Google Cloud SecOps Technical Credential Answers

1 rating

This assessment will test your knowledge of the SecOps (Chronical and Mandiant) products. You must achieve a score of 80% or higher to receive the technical credential.

Questions:

Identify the Security Operations Center (SOC) Practitioner Personas that are most likely to be using Security Information and Event Management (SIEM) on a regular basis.

Select two that apply, and then click Submit.

Security Analyst
Security Engineer
Software Developer
Malware Researcher

Identify the three features referred to as "table stakes" for Security Information and Event Management (SIEM).

Select one that applies, and then click Submit.

Detection, Application Monitoring, and User and Entity Behavior Analytics (UEBA)
Search, Application Monitoring, and Statistical Normalization
Search, Detection, and Visualization
Visualization, Vulnerability Management, and User and Entity Behavior Analytics (UEBA)

The rule language in Chronicle Security Information and Event Management (SIEM) was designed for what purpose?

Select one that applies, and then click Submit.

Business Intelligence
Data Analytics
Metric Visualization
Threat Detection

Aliasing applies to what kinds of entities in Chronicle Security Information and Event Management (SIEM)?

Select one that applies, and then click Submit.

Users, Internet Protocol (IP) Addresses, Domains, and Indicators of Compromise (IOCs)
Users, Processes, Assets, and Hashes
Internet Protocol (IP) Addresses, Hostnames, and Domains
Users, Hostnames, Binaries, and Indicators of Compromise (IOCs)

What three components make up the Chronicle Entity Context Graph (ECG)?

Select one that applies, and then click Submit.

Entity Context, Asset Context, and Time Domain Context
Host Context, Process Context, and Time Domain Context
Entity Context, Global Context, and Local Context
Entity Context, Derived Context, and Global Context

What is the product name of the largest threat observatory, operated by Google, that plugs directly into Chronicle?

Select one that applies, and then click Submit.

Google Cloud Threat Intelligence (GCTI)
Emerging Threats
VirusTotal
Mandiant Red Threats

There are rules that are created by the customer or owner of a Chronicle Security Information and Event Management (SIEM) tenant, and there are a group of rules developed by Uppercase based on Google threat intelligence. What is the Google-provided rules called?

Select one that applies, and then click Submit.

Default Rules
Curated Rules
Template Rules
Repo Rules

Over what time span will Chronicle Security Information and Event Management (SIEM) re-evaluate Indicators of Compromise (IOCs) and create new correlations and alerts?

Select one that applies, and then click Submit.

72 hours
1 month
1 week
1 year

Data from Chronicle can be transparently copied out into what data warehouse for further analytics?

Select one that applies, and then click Submit.

Google BigData
Google BigQuery
Google Datastore
Google Firestore

When selecting a data source to forward to Chronicle Security Information and Event Management (SIEM), for what parsers can you expect the most rigorous testing?

Select one that applies, and then click Submit.

Default Parsers
Diamond Parsers
Platinum Parsers
Gold Parsers

What does UDM stand for?

Select one that applies, and then click Submit.

Uppercase Data Model
Unified Data Model
Unicorn Data Mode
Uninterruptable Data Model

The UDM is designed to contain models for what two types of data?

Select one that applies, and then click Submit.

Events and Objects
Objects and Lists
Events and Entities
Events and Lists

Chronicle Security Information and Event Management (SIEM) applies the schema at what point to ensure maximum performance and increase the number of pivots that can be done on data?

Select one that applies, and then click Submit.

It depends on the parser
On search
Some on write, some on search
On write

What is the primary job of the Indexing service?

Select one that applies, and then click Submit.

Index the telemetry for maximum data resiliency.
Index the telemetry for fast retrieval.
Return the results of a search.
Create unique markers for data integrity.

Which Chronicle Security Information and Event Management (SIEM) search method allows for a "grep" like functionality?

Select one that applies, and then click Submit.

Unified Data Model (UDM) Search
Indexed Log Search
Raw Log Search
Entity Graph Search

What are the two primary functions of the Partner Application Programming Interfaces (APIs)?

Select one that applies, and then click Submit.

Provision new customers and process billing
Ingestion metrics and process billing
Provision new customers and rotate customer keying information
Provision new customers and parser tools

What are the required sections of a YARA-L rule?

Select one that applies, and then click Submit.

Meta, events, and condition
Meta, events, condition, and match
Meta, events, condition, and outcome
Meta and events

Which optional field is required for a multi-event YARA-L rule?

Select one that applies, and then click Submit.

Events
Match
Outcome
Options

In YARA-L, what is the equivalent of #var > 0?

Select one that applies, and then click Submit.

