If you suspect anomalous outbound traffic to external domains is C2 communications, which search identifies least common network communications over the last 14 days?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

If you suspect anomalous outbound traffic to external domains is C2 communications, which search identifies least common network communications over the last 14 days?

Explanation:

Spotting hidden C2 activity usually means looking for outbound connections to external destinations that do not normally appear in your traffic. To do that effectively you need a measure of how rare a destination is, computed over a window long enough to separate genuine anomalies from everyday noise. A SIEM UDM search that selects NETWORK_CONNECTION or NETWORK_HTTP events and filters on a low rolling prevalence for the target domain, with the search time range set to the last 14 days, does exactly that. Rolling prevalence counts how many distinct assets in the environment contacted the domain during the rolling window, so a value of one or two means the domain is almost unknown to the fleet. Because the events are normalized into UDM, the same search covers every log source that produces network events and every host at once, and it surfaces the domains that are unusually uncommon against the recent baseline. That is the shape of C2-like behaviour: a single endpoint periodically reaching a domain nobody else talks to. Low prevalence on its own is only a lead, though; one-off CDN hosts and rarely used update servers score low too, so the hits should be triaged with context such as the regularity of the contacts, the age of the domain and whether the process or user on the endpoint has a legitimate reason to reach it.

The other approaches are less suitable. Filtering on prevalence of the principal domain looks at the wrong end of the connection: in UDM the principal is the initiating entity, so its domain is typically your own internal domain rather than the external destination being abused, and attacker infrastructure shows up as a variety of unusual target domains. A SOAR search is oriented towards case management and playbook automation, not towards computing rarity across raw network events. A raw search over firewall or proxy logs can work, but you would have to compute the distinct-asset prevalence yourself, and it lacks the normalization and cross-host visibility that a UDM-based search provides.
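The following Python is an added example, not code from Examzify or from Google SecOps. It models what the UDM search in the answer computes, using constructed UDM-shaped events rather than real telemetry: it keeps only NETWORK_CONNECTION and NETWORK_HTTP events inside a 14-day window, counts the distinct principal assets that contacted each target domain (the rolling prevalence), lists the rarest domains, and then measures how machine-regular one host's contacts to a domain are, which is the triage step that separates a beacon from an accidental one-off. The hostnames, domains and timestamps are all made up. The UDM search itself is quoted in a comment the way I would write it; the prevalence field path is an assumption to be confirmed against your tenant's schema.

```python
"""Least-common external target domains over a rolling window, with a beacon-regularity check.
Constructed sample data; field names mirror UDM (metadata.event_type, principal.hostname,
target.hostname) but the events are not real telemetry.

The equivalent Google SecOps UDM search (time range set to the last 14 days) would look like:
    (metadata.event_type = "NETWORK_CONNECTION" OR metadata.event_type = "NETWORK_HTTP")
    AND target.domain.prevalence.rolling_max <= 2
The prevalence field path above is an assumption; verify it in your tenant's UDM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

NETWORK_EVENT_TYPES = {"NETWORK_CONNECTION", "NETWORK_HTTP"}

# Assumed end of the search window for this example.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)


def _event(ts, host, domain, event_type="NETWORK_HTTP"):
    """Build a minimal UDM-shaped event (constructed sample data)."""
    return {
        "metadata": {"event_type": event_type, "event_timestamp": ts.isoformat()},
        "principal": {"hostname": host, "domain": "corp.example"},
        "target": {"hostname": domain},
    }


def _build_sample_events():
    events = []
    # Six workstations reach two common SaaS domains daily for 14 days: high prevalence.
    for day in range(14):
        for n in range(1, 7):
            ts = NOW - timedelta(days=day, hours=3)
            events.append(_event(ts, f"ws-00{n}", "www.google.com"))
            events.append(_event(ts, f"ws-00{n}", "login.microsoftonline.com", "NETWORK_CONNECTION"))
    # One workstation contacts an unfamiliar domain every hour for two days: single asset, regular.
    for h in range(48):
        events.append(_event(NOW - timedelta(hours=h), "ws-003", "cdn-update-7731.example.net"))
    # One workstation hits a rarely used mirror three times at irregular gaps: single asset, irregular.
    for hours_ago in (70, 69, 40):
        events.append(_event(NOW - timedelta(hours=hours_ago), "ws-002", "mirror.example.org"))
    # A partner site last contacted 20 days ago falls outside the window and must be ignored.
    events.append(_event(NOW - timedelta(days=20), "ws-005", "files.partner-example.org"))
    # A non-network event naming a domain must not count toward prevalence.
    events.append({"metadata": {"event_type": "USER_LOGIN", "event_timestamp": NOW.isoformat()},
                   "principal": {"hostname": "ws-001", "domain": "corp.example"},
                   "target": {"hostname": "login.microsoftonline.com"}})
    return events


SAMPLE_EVENTS = _build_sample_events()


def _ts(event):
    return datetime.fromisoformat(event["metadata"]["event_timestamp"])


def in_scope(event, now, window_days=14):
    """Keep only NETWORK_CONNECTION / NETWORK_HTTP events inside the rolling window."""
    if event["metadata"]["event_type"] not in NETWORK_EVENT_TYPES:
        return False
    return now - timedelta(days=window_days) <= _ts(event) <= now


def rolling_prevalence(events, now, window_days=14):
    """Map each target domain to the number of distinct principal assets that contacted it."""
    assets = defaultdict(set)
    for e in events:
        if in_scope(e, now, window_days):
            assets[e["target"]["hostname"].lower()].add(e["principal"]["hostname"])
    return {domain: len(hosts) for domain, hosts in assets.items()}


def least_common(events, now, window_days=14, max_assets=1):
    """Return (domain, asset_count) for domains seen from at most max_assets assets, rarest first."""
    prev = rolling_prevalence(events, now, window_days)
    return sorted(((d, c) for d, c in prev.items() if c <= max_assets), key=lambda x: (x[1], x[0]))


def beacon_regularity(events, now, host, domain, window_days=14):
    """Coefficient of variation of the gaps between one host's contacts to a domain.
    Close to 0 means machine-regular (beacon-like); None if there are fewer than two gaps."""
    times = sorted(_ts(e) for e in events
                   if in_scope(e, now, window_days)
                   and e["principal"]["hostname"] == host
                   and e["target"]["hostname"].lower() == domain)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return pstdev(gaps) / mean(gaps)


if __name__ == "__main__":
    for domain, count in least_common(SAMPLE_EVENTS, NOW):
        hosts = {e["principal"]["hostname"] for e in SAMPLE_EVENTS
                 if in_scope(e, NOW) and e["target"]["hostname"].lower() == domain}
        for host in sorted(hosts):
            print(domain, "assets:", count, host, "regularity:", beacon_regularity(SAMPLE_EVENTS, NOW, host, domain))
```

Run as-is and the two single-asset domains come out; the hourly contacts to cdn-update-7731.example.net have a regularity of 0.0 while the mirror's irregular fetches score close to 1, which is the difference an analyst wants before opening a case. Adjust `max_assets` to match the threshold you use on the prevalence field in the real search.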
