A server hosting an internal web app was exposed to the internet for 48 hours. You want to run a UDM search to identify successful exploitations. What event field search should you use?

Multiple Choice

Explanation:
When a server is exposed and you’re hunting for exploitation, you want to surface signs of what the attacker actually did on the host. In the Unified Data Model, the field metadata.event_type is designed to describe the kind of activity, including process launches and rarely seen commands. Those are exactly the telltale signs of compromise—new processes started by an attacker, shells opened, unusual tools invoked, or other uncommon commands that don’t belong to normal operation. By using a search scoped to metadata.event_type for process creation and rarely seen commands, you can identify sequences of activity that indicate exploitation on the server.

Other fields don’t target this kind of signal as directly. product_event_type focuses on security product events like antimalware detections and endpoint alerts, which may be missing or incomplete on a server running a web app. principal.ip would flag unusual network origins but doesn’t confirm what the attacker did on the host. principal.user.userid looks for sign-ins, which may not occur or may not capture post-exploitation actions. The process-creation and rare-command signals in metadata.event_type provide the most direct window into successful exploitation.
