🔥 3-day streak
Professional Security Operations Engineer163 / 241
Question 163 of 241

A detection engineer at a financial services firm has authored a new YARA-L single-event rule to flag suspicious OAuth token grants. Before enabling live alerting, the team lead requires evidence that the rule fires correctly against known past incidents and does not generate excessive noise. The engineer wants to validate the rule against 30 days of already-ingested UDM events without creating alerts or notifications. Which Google SecOps capability should the engineer use to accomplish this?

Reviewed for accuracy · Report an issueNext question