A case contains a file hash enriched with VirusTotal context and categorized as likely malicious. You need to quickly identify devices and users in your org who interacted with this file. What should you do?


Multiple Choice


Explanation:
The key idea is to quickly map the indicator to people and machines in your environment by querying the centralized telemetry in your SIEM. When a file hash is enriched as likely malicious, the fastest way to see who and what interacted with that file is to run a playbook that performs a UDM search in the SecOps SIEM, using the hash as the search criterion. The Unified Data Model unifies data from endpoints, networks, and applications, so the search returns all relevant events where the file hash appeared, revealing which devices and which users touched it, along with timestamps and possibly related processes. This gives you a concrete, actionable view of impact and containment scope in one automated step.

Relying solely on Threat Intelligence Platform data would tell you about the hash's reputation, not about actual in-environment interactions. Manual actions in SOAR could work, but they are slower and less repeatable than a targeted UDM-based playbook that automates the lookup and returns a ready-to-use list of affected entities.