$var
&var
%var
$var = 1

For what kind of field will the nocase operator cause an error?

Select one that applies, and then click Submit.

Optional Fields
String Fields
Enumerated Fields
Classless Inter-Domain Routing (CIDR) Fields

What are the special operators that can act on a repeated field value in YARA-L?

Select one that applies, and then click Submit.

ANY, ALL
AND, NOT
ANY, NONE
OR, NOT

What is the maximum time range for a match section of a multi-event rule in YARA-L?

Select one that applies, and then click Submit.

1 day
1 week
48 hours
72 hours

What two operators in YARA-L create a sliding window of time that will match events in a specific order?

Select one that applies, and then click Submit.

until, after
before, gt
lt, gt
before, after

What string function can be used to decode encoded command lines, especially in PowerShell?

Select one that applies, and then click Submit.

strings.decode
strings.base64_decode
strings.hashmatch
strings.encode

When considering parsing in Chronicle Security Information and Event Management (SIEM), a data source must always be associated with what?

Select one that applies, and then click Submit.

Metadata event type
Data Application Programming Interface (API)
Metadata path
Data label

What are the extract functions used in Google's Configuration-based Normalization?

Select one that applies, and then click Submit.

JSON, XML, KV, GROK, and CSV
JSON, TSV, KV, and CSV
XML, KV, CSV, TSV, and SQL
XML, KV, and CSV

What are the two search modes available in Chronicle Security Information and Event Management (SIEM)?

Select one that applies, and then click Submit.

Regex and field query
Unified Data Model (UDM) Search and grep regex
Unified Data Model (UDM) Search and Raw Log Scan
Unified Data Model (UDM) Search and YARA-L

On the Mandiant Advantage Threat Intelligence home page, high-level activity metrics for which types of threats are shown on the dashboard?

Select one that applies, and then click Submit.

Actor, Smishing, and Vulnerability
Actor, Malware, and Vulnerability
Vulnerability, Insider Threat, and Phishing
Actor, Phishing, and Vulnerability

What is the minimum Mandiant Threat Intel subscription level that provides access to MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) tactics and techniques for Mandiant-tracked Actors and Malware?

Select one that applies, and then click Submit.

Threat Intelligence Security Operations
Malware Intelligence Operations
Threat Operations
Security Operations Assistance Platform

If a prospect requires a keyword-driven solution for deep, dark, and open web reconnaissance, which Mandiant Threat Intelligence subscription should be considered?

Select one that applies, and then click Submit.

Deep Web Threat Monitoring
Dark Search Tools
Digital Threat Monitoring
Digital Actor Monitoring

What is the minimum Mandiant Threat Intelligence subscription level that provides full-narrative strategic to tactical analysis and access to 20+ report types from Mandiant frontline threat intelligence analysts?

Select one that applies, and then click Submit.

Mandiant Threat Level Report
Threat Aggregation
Mandiant Weather Report
Threat Intelligence Fusion

Mandiant Threat Intelligence malware profiles include malware detections written in what language?

Select one that applies, and then click Submit.

SQL
YARA
KSQL
Snort

Which Mandiant Threat Intelligence Application Programming Interface (API) version four endpoint will return a list of all threat actors?

Select one that applies, and then click Submit.

/v4/actor
/v4/actors.all
/mandiant/threatactors
/mati/actors

Which Mandiant Threat Intelligence API version 4 endpoint will return information about vulnerabilities, including in a given period, by Identity Document (ID) or Common Vulnerabilities and Exposures (CVE)?

Select one that applies, and then click Submit.

/v4/actors
/v4/vulnerability.all
/v4/vulnerability
/v4/vuln

Which Mandiant Threat Intelligence Application Programming Interface (API) version 4 endpoint will return a list of indicators?

Select one that applies, and then click Submit.

/var/indicators.all
/v4/threats/indicators
/v4/actor/indicator
/v4/indicator

Mandiant Attack Surface Management (ASM) supports scanning for vulnerability exploitation that was demonstrated during the SolarWinds events publicized in December 2020. What kind of vulnerability exploitation was it?

Select one that applies, and then click Submit.

Supply chain attack
Phishing attack
RAT-based attack
Insider threat

When does Mandiant Attack Surface Management (ASM) require some form of authentication for discovery?

Select one that applies, and then click Submit.

Insider Threat
When integrating into Cloud Assets or third party tools
Always
Never

Mandiant Attack Surface Management (ASM) discovers technologies using what method?

Select one that applies, and then click Submit.

Secure SHell (SSH) prompt scanning
Simple Network Management Protocol (SNMP) query
Banner scanning
Fingerprinting

Which tab in the Mandiant Attack Surface Management (ASM) interface provides a high level exportable executive summary of the ASM solution's findings?

