In Google SecOps, to identify traffic originating from the server hosting an HTTP backdoor on TCP port 5555, which event attribute should you monitor?

Multiple Choice

Explanation:
Focus on the port used by the initiating host. In these event models, the principal represents the entity that starts the connection, and its port shows the source port of that connection. Since the backdoor on the server would originate traffic with 5555 as its source port, monitoring the principal.port field for 5555 will detect that outbound activity.

Why the others fit less well: the destination port (Target.port) would show where the traffic is going, not where it starts from; the network protocol (Network.ip_protocol) being TCP just confirms the transport and doesn’t pinpoint the 5555 port; and the application protocol (Network.ApplicationProtocol) being HTTP would only tell you the application-layer protocol, not the specific source port used by the backdoor.
