If a Compute Engine instance is flagged for a high volume of outbound connections to diverse unknown IPs, what should you do to determine if it is compromised by malware?


Multiple Choice

Explanation:
To confirm a malware compromise on a Compute Engine instance, start from the security telemetry that already flagged the behaviour and gives it context. Reviewing the Event Threat Detection (ETD) findings for the instance, together with the related log events and the outbound connection records (such as VPC Flow Logs), is the correct approach: ETD, a built-in service of Security Command Center, is designed to surface indicators of compromise such as regular beaconing, connections to unknown or known-bad IP addresses, and other anomalous network patterns. The findings tell you what the instance did, when it happened, and which destinations were contacted, which is what you need both to judge whether malware is present and to scope the impact (how many destinations were reached, over what period, and whether other hosts show the same pattern).

The other options do not produce evidence of malware activity. IAM roles describe who or what can act on a resource, not whether the VM itself is compromised. The platform health dashboard reports Google Cloud service incidents, not host-level threats. Cycling the network interface is a disruptive containment step, not a diagnostic one: it does not tell you whether the host is infected, and taking it before you have collected the findings and connection records can destroy the evidence you need.
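As an added worked example (not part of the quiz page and not Google's own tooling), the following Python triages the kind of outbound connection records the explanation refers to: it scopes the records to the flagged instance, counts the distinct destinations it reached, and flags destinations contacted at clockwork intervals, the beaconing pattern an ETD finding describes. It assumes the records are shaped like VPC Flow Logs entries (`jsonPayload.connection.dest_ip`, `dest_port`, `start_time`, `src_instance.vm_name`); the instance name, IP addresses, timestamps and detection thresholds are constructed for the example.

```python
"""Triage outbound connection records for one suspect Compute Engine VM.

Added example; not code from the original page. The records are constructed
to resemble the jsonPayload of VPC Flow Logs (connection.src_ip / dest_ip /
dest_port, start_time, src_instance.vm_name). Those field names, the VM name,
the IP addresses, the timestamps and the detection thresholds are all
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SUSPECT_VM = "web-frontend-01"  # hypothetical instance name from the alert


def _rec(vm, dest_ip, dest_port, start_time):
    """Build one constructed flow-log entry shaped like a VPC Flow Logs record."""
    return {"jsonPayload": {
        "connection": {"src_ip": "10.128.0.5", "dest_ip": dest_ip, "dest_port": dest_port},
        "start_time": start_time,
        "src_instance": {"vm_name": vm},
    }}


# Constructed sample: 203.0.113.10:443 is contacted every 60 s (beacon-like),
# five unrelated addresses are hit once each, and one record belongs to a
# different VM and must be ignored when scoping the suspect instance.
FLOW_RECORDS = (
    [_rec(SUSPECT_VM, "203.0.113.10", 443, f"2024-05-01T12:{m:02d}:00+00:00") for m in range(10)]
    + [_rec(SUSPECT_VM, f"198.51.100.{n}", 8080, f"2024-05-01T12:03:{n:02d}+00:00") for n in range(1, 6)]
    + [_rec("db-backend-02", "192.0.2.77", 5432, "2024-05-01T12:01:00+00:00")]
)


def outbound_by_destination(records, vm_name):
    """Group connection start times by (dest_ip, dest_port) for one source VM."""
    by_dest = defaultdict(list)
    for record in records:
        payload = record["jsonPayload"]
        if payload.get("src_instance", {}).get("vm_name") != vm_name:
            continue  # flows reported by other instances are out of scope
        conn = payload["connection"]
        by_dest[(conn["dest_ip"], conn["dest_port"])].append(
            datetime.fromisoformat(payload["start_time"]))
    return by_dest


def beacon_regularity(times):
    """Coefficient of variation of the gaps between connections.

    A value near 0 means the connections are evenly spaced, the signature of
    C2 beaconing. Returns None with fewer than three connections, where no
    interval statistic is meaningful.
    """
    if len(times) < 3:
        return None
    ordered = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def triage(records, vm_name, max_cv=0.2, min_hits=5):
    """Summarise one VM's outbound activity and flag beacon-like destinations.

    max_cv and min_hits are assumed thresholds: a destination counts as a
    beacon candidate when it was contacted at least min_hits times with a
    gap coefficient of variation at or below max_cv.
    """
    by_dest = outbound_by_destination(records, vm_name)
    candidates = []
    for (dest_ip, dest_port), times in by_dest.items():
        cv = beacon_regularity(times)
        if cv is not None and cv <= max_cv and len(times) >= min_hits:
            candidates.append({
                "dest_ip": dest_ip, "dest_port": dest_port, "hits": len(times),
                "interval_cv": round(cv, 3),
                "first_seen": min(times).isoformat(), "last_seen": max(times).isoformat(),
            })
    return {
        "distinct_destinations": len({ip for ip, _ in by_dest}),
        "total_connections": sum(len(t) for t in by_dest.values()),
        "beacon_candidates": candidates,
    }


if __name__ == "__main__":
    summary = triage(FLOW_RECORDS, SUSPECT_VM)
    print(f"{SUSPECT_VM}: {summary['total_connections']} connections to "
          f"{summary['distinct_destinations']} distinct destinations")
    for c in summary["beacon_candidates"]:
        print(f"  beacon candidate {c['dest_ip']}:{c['dest_port']} "
              f"hits={c['hits']} cv={c['interval_cv']} {c['first_seen']} .. {c['last_seen']}")
```

In practice the records would come from an export of the instance's VPC Flow Logs for the window named in the ETD finding. The fan-out count tells you how many unknown destinations need reputation lookups, and a destination with a near-zero interval coefficient of variation is the one to pivot on first: its first_seen timestamp bounds when the host was likely compromised, and the same destination appearing in other instances' flows scopes the impact.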