Select one that applies, and then click Submit.

Insights
Big Picture
Executive Review
30,000 Foot View

In Attack Surface Management, what is a seed?

Select one that applies, and then click Submit.

A foothold where an attacker might gain entry to an environment
A specific piece of software running on an entity
A zip file downloaded to an endpoint
A starting point for discovery

Which of the following are examples of issues that Mandiant Attack Surface Management (ASM) can identify?

Select three that apply, and then click Submit.

Vulnerabilities
Misconfigurations
Expired Certificates
Disabled Endpoint Solution

Which of the following is a currently supported outbound integration for Mandiant Attack Surface Management (ASM)?

Select one that applies, and then click Submit.

Tenable
PaloAlto Xpanse
JIRA
Trellix Helix

What part of an Entity page shows how Attack Surface Management (ASM) found this entity from the initial seed as well as the task that uncovered it?

Select one that applies, and then click Submit.

Associated Issues
Discovery Context
Entity Context
Scoping Map

What collection scan settings can be supplied if custom input types are required?

Select one that applies, and then click Submit.

Cookies, Ports, and Headers
Cookies, Internet Protocol (IP) Addresses, and Authentication Tokens
Ports, Cookies, and Secure SHell (SSH) Keys
Headers, Bearer Tokens, and Internet Protocol (IP) Addresses

What are the main types of actors used in Mandiant Security Validation?

Select two that apply, and then click Submit.

Server
Network
Database
Endpoint

What happens to an Actor in a protected Theater after the conclusion of each test?

Select one that applies, and then click Submit.

They are deleted.
They are reverted to their original state.
They are reverted to a traditional endpoint actor.
An Automated Environmental Change/Drift Analysis (AEDA) job is generated for that actor for all actions in the test.

The ability to automate drift detection, reducing manual efforts in standardization, is a function of what module of Mandiant Security Validation?

Select one that applies, and then click Submit.

Endpoint Protected Theater
Threat Actor Assurance Module
Email Theater
Advanced Environmental Drift Analysis

When considering a Proof of Concept (POC) of Mandiant Security Validation, in addition to the Success Criteria, what other customer information should be documented before the beginning of the POC?

Select three that apply, and then click Submit.

Customer Validation Use Cases
Customer Network Infrastructure and Deployed Security Controls
Customer Internet Egress Internet Protocol (IP) Addresses
Customer Security Lifecycle Framework

Which are the two MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) tactics that are not covered by Mandiant Security Validation?

Select two that apply, and then click Submit.

Resource Development
Reconnaissance
Command and Control
Defense Evasion

How do you Sync integrations between your Director and Third party integrations?

Select one that applies, and then click Submit.

Go to Settings > Integrations. Locate the integration you want to sync to the appropriate table. Click the vertical ellipses in the last column. Click Sync in the drop-down list. Wait for the sync to complete.
Go to Settings > Configuration. Configure the Application you want to sync in the appropriate table. Click the vertical ellipses in the last column. Click Sync in the drop-down list. Wait for the sync to complete.
Integrations do not need to Synchronize with the director, only output from the alerting system is required.
You do not need to Sync them, it is automated.

What is the name of the core Mandiant Security Validation component that is required for running actions against Network Security Controls, Linux, Mac, and Linux endpoint controls, and Email controls.

Select one that applies, and then click Submit.

Director
Agents
Actors
Modules

What is the scope of selecting the "All Environments" button when creating a playbook?

Select one that applies, and then click Submit.

The function will run on all future environments.
The function will run all the time, regardless of the playbook selection.
The function will run on all current environments.
This function created within the playbook will run on all current environments as well as on all future environments.

Identify the use of blocks.

Select one that applies, and then click Submit.

Repeatable actions
Condition features
Insight features

Who typically has sufficient rights to turn off the "simulator" mode?

Select one that applies, and then click Submit.

Security Operations Center (SOC) Analyst
Assistant
Admin

What is the difference between Jobs and Connectors within Chronicle Security Orchestration, Automation, and Response (SOAR)?

Select one that applies, and then click Submit.

Connectors notify us of any errors in the alert ingestion process. Jobs notify if a specific job has failed at least three times (sends a notification for each specific job once every three hours).
Connectors are used to ingest cases into the platform. Jobs support healthcheck and synchonization tasks.
Jobs are used to ingest cases into the platform. Connectors support healthcheck and synchonization tasks.
Connectors include tasks or actions to be performed by the playbook. Jobs are notified if a specific action has failed at least three times across all cases it was performed in.

Where can you check all the Active System Modules?

Select one that applies, and then click Submit.