Detection engineering
Drill 20 practice questions focused entirely on Detection engineering for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your threat intel team publishes a weekly CSV that maps known malicious infrastructure to attributes: an IP address, the associated threat actor group, and a confidence tier (high/medium/low). You are writing a YARA-L single-event rule that must (a) match outbound connections to any listed IP and (b) populate the resulting detection's outcome with the specific threat actor name and confidence tier for that IP so analysts can triage without a separate lookup. Which SecOps construct should back this rule to satisfy both requirements most maintainably?
A detection engineer wrote a YARA-L single-event rule that fires on any authenticated SSH login from an external IP to production hosts. The rule generates hundreds of alerts daily, and analysts confirm the overwhelming majority originate from a known, authorized third-party vulnerability scanning service whose source IPs change weekly but always resolve within a documented ASN. Which tuning approach best reduces false positives while preserving detection of genuinely anomalous external SSH logins?
A detection engineer is maintaining a YARA-L single-event rule that flags process executions matching a curated list of known malicious file hashes derived from a threat intel feed. The list currently holds about 40 hashes hard-coded as a string literal comparison chain in the rule using multiple 'or' conditions. The intel team now delivers roughly 2,000 new hashes weekly and wants the detection updated without editing rule logic each time or triggering a full rule re-approval. Which approach best supports this requirement in Google SecOps?
A detection engineer is authoring a YARA-L rule based on a published APT threat report. Leadership requires that every deployed rule be auditable, so analysts triaging an alert can immediately trace the rule back to the intelligence source, the analytic assumption, and any reference material used during authoring. Which approach in the rule's metadata section best satisfies this traceability requirement without affecting detection logic?
A detection engineer is building a new YARA-L 2.0 multi-event rule in Google SecOps. The rule must be attributed to a specific analyst team, must automatically deprecate older rule iterations when a newer version is promoted, and must allow the SOC lead to filter all rules owned by the 'threat-detection' team in the rule dashboard. Which YARA-L rule construct should the engineer use to satisfy the ownership and filtering requirement without affecting detection logic?
Your detection engineering team maintains a library of community Sigma rules that they want to operationalize in Google SecOps. One Sigma rule detects suspicious use of certutil.exe to download files. Rather than blindly auto-converting the Sigma rule to YARA-L, your lead insists the team review each converted rule before deploying it to production. Which reason BEST justifies this manual review step during Sigma-to-YARA-L migration?
A detection engineer at a financial services firm receives a threat intelligence report describing an adversary that abuses Windows Management Instrumentation (WMI) for lateral movement and executes payloads via WMI event subscriptions for persistence. She writes a YARA-L rule to detect the WMI event subscription behavior and wants to ensure the rule is discoverable and correctly attributed when the SOC later runs ATT&CK coverage reports in Google SecOps. According to detection engineering best practice, how should she populate the rule metadata?
A detection engineer writes a YARA-L single-event rule to catch execution of a renamed 'mimikatz.exe' binary. The rule matches on $e.target.process.file.full_path, but the team observes that the tool is often dropped with mixed-case names like 'MimiKatz.exe' and 'MIMIKATZ.EXE', and the current rule misses these variants. The engineer also wants to avoid false positives from a legitimate internal utility named 'mimic_katalog.exe'. Which change best addresses both goals?
A detection engineer is authoring a YARA-L multi-event rule that fires when a single user authenticates from three or more distinct source IP addresses within 15 minutes. During test runs against historical data, the rule generates correct detections, but the security analysts complain that each alert only shows one source IP in the alert details, making triage difficult because they cannot see the full set of IPs that contributed to the detection. Which change to the rule best resolves this without altering the detection logic or threshold?
A detection engineer writes a YARA-L single-event rule to alert on suspicious PowerShell activity. The rule uses one event variable $e and defines three match strings for command-line flags. In the condition section, the engineer wants the rule to fire only when at least two of the three suspicious flags appear in the same PowerShell process command line. Which condition construct correctly expresses 'at least 2 of the 3 defined string conditions must be true'?
