When writing a detection rule using a MISP feed to filter for domain indicators in the entity graph, which condition filters for domain IOCs?

Multiple Choice

Explanation:
Filtering domain indicators in the MISP entity graph relies on two specific metadata fields: the type of the entity and the provenance context. The entity_type must be DOMAIN_NAME, which labels the IOC as a domain, ensuring you’re looking at domain indicators rather than other entity kinds. The source_type must be ENTITY_CONTEXT, which indicates the indicator comes from the domain’s own context within the graph, giving precise provenance for domain IOCs.

Using the entity_type condition alone, without tying it to the domain's own context, could pull in items that aren't strictly domain indicators, and using other context values such as DERIVED_CONTEXT or GLOBAL_CONTEXT would reference different kinds of context that don't specifically define domain IOCs in the entity graph. Leaving the source_type unspecified also removes the explicit provenance needed to confirm the entity is a domain seen in its own domain context.

So combining DOMAIN_NAME with ENTITY_CONTEXT cleanly targets domain indicators within the domain’s entity context.
