Professional Security Operations Engineer · Domain 1 · 14% of exam

Platform operations

Drill 20 practice questions focused entirely on Platform operations for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security operations team must detect network-based exploitation attempts (e.g., known CVE exploit signatures) targeting workloads communicating across a shared VPC. The team already forwards SCC findings and VPC Flow Logs into Google SecOps but is not detecting in-flight exploit payloads. They want to justify adding a new telemetry source rather than expanding an existing one. Which telemetry source should be prioritized, and why is it not redundant with the existing sources?

Reviewed for accuracy · Report an issue
Question 2 of 20

A security operations team currently runs SCC Premium, Cloud IDS on three VPCs, Google SecOps, and GTI Enterprise. Leadership asks the team to justify the continued spend on Cloud IDS, noting that SecOps already ingests VPC Flow Logs and firewall logs, and that SCC surfaces network-related findings. As the lead engineer, which justification most accurately defends retaining Cloud IDS as a distinct telemetry source rather than consolidating onto the existing tools?

Reviewed for accuracy · Report an issue
Question 3 of 20

A security operations team has integrated SCC, Google SecOps, GTI, and Cloud IDS. During a purple-team exercise, the red team exfiltrated data from a Compute Engine VM to an external attacker-controlled host over an encrypted channel on a non-standard port. SecOps received VPC Flow Log telemetry showing the connection, but no alert fired identifying the traffic as malicious, and Cloud IDS produced no signature match. Which conclusion best identifies the coverage gap and the most appropriate remediation?

Reviewed for accuracy · Report an issue
Question 4 of 20

A SOC manager wants to reduce analyst pivot time during triage. Analysts currently review Google SecOps alerts, then manually copy suspicious hashes and domains into the Google Threat Intelligence (GTI) web portal to check reputation and associations. The manager asks you to redesign the integration so that reputation context appears directly within the SecOps investigation workflow, while keeping GTI's deeper attribution and malware-family reporting available for escalations. Which approach best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A security operations engineer is evaluating tool effectiveness across the organization's Google Cloud environment. The current stack includes Security Command Center (SCC) for posture and misconfiguration findings, Cloud IDS for network-layer intrusion detection on VPC traffic, and Google SecOps ingesting audit and platform logs. During a tabletop exercise, the team notes that a compromised Cloud Run service executing malicious code was not detected until data exfiltration triggered a downstream alert. Which conclusion best identifies the coverage gap the engineer should address?

Reviewed for accuracy · Report an issue
Question 6 of 20

A security architect is designing detection coverage for a large GCP estate. Security Command Center Premium already provides Event Threat Detection findings that leverage Google's curated threat intelligence, including known malicious IP and domain indicators. Leadership questions why the team also wants to license Google Threat Intelligence (GTI) as a separate tool, arguing it duplicates the threat intel already baked into SCC. Which justification best supports adding GTI alongside SCC in the architecture?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your organization runs workloads in Google Cloud and already uses Security Command Center (SCC) Premium for misconfiguration and vulnerability findings. A compliance auditor questions why the security team also proposes deploying Cloud IDS, arguing that it appears redundant with SCC's threat detection capabilities. As the Security Operations Engineer, what is the strongest justification for maintaining both tools rather than eliminating one to reduce cost?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your organization has just onboarded a tier-1 SOC team into Google SecOps. These analysts must triage alerts, run UDM searches, and add comments to cases, but company policy forbids them from modifying detection rules, altering data ingestion settings, or exporting bulk log data. A junior engineer proposes granting the team the 'Chronicle API Admin' IAM role to ensure they have enough access to work efficiently. As the security operations engineer reviewing this request, what is the most appropriate action?

