🔥 3-day streak
Professional Security Operations Engineer145 / 241
Question 145 of 241

A threat hunter at a financial services firm suspects that an attacker has deployed a rarely-used administrative utility across a small number of endpoints following a phishing campaign that began three days ago. The hunter wants to use Google SecOps UDM search to surface processes that are genuinely new to the environment, while avoiding false positives from legitimate tools that are simply uncommon but have existed for months. Which approach BEST supports identifying truly low-prevalence, recently-introduced processes?

Reviewed for accuracy · Report an issueNext question