Valid Security-Operations-Engineer Dumps shared by EduDump.com for Helping Passing Security-Operations-Engineer Exam! EduDump.com now offer the newest Security-Operations-Engineer exam dumps, the EduDump.com Security-Operations-Engineer exam questions have been updated and answers have been corrected get the newest EduDump.com Security-Operations-Engineer dumps with Test Engine here:
You are investigating whether an advanced persistent threat (APT) actor has operated in your organization's environment undetected. You have received threat intelligence that includes: * A SHA256 hash for a malicious DLL * A known command and control (C2) domain * A behavior pattern where rundll32.exe spawns powershell.exe with obfuscated arguments Your Google Security Operations (SecOps) instance includes logs from EDR, DNS, and Windows Sysmon. However, you have recently discovered that process hashes are not reliably captured across all endpoints due to an inconsistent Sysmon configuration. You need to use Google SecOps to develop a detection mechanism that identifies the associated activities. What should you do?
Correct Answer: D
The core of this problem is the unreliable data quality for the file hash. A robust detection strategy cannot depend on an unreliable data point. Options B and C are weak because they create a dependency on the SHA256 hash, which the prompt states is "not reliably captured." This would lead to missed detections. Option A is far too broad and would generate massive noise. The best detection engineering practice is to use the reliable IoCs in a flexible and high-performance manner. The domain is a reliable IoC (from DNS logs), and the hash is still a valuable IoC, even if it's only intermittently available. The standard Google SecOps method for this is to create a List (referred to here as a "data table") containing both static IoCs: the hash and the domain. An engineer can then write a single, efficient YARA-L rule that references this list. This rule would trigger if either a PROCESS_LAUNCH event is seen with a hash in the list or a NETWORK_DNS event is seen with a domain in the list (e.g., (event.principal.process.file.sha256 in %ioc_list) or (event.network.dns.question.name in %ioc_list)). This creates a resilient detection mechanism that provides two opportunities to identify the threat, successfully working around the unreliable data problem. (Reference: Google Cloud documentation, "YARA-L 2.0 language syntax"; "Using Lists in rules"; "Detection engineering overview")