Threat hunting Questions
Practice questions for the Threat hunting topic in Google Professional Security Operations Engineer. 35 questions cover this domain.
An investigator needs to understand how a high-risk alert spread across related systems and accounts. Which Google SecOps workflow is the best fit?
A search returns too many results and the analyst only sees the newest subset. What is the best corrective action?
An alert shows only a suspicious file hash and no direct asset identifier. What is the best next step to identify the affected asset?
A custom client exceeds Google SecOps search quota and receives an API failure. Which response is documented for programmatic access when a limit is h...
A SOC wants to prioritize triage by organizational threat rather than by arrival time. Which workflow aligns with the Google SecOps investigation guid...
What is the purpose of watchlists in Google SecOps Risk Analytics?
A threat hunter wants to search events against an internal table of suspicious IPs without manually listing every value in the query. Which feature is...
An analyst wants to discover which UDM field contains a specific text value before writing a search query. Which Google SecOps feature should the anal...
An analyst suspects lateral movement even though no formal alert has fired. Which investigation approach best matches Google's guidance?
In Google SecOps search, what does the grouped field ip do?
A hunter wants to test a YARA-L hunting query against historical data without creating an active rule. Which Google SecOps capability supports this?
A hunter wants to determine whether a known indicator of compromise has been observed anywhere in the environment. Which Google SecOps feature is most...
Which Google SecOps search interface uses a simplified syntax to search across UDM events and entities?
A hunter wants to pivot from a suspicious user identity to all related events, devices, and processes for that user. Which Google SecOps capability su...
A hunter wants to identify newly created service accounts that are then granted elevated IAM roles within minutes (a known credential-abuse pattern). ...
An analyst suspects a compromised account exfiltrating data to an unfamiliar domain. Which Google SecOps investigation sequence is most appropriate?
Which Google SecOps capability provides an interactive timeline for an entity, showing related events and risk factors over time?
A threat hunter wants to find rare combinations of process and parent-process names across the entire fleet to identify suspicious execution patterns....
A SOC wants to use MITRE ATT&CK coverage to identify hunting gaps. Which Google SecOps dashboard supports this analysis?
A hunter wants to build a search query that matches events involving IP addresses from a specific cloud provider's known egress ranges stored as a lis...