During an incident investigation, which UDM search field best captures network activity tied to rarely seen commands?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

During an incident investigation, which UDM search field best captures network activity tied to rarely seen commands?

Explanation:

This question focuses on how to find events that show a command being run and then connect them to later network activity. To capture activity tied to rarely seen commands, you want the event-category field that records what kind of action actually occurred on the host. metadata.event_type is the best fit because it directly describes the event type, including process launches and other command executions. By querying for process_launch or related command events in this field, you identify when a rarely seen command begins, which you can then correlate with any network activity that follows or accompanies that process.

The other fields focus on different signals. product_event_type covers product-specific alerts such as antimalware events, which are not about the command execution itself. principal.ip looks at the source IP involved in network traffic, which may help with location or traffic-pattern analysis but doesn't tell you what command was run. principal.user.userid tracks user sign-ons, which is useful for user activity but not for the actual command execution or its immediate network consequences. Therefore, metadata.event_type best ties the rare command execution to its network context.
