L rule that consumes SCC findings forwarded into SecOps), producing duplicate cases. Leadership wants to preserve both tools but eliminate the duplicate case creation while keeping SecOps as the correlation and investigation hub. What is the most appropriate architectural adjustment?
A security architect is presenting a proposed SecOps platform to a cost-conscious steering committee. The design ingests SCC findings, Cloud IDS alerts, and GTI intelligence into Google SecOps. A committee member argues that SCC and Google SecOps overlap because 'both show security alerts' and demands one be removed to cut licensing. Which justification best defends retaining BOTH tools rather than consolidating?
You are the security operations engineer standing up a greenfield Google Cloud environment. Leadership wants detection and response capability in Google SecOps as fast as possible, but the organization has 40 projects with no consistent logging, no asset inventory baseline, and no threat intel enrichment yet. You must decide the initial onboarding sequence for integrating SCC, Google SecOps, GTI, and Cloud IDS so that early detections are trustworthy and not undermined by blind spots. Which sequencing approach best balances speed with detection reliability?
A security operations team runs Security Command Center (Premium) with Vulnerability and Web Security Scanner detectors enabled, and forwards SCC findings into Google SecOps where they build correlation rules. During a quarterly review, leadership asks the team to demonstrate that each tool is being used for its highest-value purpose rather than overlapping wastefully. The team notes that most SecOps correlation rules simply re-alert on the same misconfiguration findings SCC already surfaces, producing duplicate tickets. Which change best improves overall tool effectiveness while preserving justified overlap?