Which technique enables rapid identification of unknown C2 nodes by examining historic outbound connections against ingested threat intel?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

Which technique enables rapid identification of unknown C2 nodes by examining historic outbound connections against ingested threat intel?

Explanation:

The idea being tested is retrospective hunting across the tenant. Ingested threat intel (IOCs such as malicious domains, IPs, and file hashes) becomes the query, and historical telemetry (outbound connections, DNS, proxy, and other logs) for the whole tenant is the data it runs against. Matching past activity against current intel surfaces C2 infrastructure that hosts in your environment talked to but that nobody flagged at the time, either because the indicator did not exist yet or because the traffic never raised an alert, even when the connection happened days or weeks earlier. The speed and scale come from running one historical search across all the data rather than waiting for new events or reviewing hosts one at a time. A hit is a lead rather than a verdict: aged indicators, shared hosting, and sinkholed domains all produce matches that still need triage.

This is why it is the best fit: it uses ingested threat intel to uncover past connections to C2 domains or IPs across the entire environment, producing a list of affected hosts for quick triage and containment. Real-time endpoint monitoring alone only sees what happens from now on; manual log review without threat intel is slow and incomplete; and blocking outbound connections by default is a preventive control, not a discovery or identification technique.

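The hunt described above, written out as code. This is an added example, not part of the quiz page and not Google SecOps code; in Google SecOps the equivalent operation is running a rule as a retrohunt over historical UDM data, but the logic below is platform-neutral. The IOC feed, hosts, domains and addresses are all constructed (RFC 5737 address ranges and the reserved .example TLD). Each indicator carries the time it was ingested, so the script can flag hits that happened before the intel existed, which is exactly the class of activity real-time matching could never have caught. Domain matching is anchored on a leading dot so a look-alike such as notupdate-svc.example does not match update-svc.example, and IP indicators are matched as networks so single addresses and CIDR blocks are handled the same way.

```python
"""Retrospective IOC hunt over historical telemetry (constructed example)."""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed threat-intel feed (not a real feed). "ingested" is when the tenant
# first received the indicator; hits earlier than that predate the intel.
IOC_FEED_JSON = """
[
  {"type": "domain", "value": "update-svc.example", "ingested": "2024-03-10T00:00:00Z", "source": "feed-a"},
  {"type": "ipv4",   "value": "203.0.113.45",       "ingested": "2024-03-10T00:00:00Z", "source": "feed-a"},
  {"type": "cidr",   "value": "198.51.100.0/24",    "ingested": "2024-03-12T00:00:00Z", "source": "feed-b"}
]
"""

# Constructed historical telemetry from several hosts and log sources.
TELEMETRY = [
    {"ts": "2024-03-01T08:12:03Z", "host": "ws-017",    "source": "dns",     "domain": "cdn.update-svc.example"},
    {"ts": "2024-03-02T09:00:00Z", "host": "ws-017",    "source": "proxy",   "dst_ip": "203.0.113.45"},
    {"ts": "2024-03-05T11:45:10Z", "host": "ws-099",    "source": "dns",     "domain": "notupdate-svc.example"},
    {"ts": "2024-03-06T12:00:00Z", "host": "ws-099",    "source": "proxy",   "dst_ip": "203.0.113.46"},
    {"ts": "2024-03-07T16:20:00Z", "host": "ws-017",    "source": "dns",     "domain": "Update-Svc.Example."},
    {"ts": "2024-03-11T14:30:00Z", "host": "srv-db-02", "source": "netflow", "dst_ip": "198.51.100.77"},
    {"ts": "2024-03-13T10:00:00Z", "host": "ws-042",    "source": "netflow", "dst_ip": "198.51.100.200"},
]


def parse_ts(s: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_domain(d: str) -> str:
    # Trailing dot (DNS absolute form) and case must not defeat a match.
    return d.strip().rstrip(".").lower()


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain" | "ipv4" | "cidr"
    value: str       # normalised domain, or network in CIDR form
    ingested: datetime
    source: str


def load_feed(feed_json: str) -> list[Indicator]:
    indicators = []
    for row in json.loads(feed_json):
        if row["type"] == "domain":
            value = normalize_domain(row["value"])
        else:
            # A bare IPv4 becomes a /32 so single IPs and CIDRs match the same way;
            # a malformed feed row raises here instead of silently never matching.
            value = str(ipaddress.ip_network(row["value"], strict=False))
        indicators.append(Indicator(row["type"], value, parse_ts(row["ingested"]), row["source"]))
    return indicators


def indicator_matches(ind: Indicator, event: dict) -> bool:
    if ind.kind == "domain" and "domain" in event:
        d = normalize_domain(event["domain"])
        # Exact match or a subdomain; the leading dot stops
        # "notupdate-svc.example" from matching "update-svc.example".
        return d == ind.value or d.endswith("." + ind.value)
    if ind.kind in ("ipv4", "cidr") and "dst_ip" in event:
        return ipaddress.ip_address(event["dst_ip"]) in ipaddress.ip_network(ind.value)
    return False


def retrohunt(events: list[dict], indicators: list[Indicator]) -> list[dict]:
    """One pass over all historical events against all indicators."""
    hits = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        for ind in indicators:
            if indicator_matches(ind, ev):
                hits.append({
                    "ts": ts, "host": ev["host"], "source": ev["source"],
                    "observed": ev.get("domain") or ev.get("dst_ip"),
                    "indicator": ind.value, "kind": ind.kind, "feed": ind.source,
                    # True when the connection happened before the IOC was in the
                    # tenant: no real-time detection could have fired on it.
                    "predates_intel": ts < ind.ingested,
                })
    return sorted(hits, key=lambda h: h["ts"])


def hosts_to_contain(hits: list[dict]) -> dict[str, set[str]]:
    """Collapse hits to host -> indicators, the list triage and containment start from."""
    by_host: dict[str, set[str]] = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["indicator"])
    return by_host


if __name__ == "__main__":
    found = retrohunt(TELEMETRY, load_feed(IOC_FEED_JSON))
    for h in found:
        flag = "PREDATES INTEL" if h["predates_intel"] else ""
        print(f'{h["ts"].isoformat()} {h["host"]:<10} {h["source"]:<8} {h["observed"]:<28} -> {h["indicator"]} ({h["feed"]}) {flag}')
    print("hosts to triage:", hosts_to_contain(found))
```

On the constructed data this yields five hits across three hosts; four of them occurred before the matching indicator was ingested, which is the value of searching history rather than only watching new events. ws-099 never appears, because its look-alike domain and neighbouring IP are not indicators.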
