When you see multiple login events with the same principal.user.userid from different countries within a short time window, you need to validate whether the account is compromised. What should you do?

Multiple Choice

Explanation:
When trying to determine if an account is compromised, the fastest and most direct signal is cross-region login activity tied to the same user. A UDM search for login events focused on that user, followed by pivoting the results to group by user and country, lets you see at a glance whether logins are arriving from multiple countries within a short window. This pattern—the same user showing logins from different geolocations in quick succession—is a classic indicator of credential abuse, so grouping by user and country makes the anomalous activity immediately apparent and actionable.

Other approaches may still be useful for broader risk management, but they don’t surface this specific signal as quickly. An entity graph with risk scores can help prioritize incidents across assets, but it’s not as targeted to expose the exact cross-border login pattern for a single user. YARA-L rules are powerful for pattern-matching on artifacts, yet they’re not tailored to geolocation and time-window aggregation for login events. RetroHunt looks at historical data, which is valuable for trend detection but isn’t the fastest method for validating a current potential compromise.
