Threat hunting
Drill 20 practice questions focused entirely on Threat hunting for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A threat intel bulletin from GTI reports a new malware campaign associated with a specific SHA-256 file hash and warns it may have been active for up to 45 days before public disclosure. Your organization's Google SecOps tenant retains 90 days of UDM data. You want to form a hypothesis-driven hunt to determine whether this hash ever executed anywhere in your environment, prioritizing completeness over speed. Which approach best fits this hunting goal?
A threat intelligence report from Google Threat Intelligence (GTI) attributes a recent campaign to a group that stages payloads on a rotating set of newly registered domains, all sharing a distinctive TLS certificate serial number. Your SecOps team wants to run a hypothesis-driven hunt to determine whether any endpoints in your environment have contacted infrastructure matching this campaign, even if the specific domains in the report are not yet observed in your logs. Which approach best supports this hunt in Google SecOps?
During a hypothesis-driven hunt, a SecOps threat hunter pulls a Google Threat Intelligence (GTI) collection containing roughly 4,000 suspected C2 IP addresses associated with a commodity loader campaign. A UDM search for network connections against this set returns 62 distinct internal hosts matching various IPs across the last 30 days. With limited time before an incident review, the hunter must decide which matches to investigate first. Which approach best prioritizes the matches while minimizing wasted effort on likely false positives?
A threat hunter at a manufacturing company suspects that an attacker deployed a rarely-seen dropper across a small number of endpoints after an initial phishing compromise. She wants to surface processes that have executed on very few hosts across the fleet within the last 14 days, prioritizing binaries that appear on only one or two distinct assets. Which Google SecOps UDM search approach best supports this prevalence-based hunting hypothesis?
During a proactive hunt, a SecOps engineer suspects that an attacker has deployed a backdoor listener on a small number of Linux servers in a fleet of 4,000 hosts. The engineer wants to use a single UDM search to surface network listener events where the combination of listening port and process binary appears on very few distinct hosts across the last 30 days, while ignoring ports that are common across the fleet. Which UDM search approach best supports this hypothesis?
During a proactive hunt in Google SecOps, a threat hunter suspects that an attacker deployed a custom loader across a small number of workstations. The hunter wants to surface executables that have been observed on very few hosts and only appeared in the environment within the last 3 days, without relying on any known IOC. Which UDM search approach best supports this hypothesis?
A threat hunter has a GTI-sourced list of 40 suspicious domains tied to a commodity loader campaign. They run a UDM search over 30 days of DNS and HTTP proxy logs and find several matches, but they want to distinguish domains that were resolved but never actually connected to (potentially blocked or sinkholed) from domains where a full session was established. Which UDM search approach BEST lets them separate resolved-only activity from established-connection activity across both log sources in a single hunt?
During a hypothesis-driven hunt in Google SecOps, an analyst suspects a compromised host is communicating with attacker infrastructure. They have a list of 40 external IP addresses observed in outbound connections over the past week. The analyst wants to quickly determine which of these IPs are already associated with known malicious activity according to Google Threat Intelligence (GTI), so they can focus the investigation. Which approach best leverages GTI enrichment within SecOps to triage this list efficiently?
A threat hunter at a financial services firm suspects that an attacker has deployed a rarely-used administrative utility across a small number of endpoints following a phishing campaign that began three days ago. The hunter wants to use Google SecOps UDM search to surface processes that are genuinely new to the environment, while avoiding false positives from legitimate tools that are simply uncommon but have existed for months. Which approach BEST supports identifying truly low-prevalence, recently-introduced processes?
A threat hunter in Google SecOps wants to identify PowerShell child processes that have executed across only one or two hosts in the entire enterprise over the past 90 days, as a way to surface anomalous, low-prevalence activity. They write a UDM search filtering on target.process.file.full_path matching powershell.exe and group results, but the query returns hundreds of hosts and no useful low-prevalence signal. What is the MOST likely reason the hunt failed to surface rare activity, and how should it be corrected?
