Detection engineering Questions
Practice questions for Detection engineering topic in Google Professional Security Operations Engineer. 42 questions covering this domain.
An enrichment-based rule initially evaluates without all expected context, then later stabilizes as enrichment completes. Which explanation matches th...
To improve the usefulness of the alert graph for a custom YARA-L rule, which section should include context fields such as principal, target, src, obs...
A rule must compare an integer-like UDM field against values stored in a STRING reference list. What is the documented approach?
What is the benefit of converting a successful Google SecOps search into a YARA-L rule?
Which statement about Google Cloud Threat Intelligence feeds in rules is correct?
A rule is firing on known benign admin behavior, but the team does not want to disable the entire rule. Which feature should they use?
A team wants a low-prevalence hunting rule to act as a secondary indicator during investigations instead of immediately creating alerts. What should t...
In Alert view, which sign indicates that an alert came from a composite detection rather than directly from raw events alone?
In YARA-L 2.0, which section groups events over a time window?
Before enabling a new rule in production, an engineer wants to test it against older telemetry. Which Google SecOps capability is designed for that?
Which statement about prevalence data in Google SecOps is correct?
An organization wants Google-curated rule sets to be enabled but still wants to selectively exclude known-benign findings. Which approach is documente...
A team wants to track detection engineering changes (rules added, modified, removed) in source control with peer review before deployment. Which appro...
Which YARA-L feature lets a rule reference a curated list of values (such as approved admin users) without inlining them in the rule body?
A detection engineer wants a rule's outcome variables to drive alert graph context such as principals and targets. Which YARA-L section should be used...
Which YARA-L 2.0 section defines the events being matched, including their UDM filter conditions?
A detection engineer must reduce noise from a YARA-L rule that generates many alerts for the same entity within minutes. Which feature consolidates th...
A detection engineer wants a YARA-L rule that matches only when an event involves an internal user accessing an external service. Which approach is co...
Which Google SecOps capability lets a detection engineer publish a single detection logic that produces both a detection event and a higher-confidence...
Which YARA-L rule type is designed to detect anomalies based on statistical baselines such as standard deviations from a mean?