Professional Security Operations Engineer · Difficulty

Medium PSOE practice questions

Applied — put a concept to work in a realistic situation. 124 medium questions available — no sign-up, always free.

Question 1 of 25

A security operations team must detect network-based exploitation attempts (e.g., known CVE exploit signatures) targeting workloads communicating across a shared VPC. The team already forwards SCC findings and VPC Flow Logs into Google SecOps but is not detecting in-flight exploit payloads. They want to justify adding a new telemetry source rather than expanding an existing one. Which telemetry source should be prioritized, and why is it not redundant with the existing sources?

Reviewed for accuracy · Report an issue
Question 2 of 25

Your organization forwards logs from a niche in-house web application firewall to Google SecOps. The logs arrive successfully, but analysts report that key fields such as source IP, blocked URL, and rule ID appear only as raw text and cannot be searched or used in detection rules. There is no default parser for this custom log format. What is the most appropriate action to make these fields usable in searches and rules?

Reviewed for accuracy · Report an issue
Question 3 of 25

Your SOC platform team publishes a weekly 'log source health' dashboard. A recent phishing incident revealed that a critical mail-gateway log source had stopped forwarding events three days before the attack, yet the dashboard showed the source as 'healthy' the entire week. On investigation, the dashboard's health status is based solely on cumulative event count over the trailing 7 days, which remained high due to a large burst earlier in the week. Which metric change would MOST reliably surface this type of gap going forward?

Reviewed for accuracy · Report an issue
Question 4 of 25

Your SOC tracks endpoint telemetry health across three business units of very different sizes: BU-A has 12,000 hosts, BU-B has 2,500 hosts, and BU-C has 300 hosts. Leadership wants a single coverage dashboard that fairly compares how well each business unit is delivering endpoint process-event telemetry, and flags units that are under-reporting relative to expectations. Raw daily event counts show BU-A dominating simply because it has more hosts. Which metric should you present as the primary comparison to fairly identify under-reporting units?

Reviewed for accuracy · Report an issue
Question 5 of 25

You are preparing a quarterly executive report on the effectiveness of your security operations program. Leadership wants a single headline metric that best communicates whether the SOC's detection engineering effort is actually improving the organization's ability to catch adversary behavior across the attack lifecycle — not just how busy the team is. Which metric should you feature as the primary indicator?

Reviewed for accuracy · Report an issue
Question 6 of 25

Your SOC maintains a curated inventory of business-critical server hostnames and their asset owners in a spreadsheet. Analysts want detections and searches in Google SecOps to automatically flag events involving these critical assets and surface the owning team, without modifying the raw logs or rewriting parsers for every log source. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 25

A threat intel bulletin from GTI reports a new malware campaign associated with a specific SHA-256 file hash and warns it may have been active for up to 45 days before public disclosure. Your organization's Google SecOps tenant retains 90 days of UDM data. You want to form a hypothesis-driven hunt to determine whether this hash ever executed anywhere in your environment, prioritizing completeness over speed. Which approach best fits this hunting goal?

Reviewed for accuracy · Report an issue
Question 8 of 25

A SOC manager wants to reduce analyst pivot time during triage. Analysts currently review Google SecOps alerts, then manually copy suspicious hashes and domains into the Google Threat Intelligence (GTI) web portal to check reputation and associations. The manager asks you to redesign the integration so that reputation context appears directly within the SecOps investigation workflow, while keeping GTI's deeper attribution and malware-family reporting available for escalations. Which approach best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 9 of 25

A threat hunter at a manufacturing company suspects that an attacker deployed a rarely-seen dropper across a small number of endpoints after an initial phishing compromise. She wants to surface processes that have executed on very few hosts across the fleet within the last 14 days, prioritizing binaries that appear on only one or two distinct assets. Which Google SecOps UDM search approach best supports this prevalence-based hunting hypothesis?

Reviewed for accuracy · Report an issue
Question 10 of 25

After containing a data exfiltration incident, your SOC lead asks you to lead the post-incident review. The incident timeline shows the alert fired at 02:14 but was not acknowledged in the Google SecOps case queue until 09:40, when the day-shift analyst began triage. Containment was completed within 20 minutes of triage starting. Leadership wants the post-incident activity to produce a corrective action that most directly reduces the risk of this delay recurring. Which finding should drive the primary corrective action?

Reviewed for accuracy · Report an issue
Question 11 of 25

A SecOps analyst is triaging the morning queue in Google SecOps. Three separate alerts have opened as distinct cases within a 15-minute window: (1) a suspicious PowerShell execution on host WIN-APP-04, (2) an outbound connection from WIN-APP-04 to a domain flagged by GTI as C2 infrastructure, and (3) a rare scheduled task creation on WIN-APP-04. The analyst confirms all three reference the same host entity, the same user principal, and overlapping timestamps consistent with a single intrusion chain. What is the MOST appropriate triage action before beginning containment?

Reviewed for accuracy · Report an issue
Question 12 of 25

A security architect is designing detection coverage for a large GCP estate. Security Command Center Premium already provides Event Threat Detection findings that leverage Google's curated threat intelligence, including known malicious IP and domain indicators. Leadership questions why the team also wants to license Google Threat Intelligence (GTI) as a separate tool, arguing it duplicates the threat intel already baked into SCC. Which justification best supports adding GTI alongside SCC in the architecture?

