You are writing a SecOps SIEM rule that sends a risk score to the alert. You have GTI data via subscription. You need the threat score in detection logic to inform alert risk score and be available for future detections. What should you do?


Multiple Choice


Explanation:

Enriching the alert with external threat intelligence and exposing that score to detection logic requires a workflow that can fetch GTI data on demand and write the result back into the alert's context. A SOAR playbook is the right tool here: it can call the VirusTotal integration to query the latest GTI threat score for the artifact involved (file hash, domain, IP address or URL), then update the alert's risk_score in its context. Because the value is persisted in the alert context rather than computed once and discarded, it informs the current detection logic and remains available to future detections and correlated alerts.

Relying on a feed to automatically enrich entities would attach GTI data to entities, but it does not guarantee that a per-alert risk_score is surfaced to detection logic in real time or retained for future detections. The other options focus on filtering or predefined outcomes and do not provide the dynamic enrichment and persistent risk_score value that ongoing detections need.
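The playbook step the explanation describes, as an added Python sketch that is not part of the original page and not Google's code: it reads a GTI threat score out of a VirusTotal API v3 file object and writes it into the alert's risk_score and context, leaving the alert untouched when no score is available. The VirusTotal response is constructed inline, the gti_assessment field names and the alert/context dictionary shape are assumptions, and nothing here uses the SecOps SOAR SDK.

```python
"""Illustrative GTI enrichment step for a SOAR playbook (added example)."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample in the shape of a VirusTotal API v3 /files/{hash} object for a
# GTI-entitled account. The gti_assessment layout is an assumption about field names.
# The id is the EICAR test file SHA-256, used only as a placeholder artifact.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "id": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        "type": "file",
        "attributes": {
            "last_analysis_stats": {"malicious": 61, "undetected": 10},
            "gti_assessment": {
                "threat_score": {"value": 85},
                "severity": {"value": "SEVERITY_HIGH"},
                "verdict": {"value": "VERDICT_MALICIOUS"},
            },
        },
    }
})


def extract_gti_threat_score(vt_json: str) -> int | None:
    """Return the GTI threat score clamped to 0-100, or None when the response
    carries no gti_assessment (no GTI entitlement, unknown artifact, bad payload)."""
    try:
        attrs = json.loads(vt_json)["data"]["attributes"]
        value = attrs["gti_assessment"]["threat_score"]["value"]
    except (KeyError, TypeError, ValueError):
        return None
    return max(0, min(100, int(value)))


def enrich_alert(alert: dict[str, Any], vt_json: str) -> dict[str, Any]:
    """Persist the GTI score in the alert context and raise risk_score to match.

    Returns a new alert dict; the input is not mutated. If no usable score comes
    back, risk_score is left as the rule set it and the context records why, so a
    failed lookup never silently lowers or zeroes an alert.
    """
    score = extract_gti_threat_score(vt_json)
    ctx = dict(alert.get("context", {}))
    if score is None:
        ctx["gti_enrichment"] = "unavailable"
        return {**alert, "context": ctx}
    # Stored in context so later detections and correlated alerts can read it.
    ctx["gti_threat_score"] = score
    ctx["gti_enrichment"] = "ok"
    # Take the higher of the rule's own score and GTI's: enrichment only escalates.
    new_score = max(int(alert.get("risk_score", 0)), score)
    return {**alert, "risk_score": new_score, "context": ctx}


if __name__ == "__main__":
    alert = {"id": "alert-1", "risk_score": 40, "context": {}}
    print(enrich_alert(alert, SAMPLE_VT_RESPONSE))
```

In a real playbook the JSON would come from the VirusTotal integration's action output rather than a constant, and the returned dict would be handed to whatever action your platform uses to update the alert; the decision logic (clamp, never lower, record failures) is the part worth keeping.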
