Valid Security-Operations-Engineer Dumps shared by EduDump.com for Helping Passing Security-Operations-Engineer Exam! EduDump.com now offer the newest Security-Operations-Engineer exam dumps, the EduDump.com Security-Operations-Engineer exam questions have been updated and answers have been corrected get the newest EduDump.com Security-Operations-Engineer dumps with Test Engine here:
You are investigating whether an advanced persistent threat (APT) actor has operated in your organization's environment undetected. You have received threat intelligence that includes: - A SHA256 hash for a malicious DLL - A known command and control (C2) domain - A behavior pattern where rundll32.exe spawns powershell.exe with obfuscated arguments Your Google Security Operations (SecOps) instance includes logs from EDR, DNS, and Windows Sysmon. However, you have recently discovered that process hashes are not reliably captured across all endpoints due to an inconsistent Sysmon configuration. You need to use Google SecOps to develop a detection mechanism that identifies the associated activities. What should you do?
Correct Answer: A
Since process hashes are not consistently available across all endpoints, relying solely on the DLL hash would miss activity. The best solution is to write a multi-event YARA-L detection rule that correlates the process relationship (rundll32.exe spawning powershell.exe with obfuscated arguments) together with the C2 domain and hash when available, and run a retrohunt. This approach detects both behavior-based and IOC-based indicators, ensuring coverage even when hashes are missing.