To investigate outbound and inbound traffic to a known C2 IP address, which search approach should you use in SecOps?


Multiple Choice


Explanation:
When you want to see how a known C2 IP is moving traffic to and from your environment, the key is querying the actual network logs with the fields that record who talked to whom. A SIEM search over the source IP and the destination (target) IP captures both directions of communication: outbound connections from internal hosts to the C2 IP (an internal address as the source, the C2 address as target.ip) and inbound connections from the C2 back to internal hosts (the C2 address as the source, an internal address as target.ip). In Google SecOps this is a UDM search over normalized events. Network connections are usually modeled with the initiating side in the principal noun and the responding side in target, so confirm which noun (principal or src) your log source's parser populates before you trust the direction a result implies. Searching for the C2 address in both field positions, restricted to network-connection event types, gives you a clear timeline of interactions, identifies which assets participated, and shows the volume and timing of the traffic, all essential for understanding infection breadth and persistence.

The other options don't line up as well with the goal. A SOAR playbook is built for automated response and orchestration rather than for directly surfacing traffic patterns to a known IP; it may run such a search as one step, but the evidence still comes from the search. Searching for cases that contain the IP only finds cases where an analyst or a rule has already recorded that address; it doesn't reveal actual traffic flows or which hosts were communicating. Relying on a grouped IP field with enriched events collapses per-session detail and depends on enrichment quality, making it harder to precisely separate inbound from outbound traffic to the C2 IP.
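A worked example of the approach, added here and not part of the quiz page or of Google SecOps itself: the UDM search string a responder would run (its field names principal.ip, target.ip and metadata.event_type are taken from the UDM schema; the exact search syntax is an assumption), followed by the same two-direction logic applied to a constructed set of UDM-shaped events standing in for the search results. The C2 address 203.0.113.10, the internal hosts and the byte counts are all made up for the example. The code ignores events that merely mention the C2 IP without being a network connection, and separates outbound (internal to C2) from inbound (C2 to internal) while building the per-asset timeline the explanation describes.

```python
import json
from collections import defaultdict

# Known C2 indicator (RFC 5737 documentation address; assumed for this example).
C2_IP = "203.0.113.10"

# The UDM search a responder would type into the SecOps search bar. Field names
# follow the UDM schema (principal = initiator, target = responder); the syntax
# shown is an assumption for illustration.
UDM_QUERY = (
    'metadata.event_type = "NETWORK_CONNECTION" AND '
    f'(principal.ip = "{C2_IP}" OR target.ip = "{C2_IP}")'
)

# Constructed UDM-shaped events standing in for what that search would return.
# IP fields are repeated (lists) as in UDM; byte counters follow the
# network.sent_bytes / network.received_bytes field names.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:05:00Z"},
     "principal": {"ip": [C2_IP]}, "target": {"ip": ["10.0.0.5"], "port": 4444},
     "network": {"sent_bytes": 512, "received_bytes": 0}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:00:00Z"},
     "principal": {"ip": ["10.0.0.5"]}, "target": {"ip": [C2_IP], "port": 443},
     "network": {"sent_bytes": 1200, "received_bytes": 300}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:07:00Z"},
     "principal": {"ip": ["10.0.0.9"]}, "target": {"ip": [C2_IP], "port": 443},
     "network": {"sent_bytes": 800, "received_bytes": 150}},
    # Unrelated destination: must be ignored.
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:09:00Z"},
     "principal": {"ip": ["10.0.0.7"]}, "target": {"ip": ["198.51.100.20"], "port": 443},
     "network": {"sent_bytes": 100, "received_bytes": 100}},
    # Non-network event that mentions the C2 IP (e.g. a process launch): not a flow.
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T09:58:00Z"},
     "principal": {"ip": ["10.0.0.5"]}, "target": {"ip": [C2_IP]}},
]


def classify_c2_traffic(events, c2_ip):
    """Split NETWORK_CONNECTION events into outbound (internal -> C2) and
    inbound (C2 -> internal). Returns the UDM query, a time-ordered timeline
    and a per-internal-asset summary with hit counts, byte totals and
    first/last seen timestamps."""
    timeline = []
    assets = defaultdict(lambda: {"outbound": 0, "inbound": 0,
                                  "bytes_to_c2": 0, "bytes_from_c2": 0,
                                  "first_seen": None, "last_seen": None})
    # ISO-8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["metadata"]["event_timestamp"]):
        meta = ev["metadata"]
        if meta.get("event_type") != "NETWORK_CONNECTION":
            continue
        p_ips = ev.get("principal", {}).get("ip", [])
        t_ips = ev.get("target", {}).get("ip", [])
        net = ev.get("network", {})
        sent, received = net.get("sent_bytes", 0), net.get("received_bytes", 0)
        if c2_ip in t_ips and c2_ip not in p_ips:
            # Internal host initiated the connection to the C2.
            direction, asset = "outbound", (p_ips[0] if p_ips else "unknown")
            to_c2, from_c2 = sent, received
        elif c2_ip in p_ips and c2_ip not in t_ips:
            # C2 initiated the connection back to an internal host.
            direction, asset = "inbound", (t_ips[0] if t_ips else "unknown")
            to_c2, from_c2 = received, sent
        else:
            continue
        ts = meta["event_timestamp"]
        timeline.append({"ts": ts, "direction": direction, "asset": asset,
                         "port": ev.get("target", {}).get("port")})
        a = assets[asset]
        a[direction] += 1
        a["bytes_to_c2"] += to_c2
        a["bytes_from_c2"] += from_c2
        a["first_seen"] = a["first_seen"] or ts
        a["last_seen"] = ts
    return {"query": UDM_QUERY, "timeline": timeline, "assets": dict(assets)}


if __name__ == "__main__":
    print(json.dumps(classify_c2_traffic(SAMPLE_EVENTS, C2_IP), indent=2))
```

Running it shows three flows in time order (outbound from 10.0.0.5, inbound to 10.0.0.5, outbound from 10.0.0.9) and two participating assets; the unrelated connection and the process-launch event are dropped. The per-asset byte totals are what you would compare against the "grouped IP field" option: that view would give you one number per address but not the inbound/outbound split or the session timestamps that the timeline keeps.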
