You received a suspicious C2 domain IOC and want to investigate whether it appeared in your environment using the most efficient approach. What should you do?


Multiple Choice


Explanation:
When validating a domain IOC, the quickest signal is the DNS traffic your environment has already seen. A domain used for C2 will typically generate DNS queries, so querying the DNS data in your network telemetry gives you direct, fast evidence of any lookups to that domain. A search that targets the DNS fields of your UDM (Unified Data Model) uses the most relevant data source and returns results quickly, without digging through unrelated logs or waiting for detections to be generated.

Raw logs would eventually reveal the domain, but they require scanning across many sources and formats, which is slower and more error-prone. Grouping by hostname helps analyze the data after you have found matches, but it does not by itself surface whether the IOC appeared. Relying on IOC detections means waiting for the system to generate and surface those hits, which can introduce delays. So the fastest and most reliable way to confirm presence is to search the DNS data directly in the UDM.