Reviewed for accuracy · Report an issue
Question 9 of 20

A SecOps engineer at a healthcare firm has deployed Cloud IDS to inspect north-south and east-west traffic in a VPC hosting patient-facing web applications. During a coverage review, the engineer notices that Cloud IDS is generating very few detections for a set of microservices that communicate over mutually authenticated TLS (mTLS). Leadership asks the engineer to evaluate whether Cloud IDS is providing effective detection coverage for these services and to recommend how to close any gap. What should the engineer conclude and recommend?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your SOC has deployed 40 YARA-L detection rules in Google SecOps over the past quarter. Leadership asks you to evaluate which rules are effective versus which are creating noise before the next tuning cycle. You pull metrics showing, per rule: alert volume, analyst dispositions (true positive / false positive / benign), and mean time to triage. Rule 'susp-oauth-grant' generated 900 alerts with a 2% true-positive rate, while rule 'admin-priv-escalation' generated 12 alerts with a 92% true-positive rate. Which approach best evaluates tool/rule effectiveness and identifies where coverage or tuning effort should go?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company running workloads across multiple GCP projects wants to detect publicly exposed Cloud Storage buckets, overly permissive IAM bindings, and unencrypted disks as soon as they are introduced. The security operations team already uses Google SecOps for log-based threat detection, Cloud IDS for network intrusion detection, and GTI for threat intelligence enrichment. Which telemetry source should the team prioritize as the primary detection mechanism for these cloud resource misconfigurations?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your SOC uses Security Command Center (SCC), Google SecOps (SIEM/SOAR), Google Threat Intelligence (GTI), and Cloud IDS. Analysts report that east-west (VM-to-VM) traffic containing exploit attempts against internal services is going undetected until well after compromise. Leadership asks you to justify which telemetry source should be prioritized to close this specific detection gap, and how it fits the architecture. Which recommendation best addresses the gap?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security operations engineer is evaluating tool coverage across a large Google Cloud organization. During a review, they discover that several development teams have spun up projects outside the standard folder hierarchy, and misconfigurations in those projects are not appearing in dashboards. Security Command Center Premium is enabled at the organization level, and findings are forwarded to Google SecOps. The engineer confirms SCC is scanning known projects correctly. What is the MOST likely reason the shadow projects' misconfigurations are missing, and how should coverage be validated?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security operations team ingests SCC findings, Cloud IDS alerts, and endpoint telemetry into Google SecOps. Analysts report severe alert fatigue: Cloud IDS generates thousands of low-severity signature matches daily, and most never correlate with any confirmed incident. Leadership wants to keep Cloud IDS in the architecture for its packet-level visibility but reduce noise reaching analysts, without permanently losing the raw data. Which approach best balances coverage retention with reducing analyst burden?

Reviewed for accuracy · Report an issue
Question 15 of 20

A security engineer is integrating a third-party CSPM vendor into Security Command Center so that the vendor's findings appear alongside native SCC findings in the central dashboard. The vendor uses a dedicated service account to push findings via the SCC API. Following least-privilege principles, which IAM role should be granted to the vendor's service account so it can create and update its own findings without gaining broad visibility into all organizational findings or the ability to modify Google-native findings?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security operations team wants Security Command Center (SCC) Premium findings—such as vulnerabilities and misconfigurations—to flow automatically into Google SecOps so analysts can correlate them with UDM events and threat intel. The lead engineer must configure the integration so findings are ingested continuously without granting excessive permissions to the export mechanism. Which approach correctly enables this integration while following least-privilege principles?

Reviewed for accuracy · Report an issue
Question 17 of 20

Your security operations team runs Google SecOps as the central SIEM and has recently activated SCC Premium across the organization. During a review, the SecOps lead notes that analysts are overwhelmed by thousands of individual misconfiguration and vulnerability findings forwarded from SCC, and they cannot tell which findings actually expose crown-jewel assets to external threats. The team wants to reduce noise while ensuring the most business-critical exposures are escalated first. Which approach best leverages the existing tool architecture to achieve this?

Reviewed for accuracy · Report an issue
Question 18 of 20

A security operations team ingests findings from both Security Command Center (SCC) Premium and Google SecOps into a single case management workflow. Analysts complain that the same GCP VM compromise generates one SCC finding (from a built-in detector) and one SecOps detection (from a YARA-L rule that consumes SCC findings forwarded into SecOps), producing duplicate cases. Leadership wants to preserve both tools but eliminate the duplicate case creation while keeping SecOps as the correlation and investigation hub. What is the most appropriate architectural adjustment?

Reviewed for accuracy · Report an issue
Question 19 of 20

A security architect is presenting a proposed SecOps platform to a cost-conscious steering committee. The design ingests SCC findings, Cloud IDS alerts, and GTI intelligence into Google SecOps. A committee member argues that SCC and Google SecOps overlap because 'both show security alerts' and demands one be removed to cut licensing. Which justification best defends retaining BOTH tools rather than consolidating?

Reviewed for accuracy · Report an issue
Question 20 of 20

You are the security operations engineer standing up a greenfield Google Cloud environment. Leadership wants detection and response capability in Google SecOps as fast as possible, but the organization has 40 projects with no consistent logging, no asset inventory baseline, and no threat intel enrichment yet. You must decide the initial onboarding sequence for integrating SCC, Google SecOps, GTI, and Cloud IDS so that early detections are trustworthy and not undermined by blind spots. Which sequencing approach best balances speed with detection reliability?

Reviewed for accuracy · Report an issue

More PSOE practice

Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.

← Back to PSOE overview