A detection engineer maintains a single-event YARA-L rule that flags process executions from a hard-coded list of 40 known malicious binary names embedded in a large regex alternation. The threat intel team updates the malicious binary list roughly twice a week, and each update currently requires editing, re-testing, and re-versioning the rule. The engineer wants to reduce operational overhead while keeping the detection logic stable. Which change best achieves this goal?
A detection engineer has finished authoring and validating a new YARA-L multi-event rule in Google SecOps. Testing against historical data confirmed strong precision. The team now wants the rule to generate alerts on incoming data and to also retroactively evaluate the last two weeks of stored events to catch any prior activity, without duplicating alerts already surfaced during testing. Which lifecycle action correctly achieves this?
A detection engineer has authored a new multi-event YARA-L rule in Google SecOps intended to detect credential dumping followed by lateral movement. Before enabling it for live alerting across production, the team wants to validate that the rule fires on known malicious activity without generating excessive noise, and they need evidence to support promoting it through their change-control process. Which approach best supports safe promotion of this rule into production alerting?
A detection engineer is writing a YARA-L single-event rule to flag PowerShell downloads via LOLBins. Leadership requires that the alert severity dynamically reflect risk: events involving a system account should be tagged 'HIGH', all others 'LOW'. The engineer wants this severity to appear as a queryable field on each detection so downstream SOAR playbooks can route on it. Which approach correctly implements this in YARA-L 2.0?
A detection engineer at a financial services firm has authored a new YARA-L single-event rule to flag suspicious OAuth token grants. Before enabling live alerting, the team lead requires evidence that the rule fires correctly against known past incidents and does not generate excessive noise. The engineer wants to validate the rule against 30 days of already-ingested UDM events without creating alerts or notifications. Which Google SecOps capability should the engineer use to accomplish this?
A detection engineer maintains a YARA-L single-event rule that flags any use of `certutil.exe` with a URL argument (a known LOLBin download technique). The rule is technically accurate but generates ~300 alerts per day because a legitimate internal patch-management tool uses certutil to fetch signed update manifests from a fixed internal server. The engineer must preserve detection of genuinely suspicious certutil downloads while eliminating the recurring benign noise, and wants the tuning to remain maintainable and self-documenting. Which approach best meets these goals?
A detection engineer is drafting a YARA-L rule to catch a credential-dumping tool that must correlate a process-creation event with a subsequent registry-read event on the SAM hive from the same host within 5 minutes. Their first draft uses a single event variable ($e) with two selection blocks and adds a 'match' section grouping by principal.hostname. The rule fails to compile with an error indicating the match variables are not correlated across events. What is the root cause and the correct fix?
A detection engineer is building a YARA-L single-event rule to detect suspicious use of Windows Management Instrumentation (WMI) for remote execution. The SOC requires that every deployed rule be traceable to MITRE ATT&CK so that coverage reports can be generated automatically from the rule corpus. What is the BEST way to ensure this rule contributes to automated ATT&CK coverage reporting in Google SecOps?
A threat intelligence report describes an adversary that uses Windows Management Instrumentation (WMI) to remotely execute commands on target hosts (mapped to MITRE ATT&CK T1047). Your detection engineering team wants to build a YARA-L rule that generalizes to this technique rather than matching only the specific tool hashes named in the report. Which approach best translates the intelligence into durable, behavior-based detection coverage?
A detection engineer is writing a YARA-L multi-event rule to flag possible data staging. The intent is to detect when a single host both reads from more than 50 distinct sensitive files AND transfers an aggregate volume exceeding 500 MB within the same match window. The engineer wants the condition to evaluate two computed aggregate values against thresholds. Which approach correctly implements this in a YARA-L 2.0 rule?
More PSOE practice
Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.
← Back to PSOE overview