Professional Security Operations Engineer · Domain 6 · 10% of exam

Observability

Drill 17 practice questions focused entirely on Observability for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer17 questions
Question 1 of 17

As a Security Operations Engineer, you maintain a coverage dashboard that shows all 4,200 corporate endpoints reporting EDR telemetry into your SIEM. Alert volumes look healthy and log freshness is under 5 minutes fleet-wide. However, during a recent incident, a detection for credential dumping (LSASS access) never fired on the compromised host, even though the same rule fired reliably on other hosts. The host was actively sending process and network events at the time. What is the MOST likely observability gap to investigate first?

Reviewed for accuracy · Report an issue
Question 2 of 17

Your SOC platform team publishes a weekly 'log source health' dashboard. A recent phishing incident revealed that a critical mail-gateway log source had stopped forwarding events three days before the attack, yet the dashboard showed the source as 'healthy' the entire week. On investigation, the dashboard's health status is based solely on cumulative event count over the trailing 7 days, which remained high due to a large burst earlier in the week. Which metric change would MOST reliably surface this type of gap going forward?

Reviewed for accuracy · Report an issue
Question 3 of 17

During a quarterly observability review, a SOC engineer notices that the endpoint detection rules covering a critical business unit's Windows fleet fire far less often than expected. The log source shows as 'onboarded' in the platform, ingestion volume graphs show steady EPS, and no forwarder health alerts are active. However, a MITRE ATT&CK coverage heatmap shows techniques for that fleet dropped from 'covered' to 'partial' over the last 30 days. What is the most likely root cause the engineer should investigate first?

Reviewed for accuracy · Report an issue
Question 4 of 17

A SOC lead is building a quarterly observability review for the security operations platform. They have a MITRE ATT&CK heatmap showing rule counts per technique, an alert-volume trend, and an EPS ingestion chart. Leadership asks a pointed question: 'Which ATT&CK tactics can we currently NOT detect at all, regardless of how many rules exist elsewhere?' Which additional analysis is MOST directly required to answer this specific question?

Reviewed for accuracy · Report an issue
Question 5 of 17

A SOC manager reviews the quarterly observability dashboard for the security operations platform. The 'endpoint process execution' log source shows healthy ingestion volume and low parser error rates, yet the MITRE ATT&CK coverage panel indicates that the Credential Access tactic has zero mapped active detections for endpoint telemetry. Meanwhile, the alert volume dashboard shows a steady stream of Credential Access alerts sourced only from the identity provider logs. Which conclusion is best supported by these observability signals?

Reviewed for accuracy · Report an issue
Question 6 of 17

Your SOC tracks endpoint telemetry health across three business units of very different sizes: BU-A has 12,000 hosts, BU-B has 2,500 hosts, and BU-C has 300 hosts. Leadership wants a single coverage dashboard that fairly compares how well each business unit is delivering endpoint process-event telemetry, and flags units that are under-reporting relative to expectations. Raw daily event counts show BU-A dominating simply because it has more hosts. Which metric should you present as the primary comparison to fairly identify under-reporting units?

Reviewed for accuracy · Report an issue
Question 7 of 17

A security operations engineer is building an observability dashboard to measure the health of telemetry feeding the SIEM. For a critical Windows endpoint log source that is confirmed onboarded and parsing successfully, several detection rules that depend on the UDM field 'principal.process.command_line' are firing far less often than expected. Ingestion volume and log freshness metrics both appear normal. Which metric should the engineer add to the dashboard to best diagnose whether this detection gap is caused by an underlying telemetry quality problem?

Reviewed for accuracy · Report an issue
Question 8 of 17

You are preparing a quarterly executive report on the effectiveness of your security operations program. Leadership wants a single headline metric that best communicates whether the SOC's detection engineering effort is actually improving the organization's ability to catch adversary behavior across the attack lifecycle — not just how busy the team is. Which metric should you feature as the primary indicator?

Reviewed for accuracy · Report an issue
Question 9 of 17

You manage observability for a SecOps platform that ingests logs from 40 log sources. Leadership wants an automated way to catch a log source that has stopped sending data OR has abnormally spiked, before it affects detection coverage. Some sources are batch-based (bursty every 6 hours) and some stream continuously. Which monitoring approach best balances early gap detection with minimizing false alarms across these mixed ingestion patterns?

Reviewed for accuracy · Report an issue
Question 10 of 17

Your SOC leadership wants a single, defensible way to report which adversary behaviors the detection program can currently observe, and to prioritize where to invest engineering effort next quarter. You maintain roughly 400 active detection rules in Google SecOps. Which approach BEST communicates detection coverage and highlights meaningful gaps to leadership?

Reviewed for accuracy · Report an issue
Question 11 of 17

You are the SecOps engineer responsible for the observability of your detection program. Leadership asks for a single leading indicator that shows whether your detection engineering team is producing rules that actually fire on validated adversary behavior, as opposed to rules that never trigger or trigger only on benign activity. Which metric best serves as this leading indicator of detection engineering effectiveness?

Reviewed for accuracy · Report an issue
Question 12 of 17

As a SecOps engineer, you are building a monthly observability report for leadership. Over the past quarter, the SOC has authored 40 new detection rules. Leadership wants a single trend metric that reveals whether the detection engineering program is producing rules that analysts actually find actionable over time, rather than adding to alert fatigue. Which metric best measures this?

Reviewed for accuracy · Report an issue
Question 13 of 17

Your SOC relies on roughly 400 active YARA-L detection rules in Google SecOps. Over the past quarter, an internal audit found that one high-value rule had silently stopped producing detections for six weeks because an upstream schema change caused the referenced UDM field to always be empty — no errors were raised. Leadership asks you to design an observability control that would surface this class of failure going forward. Which approach most directly detects rules that have silently gone dormant?

Reviewed for accuracy · Report an issue
Question 14 of 17

A SOC manager reviews the observability dashboard and notices that the security operations platform is processing a steady 40,000 alerts per day with a stable false-positive rate. However, the security engineering team just confirmed that a new business-critical SaaS application went live two weeks ago and is not yet onboarded as a log source. The manager wants a single metric that best reflects whether the platform can actually detect threats against the organization's environment, rather than just how busy it is. Which metric should the manager prioritize on the dashboard?

Reviewed for accuracy · Report an issue
Question 15 of 17

Your SOC leadership claims MITRE ATT&CK coverage is at 82% based on the number of enabled detection rules mapped to techniques. During a recent red team exercise, several techniques that were counted as 'covered' generated no alerts. Which improvement to your observability program most directly addresses the discrepancy between reported coverage and actual detection effectiveness?

Reviewed for accuracy · Report an issue
Question 16 of 17

During a quarterly observability review, a SOC lead notices the detection platform has 480 enabled YARA-L rules, but a dashboard shows that 62 of them have not fired a single time in the past 18 months, while another 40 have fired but every alert was closed as false positive. Leadership wants a single, actionable metric to govern the health of the detection rule inventory going forward. Which metric best distinguishes rules that provide genuine defensive value from those that add maintenance burden without benefit?

Reviewed for accuracy · Report an issue
Question 17 of 17

A SOC manager is building a quarterly board report on detection and response effectiveness. Over the quarter, alert volume grew 40% due to onboarding new log sources, and the team added several new detection rules. The board specifically wants to understand whether the SOC is getting better at limiting how long attackers operate undetected inside the environment before being caught and contained. Which single metric most directly answers the board's question?

Reviewed for accuracy · Report an issue

More PSOE practice

Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.

← Back to PSOE overview