Reviewed for accuracy · Report an issue
Question 13 of 25

Your organization runs workloads in Google Cloud and already uses Security Command Center (SCC) Premium for misconfiguration and vulnerability findings. A compliance auditor questions why the security team also proposes deploying Cloud IDS, arguing that it appears redundant with SCC's threat detection capabilities. As the Security Operations Engineer, what is the strongest justification for maintaining both tools rather than eliminating one to reduce cost?

Reviewed for accuracy · Report an issue
Question 14 of 25

Your organization has just onboarded a tier-1 SOC team into Google SecOps. These analysts must triage alerts, run UDM searches, and add comments to cases, but company policy forbids them from modifying detection rules, altering data ingestion settings, or exporting bulk log data. A junior engineer proposes granting the team the 'Chronicle API Admin' IAM role to ensure they have enough access to work efficiently. As the security operations engineer reviewing this request, what is the most appropriate action?

Reviewed for accuracy · Report an issue
Question 15 of 25

Your organization ingests firewall, DNS, and endpoint telemetry into Google SecOps. Compliance requires that all security logs be searchable for 1 year, but your team has determined that raw DNS logs generate the highest volume and are rarely needed after 90 days for active investigations. Leadership wants to control storage costs while still meeting the 1-year searchability mandate. What is the most appropriate way to configure data retention in Google SecOps?

Reviewed for accuracy · Report an issue
Question 16 of 25

Your SOC leadership wants a single, defensible way to report which adversary behaviors the detection program can currently observe, and to prioritize where to invest engineering effort next quarter. You maintain roughly 400 active detection rules in Google SecOps. Which approach BEST communicates detection coverage and highlights meaningful gaps to leadership?

Reviewed for accuracy · Report an issue
Question 17 of 25

You are the SecOps engineer responsible for the observability of your detection program. Leadership asks for a single leading indicator that shows whether your detection engineering team is producing rules that actually fire on validated adversary behavior, as opposed to rules that never trigger or trigger only on benign activity. Which metric best serves as this leading indicator of detection engineering effectiveness?

Reviewed for accuracy · Report an issue
Question 18 of 25

As a SecOps engineer, you are building a monthly observability report for leadership. Over the past quarter, the SOC has authored 40 new detection rules. Leadership wants a single trend metric that reveals whether the detection engineering program is producing rules that analysts actually find actionable over time, rather than adding to alert fatigue. Which metric best measures this?

Reviewed for accuracy · Report an issue
Question 19 of 25

Following a confirmed business email compromise incident, your SecOps team completed a blameless post-incident review. The review produced eight corrective actions, ranging from enabling phishing-resistant MFA to updating a SOAR playbook that lacked an approval gate. Two weeks later, leadership asks the SOC manager to demonstrate that the incident's lessons are actually reducing organizational risk. Which practice BEST ensures the post-incident review translates into measurable risk reduction?

Reviewed for accuracy · Report an issue
Question 20 of 25

During post-incident activities for a resolved credential-phishing case in Google SecOps, your team confirmed the attacker used a specific set of newly registered domains and a phishing kit hash that were NOT detected proactively. Leadership wants to ensure the organization can immediately identify whether these same indicators appeared elsewhere in the environment during the incident window AND be alerted if they recur. Which combination of post-incident actions BEST satisfies both goals?

Reviewed for accuracy · Report an issue
Question 21 of 25

Following the containment and eradication of a compromised service account that was used for data staging in a GCP project, your SOC lead asks you to run the post-incident review. During the review, one engineer admits they ignored an earlier low-severity SecOps alert about anomalous service account activity because they were overloaded. The team wants to prevent recurrence. Which approach best aligns with effective root cause analysis and post-incident practices?

Reviewed for accuracy · Report an issue
Question 22 of 25

A financial services company running workloads across multiple GCP projects wants to detect publicly exposed Cloud Storage buckets, overly permissive IAM bindings, and unencrypted disks as soon as they are introduced. The security operations team already uses Google SecOps for log-based threat detection, Cloud IDS for network intrusion detection, and GTI for threat intelligence enrichment. Which telemetry source should the team prioritize as the primary detection mechanism for these cloud resource misconfigurations?

Reviewed for accuracy · Report an issue
Question 23 of 25

A security operations team wants Security Command Center (SCC) Premium findings—such as vulnerabilities and misconfigurations—to flow automatically into Google SecOps so analysts can correlate them with UDM events and threat intel. The lead engineer must configure the integration so findings are ingested continuously without granting excessive permissions to the export mechanism. Which approach correctly enables this integration while following least-privilege principles?

Reviewed for accuracy · Report an issue
Question 24 of 25

A SecOps engineer is designing a detection strategy for compromised GCP identities. The organization uses Security Command Center Premium, Google SecOps SIEM ingesting Cloud Audit Logs, and Cloud IDS. Leadership wants the fastest reliable signal when a service account key is used from an anomalous geographic location to enumerate IAM permissions. Which telemetry source should the engineer prioritize as the primary detection input for this specific behavior, and why?

Reviewed for accuracy · Report an issue
Question 25 of 25

A retail organization is expanding its Google Cloud footprint and wants to strengthen its posture-management capabilities. Leadership requires automated detection of misconfigurations, virtual machine and container vulnerability scanning, threat detection via Event Threat Detection and Container Threat Detection, and attack path simulation to prioritize exposed high-value assets. The current deployment uses only the free posture-management features of Security Command Center. As the Security Operations Engineer, which action best closes this capability gap?

Reviewed for accuracy · Report an issue