During a proactive hunt in Google SecOps, you hypothesize that an adversary is using valid credentials from an unusual location to access a set of internal admin consoles. You want to identify successful authentication events where the source geolocation country has almost never been seen for that specific user account over the past 90 days, so you can prioritize a small number of anomalous logins for investigation. Which UDM search approach best supports this hypothesis-driven hunt?
A threat hunter in Google SecOps is building a YARA-L 2.0 rule to operationalize a hypothesis-driven hunt. They want the rule to fire only when an outbound network connection's destination domain matches an IOC that Google Threat Intelligence (GTI) has enriched onto the event, AND only when GTI's confidence score for that indicator is high enough to reduce noise. Which approach correctly leverages the GTI enrichment data within the rule's event and condition sections?
A threat hunter forms a hypothesis that an adversary is using DNS TXT record queries for low-and-slow data exfiltration through a single internal host. The hunter wants a YARA-L 2.0 rule that surfaces hosts generating an anomalously high volume of DNS queries with long, high-entropy subdomain labels to a small set of second-level domains within a short window. Which approach best operationalizes this hypothesis in Google SecOps?
A threat hunter in Google SecOps forms a hypothesis that an attacker is staging tools by writing to hidden administrative shares (e.g., \\host\C$) on internal servers before lateral movement. The hunter wants a YARA-L 2.0 rule that surfaces only the FIRST time a given source host writes a file to an admin share on any destination host over the trailing 14 days, avoiding alerts on hosts that routinely perform such writes (backup and patch-management systems). Which approach best implements this hunt?
During a hypothesis-driven hunt in Google SecOps, you suspect that a phishing campaign is spawning script interpreters from Office applications. You want to write a YARA-L 2.0 rule that surfaces PROCESS_LAUNCH events where a Microsoft Office binary (e.g., winword.exe, excel.exe) is the parent of a scripting process (e.g., powershell.exe, wscript.exe), but only when that specific parent-child pairing is rare across your fleet. Which approach best fits YARA-L 2.0 to prioritize low-prevalence pairings rather than every match?
A threat hunter suspects that a compromised GCP service account is being used from an unexpected geographic location. In Google SecOps, they want a YARA-L 2.0 rule that flags whenever a service account authenticates from a country that has never been seen for that specific principal within a 30-day baseline. Which YARA-L construct is essential to express this 'first-seen country per principal' logic correctly?
A threat hunter suspects a custom malware sample is using a bespoke TLS library, which would produce a client-side JA3 fingerprint that no legitimate application in the fleet generates. They want a YARA-L 2.0 hunt rule that surfaces network connections whose JA3 hash has never been observed in the environment before the current 24-hour hunt window, while excluding hashes that appear across many hosts (indicating common software). Which approach best fits this hypothesis?
A threat hunter has a hypothesis that adversaries in their environment are abusing certutil.exe with a URL argument to download second-stage payloads. They want a YARA-L rule that surfaces only the FIRST time each host executes certutil with a URL-like command-line argument within the last 30 days, to avoid alerting on the many benign, repeated certutil invocations already present in the fleet. Which rule design best satisfies this first-seen-per-host hunting requirement?
A threat hunter suspects a slow-and-low data exfiltration campaign where compromised endpoints each reach out to a distinct staging domain that no other host in the fleet has ever contacted. The hunter wants a YARA-L 2.0 detection that surfaces network connections to domains that are unique to a single host and have never been observed elsewhere in the environment over the past 30 days. Which YARA-L construct is most appropriate to implement this hunt logic?
A threat hunter suspects an adversary is persisting by creating Windows services that point to binaries in unusual directories. They want a YARA-L hunting rule that surfaces service-creation events (UDM event_type SETTING_MODIFICATION with a service target) where the associated binary file path has NEVER been observed running as a service anywhere in the environment during the prior 14 days. Which approach correctly implements this 'first-seen service binary path' hunt in Google SecOps?
More PSOE practice
Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.
← Back to PSOE overview